The UK's tax agency, HMRC (Her Majesty's Revenue and Customs), has collected the voice records of over 5.1 million Brits, a UK-based privacy and civil liberties group has discovered.

HMRC collected these voice records via a new service it launched in January 2017. Called Voice ID, the service allows UK citizens to authenticate by voice when calling HMRC call centers.

HMRC misled users into providing a voice sample

When it launched, the HMRC website claimed users would be able to opt out of using this feature and continue to authenticate and prove their identity via the usual methods.

But an investigation by privacy group Big Brother Watch has discovered that there's no opt-out option when calling the HMRC support line, and all callers were forced to record a voice track to use with the Voice ID service.

The only way to avoid creating a voice track was by saying "no" three times during the voice track creation process, something the privacy group's investigators discovered on their own. The process is detailed in the Big Brother Watch investigation.

Unfortunately, the Voice ID system didn't record this option, and it would pester the caller for a voice sample every time they called back.

Privacy group: HMRC broke the law

Big Brother Watch members argue that HMRC violated users' rights by not providing a simple way of opting out.

Furthermore, after a very lengthy and complicated process, users can only opt out from using voice recognition for the authentication process, but users can't have their voice patterns removed from HMRC's database.

Big Brother Watch says it filed freedom of information (FOIA) requests, but HMRC officials refused to reveal how users could delete their voice recordings from HMRC's database. They also declined to reveal which third parties and government agencies they share the voice records with. The only detail HMRC officials disclosed was that Voice ID had over 5.1 million users as of March 13, 2018.

The privacy group argues that HMRC is in clear violation of GDPR (an EU user privacy directive that's been enacted in the UK) by not prompting Brits for active consent and by not giving them an easy method of revoking consent and having their personal biometric data removed.

ICO is investigating

Big Brother Watch officials are now urging users to file a complaint with HMRC and another complaint about HMRC with the Information Commissioner's Office (ICO), the UK's national data protection authority.

The privacy group says it already notified ICO officials on its own, and the latter started an official investigation into HMRC's practices.