Luring Taxpayers Online

GAO also faulted the IRS for not encrypting transmissions from e-file transmitters to its e-file systems. This transmission occurs over the public switched network, the telephone network used by millions every day. The IRS disputed this encryption requirement, arguing that sensitive business frequently is conducted over the phone. The only difference, IRS officials contended, is that e-filing sends data instead of voices through the phone network.
Congress expects 80 percent of tax returns to be filed electronically by 2007. To get there, the IRS must surmount security and privacy challenges.

Terry Lutes, director of the Electronic Tax Administration at the IRS, hears voices. "The security folks whisper in one of my ears while the privacy folks whisper in the other," Lutes says. As the IRS seeks to lure more taxpayers online, Lutes must listen carefully to Security Director Len Baptiste and Privacy Advocate Peggy Irving.

Taxpayers now have two options for filing returns electronically: Telefile and e-file. Only taxpayers eligible to file the 1040EZ form can use the telephone-based Telefile system. More than 4 million 2000 tax returns came in via Telefile during the 2001 filing season.

Taxpayers with more complicated returns can use the e-filing approach, making it far more popular: for the 2001 filing season, 39.5 million taxpayers used e-file. E-filers can use commercial tax software such as TurboTax and Kiplinger TaxCut to do their own taxes or they can work through tax preparation services such as H&R Block Inc. or Jackson Hewitt Inc. E-filing is not entirely paperless. Tax forms are submitted electronically, but taxpayers still must provide the IRS with paper-based signatures endorsing their returns.

The IRS is counting on electronic filing as its future. E-filing began in 1986 with 25,000 returns. As part of the 1998 IRS Restructuring and Reform Act, Congress told the IRS it should receive 80 percent of its filings electronically by 2007. The agency receives about 150 million returns a year and collects $1.9 trillion in taxes. Lutes had hoped to receive more than 40 million electronic returns in 2001 but came up short at 39.5 million. From 1998 to 2000, returns received by the e-file and Telefile systems increased about 20 percent each year, while rising only 13 percent in 2001.

The IRS has staked so much on e-filing because of its benefits for the agency and for taxpayers. Electronically filed returns tend to be more accurate than paper returns. The information is transmitted, received and stored electronically, reducing the potential for data entry errors by IRS employees. E-filers also get tax refunds more quickly than those who file the old-fashioned way.

To catapult the number of electronically filed returns from tens of millions today to more than 100 million by 2007, the IRS must overcome taxpayers' fears about putting their financial information online. The agency must ensure that its e-filing system is secure and that it will protect the privacy of taxpayers. That's likely to be a tough task, especially in light of recent revelations about the vulnerability of the e-filing system.

Early this year, the General Accounting Office found that "unauthorized individuals, both internal and external to IRS, could have gained access to IRS' electronic filing systems and viewed and modified taxpayer data contained in those systems in 2000." A March report, "Information Security: IRS Electronic Filing Systems" (GAO-01-306), says the IRS lacks adequate controls to "ensure the security of its electronic filing systems and electronically transmitted taxpayer data."

What's more, the IRS has no idea whether anyone breached the electronic filing system because the agency had no intrusion detection systems. GAO discovered numerous other security lapses in IRS' e-file infrastructure.

  • Perimeter defenses were inadequate, making it easier for intruders to access systems.
  • Operating system configuration problems on e-file supporting systems permitted "the use of several risky and unnecessary services that could have aided an intrusion attempt."
  • The password management policy was lax. GAO auditors guessed many passwords and found others written down and posted in clear view at one IRS data processing facility.
  • GAO found that contrary to IRS' "need-to-know policy," e-file users "with no need for access . . . could have viewed and modified . . . [tax returns]."

E-filing data is encrypted when it travels on the Internet, notes IRS security chief Baptiste. Tax filing software and tax preparers use the Internet to send taxpayers' data to a transmitter, which then uses the phone network via modem connections to contact the IRS. This transmission is protected by secure socket layer encryption, the same service that protects most online purchases. "We operate under the assumption that the public switched network is a secure network," Baptiste says.

After GAO released its findings, the IRS scrambled to assure taxpayers the system was safe for e-filing this spring. "As GAO found issues we corrected them," Lutes says. "In fact, we addressed the issues before the report ever came out."

"We've mitigated all of the serious weaknesses," Baptiste says. "There is always going to be some element of risk just because of the dynamic environment in which we are dealing."

Baptiste's security staffers did more than focus on the vulnerabilities discovered by GAO; they created a security certification program for new initiatives. All new information technology will have security features built in from the outset rather than being retrofitted. "We do a security review whenever there are any modifications to new [projects]," Baptiste says. "Then we revisit the projects every three years."

The IRS also established a computer incident response team that monitors agency networks round the clock. "Our goal is to be as secure as is feasible," Baptiste says. "Whenever someone tells you they are totally secure, my contention is that they are probably not as secure as they think they are. There are new risks popping up every day." Baptiste says the incident response team is more actively monitoring systems dedicated to e-filing than in previous years.

The IRS also is beefing up its privacy policies in the wake of GAO's findings. Because IRS collects Social Security numbers, names, addresses and income information, privacy is a key consideration for the agency. "American taxpayers could be exposed to a loss of privacy and to financial loss and damages resulting from identity theft and financial crimes, should this information be disclosed to unauthorized individuals," GAO found.

"I believe privacy is the No. 1 concern of the American public," says IRS privacy advocate Peggy Irving. "If you look at the two places in government with the most sensitive citizen information, it resides in the medical data held by the Health and Human Services Department and the financial data held by the IRS. It's a challenge to earn the trust of the American public in the face of our mission."

The IRS elevated the importance of confidentiality by moving responsibility for its privacy policy from information systems to the communications and public relations staff. "The executive steering committee wanted to emphasize privacy as a strategic value, not as just an afterthought," Irving says. She also has begun questioning whether the IRS should be collecting all the information that it does. "We have to ask, 'Should we even have the information in the first instance?'" she says. Soon, Irving adds, the IRS will collect "just the information needed to perform business."

Irving understands taxpayers' reluctance to embrace e-filing. "It's a 'Big Brother' kind of issue with the question being, 'What do you have on me?' on the part of the taxpayer," she says. Yet, like paper-based returns, e-filed returns fall under the 1997 Taxpayer Browsing Protection Act, which prevents IRS employees from looking at individual returns without an official reason. "Not everybody gets to see everything," Irving says.

IRS privacy protections reinforce the agency's security efforts. "It's common now for organizations to use privacy to leverage security," says Rich Stiennon, a security analyst with the Gartner Group, a Stamford, Conn., market research firm. "Any organization that has data on individuals is being made accountable for keeping data private. The only way to do that is to have good security controls."
