(pdf)
On June 8, ProPublica released a report analyzing the tax records of some of the wealthiest taxpayers in the country. NTUF analyzed the contents of this report in other writings, but the data contained in the report raises questions of its own — namely, how did a nongovernmental advocacy organization manage to get ahold of this data, and how can we be sure it doesn’t happen again?
Progressives who feel that this leak did provide meaningful information may not be inclined to be concerned about the privacy violation of wealthy and powerful individuals. But even aside from the fact that wealth does not disqualify Americans from the expectation that their tax filings will stay between them and the Internal Revenue Service (IRS), without knowing how the leak occurred, it is impossible to know that future leaks will be so limited.
For instance, as NTUF has emphasized in the past, much of the so-called “tax gap” is due to improper claiming of refundable tax credits and underreporting of pass-through business income, both activities that are far from the exclusive purview of the one percent. Moreover, they are often accidental, attributable to the confusing nature of the tax code rather than malice.
It’s probably safe to assume that whoever accessed or leaked the information contained in the ProPublica report did so in order to highlight a group of individuals they felt were not paying enough in taxes. Would progressives look so kindly on a future leak of private tax records that targeted small business owners who accidentally misused deductions or undercounted taxable income, or individuals who mistakenly claimed credits they were not eligible for?
Most leaks of tax filing information aren’t done in the interest of public edification. A man who managed to access an IRS database in 2016 and an IRS employee two years ago each used the tax records they accessed to perpetrate identity theft schemes. History is rife with examples of IRS employees or other individuals playing out their own personal vendettas through improper access or distribution of tax information.
So, while it is worthwhile to address the contents of the ProPublica leak now that they are public knowledge, it is equally important to ask how the leak happened and what changes will be made to prevent a similar leak in the future.
Potential Origins of the Leak
Hacking by external parties
Until we hear more information from the IRS, we can only speculate where the leak came from. One possibility is that the IRS was one of several government institutions compromised by Russian-backed hackers towards the end of 2020 in the so-called “Solar Winds” attack. It’s known that the Department of the Treasury was affected by the cyberattack, so it is feasible that hackers got access to taxpayer records and then leaked them in order to facilitate long-running Russian objectives of sowing discord and division in American politics.
ProPublica, for its part, says it even considered this possibility in deciding to publish the information. It cites a report by the Treasury Inspector General for Tax Administration (TIGTA) that claims that there is no evidence taxpayer data was affected by the breach, but it remains a possibility.
And while the Solar Winds attack is a known incident that could be responsible for the breach in question here, it’s also possible that a new attack occurred that is not yet publicly known. National security and data experts have warned for years that the U.S. is not adequately prepared to defend against hacking threats posed by foreign governments or by rogue stateless entities. Given the lax precautions in many areas of government, it is not implausible that a new attack might have yielded this information.
The IRS itself
Another possible source of the information is an IRS employee. Though leaking taxpayer information is a decidedly illegal act, there is precedent for IRS employees having done so in the past. In fact, ProPublica has received confidential tax filing information from an agency source as recently as 2012. The IRS does some internal access tracking for tax information of wealthy and notable individuals, but it is unclear how comprehensive these procedures are and they may have failed to achieve their intended purpose.
After all, there’s evidence suggesting that internal IRS protocols have not always been sufficient to protect taxpayer data. In 2012, TIGTA reported that the IRS’s data security efforts were lacking as it related to unauthorized access, and recommended that the agency work to improve its monitoring and data collection practices. Meanwhile, a TIGTA report from last year found that 67 applications for access to taxpayer data should have been monitored for unauthorized access, but only six of them received accurate and complete audit trails. On the other hand, just under half received no audit trails at all.
It is possible that an IRS employee, particularly one with access to the agency’s datasets that support its Statistics of Income (SOI) project, could have compiled and released the information to ProPublica. For many years, the agency produced a separate report on the top 400 taxpayers in the country by adjusted gross income, identifying details about their tax situations on average, and in anonymized fashion. After tax year 2014, this information was reported through their Individual Income Tax Rates and Tax Shares release, which includes data on the top 0.001 percent of taxpayers, or about 1,443 taxpayers in the most recent data.
