July 6, 2006 4:00 AM PDT

Senate tax proposal under scrutiny

The U.S. Senate is nearing a vote on changes to the tax code that are supposed to enhance the way the IRS uses the Internet.

But critics are wondering if the legislation will adequately protect Americans' security and privacy, and whether it's necessary for the IRS to regulate software developers.

At issue are a handful of sections of a massive tax bill--the summary alone is 151 pages--that the Senate Finance Committee approved last week.

One section lets the IRS use the Internet to let Americans know that they're owed tax refunds. Another directs the IRS to regulate any programmer who "develops software that is used to prepare or file a tax return"; the third eliminates privacy safeguards when the IRS opens confidential tax records to the FBI and other police agencies.

If the IRS chooses to use e-mail to alert taxpayers to potential refunds, that could cause problems, technologists warn.

"The preponderance of phishing attempts that involve the IRS is so high that it would be shortsighted for them to think that they could overcome what has obviously been something that has built up over time," said Ron O'Brien, a senior security consultant with the computer security firm Sophos. "People will have to unlearn that which they have already learned."

Scam artists last year began sending phishing e-mails (messages that try to trick the recipient into typing in personal information) purporting to be from the IRS and offering tax refunds. This phishing trick resurfaced during the Independence Day weekend, Sophos says.

At the moment, the IRS rarely uses e-mail to contact individual taxpayers. IRS spokeswoman Michelle Lamishaw said Wednesday that "I don't know what our plans are for potentially changing that process" and declined to comment on the Senate legislation.

Under existing law, the tax agency can use the "press or other media" to deliver such notifications, but it has interpreted the 1976 statute to exclude the Internet. Without the changes proposed by the Senate, the IRS claims it cannot use the Web or e-mail to contact taxpayers about refunds that they're owed.

Awaiting actual text
Complicating the situation is the Senate committee's unusual step of voting on a summary of the tax bill--but not on the actual text, which has yet to be written. That means the final wording of the legislation is still up in the air, even though it's awaiting a floor vote.

A representative of the Senate Finance Committee, chaired by Republican Sen. Charles Grassley of Iowa, said the drafting process is expected to take a few weeks.

Another concern is that legitimate e-mail from the IRS would be flagged as junk e-mail and never delivered. "E-mail is not an authoritative protocol and should never be used to deliver information of importance by itself," said Lance James, chief scientist for Secure Science Corp. and author of a book called "Phishing Exposed." "I hope that if it's caught in spam filters, the IRS would send a letter to back it up."

If the IRS chose to set up a Web site instead of relying on e-mail, other problems could arise. "If the site has vulnerabilities, such as cross-site scripting, or in general just some way that a hacker can get in, then he can use that list to phish," James said. (The bill's summary says that the IRS may use the Internet to disclose a taxpayer's name, and the city, state, and ZIP code of the taxpayer's mailing address.)


14 comments

such email should be encrypted
Email on its way can be read by anyone on the way. It may also be stored on the way, and there is no guarantee that the equipment used to temporarily store it would not eventually get to the wrong heads (e.g., a disk would be replaced, but old deleted data on it can still be read with proper equipment). Email routed between two points in one country can pass through another country.
Posted by hadaso (468 comments )
Make tax processes better by removing security?
For whom, exactly, does removing security make the tax process easier and more secure? Let's look again in case you missed it:

"One section lets the IRS use the Internet to let Americans know that they're owed tax refunds. Another directs the IRS to regulate any programmer who "develops software that is used to prepare or file a tax return"; a third lets the IRS open confidential tax records to the FBI and other police without maintaining logs of who saw what information."

One of these things is not like the other
One of these things just doesn't belong

Did you spot it? Use the mighty WAN referred to as the interweb for communications; novel, but it just might work. Regulate production of software relating to taxes; I kinda thought that might be done already. REMOVE security put in place to protect the (innocent until proven guilty) public's information collected through tax processes; What? How does this benefit the taxpayer? How (in a world where data machines are the new cool toy) exactly is it just too gosh-golly much work to require a supena (spelling?), maintain a sign-in log and afterward destroy printed copy? Perhaps this would be too much to ask if the NSA was going to audit every citizen. After all, that means recording evidence that the No Such Agency exists and operates with the understanding that everyone is guilty until proven innocent.

But we know how this plays out in the end; it's for the good of the nation. No, how about to support the war on child abuse. Wait, sorry, now it's to support the war on terrorism.

But still the nagging questions:
Why does the FBI need unfettered access to taxpayers' information?
Why is it too much to ask that their reasons be reviewed by a judge?
Why is it too much to ask that a log be kept of who looked at information on whom?

As for the IRS plan to use the internet; I'm surprised they hadn't caught on to this whole "interweb" thing earlier. Sure anyone who's been online for more than a minute is going to be suspicious of any email referring to money and rightly so. Encrypted email would be nice and soon enough will become the norm but currently the number of people who bother to or understand encrypting of email is pretty small. Email obviously would have to be done in such a way as not to include personal information (banks seem to do it well enough) and to be backed up with mailed documents. The webserver idea should be easier to implement since any server going online today has the same security threats as a publicly accessed IRS server would; hire a good admin and research the best apps and config practices.
Posted by jabbotts (492 comments )
Government "Security"?
We are talking about the same government that could not keep 26 million names, addresses and social security numbers of veterans out of the hands of common thieves, right?

Let me send all the employees of the federal government a message: You are a bureaucrat. Nothing you do is so important that, if not done by 5:00 PM, cannot wait until the morrow. Neither you, nor your work, are important enough to potentially jeopardize even one citizen's personal information.

Understand?
Posted by Too Old For IT (351 comments )
A great victory for crooks.
Wow. This would be a computer villain's dream come true. They could just impersonate the IRS to send all kinds of spam with viruses, data stealing programs etc... Encryption? No problem. The bad guys can just encrypt viruses etc... with their encrypted bogus email. I can't think of anything more "terrifying" than a government that doesn't have its citizenry's best interest in mind and all the tools to work against that interest.
Posted by MrHandle (71 comments )
An accident waiting for a place to happen!
Dumb people make the same mistakes over and over.

Smart people learn from their own mistakes.

Intelligent people learn from others' mistakes.

That said... the IRS is definitely DUMB!!!

Nuff said. (* GRIN *)

FWIW
Posted by wbenton (522 comments )
Privacy concerns?
This is the same government who is wiretapping their citizens, is pushing to watch Internet habits and reading personal emails?

Why would privacy even be a concern at this point?
Posted by richtestani (23 comments )