In a comment, badger points to an IRS memorandum released last Friday: AM2015-005, “International Data Exchange Service (IDES) — responsibility for data transmitted under Sections 6103 and 6105, and tax treaties”. (KPMG has a summary.) Large sections of the fourteen-page memorandum have been redacted, including a page-and-a-half from a three-page section discussing technical details of IDES. (In the technology world, this is known as “security through obscurity”.) Nevertheless, the memorandum still contains some amusing revelations, such as this, from page 1:
We understand that earlier in the development of IDES, oral advice was rendered by Counsel that IDES was a sufficiently secure means of transmission so that using it did not give rise to an improper disclosure of tax return information.
As first pointed out by actual security expert Bruce Schneier in February (and as we discussed last month), in the IDES user manual the IRS recommended the use of the insecure ECB mode of AES in order to encrypt FATCA bank account data uploads. (As of the time of this post, that recommendation still appears on the IDES website.)
Above you can see the IRS’ logo “encrypted” using these settings. AES, like all encryption, is secure only when used properly; using ECB mode on plaintext which is far longer than the AES block length and has numerous repetitions — like an image with a plain background, or an XML file — does not qualify as proper usage. Apparently someone in the IRS was worried that the suggestion to use these insecure encryption settings could expose the IRS to liability, but rather than asking tech experts to recommend correct settings, they decided it was a better use of IRS employee time & taxpayer dollars to ask lawyers whether it was illegal to recommend incorrect settings.
Even worse, in the latest update to the IDES FAQ, the IRS instructs banks to use totally unsecured-and-unvetted online tools to reformat the FATCA XML files prior to submitting them to IDES. These tools will send the XML file to privately-operated websites with no encryption whatsoever during transit and no guarantee that the owners of the websites will not misuse the data.
No Section 6103 protection prior to IDES upload
The rest of the memorandum includes a lengthy discussion of whether Section 6103 protection arises at the time a non-U.S. bank uploads FATCA data to IDES, or whether protection only begins at the time the IRS downloads the data. (26 USC 6103, “Confidentiality and disclosure of returns and return information”, makes it illegal for U.S. state and federal government employees, and certain other persons with access to return information, to disclose it except in circumstances provided for by that section.) The IRS lawyers weren’t quite sure either way, because ▇▇▇▇▇▇▇▇.
Under the current facts and circumstances, we believe ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇ that 6103 protection arises on the inbound transfer of information at the time that the information is uploaded to IDES. Furthermore, we believe section 6105 and treaty protections are likely to follow the conclusion under section 6103. We understand that the IRS will likely act as if the information were protected at upload and that business decision would be conservative and justified under the current state of the law.
(Note that the IRS staff redacted the PDF file correctly. Apparently they learned something from the woes of the TSA and HSBC five years ago. They didn’t simply change the background colour of the redacted text to black, but completely removed the words underneath from the PDF file. They take the security of Office of Chief Counsel memoranda quite seriously, even if they don’t care about the security of U.S. Persons’ FATCA data.)
However, one thing that’s quite clear from the memorandum, despite the pages and pages of blacked-out sections, is that the IRS lawyers believe there is no Section 6103 protection for FATCA information collected by banks prior to its upload. Conveniently, this position absolves the IRS of all responsibility for illegal disclosure of FATCA data by banks, even though it’s the IRS which demanded that banks act as agents of the United States government to hunt down U.S. Persons and collect all this information on them in the first place.
Recommends insecure online tools to reformat XML
On 14 July, a few days before releasing the above memorandum, the IRS also posted an update to the IDES FAQ. They added questions about currency rounding (A15), enrollment for testing (B9), URL of test environment (B10), confirmation of receipt of uploads (D12), bug causing missing confirmations (D13), who gets a confirmation when a third-party preparer does the upload (F6), IDES enrollment in Model 1 countries (F7), and third-party preparers serving clients in both Model 1 and Model 2 countries (F8).
The answer to D13 is the most disturbing one from a security perspective:
D13. I uploaded a FATCA Report to IDES 3 days ago and have not received a notification about the status of my FATCA Report. Does the XML format cause a problem?
The IRS has identified a specific scenario where notifications are not issued to filers when certain errors are present. A possible cause for a missing notification is XML that is not formatted and is contained on one continuous line. In this scenario, you can reformat the XML into an acceptable format using a variety of online tools, such as XML Pretty Print. The correctly formatted version of the XML can be resubmitted in a new data packet.
