Senate tax proposal under scrutiny

The U.S. Senate mulls expanding how the IRS can use the Internet to contact American taxpayers. But privacy and security concerns linger.

The U.S. Senate is nearing a vote on changes to the tax code that are supposed to enhance the way the IRS uses the Internet.

But critics are wondering if the legislation will adequately protect Americans' security and privacy, and whether it's necessary for the IRS to regulate software developers.

At issue are a handful of sections of a massive tax bill--the summary alone is 151 pages--that the Senate Finance Committee approved last week.

One section lets the IRS use the Internet to let Americans know that they're owed tax refunds. Another directs the IRS to regulate any programmer who "develops software that is used to prepare or file a tax return"; the third eliminates privacy safeguards when the IRS opens confidential tax records to the FBI and other police agencies.

If the IRS chooses to use e-mail to alert taxpayers to potential refunds, that could cause problems, technologists warn.

"The preponderance of phishing attempts that involve the IRS is so high that it would be shortsighted for them to think that they could overcome what has obviously been something that has built up over time," said Ron O'Brien, a senior security consultant with the computer security firm Sophos. "People will have to unlearn that which they have already learned."

Scam artists last year began sending phishing e-mails (messages that try to trick the recipient into typing in personal information) purporting to be from the IRS and offering tax refunds. This phishing trick resurfaced during the Independence Day weekend, Sophos says.

At the moment, the IRS rarely uses e-mail to contact individual taxpayers. IRS spokeswoman Michelle Lamishaw said Wednesday that "I don't know what our plans are for potentially changing that process" and declined to comment on the Senate legislation.

Under existing law, the tax agency can use the "press or other media" to deliver such notifications, but it has interpreted the 1976 statute to exclude the Internet. Without the changes proposed by the Senate, the IRS claims it cannot use the Web or e-mail to contact taxpayers about refunds that they're owed.

Awaiting actual text
Complicating the situation is the Senate committee's unusual step of voting on a summary of the tax bill--but not on the actual text, which has yet to be written. That means the final wording of the legislation is still up in the air, even though it's awaiting a floor vote.

A representative of the Senate Finance Committee, chaired by Republican Sen. Charles Grassley of Iowa, said the drafting process is expected to take a few weeks.

Another concern is that legitimate e-mail from the IRS would be flagged as junk e-mail and never delivered. "E-mail is not an authoritative protocol and should never be used to deliver information of importance by itself," said Lance James, chief scientist for Secure Science Corp. and author of a book called "Phishing Exposed." "I hope that if it's caught in spam filters, the IRS would send a letter to back it up."

If the IRS chose to set up a Web site instead of relying on e-mail, other problems could arise. "If the site has vulnerabilities, such as cross-site scripting, or in general just some way that a hacker can get in, then he can use that list to phish," James said. (The bill's summary says that the IRS may use the Internet to disclose a taxpayer's name, and the city, state, and ZIP code of the taxpayer's mailing address.)
