Forgot your password?
typodupeerror
Security IT

IRS Left Taxpayer Data Vulnerable and Lied About It 79

Posted by Unknown Lamer
from the close-enough dept.
Bruce66423 writes with news that the IRS hasn't made much progress improving its poor IT security. From the article: "The Treasury Inspector General for Tax Administration found that the IRS had only partially implemented 42 percent of the corrective plans it checked off as completed in recent years. ... The review (PDF) showed that the IRS failed to properly track its progress toward completing many of the fixes auditors had recommended in recent years. The agency closed most of the cases without adequate documentation and did not always upload the necessary information into a database that helps ensure compliance."
This discussion has been archived. No new comments can be posted.

IRS Left Taxpayer Data Vulnerable and Lied About It

Comments Filter:
  • by amiga3D (567632) on Saturday November 23, 2013 @10:20AM (#45500545)

    A Federal agency lying? Surely not.

    • by JustOK (667959)

      Here is your tax refund, sir.

    • by Joining Yet Again (2992179) on Saturday November 23, 2013 @10:46AM (#45500653)

      Gentlemen, engage your confirmation biases.

      • by Anonymous Coward

        Is it bias if its true?
        How many occasions of complete government incompetence/corruption must exist before my bias of govermnet incompetence/corruption is no longer a bias and is instead fact?

        • by Joining Yet Again (2992179) on Saturday November 23, 2013 @12:18PM (#45501009)

          The US government - which in its current form has led the world's leading/only superpower for over a century - is "incompetent"? No, my friend. It might be miles from perfect. It might be partly corrupted by power and the powerful (though it experiences nothing like the corruption of some governments). It might fuck up royally from time to time. But, as an organisation, as a whole over time, it is as far from "incompetent" as any large organisation can hope to be.

          And I say this as someone who doesn't think of the US government as particularly moral. I just think it's fucking good at what it does, which is why it's where it is, and my country is not.

          • by smpoole7 (1467717)

            > The US government - which in its current form has led the world's leading/only superpower for over a century - is "incompetent?"

            Yes. The fact that you can point to other governments that are worse don't make me feel any better. I can be shot by a bow and arrow or a .45, either way, it's really gonna hurt and I'll probably be dead. You could argue that the bow isn't quite as bad, but that's small consolation to the one being ventilated. (I.e., me.)

            Any large organization will be corrupt. (That's the answ

            • The UK Inland Revenue was quite approachable IME before the past 5-10 years, when they merged with Customs and then gradually closed down all their walk-in offices. One can run a large organisation accessibly or inaccessibly - in the case of the British IR/HMRC, the present problem has been management consultants from private industry turning it into a callcentre-style service company.

              A family friend was a commercial tax collector in England - it was her job to arrange payment plans for businesses which we

          • by Anonymous Coward

            Actually we're coasting on top of what the govt did in the 60's and 70's.
            Since then we've had fuckup after fuckup in charge and a massively wasteful system where no real work gets done. and no real challenger in the world either.

            The cracks are really starting to show now.
            If you're under 50 you're going to live to see the fall of the american empire.
            Unless we pull our heads out of our wallets and get things fixed we're pretty much done.
            Till then incompetent is being nice about it. We have that special kin

            • by khallow (566160)

              Actually we're coasting on top of what the govt did in the 60's and 70's.

              And that would be? My view is that what the government did in that time, as well as since, is largely responsible for the mess now. For example, most of the problems with the big three living expenses which rise much faster than official inflation: higher education, health care, and housing, stem from government policies during this period.

              It's also when the US started to get exposed to cheaper labor from the rest of the world. For example, the US got out of TV manufacture about then. As I see it, a lot

          • by khallow (566160)

            The US government - which in its current form has led the world's leading/only superpower for over a century - is "incompetent"?

            Of course. It's like you haven't been paying attention. The reason the US government is currently the world's leading/only superpower is because it scraps 15-20% of the GDP of the largest national economy in the world. You can buy a lot of graft with that kind of captive revenue stream and still have some left over for the services you're actually supposed to provide.

            • To you, the chicken came first.

              To reality, eggs require chickens require eggs require chickens...

              • by khallow (566160)
                In reality, we have history to look at. Here, the US became an economic power well before its federal government grew to substantial size. The economy came before the government did.
        • by Anonymous Coward

          Far fewer than have already happened.

          The only means of preventing incompetence and corruption is the rigorous application of transparency and accountability. Those in power always resist this as much as possible, meaning those not in power must constantly demand and push for this.

          Complacency is our enemy, eternal vigilance, and so on. Everyone already knows all this. It is very trite. And very true.

          • Hear, hear! It is when everything looks like it's going right that you can be most sure that everything is going wrong.

          • by smpoole7 (1467717)

            > The only means of preventing incompetence and corruption is the rigorous application of transparency and accountability.

            And you're right, middle management in the US bureaucracy fights this tooth and nail. Their natural inclination is to go after the whistleblower for "rocking the boat."

            Another true story: guy was a middle manager, had been there for years. Did virtually no work. Sat at his computer and played Solitaire for an hour or so, then went down and smoked his pipe for an hour or so. Came back

  • by glennrrr (592457) on Saturday November 23, 2013 @10:36AM (#45500615)
    It seems as though every time you here about the IRS invoking 'Taxpayer Privacy' it's to avoid having to admit the agency is doing something criminal.
    • Yeah, "every time". Like the way I read about a few dozen murders in the paper every year so it seems like "every time" someone is in the papers, they are murdered.

  • From the article (Score:5, Insightful)

    by BringsApples (3418089) on Saturday November 23, 2013 @10:48AM (#45500663)

    The IRS said in its response to the findings that it issued a new manual this year to help improve its monitoring practices and that the agency would audit completed actions in the future.