So the IRS’ systems are too broken to handle XML without linebreaks, and IRS staff are recommending random online tools to work around the problem. If you go to the website of XML Pretty Print and look at the source code (apparently more due diligence than the IRS did), you’ll find that it does not operate by running Javascript on the user’s machine to reformat the XML, but requires that the XML be sent over the Internet to their servers:
<form method="POST" action="xml-pretty-printer.php">
<p>
A simple <em>XML pretty printer</em>.
</p>
<p>
Put XML in the text area below, click the "<i>Pretty Print XML</i>" button, and see <em>pretty printed XML</em>.
</p>
<textarea name="xml_data" id="xml_data"></textarea>
<input type="submit" value="Pretty Print XML" />
</form>
For those of you to whom that means nothing: when you press the “Submit” button, this will send the data you pasted in the form over the internet to the URL http://www.xmlprettyprint.com/xml-pretty-printer.php. Recall that a FATCA data submission has names, addresses, account numbers & balances, SSNs, and other such private data. If a bank pastes its FATCA data submission into this form for reformatting as instructed by the IRS and then presses “Submit”, the data will be sent to the operators of the XML Pretty Print website.
Worse yet, note the URL: http not https. It’s been well-known ever since online shopping began to become popular in the 2000s that you do not send private financial information like credit card numbers to websites which do not use TLS (those which do will have an https address), because the credit card number will not be encrypted, and every single server through which your credit card number passes in between your computer and the website can see that data.
Note that I’m not blaming XML Pretty Print’s operator for any of this. His website’s lack of support for TLS is not due to some error he made, but because he chose not to pay for a certificate. He probably put up the website to be helpful to folks who need to reformat configuration files and other similar things which don’t need to be kept private and secure. He certainly had no reason to expect a tax agency to recommend that banks use his website to reformat XML files full of private financial data, and would probably be horrified if he found out that they had. Also, I have not the slightest reason to suspect that he is a dishonest person or that he has any intention of saving the data he receives through that form, let alone doing anything untoward with it.
The blame lies squarely at the feet of the IRS. Bank employees should not be sending private financial information in plain text over the Internet to the operators of random websites. Yet the IRS is recommending precisely that. Their technical staff do not even have the level of common sense of the average online shopper.
FATCA data theft will cause security threats in U.S.
Thanks to FATCA, banks with poor security are sending threatening letters to — and gathering up data from — accidental Americans who have no practical connection to the U.S. and have never held its passport. Some of these poor folks are now struggling to apply for Social Security numbers for the first time to comply with the “Internal” Revenue Code. And the vast majority of them will use their newly-minted SSN for nothing else besides writing it at the top of IRS forms; they will not notice if someone steals it and uses it to obtain credit, or social services, or even a U.S. passport under their name.
If Homelanders are very lucky, the identity thieves who steal these accidental Americans’ data from insecure FATCA-ed banks — whether by hacking or by offering bribes to bank employees — will sell the data only to economic migrants who need an SSN in order to work in the U.S., and not to violent extremists who want to attack the country. Homelanders may not care that FATCA threatens the security of U.S. Persons in other countries, but perhaps they’ll care if it threatens their own necks?
Thanks for the excellent write-up on Fatca data security issues.
Robert Stack, Mark Mazur, et al. should focus on improving data security not just for the sake of others but for their own sake. They should reflect on the fact that a Fatca data breach could have serious personal consequences for a US Person in the wrong country and that it is still an acceptable practice for blood feuds to settle scores in some parts of the world.
As a heads-up, I would encourage Robert Stack, Mark Mazur and others who play a role in Fatca data security to review the case of Peter Nielsen, an air traffic controller, who was murdered in Switzerland in 2004 by Vitaly Kaloyev, a Russian. Mr Nielsen was on duty the night that two airplanes collided in German airspace killing 71 on-board, including Mr Kaloyev’s wife and two children. Possibly they will dismiss this line of thinking with “residual risk” but they should still consider that they could be held personally liable for data breaches in some parts of the world.
An add-on to this tragic story is that after Mr Kaloyev received a hero’s welcome in his region of Russia after release from a Swiss prison.
http://www.nytimes.com/2012/07/01/world/europe/killer-of-air-traffic-controller-barred-from-crash-memorial.html
The opinion of the US Department of Justice and US District Court for the Central District of California is that there is no Section 6103 protection of any US tax return information. Their opinion is that the US Department of Justice acted in accordance with the law by filing a tax return as an exhibit without redaction and without sealing, where anyone with a credit card could download it. Hackers are working too hard; they can get social security numbers and everything else they need from PACER.