An employee with access to this information could have selectively leaked it to ProPublica. Alternately, someone with access to a dataset with anonymized information about top taxpayers could have worked to de-anonymize it by cross-referencing company financial filings, stock sales, and other publicly-reported details of the finances of America’s wealthiest in order to associate a nameless line item in a spreadsheet with a specific real-life individual. In any case, a leak originating at the IRS itself would represent an enormous breach in trust for an agency that contains some of the most sensitive information about citizens all across the country.
Congressional staff or related agencies
One more potential source of the data is Congress itself, or related agencies. The House Ways and Means Committee has the ability to request access to tax records in order to inform tax policy. This is why there was speculation that Congressional staff might seek and release information about President Trump’s tax returns, which he had declined to release himself during and after the 2016 campaign. One of these staffers with access could have copied and leaked the information to ProPublica to drum up support for future legislative efforts.
Likewise, it’s possible that agencies closely related to Congress like the Congressional Budget Office or Joint Committee on Taxation could have been the source, as could an executive agency like the Government Accountability Office. These entities are sometimes in receipt of private tax information for the purpose of informing their research efforts.
Obviously, identifying the source of the leak is important because until we know for certain how the leak happened, it is far more difficult to prevent future leaks happening the same way. But it is just as important to know who isn’t at fault in this specific instance as it is to know who is.
For example, if the latter possibility is indeed what happened, and a Ways and Means or agency staffer leaked data provided by the IRS in the proper manner, then concerns about improving data security at the IRS itself are less important than enhancing safeguards for information transmitted to an external agency. It does taxpayers no good to waste resources shoring up functional data security measures when the leaks are coming from somewhere else.
The response to the ProPublica leak should also vary considerably depending on whether the leak came from inside or outside of the government. If the leaker was inside the IRS or Congress, then focus should be on more carefully tracking access to sensitive data and catching future leakers. On the other hand, if the leak was the result of a data breach by an external party, data security efforts would be better directed at cybersecurity.
Regardless of the source, this episode should provide a reminder of the importance that cybersecurity in the federal government must take moving forward. Even if the IRS was not affected by the December 2020 cyberattack, the agency has a history of being behind the times technologically.
Considerations for lawmakers
The above examples are by no means the only potential sources for leaks, but they are some of the most likely possibilities. To truly determine the source, however, extensive investigations will need to be conducted immediately.
Thankfully, IRS Commissioner Chuck Rettig has indicated that investigations are underway to help determine the source of the leak, including such agencies as the Treasury Department, the Federal Bureau of Investigation, and the U.S. Attorney’s office for the District of Columbia. This response is a positive sign that the agency is taking this breach seriously and that they’re utilizing the tools at their disposal to identify the root causes.
However, Congress has a role to play in finding this leak as well. In particular, leadership in both parties should work to complete a thorough review of staff contacts with agencies like the IRS, CBO, GAO, and others to determine whether anyone improperly accessed or shared sensitive taxpayer information that led to the ProPublica leak. If such unauthorized access or leaking did occur, Congress should ensure that those responsible are punished and that procedures are put in place to prevent future leaks, like comprehensive logging of requests for and access to sensitive tax information.
Congress should seek satisfactory answers to these questions before acceding to any requests to increase the IRS budget and give it access to huge new streams of data. If the agency’s security was lax enough to allow a leak of this magnitude, the IRS cannot be trusted with thousands of new agents and new sources of sensitive financial information, like bank account flows.
Congress must also work to hold the IRS to a higher standard in tax administration. The agency has long been plagued by failures to plan and modernize, leading to massive processing delays that were exacerbated by the pandemic. For example, following this year’s delayed Tax Day, the IRS was behind on 35 million returns, some of which dated to 2019, in part because of the high number of paper returns it had to process. Processing delays were made worse by the large proportion of broken or unusable printers and copiers (42 percent of the total number, according to TIGTA), a problem that appears to be a result of the agency’s failure to manage its contracts appropriately.
If the IRS is to be a functional agency, it must improve its operations and significantly strengthen its data security. This reform will not happen by throwing good money after bad, and by giving the agency access to vast amounts of private financial information that could be vulnerable to future unauthorized disclosures. By getting to the bottom of the ProPublica leak, Congress and other officials can help set the IRS on a path to reform that will better protect taxpayers and better administer the tax code.