Senate tax proposal under scrutiny

The U.S. Senate is nearing a vote on changes to the tax code that are supposed to enhance the way the IRS uses the Internet.

But critics are wondering if the legislation will adequately protect Americans' security and privacy, and whether it's necessary for the IRS to regulate software developers.

At issue are a handful of sections of a massive tax bill--the summary alone is 151 pages--that the Senate Finance Committee approved last week.

One section lets the IRS use the Internet to let Americans know that they're owed tax refunds. Another directs the IRS to regulate any programmer who "develops software that is used to prepare or file a tax return"; the third eliminates privacy safeguards when the IRS opens confidential tax records to the FBI and other police agencies.

If the IRS chooses to use e-mail to alert taxpayers to potential refunds, that could cause problems, technologists warn.

"The preponderance of phishing attempts that involve the IRS is so high that it would be shortsighted for them to think that they could overcome what has obviously been something that has built up over time," said Ron O'Brien, a senior security consultant with the computer security firm Sophos. "People will have to unlearn that which they have already learned."

Scam artists last year began sending phishing e-mails (messages that try to trick the recipient into typing in personal information) purporting to be from the IRS and offering tax refunds. This phishing trick resurfaced during the Independence Day weekend, Sophos says.

At the moment, the IRS rarely uses e-mail to contact individual taxpayers. IRS spokeswoman Michelle Lamishaw said Wednesday that "I don't know what our plans are for potentially changing that process" and declined to comment on the Senate legislation.

Under existing law, the tax agency can use the "press or other media" to deliver such notifications, but it has interpreted the 1976 statute to exclude the Internet. Without the changes proposed by the Senate, the IRS claims it cannot use the Web or e-mail to contact taxpayers about refunds that they're owed.

Awaiting actual text
Complicating the situation is the Senate committee's unusual step of voting on a summary of the tax bill (click for PDF)--but not on the actual text, which has yet to be written. That means the final wording of the legislation is still up in the air, even though it's awaiting a floor vote.

A representative of the Senate Finance Committee, chaired by Republican Sen. Charles Grassley of Iowa, said the drafting process is expected to take a few weeks.

Another concern is that legitimate e-mail from the IRS would be flagged as junk e-mail and never delivered. "E-mail is not an authoritative protocol and should never be used to deliver information of importance by itself," said Lance James, chief scientist for Secure Science Corp. and author of a book called "Phishing Exposed." "I hope that if it's caught in spam filters, the IRS would send a letter to back it up."

If the IRS chose to set up a Web site instead of relying on e-mail, other problems could arise. "If the site has vulnerabilities, such as cross-site scripting, or in general just some way that a hacker can get in, then he can use that list to phish," James said. (The bill's summary says that the IRS may use the Internet to disclose a taxpayer's name, and the city state, and ZIP code of the taxpayer's mailing address.)

What's also unclear are the additional powers the IRS would receive to regulate computer programmers who write tax-related software.

Because the actual bill hasn't been written yet, details remain fuzzy. At the very least, though, federal law would probably be amended to treat such programmers as "tax return preparers," who face criminal penalties for disclosing or making use of confidential information.

Intuit, which sells the popular TurboTax software, says it doesn't have "a complete understanding of their proposal because it hasn't been fully fleshed out."

Nevertheless, company spokeswoman Julie Miller said, "Intuit has always placed the privacy and security of our customers' data as a top priority, and we would certainly welcome and comply with anything that even made privacy protection for taxpayers stronger and more clear."

Tom Ochsenschlager, vice president of taxation for the American Institute of Certified Public Accountants, said that programmers and technologists should be regulated. "I think it is important that they expand the definition of tax preparer to cover particularly these electronic situations, otherwise there would be kind of a loophole here that would permit taxpayer information to go all over the place," he said.

Revising privacy protection
A third section of the tax bill would weaken the privacy protections that currently guard Americans' tax returns.

Current law 26 USC 6103(i)(3)(B) permits the IRS to open its records to federal police in an emergency--but says law enforcement must abide by certain privacy safeguards. Those include maintaining a "permanent system" of records showing who perused the data; creating a "secure area" to view the information; restricting access to people whose duties "require" it; and returning or destroying tax return data when done. Congress must receive annual reports (click for PDF) with summaries.

Those privacy protections would be eliminated. In addition, state and local law enforcement would be granted emergency access to tax returns as well (and would not be subject to the current oversight rules either).

James Maule, a professor at Villanova University who teaches tax law and writes a blog on the topic, says the elimination of the privacy and security safeguards is worrisome. "Why would (keeping the safeguards) be a challenge?" Maule said. "What is the difficulty of the recipient keeping logs?"

Mark Luscombe, principal tax analyst at CCH, an Illinois-based provider of tax and related services, said the sprawling Senate bill was something of a surprise because it started as a one-page proposal to repeal the Spanish-American War tax on telecommunications. (A congressional tax committee and the IRS have proposed extending that tax to the Internet.)

"Suddenly it's a huge tax bill," said Luscombe, adding that the House of Representatives may not see eye-to-eye with the Senate committee on all of the sections.

"You never know how these negotiations will sort out, but it doesn't look to me like this piece of legislation has a very bright future, at least in its present form," Luscombe said.