(P.S. The US DOJ’s exhibit proved that my return complied 100% with instructions from the IRS, but courts didn’t care about that either.)
“Some of these poor folks are now struggling to apply for Social Security numbers for the first time to comply with the “Internal” Revenue Code.”
No need. Well wait, they need to apply, but they don’t need the Social Security Administration to issue one. The opinion of the US Department of Justice and US Court of Appeals for the Federal Circuit is that when the Social Security Administration neither grants nor rejects and application for SSN and the IRS rejects applications for ITIN, the return still has to provide an SSN anyway. The only way to comply with an appeals court is to fabricate an SSN. Do it.
(But don’t do it if you live in the US, because at least one numbered circuit court makes it illegal to fabricate an SSN. US Supreme Court is said to take an interest in conflicts between circuits, but they didn’t.)
Updated post with comments about latest IDES FAQ, which I didn’t see until after I’d made the initial post. It’s worse than I thought. This is no longer at the level of “obscure encryption problems”: the author told banks to send FATCA XML files in plain text to operators of random websites for reformatting. Whoever wrote that FAQ answer is completely incompetent and should not be allowed within shouting distance of a computer at any institution which deals with private financial data.
“Whoever wrote that FAQ answer is completely incompetent and should not be allowed within shouting distance of a computer at any institution which deals with private financial data.”
1) Brucer Schneier might be interested in this latest “unsafe and unsound” data handling practice.
2) Bank regulators and government data protection agencies around the world might also want to know how the IRS has advised banks to reformat personal financial data in this reckless way.
3) Continued exposure of these unsafe practices makes the IRS look “dumb as s—” which can serve a useful purpose.
This is nothing more than PR security. When this data is finally hacked or stolen from a bank or probably the IRS itself, what is the US Government going to do about it? Give everyone free identity fraud checking services like all those federal employee records that have gone missing.
Stick FATCA.
I made the ‘mistake’ one year of filing my US tax return on line but have now gone back to filing in paper by courier.
Just look at the compromises that have happened to the OPM, the IRS and of course Sony, Target, Anthem …
This is just an accident waiting to happen with FATCA with just a ‘Oh Sorry’ in response from the USG.
Unless I’m misinterpreting his comment below, IRS Commissioner Koskinen only cares that other nations treat data destined to LEAVE the US securely, and won’t release any reciprocal information on those nation’s taxpayers until the IRS is satisfied those nations have the appropriate safeguards in place. In other words, no reciprocity until the IRS says so? From what you’ve revealed about the IRS’s ineptness, Eric, does the IRS even have the expertise to make those determinations?
“Where a jurisdiction has a reciprocal IGA and the jurisdiction has the necessary safeguards and infrastructure in place, the IRS will also use IDES to provide similar information to the host country tax authority on accounts in U.S. financial institutions held by the jurisdiction’s residents,” Koskinen said.
http://www.thinkadvisor.com/2015/02/02/irs-international-data-exchange-service-open-for-f
Though too bad the rest of our countries don’t follow the same reciprocity guidelines — real reciprocity. What our countries will allow is appalling as they grovel to the US$ and throw their own citizens and residents under whatever bus is coming by. Everything the US is doing goes through the funnel of FATCA so their own rules. The US will never realize the hypocrisy of it all.
@bubblebustin: I foresee either (or possibly both) of two things happening.
1. Nearly all “partner country” systems will pass the security assessment whether or not their systems are actually secure. The assessment will mostly be for security theatre rather than actual security. “Highly trained IRS experts” will check that the computer doesn’t have any parts which resemble a nail file and isn’t carrying liquids in containers bigger than 100ml, and the officials will purchase millions of dollars of goods and services from their favourite outside contractors in order to carry out their security assessments.
2. The process of assessing whether or not the “partner country” systems are secure will itself become politicised; the IRS will pass certain countries quite easily while conducting much more stringent assessments of other countries, depending on how “cooperative” those countries are in other areas.
Laughing through my tears, Eric.
It doesn’t matter what security measures the IRS claims to have put into place. If US Federal Employees only get a ‘oh sorry’ what can ex-pats realistically expect?
“I made the ‘mistake’ one year of filing my US tax return on line but have now gone back to filing in paper by courier.”
That doesn’t help much. I filed on paper but still got robbed by Monica Hernandez and her colleagues.
Thanks @eric, it is all too technical for me, but appreciate the time and effort you took to educate us.
