In a comment, badger points to an IRS memorandum released last Friday: AM2015-005, “International Data Exchange Service (IDES) — responsibility for data transmitted under Sections 6103 and 6105, and tax treaties”. (KPMG has a summary.) Large sections of the fourteen-page memorandum have been redacted, including a page-and-a-half from a three-page section discussing technical details of IDES. (In the technology world, this is known as “security through obscurity”.) Nevertheless, the memorandum still contains some amusing revelations, such as this, from page 1:
We understand that earlier in the development of IDES, oral advice was rendered by Counsel that IDES was a sufficiently secure means of transmission so that using it did not give rise to an improper disclosure of tax return information.
As first pointed out by actual security expert Bruce Schneier in February (and as we discussed last month), in the IDES user manual the IRS recommended the use of the insecure ECB mode of AES in order to encrypt FATCA bank account data uploads. (As of the time of this post, that recommendation still appears on the IDES website.)
Above you can see the IRS’ logo “encrypted” using these settings. AES, like all encryption, is secure only when used properly. ECB mode encrypts each 16-byte block independently, so identical plaintext blocks produce identical ciphertext blocks; using it on plaintext which is far longer than the AES block length and has numerous repetitions — like an image with a plain background, or an XML file — does not qualify as proper usage, because the repetition in the plaintext shows through in the ciphertext. Apparently someone in the IRS was worried that the suggestion to use these insecure encryption settings could expose the IRS to liability, but rather than asking tech experts to recommend correct settings, they decided it was a better use of IRS employee time and taxpayer dollars to ask lawyers whether it was illegal to recommend incorrect settings.
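To make the logo picture concrete for an XML upload, here is an added example in Go (it is not code from the IDES manual or from this post, and uses only the standard library). It encrypts a constructed FATCA-style fragment consisting of one 16-byte element repeated eight times, once in ECB and once in CBC, and counts how many distinct ciphertext blocks each mode produces. The key, the IV and the sample XML are all constructed demo values; a real deployment would draw the IV from crypto/rand.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed sample: a FATCA-style XML fragment with one 16-byte element repeated
// eight times, so every plaintext block is identical (hypothetical data, not IRS data).
var sampleXML = []byte(strings.Repeat("<Amt>00000</Amt>", 8))

// pkcs7Pad pads data to a multiple of the AES block size, always appending
// at least one byte so the padding is unambiguous on removal.
func pkcs7Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// ecbEncrypt is AES-ECB: each 16-byte block is encrypted independently, so equal
// plaintext blocks give equal ciphertext blocks. Go's standard library deliberately
// provides no ECB mode; this loop is all ECB is.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return out, nil
}

// cbcEncrypt is AES-CBC: each block is XORed with the previous ciphertext block
// before encryption, so repetition in the plaintext is not visible in the output.
// The IV must be unpredictable and never reused under the same key; callers should
// draw it from crypto/rand and transmit it alongside the ciphertext.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("iv must be %d bytes", aes.BlockSize)
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// distinctBlocks counts how many different 16-byte ciphertext blocks appear.
// Under ECB this equals the number of distinct plaintext blocks, which is
// exactly the structure leak the "encrypted logo" makes visible.
func distinctBlocks(ct []byte) int {
	seen := make(map[string]struct{})
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])] = struct{}{}
	}
	return len(seen)
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit demo key, not a real one
	iv := []byte("fedcba9876543210")  // fixed only so the demo is reproducible

	ecb, _ := ecbEncrypt(key, sampleXML)
	cbc, _ := cbcEncrypt(key, iv, sampleXML)

	fmt.Printf("plaintext blocks:               %d\n", len(pkcs7Pad(sampleXML))/aes.BlockSize)
	fmt.Printf("ECB distinct ciphertext blocks: %d\n", distinctBlocks(ecb))
	fmt.Printf("CBC distinct ciphertext blocks: %d\n", distinctBlocks(cbc))
	for i := 0; i < 3*aes.BlockSize; i += aes.BlockSize {
		fmt.Printf("ECB block %d: %s\n", i/aes.BlockSize, hex.EncodeToString(ecb[i:i+aes.BlockSize]))
	}
}
```

Nine padded blocks go in; ECB yields only two distinct ciphertext blocks (the repeated element and the padding block), while CBC yields nine. Anyone holding the ECB ciphertext can therefore see which account records are identical without a key. CBC is shown here only because it is the simplest contrast to ECB; for a new design an authenticated mode such as AES-GCM (cipher.NewGCM in Go) is the usual choice, since it also detects tampering.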
Even worse, in the latest update to the IDES FAQ, the IRS instructs banks to use totally unsecured-and-unvetted online tools to reformat the FATCA XML files prior to submitting them to IDES. These tools will send the XML file to privately-operated websites with no encryption whatsoever during transit and no guarantee that the owners of the websites will not misuse the data.