ATO integrates voice biometrics into its mobile app

The Australian Taxation Office (ATO) has partnered with Nuance Communications to extend its voice biometrics authentication service to its mobile app.

More than 1.5 million Australians have already submitted a "voiceprint" to access its contact centre, the ATO said, with the feature introduced in 2014. In what the ATO is calling the second phase of implementing the project, taxpayers will now also be able to use their voiceprint to access the tax office's online services through its app.

The use of voice biometrics replaces usernames, passwords, and security questions in order to prove identity, with the system creating a digital representation of the physical characteristics, patterns, rhythm, and sound of an individual's voice.

"The ATO is committed to delivering a contemporary digital experience for our clients, and feedback has shown an overwhelming acceptance of voice biometrics in the call centre, making it a natural next step to bring this ease of access to the mobile app," ATO Assistant Commissioner John Dardo said.

"Voice biometrics solutions have made the authentication process more convenient for taxpayers and service agents via the ATO mobile app. We're proud to be the first organisation to provide this type of innovative mobile experience."

Nuance, a global voice and language solutions provider, said the voice biometrics trend will continue growing, with customers wanting faster and easier access to their data.

"In this changing customer service ecosystem, organisations need to provide experiences that are natural and intuitive across channels in order to meet customers' higher expectations and preferences," said Nuance managing director of Enterprise for Australia and New Zealand, Robert Schwarz.

"The ATO's commitment to delivering an authentication process that is faster and smoother across channels shows they are putting their clients first by offering a more compelling and effective experience."

The ATO claimed that voice biometrics offer a higher level of security than passwords, PINs, security questions, and physical tokens, such as identity cards. It also said it saves time for ATO workers, who spend approximately 75,000 hours each year verifying callers' identities over the phone. According to the ATO, voice biometrics save around 40 to 45 seconds per call.

In September 2014, the ATO reported that more than 30,000 taxpayers had registered voiceprints to access the contact centre within two weeks of launching the service after it had announced the feature in August that year.

The Australian government has been making moves towards implementing biometrics as a security measure across agencies: In June last year, CrimTrac launched a tender to upgrade its fingerprint biometric identity system to also include palm prints, footprints, and facial images.

The government also announced that it would be spending AU$18.5 million to establish the National Facial Biometric Matching Capability for use by law-enforcement and government agencies from mid-2016.

The facial biometric system will be used to cross-check identities of unknown persons against photos contained within government records.

"This process will expedite putting a name to the face of terror suspects, murderers, and armed robbers, and will also help to detect fraud cases involving criminals that use multiple identities," Minister for Justice and Minister for Assisting the Prime Minister for Counter-Terrorism Michael Keenan said.

The Attorney-General's Department (AGD) had said in August that the capability was designed to replace manual facial image sharing arrangements between departments and agencies, with the Australian Federal Police, the Department of Foreign Affairs, the Department of Immigration and Border Protection (DIBP), the Australian Security Intelligence Organisation, the Department of Defence, and the AGD under the auspices of AusCheck the first to gain access to the system.

Still images from licence plate cameras and CCTV can also be shared.

Keenan assured that the biometrics system would have "strong privacy safeguards", falling within the remit of the Privacy Act.

At the same time, Northern Territory Police also announced a partnership with NEC Australia to integrate facial-recognition technology for its database of photographs, CCTV footage, and videos taken from phones, body-worn cameras, and drones.

In December, the AGD agreed to 16 recommendations made in a preliminary assessment to establish a National Facial Biometric Matching Capability (NFBMC) in mid-2016.

The recommendations included strengthening security measures by developing procedures for data-sharing agreements, complying with the Australian Privacy Principles, and limiting the amount of metadata that will be collected to include purpose and authorisation, transaction number, and the requesting and receiving agency.

"It enables law-enforcement and selected government agencies to share and match photographs on identity documents such as passports to strengthen identity-checking processes, while maintaining strong privacy safeguards," Keenan said.

The Migration Amendment (Strengthening Biometrics Integrity) Bill 2015 [PDF] was also introduced to Parliament in March for the purpose of preventing domestic terrorist threats by allowing for the collection of biometric data including fingerprints and iris scans from people arriving and departing through the SmartGate systems being implemented across all Australian international airports.

Five months after its introduction, the Privacy Impact Assessment into the proposed legislation was tabled to the Senate, but the report has yet to be published.

Prior to the tabling, numerous senators had continued questioning the privacy implications, especially concerning the lack of a mechanism for affected individuals to be notified if their information became subject to a privacy breach.

The Law Council of Australia had also previously argued that it was a privacy risk to store such a large bank of personal data, which could be a goldmine for hackers.

Privacy concerns are especially pertinent considering the DIBP's history of breaches, with the Federal Court in September finding that its impact assessment of a breach had been "procedurally unfair".

In February 2014, the department had accidentally published the details of almost 10,000 asylum seekers, including their full names, dates of birth, genders, nationalities, periods of immigration detention, locations, boat arrival information, and the reasons why an entrant was classified as having travelled into Australia "unlawfully".

The information was available on the department's website for just over eight days, remaining on its archive site for 14 days, and was removed from both sites only once publication The Guardian had alerted the department of the breach.

The breach occurred due to a DIBP staff member having copied and pasted a Microsoft Excel chart into a Word document, with the underlying data rendering the chart in Excel then embedded in the Word document.

KPMG's investigation into the breach, commissioned by the DIBP, found that the document had been accessed 123 times from 104 IP addresses before being pulled down, with a report by the OAIC last November finding that this constituted a breach of the Privacy Act.

"This incident was particularly concerning due to the vulnerability of the people involved," Pilgrim said at the time.

In April, the DIBP established a task force into its own accountability and information management practices after a similar gaffe where the passport numbers, dates of birth, and visa information of world leaders attending last year's G20 summit in Brisbane -- including those of US President Barack Obama and Russian President Vladimir Putin -- were accidentally emailed to a member of the Asian Cup Local Organising Committee.

The Office of the Australian Information Commissioner (OAIC) revealed in October that the most complained about department or private company for FY15 was again the DIBP, which received 847 complaints during the year -- more than five times the amount of the next entity, which received 165 complaints.

Australia is also set to be without a mandatory data-breach notification regime until 2017 at the earliest.