@badger: thanks for the kind words. Non-technical analogy: the IRS is telling banks to print your bank account information on postcards and mail it to random people they found in the phonebook. Those random people will spellcheck the account information and send it back to the bank on another postcard. The IRS has not done any background checks on the random people in the phonebook and has no guarantee they will not take copies of the account information before sending it back.
Also, images of the postcards will be posted for anyone to view.
@Eric
Awesome investigative work, Eric! And your phonebooks and postcards analogy is perfect. I shudder to think, no doubt accurately, that this IRS display of utter ignorance about internet data security best practices is endemic to virtually all US Government departments and agencies. The popular recipe calls for a mere spoonful of Executive Branch hubris stirred into a vat full of bureaucratic incompetence.
I forwarded this thread to my work colleague who manages our IT, including internet and data security. His response: “Oh. My. God.”
“IRS Legal Advice Holds that Information Protection Arises at IDES Upload”
I can’t find my decoder ring, Eric. Can you use one of your great analogies here if this is something new?
http://www.fsitaxposts.com/2015/07/23/irs-legal-advice-holds-that-information-protection-arises-at-ides-upload/
Another symptom of the increasingly-obvious fact that the IRS has complete idiots writing its FAQs. They just write anything they want, don’t get anyone with legal or technical knowledge to check it, and then tens of thousands of FFIs gobble it up like it were the gospel truth. Found by PatCanadian:
http://www.bna.com/fatca-versus-igas-n17179934450/
Discussion here:
http://isaacbrocksociety.ca/2014/06/26/please-provide-in-this-post-questions-big-canadian-banks-will-ask-new-account-holders-on-july-2-2014/comment-page-21/#comment-6364035
@Eric
Maybe this is a case of the IRS applying appropriate procedures to inappropriate legislation.
And here is more recent CYA evidence of IRS willfulness:
‘Identity Protection Services After FATCA Security Breaches….. IRS’ Generosity Knows No Bounds! ‘
August 16, 2015
“Data Breaches and Identity Protection Services – Taxable by the IRS?
I believe it is just a matter of time before personal information mandated by the FATCA reporting rules will be compromised in a data breach. When that happens, one would hope that the relevant financial institution will step up to the plate and provide identity protection services to the victims. Such services typically include credit reporting and monitoring services, identity theft insurance policies, identity restoration services, or other similar services.
The question arises whether the value of providing such identity protection services free of charge to the individuals whose personal information may have been compromised in a data breach is taxable income to that individual. Existing guidance does not specifically address the question.
In its largesse, IRS just announced that it will not assert that an individual whose personal information may have been compromised in a data breach must include in gross income the value of the identity protection services provided by the organization that experienced the data breach. ….”……..
http://blogs.angloinfo.com/us-tax/2015/08/16/identity-protection-services-after-fatca-security-breaches-irs-generosity-knows-no-bounds/
What about when IRS employees are the ones committing identity theft, and (independently) the IRS is the one publicly revealing information used for identity thief? Does the IRS have to provide double identity protection services? No they don’t have to, so that doesn’t give us any data points on whether the services would be taxable.
@Eric,
Re IDES;
Thought you might be interested in some remarks by Koskinen which were cited recently by Patrick K. Martin’s blog response to some very astute questions put by Trish Moon (bravo and many ongoing thanks to you Trish! ) p://tax-expatriation.com/2015/08/28/letter-from-your-non-u-s-bank-regarding-chapter-4-of-subtitle-a-of-the-u-s-internal-revenue-code-aka-fatca/comment-page-1/#comment-7657
Martin’s response cites in part remarks by IRS Commissioner Koskinen on FATCA and IDES
(IF you feel comfortable visiting the IRS website and you want the IRS web link it is http://www.irs.gov/PUP/irs/Commissioner%20Koskinen%27s%20Remarks%20at%20US%20CIB%20and%20OECD%20Int%20Tax%20Conf%20June%202014.pdf otherwise, Koskinen’s remarks are reproduced here ).
