A Briefing On Public Policy Issues Affecting Civil Liberties Online from The Center For Democracy and Technology
(1) IRS Proposal Could Impact Millions of Internet Users
(2) Treasury Proposal Mirrors Problems With Other Data Retention Schemes
(3) Request for SSNs Runs Contrary to Anti-ID Theft Initiative
The U.S. Treasury Department -- in an effort to track down unreported small business income -- is seeking legislation requiring brokers of personal property, such as auction houses and consignment stores, to collect personal data on their customers and share it with the Internal Revenue Service. It appears that the real targets of the proposal are Internet-based businesses, including eBay and Amazon. It seems the IRS believes Internet companies should be enlisted in tax collection due to the apparent ease of collecting and transmitting information over the Internet.
The IRS proposal is disturbing on many levels -- not least in that it calls for the collection, storage and transmission of large amounts of sensitive personal information at a time when Internet users are increasingly concerned about identity theft; and when public- and private-sector data breaches have become routine. It would also potentially burden many smaller businesses that lack the technology or security infrastructure to safely collect sensitive personal information.
The IRS proposal calls for "brokers" of transactions involving tangible personal property to file income statements about all sellers who conduct 100 or more separate transactions that generate $5,000 or more in gross income. The IRS form required under the proposal would include the name, address and Social Security number (SSN) or Taxpayer ID Number (TIN) of each seller. In order to comply, brokers would likely need to keep track of ID numbers and other information on all sellers, even those that do not meet the sales threshold (since they won't know until the end of the year who meets the threshold). For small sellers this will almost always be an SSN. The proposal is in the President's budget and, while no lawmaker has yet come out in support of it, the measure could easily find its way into a larger legislative package.
The request is just the latest manifestation of a broader effort by the government to force businesses to retain large amounts of customer data. These "data retention" proposals would force the creation of massive, privately maintained databases of personally identifiable data that government investigators could tap at their leisure. What's particularly troubling about this trend is that it occurs against the backdrop of a concerted effort by the Administration to weaken the legal standards that protect ordinary Americans against undue government snooping.
The government is effectively seeking to increase the amount of information collected and stored about ordinary Americans even as it relaxes the standards by which it can obtain that information. Also, forcing businesses to collect SSNs could have a chilling effect on legitimate e-commerce if consumers balk at providing their SSNs for simple transactions -- something most people are not accustomed to doing.
The Treasury Department has done little to justify why Congress should impose this substantial new burden on brokers and their customers. Although reports of a multi-billion dollar gap between the taxes Americans owe and the taxes they pay have made headlines of late, there has been no evidence that online sellers are prime offenders or that the imposition of draconian record keeping requirements on auction operators and other online brokers represent the best, least intrusive means to address the problem.
While the IRS needs SSNs for tax purposes, and private sector tax reporting is partly what the number was created for, this proposal essentially requires Internet commerce companies to collect and store the SSNs of millions of people, most of whom will never even meet the requirements for reporting their auction income to the IRS.
To the best of our knowledge, the IRS is not seeking to compel flea market or mall operators to collect the Social Security numbers of their sellers for tax purposes, so it's hard to understand the rationale for targeting Internet businesses. Too often, it seems the basis for seeking ever-larger amounts of information from Internet operators has to do with the fact that such collection is believed to be easy, not because it is a good idea.
A broader concern is that the Treasury Department is seeking to dramatically increase the amount of sensitive personal data collected from individuals, even as other agencies are being urged to limit such collection as a means of combating ID theft. The Federal Trade Commission (FTC) and Justice Department recently unveiled a strategic plan to combat identity theft, which, among other things, called for agencies to minimize their use of Social Security numbers. The IRS proposal is goes against the spirit of the DOJ-FTC recommendations.
Last year, the Justice Department began calling for federal legislation that would require Internet service providers to retain information about their customers for months or even years at a time. Ostensibly aimed at preserving information about the activities of online predators for use in later investigations, the proposal would mandate the creation of massive databases of sensitive information about Internet users. In February of this year, Rep. Lamar Smith (R-Texas) introduced legislation that would effectively give the Justice Department a blank check to write its data retention rules for ISPs.
The Treasury proposal is similar to the DOJ data retention proposal in several objectionable aspects:
Adoption of any data retention law should require a full-scale reexamination of existing data privacy laws. The US has no comprehensive privacy framework to deal with the kind of information that would be collected under this proposal. CDT has long maintained that Congress must enact comprehensive consumer privacy legislation and update the laws that protect our personal information from government intrusion. Until such rules are adopted, data retention requirements like the Treasury proposal would exacerbate the already serious weaknesses in our national privacy framework.
CDT Data Retention Memo(June 2006)
On April 23, the Justice Department and FTC unveiled the government's plan to combat identity theft. For many privacy advocates, including CDT, the plan was something of a disappointment, as it failed to offer any holistic proposals to address one of the main underlying causes of identity theft -- an increasingly inadequate and outdated federal privacy framework.
However, despite its flaws, the DOJ-FTC plan did contain several worthwhile, common sense recommendations for combating ID theft. One recommendation that virtually everyone in the privacy and data security community applauded was a call for government agencies to reduce unnecessary use of Social Security numbers. The logic of reducing use of the SSNs is obvious. SSNs are an essential element of many types of ID theft, and often one of the main targets of serious data breaches. Until we can limit the frequency with which sensitive information is exposed in data breaches, we can at least limit the negative exposure caused by breaches by limiting the number of places we store SSNs.
The underlying finding of the DOJ-FTC report -- that SSNs are a prime target for identity thieves and that their use should be limited -- is difficult to reconcile with a plan that calls for massive new collection and storage of SSNs, with limited justification.
Although the Treasury proposal only requires brokers to submit taxpayer information about users generating $5,000 or more in proceeds, it would likely affect a far larger segment of Internet users. It is extremely likely that Internet businesses affected by the requirement would collect SSNs (or TIN) from all their users, not just high-volume sellers and, in fact, individuals that sell less often would be more likely to have to turn over an SSN because it is likely their only tax ID. Although it would be theoretically possible for companies to design systems that tracked customers' account activity and forced them to divulge tax information only when they attempted to make any sales over the federal threshold, it is difficult to imagine any online broker taking such a step, which would be costly, complicated and almost assuredly unpopular. Rather, most online brokers, faced with the proposed Treasury requirement, would probably require all customers to submit their SSNs as a condition of setting up or maintaining an account.
The brokers will also need to link information across accounts -- even those that have been closed or not recently used -- to ensure that the same taxpayer does not open multiple accounts simply to avoid detection.
DOJ-FTC ID Theft Release (April 2007)