Spotlight on Surveillance
IRS's Inadequate Security Leaves Taxpayer Data Largely Unprotected
EPIC’s “Spotlight on Surveillance” project scrutinizes federal government programs that affect individual privacy. For more information, see previous Spotlights on Surveillance. This month, Spotlight surveys the Internal Revenue Service amidst recent questions concerning its information-sharing regulations and security systems. With lawmakers now considering the use of IRS data for homeland security purposes, the absence of adequate security at the agency is all the more troubling.
The income tax was first created in 1862 to pay for war expenses and, during the course of the next 30 years, was repealed, reinstated and struck down by the U.S. Supreme Court.1 However, "[i]n 1913, Wyoming ratified the 16th Amendment, providing the three-quarter majority of states necessary to amend the Constitution. The 16th Amendment gave Congress the authority to enact an income tax."2 In 2005, about 160 million people filed tax returns.3 For Fiscal Year 2007, IRS is requesting $10.6 billion, a budget increase of 0.2 percent.4
Recently, IRS has come under fire for issues related to individual privacy. Government reports have found that the agency has poor physical and electronic security, and it has had considerable trouble with its contractors improperly accessing and collecting sensitive taxpayer information.5
For 2005, Department of Treasury received a D-minus grade
in the Federal Computer Security Report Card, down from a
D-plus grade in 2004. The majority of Treasury systems are
those belonging to Internal Revenue Service.
Source: U.S. House of Representatives Government Reform Committee
Two weeks ago, Department of Treasury received a D-minus grade in the Federal Computer Security Report Card for 2005, down from a D-plus grade in 2004.6 The majority of Treasury systems are those belonging to IRS. The government-wide computer-security grade for 2005 was D-plus, while Homeland Security and Defense both received an F.7 Grades are based on reports submitted to Congress by the agencies; the reports are required under the Federal Information Security Management Act of 2002.8 The scores are meant to reflect whether departments meet federally mandated security standards.
Also this month, the Government Accountability Office reported that weaknesses in information security at IRS "increase the risk that sensitive financial and taxpayer data will be inadequately protected against disclosure, modification, or loss, possibly without detection, and place IRS operations at risk of disruption."9 Though IRS computer security had improved since the last GAO assessment a year ago, GAO found multiple security problems. These include: IRS's physical security controls (restricting physical access to computer facilities and resources); software patch management; system change controls; and electronic access controls such as network management, user accounts and passwords, user rights and file permissions, and logging and monitoring of security-relevant events.10 For example, of 2,700 IRS agents with "significant information technology security responsibilities," only 300 (11 percent) had received specialized security training.11 GAO explained that IRS had all of these security holes mainly because the agency "has not yet fully implemented its information security program to help ensure that effective controls were established and maintained."12
The GAO report also stated that IRS did not ensure adequate security training or oversight for its contractors.13 An earlier GAO report also found that IRS had security problems concerning contractors.14 "IRS has regulations and guidance in place to restrict the disclosure of SSNs by tax preparers and their contractors, but does not perform periodic reviews of tax preparers’ compliance," GAO said.15 IRS "monitors and oversees tax preparers, including how well they safeguard taxpayer information, by investigating complaints, which may come from clients or referrals from local IRS offices," according to GAO.16 The agency "has plans to start conducting more self-initiated reviews of a sample of tax preparers but the agency has limited resources for this effort," IRS officials said.17
Government Accountability Office reported that weaknesses in IRS security systems
place sensitive taxpayer information at risk. One example: of 2,700 IRS agents with
"significant information technology security responsibilities," only 300 (11 percent)
had received specialized security training.
Source: Government Accountability Office
This is a significant privacy issue because Social Security numbers are considered the "keys to the kingdom" to obtain records about individual consumers and are essential to identity theft, according to EPIC Executive Director Marc Rotenberg, who recently testified before the House Subcommittee on Social Security about identity theft issues.18 He explained that "widespread use [of Social Security Numbers], combined with lax verification procedures and aggressive credit marketing that lead to widespread identity theft."19 EPIC has detailed many cases where, "[d]espite the fact that the names, addresses, or telephone numbers of the thief and victim do not match, accounts are opened and credit granted using only the SSN as a means of authentication."20
The lack of oversight of contractors is significant in light of the fact that IRS recently proposed changes to its regulations prohibiting tax return preparers from disclosing tax return data to third parties.21 Earlier this month, EPIC, Privacy Rights Clearinghouse and World Privacy Forum submitted comments concerning these proposed changes.22 The groups said that, though "[t]he proposed changes to the regulations represent an important effort to increase taxpayers' awareness of what is done with their personal information," there are problems.23 "[T]he updated regulations fail to adequately safeguard taxpayer privacy because they neglect to protect information once it is disclosed, allow consent that is less than voluntary, and carry penalties that are not harsh enough to ensure tax return preparers obey the law," the groups said.24
If IRS seeks to safeguard taxpayer data, it should, among other things, define "tax return preparer" so that "[a]ny employee with access to tax return information should be prohibited from using or disclosing it"; "expand the definition of 'use to include all foreseeable situations where the preparer accesses the information"; "state that use and disclosure are only permissible when relevant and necessary"; inform consumers "before their information is passed to third parties"; and require "disclosing tax return preparers to take affirmative steps to prevent misuse of the information by the third-party recipients. Disclosing preparers should be required to have audited security measures in place to protect the security and authenticity of data."25 Such protections are necessary to protect against improper disclosure of sensitive taxpayer information.