Koskinen claims re IDES; “…we take very seriously the need to ensure that the financial data transmitted through IDES will be transmitted securely, kept confidential, and used only for tax purposes. Protecting this information and assuring its intended use must be our number-one goal. Toward that end, we designed IDES to include state-of-the-art encryption protocols, and we developed a set of safeguard standards addressing the security and use of data once it is received by a government….”……”during the past several months, we have been conducting bilateral meetings with each one of our reciprocal FATCA partners to ensure that our safeguard needs are understood and that we and our partners achieve a high level of comfort that FATCA data will be kept confidential and used only for tax purposes, as our treaty and information exchange agreements contemplate.”……
If you don’t want to click through to the IRS link, it was cited and Koskinen’s remarks were quoted in the blog author’s response to Trish’s comment at;
http://tax-expatriation.com/2015/08/28/letter-from-your-non-u-s-bank-regarding-chapter-4-of-subtitle-a-of-the-u-s-internal-revenue-code-aka-fatca/comment-page-1/#comment-7657
Would be very interesting to know what the discussions were between the IRS and the FATCA signatories re IDES, because the IRS has already been chastised by the GAO several times because of its lack of sufficient security for the data it already collects at home in the US. The latest is here
‘ Information Security: IRS Needs to Continue Improving Controls over Financial and Taxpayer Data ‘
GAO-15-337: Published: Mar 19, 2015. Publicly Released: Mar 19, 2015.
http://www.gao.gov/products/GAO-15-337 . The FATCA signatory governments including Canada are totally incompetent if they are not aware that the US Patriot Act provisions override any lame privacy assurances the US might make anyway, once the data crosses into the US. It is already an ongoing issue inside the US (ex. see http://www.washingtontimes.com/news/2015/mar/25/editorial-congress-must-correct-patriot-act/ ). It is difficult to believe that the FATCA signatories are not completely aware of the intent and effect of the Patriot Act on the data non-US countries will be shipping to the US, as the effect of the Patriot Act on Canadian residents’ personal information has already been raised in various venues such as BC (see; ‘Privacy and the USA Patriot Act Implications for British Columbia Public Sector Outsourcing’ https://www.oipc.bc.ca/special-reports/1271 ). We know that the US Patriot and other US laws have been an ongoing concern of EU MEPs such as Sophie in’t Veld http://www.europarl.europa.eu/sides/getDoc.do?type=CRE&reference=20120215&secondRef=ITEM-019&language=EN and has been brought to the attention of the EU Parliament several times.
That the US Patriot Act would apply to data remitted to the US once it enters into US hands was confirmed by remarks made by Prof. Arthur Cockfield https://dl.dropboxusercontent.com/s/60r4kgrxxtjd84g/24%20panel%204%20speaker%203%20Arthur%20Cockfield.mp3?dl=1&token_hash=AAEq-FGCh2XKKlaQeihquw8wyLnJO5OH2zPcfOHG6pyTYQ at the Privacy Commissioner of Canada’s sponsored event https://ccla.org/pathways2privacy/ Pathways 2 Privacy Symposium 2014 as well as raised years earlier in the 2004 report ; ‘Privacy and the USA Patriot Act
Implications for British Columbia Public Sector Outsourcing’ ( https://www.oipc.bc.ca/special-reports/1271 PDF online ).
That the Canadian government (and no doubt other FATCA signatories) are entirely aware of the interactions between FATCA and the US Patriot Act is in no doubt, as they have been told ( ex. https://openparliament.ca/committees/finance/41-2/31/murray-rankin-25/ https://openparliament.ca/committees/finance/41-2/31/murray-rankin-24/ ).
@ badger
It’s not incompetence. It’s outright disregard for the “known knowns”. We know that they know all about the sharing with no caring provisions of the US Patriot Act. After all they used it as a model for Bill C-51. The Harper regime is bad to the bone. Privacy, to them, needs only to exist in their inner sanctum and in their dirty deals with the global corporate empire. For everyone else, everywhere else, all must be revealed. Damn control freaks! I’m quite grumpy today because last night I was reading about yet another scheme to extract and exploit precious, private information about people. This time it’s about medical records. It’s called Smart911 and its made to sound oh so benevolent but I can see no good coming from passing even more information to a police department. Beware of anything with “SMART” attached. It’s usually a 5-letter word for “SPY”.
@Embee, what is also very depressing is that this is only the parts we find out about, the bare minimum that comes to light or that we have access to – it is the bare tip of the iceberg. The silver lining of awareness is only that it confirms that we have reason to be vigilant and critical – there is so much that goes on behind our backs as citizens and taxpayers. And hidden from us deliberately by this and other governments . The relationship between the person and the state appears to be essentially an adversarial one as the state exists more and more for its own purposes and solidifies and exploits the power we ‘lend’ it to achieve its own ends. I am more skeptical than ever about governments. And there are the individuals like Harper who are less and less inclined to even pretend to hide that they see our government as their own personal weapon and tool to refashion things to conform to their own vision of the world, and to provide themselves and their allies with ill gotten gains at our expense.