Would you trust eBay to keep your name, address and taxpayer identification number safe? What about uBid.com, or what about an obscure online broker youve never heard of?
The Center for Democracy and Technology is raising a red flag over the prospect after language appeared in the President Bushs budget that would require brokers of personal property—including online auction houses and consignment stores—to collect personal data from customers and to share it with the Internal Revenue Service.
The push to put personal customer information into the hands of the Feds is coming from the U.S. Treasury Department, which is attempting to track down millions in unreported small business income. Theres serious money at stake: The Treasury Departments proposal in the presidents budget estimates that it could raise $20 million in 2008, increasing steadily over the years to hit a cumulative $1.974 billion by 2017.
Nobodys defending the rights of tax scofflaws, but privacy groups see a range of negatives that the legislation could bring about, from potentially increasing loss or theft of personal data, to spawning a new breed of phishing scams, to indulging the government in its quest to hold more sway over information collected easily online.
The CDT also sees the move as specifically targeting Internet-based businesses including eBay and Amazon—two businesses whose customer databases comprise millions of Internet users.
"The IRS proposal is disturbing on many levels—not least in that it calls for the collection, storage and transmission of large amounts of sensitive personal information at a time when Internet users are increasingly concerned about identity theft; and when public- and private-sector data breaches have become routine," the CDT said in its posting, which went up earlier this month.
"It would also potentially burden many smaller businesses that lack the technology or security infrastructure to safely collect sensitive personal information."
When the CDT raised the issue with the Federal Trade Commission, the FTC pointed out that tax information such as Social Security numbers and TINs (Taxpayer Identification Numbers) were originally created for the purpose of collecting taxes, said CDT Deputy Director Ari Schwartz in an interview with eWEEK.
The IRS getting hold of this information is nothing out of the norm. But what about these online brokers whom the government would have collecting such sensitive personal information? "The question is, Is the private sector supposed to get more of it, and at what risk?" Schwartz said.
The language in the presidents budget, in fact, does not reference the collection of SSNs, only that of TINs. When eWEEK asked a tax spokesperson for the Treasury Department whether TINs have the potential to be used in identity theft, he said that the question stumped him. "Im not sure if it can be used in identity theft," said Andrew Desouza of the Treasury Department.
"This is simply information thats being shared between a broker and the IRS," Desouza said. "All the information that the IRS deals with in terms of taxpayer [data] is never shared."
Privacy experts arent questioning the IRS attention to safeguarding taxpayer information, however—its the brokers theyre worried about. Desouza said the Treasury Department wouldnt know about the details of brokers storing and transmitting taxpayer information, saying that the IRS handles the details.
As the CDT points out, ironically enough, a U.S. task force created to stem identity theft just last month urged federal agencies to stop unnecessary collection and storage of Social Security numbers. A two-volume plan issued by the task force—headed up by Attorney General Alberto Gonzales and FTC chairman Deborah Platt Majoras—contained recommendations on fighting the scourge of identity theft. One of the recommendations:
"Decrease the usage and collection of Social Security numbers on the state, local, and federal levels. The Task Force recommended that the federal Office of Personnel Management (OPM) complete its review of how various agencies utilize SSNs, and to help develop guidance on limiting their collection to absolutely necessary functions."
The legislative language in the presidents budget would require auction houses, consignment stores and other transaction brokers to collect personal data on customers who conduct 100 or more transactions that generate $5,000 or more in gross income per year.
The IRS proposal would require such businesses to submit a form including name, address and Taxpayer ID Number of each seller that fits those parameters.
But to comply, brokers would likely have to keep track of such information on all sellers, given that they wouldnt know until years end which sellers would meet the threshold, the CDT says. "For small sellers this will almost always be an SSN," the CDTs posting says.