Skip to main content

The choice between convenience and data security: the Amazon Echo and HMRC partnership

(Image credit: Image Credit: Amedley / Shutterstock)

There is no denying that the use of a personal assistant device, such as the Amazon Echo, can bring convenience and efficiency to the home. Utilising voice recognition software, UK consumers can create shopping lists, set reminders and, as of 10th July 2018, ask for guidance when renewing their tax credit. HMRC has announced that in preparation for the 31st July tax credit renewal deadline, UK tax payers can use Alexa to receive information about tax credit applications in an attempt to offer more automated assistance to consumers.

Even though the introduction of this service may seem harmless, and HMRC has insisted that no personal information is stored as a result of this feature, the tax office appears to be making further steps towards total application automation. HMRC has previously stated its ambition to explore the possibility of developing software that allows tax applications to be created using smart personal assistant devices. As this trend of using smart technology to streamline services continues, issues surrounding data protection and security become more firmly affixed at the forefront of consumer discussion. 

Devices like the Amazon Echo already have access to a huge quantity of personal data but with the introduction of more sophisticated assistance features, such as HMRC application automation, the possibility for intentional and unintentional data abuse greatly increases. 

Neither Amazon nor HMRC have impeccable information protection records. When Amazon released the Echo device in 2014, many consumers were apprehensive about what data is and is not collected through the device. Even though Amazon claims that the Echo was made with privacy at the forefront of its design and that the only information the device can understand by itself are its 'wake words' ("Ok Alexa"), these reassurances have done little to subdue these long-standing consumer privacy worries. 

In May 2018, a couple from Portland discovered that their Echo device had recorded a private conversation without provocation and sent the recording via email to a random contact. Amazon explained that the device had misinterpreted the background conversation as a series of commands and believed it was just following instruction from the user. 

In 2016, a group of scientists also discovered that Echo devices could be turned on and instructed with commands that were hidden in unintelligible white noise, demonstrating that there are a huge variety of ways for the device to be manipulated. These discoveries and unfortunate malfunctions show that if the device was to collect personal tax information in the way that HMRC is planning, there is no reason to assume that the data is guaranteed to be safe. Even though the same can be said about most technological devices, the opportunity for a breach is undoubtedly greater in a device that is designed to be accessed by anyone. 

Amazon Echo audio clip logs can be manually deleted using the Alexa app, but it remains unclear whether the deleted data survives on Amazon's servers, adding to concerns that confidential tax information could remain stored on a third-party cloud. 

HMRC's data protection record is even more alarming. In 2007, it was reported that HMRC had lost the personal records, including bank details, of 25 million individuals in the post. After the information was requested from the National Audit Office (NAO), the entire HMRC database was uploaded onto two password-protected discs and sent via post. Neither disc was encrypted and neither were sent by recorded delivery. NAO never received the discs and the disaster has since been noted as one of the most serious personal data breaches in living memory. 

The seriousness of the breach led to widespread reform of data practices and the Information Commissioner's Office (ICO) was granted greater regulatory and punitive powers. More recently, the government has been accused of breaching personal data security nearly 9,000 times a year, with HMRC being accountable for 6,041 breaches. HMRC has only reported three of these instances to the ICO. These data breaches understandably add to concerns about the steps toward automated applications. Given HMRC's less than exemplary data protection track record, concerns about the security of data recorded and stored through a personal assistance device are entirely warranted. 

HMRC's partnership with Amazon comes at an interesting and transformative period for data protection. In May 2018, the 'sunrise period' for the General Data Protection Regulation (GDPR) ended, as the provisions of the new law took effect. The GDPR aims to create a 'gold standard' for data protection law and will apply to any business, public authority or charity established in the EU that uses information about living individuals. Higher standards are expected from organisations to keep personal information secure and to allow consumers greater choice as to how their information is ultimately used. Organisations should adopt systems of transparency as more extensive powers of punishment have been granted to data protection authorities as ensure total compliance. 

HMRC has already been accused of breaching the GDPR. Big Brother Watch, a privacy campaign group, has published complaints that HMRC's new voice ID system has infringed GDPR regulations concerning biometric data, resulting in an investigation by the ICO. HMRC has collected over 5 million individual voice ID's from tax payers to further automate their services. Even though the GDPR requires organisations to operate under a policy of transparency, HMRC is refusing to disclose how the data is stored and who the data is ultimately stored with. This complaint demonstrates the challenges facing organisations which are attempting to develop secure automated services under the wide shadow of the new, stringent GDPR. 

Society is currently inundated with technology that uses personal data to make life easier. With the rise of wearable technology, smart houses and personal assistance devices, personal information is being collected in an unprecedented volume. As technology becomes more sophisticated, data will be collected and stored through an even greater variety of third party sources, which undoubtedly gives rise to an even greater risk of data breaches occurring. 

GDPR will help provide individuals with a choice as to how their data is used but some organisations will still ultimately fail to meet these new higher standards. Although the current partnership between Amazon and HMRC is relatively harmless, the possibility for data abuse with fully automated tax applications is very possible. If current trends continue, some consumers will ultimately be choosing between convenience and secure data protection. 

James Castro-Edwards, Partner and Head of Data Protection at Wedlake Bell LLP

Andrew Rogers, student and participant in Wedlake Bell's Summer Vacation Scheme

Image Credit: Amedley / Shutterstock 

James Castro-Edwards
James Castro-Edwards, Partner and Head of Data Protection at Wedlake Bell LLP, advises organisations in the private, public and third sectors on data protection issues.