As if recent privacy breaches at the online tax preparer TurboTax and the health insurer Anthem weren't enough, it turns out that low-tech hacks can trick the vaunted Apple Pay system into giving up cash to thieves, too. And while the administration's 2012 blueprint for a Privacy Bill of Rights was excellent, its new legislative draft from the Department of Commerce could have been written by the U.S. Chamber of Commerce. It was attacked by privacy and consumer groups, Congressional champions and even the FTC, the actual expert privacy agency that should have been tasked with drafting it in the first place. Meanwhile, as a package of weak, dangerous federal data breach notification proposals that could override stronger state law protections lurches through Congressional hearings, Senators have at least proposed to regulate the Wild West data broker industry, which is bent on vacuuming up tracks from all your online and offline activities for use in its secretive, practically unregulated profiles and dossiers.
Intuit's TurboTax is one of the largest of a slew of online tax preparers that have developed a pretty nice government-backed business model, relying on a tacit endorsement from the IRS. Free File Alliance members do provide free federal tax filing services, and some even more limited state filing services, to lower-income Americans (after early criticism of the program by consumer groups), but they count on upselling other paid services (actual tax preparation help) to make money.
While Intuit denies its practices encourage fraud, as explained in the Washington Post, Intuit whistleblowers claim that efforts to stop fraud would cut into making that money:
"Among Intuit’s critics are two former employees (Wapo link to KrebsOnSecurity story) who said they protested Intuit’s decision not to do more to halt seemingly fraudulent returns when they worked at the company. One of them, Shane MacDougall, who was a principal security engineer at Intuit until last month, recently filed a whistleblower complaint with the Securities and Exchange Commission that alleges Intuit chose not to take needed security measures because executives worried those actions would cut into the company’s market share."
Other critics seem to agree, as Alabama state tax official Julie Magee told the Post:
"[Critics said that] Intuit and its rivals in the self-preparation software business — H&R Block and Blucora, the maker of TaxAct — do not have a financial incentive to erect the strongest possible security protections for consumers. Such steps can make accessing accounts less convenient. “Commercial tax preparation software vendors have a much different primary objective than tax agencies. They are driven by profit,” Julie Magee, commissioner of the Alabama Department of Revenue, wrote in a public letter this week. “The easier they make it to file a return, the more customers they can get and the more profitable they will become. There is no incentive for them to stop fraud.”"
Magee's letter goes on to also blame the secretive IRS. Congress will be looking into tax fraud further in coming days. The Washington Post offers tips to avoid online tax fraud.
Meanwhile, we have also learned that the encouraging entry of the very high-tech Apple Pay into the payment-system fraud debacle is not without fraud problems of its own. It turns out that while the device itself is highly encrypted, if banks don't first verify that the cards being linked to the phone are genuine, thieves in short pants can use stolen cards to bypass the system's vaunted safeguards; the weak point is the bank's verification step, not the phone. But merchants have the same problems; their own new payments system, in beta mode, was similarly hacked by low-tech means last fall.
Consumers would benefit if companies were required to keep personally identifiable data secure, limited in how much data they could collect and how long they could keep it, limited in the uses they could put it to without consumer knowledge or consent, required to give consumers the right to review, edit and control their files and dossiers, and then held accountable when they break these rules. To that end, two years ago the Obama Administration issued a very promising, widely praised Blueprint for a Consumer Privacy Bill of Rights. Unfortunately, the White House then tasked the Department of Commerce, not the FTC, with drafting the legislation. Two weeks ago, we joined leading consumer and privacy groups, Congressional privacy champions including Rep. Jan Schakowsky and Sen. Ed Markey (MA) and even the FTC in critiquing both the flawed process and the proposal (we got a last-minute 90-minute peek but couldn't keep the copies; our complaints resulted only in slight changes).
On the positive side, two items to report: First, Illinois Attorney General Lisa Madigan, joined by Illinois PIRG, just introduced a strong state privacy bill that, among other improvements, would add your geolocation to protected personal information. And Senator Markey, joined by Sens. Blumenthal (CT), Whitehouse (RI) and Franken (MN) introduced a proposal to rein in data brokers, the largely unregulated firms that collect and sell information both on and offline.
I am scheduled to testify soon at a rescheduled hearing on data breaches and data security of the House Information Technology subcommittee. As you can see, I will probably have a lot to say.