Another problem concerning IRS arose when one of its contractors spent several months improperly collecting information about taxpayers' political party affiliations.26 Washington Sen. Patty Murray, Ranking Member of the Transportation, Treasury, Housing and Urban Development and Judiciary Appropriations Subcommittee of the Senate Appropriations Committee, called the practice an "outrageous violation of the public trust."27 The law forbids IRS from collecting such data. Because IRS did not properly supervise its contractor, this sensitive taxpayer information was improperly gathered. IRS ordered the contractor to discontinue the political party data collection when the agency learned of it from a complaint.28
IRS, in some ways the largest and most powerful of all federal enforcement agencies, also has failed to operate with the transparency necessary for open government. In January, for example, the Transactional Records Access Clearinghouse filed a suit against IRS, stating that since the middle of 2004 the agency had ceased disclosing data about its operations. 29 The agency's withholding violated a permanent court order that required it to disclose to Susan Long, the co-director of TRAC, "statistical data on an ongoing basis about its audit, collection and other enforcement activities." 30 While the agency had generally complied with this 1976 order for several decades, in 2004 it stopped providing the basic enforcement data "even while acknowledging the existence of the court order and its current collection of statistical material that is covered by the order." 31
The agency's poor physical and electronic security systems and lack of oversight of contractors have placed sensitive taxpayer information at risk. IRS has said that it has limited resources to conduct such oversight. In light of this, the agency's refusal to operate with transparency makes it all the more difficult for citizens to hold the agency and its contractors accountable for their actions.
1 Internal Revenue Service, Brief History of IRS, at http://www.irs.gov/irs/article/0,,id=149200,00.html (last visited Mar. 29, 2006).
3 Internal Revenue Service, 2005 Data Book: Oct. 1, 2004 to Sept. 30, 2005, available at http://www.irs.gov/pub/irs-soi/05databk.pdf (last visited Mar. 29, 2006) and http://www.epic.org/privacy/surveillance/spotlight/0306/irs05databk.pdf.
4 Office of Management and Budget, Budget of the United States: Fiscal Year 2007, at 236 (Feb. 2006) available at http://www.whitehouse.gov/omb/budget/fy2007/pdf/budget/budget.zip.
5 See discussion infra.
6 U.S. House of Representatives Government Reform Committee, Federal Computer Security Report Card – 2005, (Mar. 16, 2006), available at http://reform.house.gov/UploadedFiles/Federal%20Computer%20Security%20Report%20Card%20-%202005.pdf (last visited Mar. 29, 2006) and http://www.epic.org/privacy/surveillance/spotlight/0306/fcsrc2005.pdf.
8 U.S. House of Representatives Government Reform Committee, How Grades Were Assigned, (Mar. 16, 2006), available at http://reform.house.gov/UploadedFiles/How%20Grades%20Were%20Assigned.pdf (last visited Mar. 29, 2006) and http://www.epic.org/privacy/surveillance/spotlight/0306/grassign.pdf.
9 Government Accountability Office, Information Security: Continued Progress Needed to Strengthen Controls at the Internal Revenue Service, GAO-06-328 at "Highlights" (Mar. 2006) available at http://www.gao.gov/new.items/d06328.pdf (last visited Mar. 29, 2006) and http://www.epic.org/privacy/surveillance/spotlight/0306/gao06328.pdf ("GAO Report on IRS Computer Security").
10 Id. at 9-15.
11 Id. at 20.
12 Id. at 15.
13 GAO Report on IRS Computer Security at 20, supra note 8.
14 Government Accountability Office, Social Security Numbers: Stronger Protections Needed When Contractors Have Access to SSNs, GAO-06-238 (Jan. 2006) available at http://www.gao.gov/new.items/d06238.pdf (last visited Mar. 29, 2006) and http://www.epic.org/privacy/surveillance/spotlight/0306/gao06238.pdf.
15 Id. at 19.
16 Id. at 25.
18 Testimony and Statement for the Record of Marc Rotenberg, President and Executive Director, Electronic Privacy Information Center, at a Hearing on Social Security Number High-Risk Issues Before the Subcommittee on Social Security of the U.S. House of Representatives Committee on Ways and Means (Mar. 16, 2006) available at http://www.epic.org/privacy/ssn/mar_16test.pdf; EPIC maintains an archive of information about Social Security numbers online at http://www.epic.org/privacy/ssn/.
19 Id. at 4.
21 Department of the Treasury, Internal Revenue Service, Notice of Proposed Rulemaking: Guidance Necessary To Facilitate Electronic Tax Administration — Updating of Section 7216 Regulations, 70 Fed. Reg. 72954 (Dec. 8, 2005).
22 Comments of the Electronic Privacy Information Center, et al., on Notice 2005-93 and REG-137243-02 Concerning Secondary Use of Tax Preparation Data (Mar. 8, 2006) available at http://www.epic.org/privacy/tax/irscom3806.html.
26 Les Blumenthal, IRS tracked taxpayers' political affiliation, News-Tribune, Jan. 6, 2006, available at http://www.thenewstribune.com/news/local/story/5440902p-4912739c.html (last visited Mar. 29, 2006).