Would you trust eBay to keep your name, address and taxpayer identification number safe? What about uBid.com, or what about an obscure online broker youve never heard of?
The Center for Democracy and Technology is raising a red flag over the prospect after language appeared in the President Bushs budget that would require brokers of personal property—including online auction houses and consignment stores—to collect personal data from customers and to share it with the Internal Revenue Service.
The push to put personal customer information into the hands of the Feds is coming from the U.S. Treasury Department, which is attempting to track down millions in unreported small business income. Theres serious money at stake: The Treasury Departments proposal in the presidents budget estimates that it could raise $20 million in 2008, increasing steadily over the years to hit a cumulative $1.974 billion by 2017.
Nobodys defending the rights of tax scofflaws, but privacy groups see a range of negatives that the legislation could bring about, from potentially increasing loss or theft of personal data, to spawning a new breed of phishing scams, to indulging the government in its quest to hold more sway over information collected easily online.
The CDT also sees the move as specifically targeting Internet-based businesses including eBay and Amazon—two businesses whose customer databases comprise millions of Internet users.
“The IRS proposal is disturbing on many levels—not least in that it calls for the collection, storage and transmission of large amounts of sensitive personal information at a time when Internet users are increasingly concerned about identity theft; and when public- and private-sector data breaches have become routine,” the CDT said in its posting, which went up earlier this month.
“It would also potentially burden many smaller businesses that lack the technology or security infrastructure to safely collect sensitive personal information.”
When the CDT raised the issue with the Federal Trade Commission, the FTC pointed out that tax information such as Social Security numbers and TINs (Taxpayer Identification Numbers) were originally created for the purpose of collecting taxes, said CDT Deputy Director Ari Schwartz in an interview with eWEEK.
The IRS getting hold of this information is nothing out of the norm. But what about these online brokers whom the government would have collecting such sensitive personal information? “The question is, Is the private sector supposed to get more of it, and at what risk?” Schwartz said.
The language in the presidents budget, in fact, does not reference the collection of SSNs, only that of TINs. When eWEEK asked a tax spokesperson for the Treasury Department whether TINs have the potential to be used in identity theft, he said that the question stumped him. “Im not sure if it can be used in identity theft,” said Andrew Desouza of the Treasury Department.
“This is simply information thats being shared between a broker and the IRS,” Desouza said. “All the information that the IRS deals with in terms of taxpayer [data] is never shared.”
Privacy experts arent questioning the IRS attention to safeguarding taxpayer information, however—its the brokers theyre worried about. Desouza said the Treasury Department wouldnt know about the details of brokers storing and transmitting taxpayer information, saying that the IRS handles the details.
As the CDT points out, ironically enough, a U.S. task force created to stem identity theft just last month urged federal agencies to stop unnecessary collection and storage of Social Security numbers. A two-volume plan issued by the task force—headed up by Attorney General Alberto Gonzales and FTC chairman Deborah Platt Majoras—contained recommendations on fighting the scourge of identity theft. One of the recommendations:
“Decrease the usage and collection of Social Security numbers on the state, local, and federal levels. The Task Force recommended that the federal Office of Personnel Management (OPM) complete its review of how various agencies utilize SSNs, and to help develop guidance on limiting their collection to absolutely necessary functions.”
The legislative language in the presidents budget would require auction houses, consignment stores and other transaction brokers to collect personal data on customers who conduct 100 or more transactions that generate $5,000 or more in gross income per year.
The IRS proposal would require such businesses to submit a form including name, address and Taxpayer ID Number of each seller that fits those parameters.
But to comply, brokers would likely have to keep track of such information on all sellers, given that they wouldnt know until years end which sellers would meet the threshold, the CDT says. “For small sellers this will almost always be an SSN,” the CDTs posting says.
Next Page: Small brokers are the most dangerous.
Small Brokers Are the
No lawmaker has yet stepped forward to support the IRS proposal, but the CDT points out that the measure “could easily find its way into a larger legislative package.”
Its the small fry brokers that have privacy experts concerned, not outfits like Amazon or eBay. “There are big guys like eBay and Amazon. One assumes theyre pretty much reputable, but how about some of the other companies? It certainly does increase the prospect for fraudulent use of SSNs,” said Paul Stethens, a policy analyst for the Privacy Rights Clearinghouse.
“The problem here is youre getting involved with entities that in many instances might not be well-known to the person whos doing the selling,” he said. “We provide SSNs to banks and to employers, but theyre well-known. When youre dealing with a company online, how do you check that company out? What standards do they have for protecting your SSN?”
A bigger, theoretically more reliable company such as eBay might be trusted to store TINs. But the issue is in fact moot to eBay, which claims that the proposal wouldnt apply to its business model, given that its a marketplace, not an auctioneer or broker.
“Most states have a legal definition” of what an auctioneer is, said eBay spokesperson Catherine England in an interview with eWEEK. “We dont actually mediate the transaction. We never take possession of the items; we dont take possession of the money. That happens between the buyers and sellers.”
eBay can only track listings and can determine if a given listing has closed. But whether transactions have occurred is information it cant confirm, since transactions happen off eBays platform.
Its a good thing that eBay has been working with federal agencies to try to educate them on how its business model works, because those agencies sure dont share eBays notion of whether or not their proposals apply.
A recent report that came out of an IRS committee on Small Business/Self-Employed Subgroup called the growth of the Internet “explosive” and said that it has brought about an increased number of ways to open a business, one of the more popular type being the selling of new and used items “through auction sites such as eBay.com, uBid.com, etc.”
The report goes on to reference a 2005 ACNielsen report that found that more than 724,000 Americans report their primary or secondary source of income through eBay.com. It is likely, the subcommittee continues, that a “significant number” of eBay or uBid customers either “choose to ignore income reporting requirements or are unaware of their obligations, thus contributing to the tax gap.”
Theres an underlying assumption at play with these proposals, eBays England pointed out, namely that “folks are assuming our sellers, who are engaged in frequent transactions, arent already reporting [taxes],” she said. “Ive seen no research or evidence to indicate thats the case. Most of our sellers are running small businesses. The assumption that eBay business are underreporting to the IRS” hasnt been demonstrated in any research that shes seen, she said.
The Treasury Department does base its proposal on research, Desouza said. That research, however, is a tad dusty, dating back to 2001.
They may be old numbers, but thats all the Treasury Department has to work with, Desouza said. “We stated in [documentation] and in the presidents budget that were requesting additional funding to increase our” taxpayer compliance reporting, he said.
“Our specific proposals were done off of 2001 research on how much taxpayers are compliant,” he said. “Through that study and a vetting process of sorts, we came up with 16 proposals to make sure theres a balance between increasing compliance and unduly burdening taxpayers. And this is one of them. Throughout the study, we found that compliance significantly increases with third-party reporting.”
Even if the government were to collect substantial amounts of unpaid tax, privacy experts still fear the possible impact. “It will open up a Pandoras box with requiring individuals to provide a SSN for transactions for which theyve never had to provide SSNs before,” said the Privacy Rights Clearinghouses Stethens.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.