    So, if I file the wrong kind of taxes, can I take the same sort of stance? "Yeah yeah, I know I filled out the form totally with the wrong numbers, and made it look like I needed a huge return, but I've purchased a new pen, and I've trained myself to better understand the form. So in the future, I will do better."

    I'm tired of hearing so much wrong done by our governing body, and never hear of any repercussions.

    • by Anonymous Coward

      well, actually, if you genuinely failed to understand the direction, caught it internally and submit an ammended return, yes, you can generally "get away with it", paying only accrued interest on the underpayment and no fine. Yes, I did that.

  • Consequences? (Score:5, Insightful)

    by JBMcB (73720) on Saturday November 23, 2013 @10:49AM (#45500669)

    So the punishment for not securing taxpayer data is... nothing? So why bother fixing anything?

    • "Punishing" the IRS would be moving money from one part of government to another, and wouldn't fix anything.

      Fines don't work. Prison doesn't work, except to protect future victims. Punishment in general does not fix behaviour. Values, not regulations.

      • by JBMcB (73720)

        Fines? Prison? How about just firing those not doing their job?

        • by ISoldat53 (977164)
          Amen!
        • If it's clear that the IRS employees dishonestly or incompetently disobeyed the auditor's instructions then removing them makes sense. I wouldn't really identify that as a "punishment", though - that's just removing people who aren't doing their job. People are not fired as punishment. Indeed, from the IRS PoV it'd be a good opportunity to obtain better workers - again, assuming they demonstrated dishonesty/incompetence.

        • by anegg (1390659)
          Firing a US federal government worker? An unlikely outcome.
      • Re:Consequences? (Score:4, Interesting)

        by jmac_the_man (1612215) on Saturday November 23, 2013 @12:05PM (#45500951)

        "Punishing" the IRS would be moving money from one part of government to another, and wouldn't fix anything.

        You work, right? Unless you work for the government, there will be some kind of expectations set out for you. If you don't do your job properly, you can lose bonuses, get demoted, have to take paycuts, or eventually be dismissed for cause. That's how most jobs are. The parent poster is arguing for firing whoever made poor security decisions.

        Values, not regulations.

        The IRS is an organization that decided it didn't like a Supreme Court decision that limited its power and benefited people that its employees didn't like, so they used their powers as the nation's tax collectors to harass their political enemies. They have pretty shitty values, and heads should be rolling until we get people in there with better values. "Should" is the operative word here, as no one has actually been punished for this.

        • Unless you work for the government...

          Oh, grow up.

          • You're the one who said that it's impossible to punish government employees who screw up.
            • No, I indicated that it makes no sense to punish the government, then went on to describe that e.g. firing someone isn't punishing them. But, in general, punishing an employee doesn't make them work harder.

              Anyway, I wouldn't work for any private firm which paid bonuses or cut pay according to performance in a particular role. I will do the best in any role I am given, and expect all my colleagues to do the same. If one of us genuine can't do the job, we shouldn't be in that position. I have never worked for

              • No, I indicated that it makes no sense to punish the government, then went on to describe that e.g. firing someone isn't punishing them. But, in general, punishing an employee doesn't make them work harder.

                If you punish a government employee for breaking the law it makes it less likely that another government employee breaks the law.

                Anyway, I wouldn't work for any private firm which paid bonuses or cut pay according to performance in a particular role.

                That's fine, I guess. Most people are OK with performance incentives.

                I will do the best in any role I am given, and expect all my colleagues to do the same.

                I expect IRS employees not to break the law because they disagree with it, and not to stifle free speech because they disagree with the speaker but my standards are apparently too high.

                FWIW, your sentence read:

                Unless you work for the government, there will be some kind of expectations set out for you.

                That's about expectations, not punishment.

                Right. The next sentence is about what the punishment should be for breaking those expectations. THAT's the part about punishment

                • If you punish a government employee for breaking the law it makes it less likely that another government employee breaks the law.

                  Since AFAICT no individual has broken the law here - at worst they've broken an employment contract - "punishment" of an individual would have to be extra-legal.

                  Ofc we're going by the assumption that humans really do think "oh that guy's being punished for X so I should avoid X" rather than "that guy's being punished for X so I should be more sneaky when I do X", which - if the existence of crime is anything to go by - is how people actually think.

                  • Since AFAICT no individual has broken the law here...

                    OK, you're right here. Technically, they are violating federal regulations, not necessarily the law. I conflated the two concepts by using the label "illegal" to describe "violating federal regulations." I assure you, however, that the IRS punishes taxpayers for violating regulations passed by the executive branch in addition to laws passed by the judicial branch.

                    Ofc we're going by the assumption that humans really do think "oh that guy's being punished for X so I should avoid X" rather than "that guy's being punished for X so I should be more sneaky when I do X", which - if the existence of crime is anything to go by - is how people actually think.

                    I'm genuinely curious. If you're against giving people incentives to do the things you want, and against punishing people for doing the things you

        • ... as no one has actually been punished for this.

          Punished? Of course they have -- they still work there, don't they?

          (I was going to go for the "comfy Chair" [mit.edu] line -- but, well, that just seemed as easy as shooting congressmen in a barrel. Waay too easy.)

    • Re:Consequences? (Score:5, Interesting)

      by smpoole7 (1467717) on Saturday November 23, 2013 @12:22PM (#45501033) Homepage

      > So the punishment for not securing taxpayer data is... nothing? So why bother fixing anything?

      Exactly. It is very, very difficult to fire someone who works for the Federal Government. One case that I knew of: there was this woman in a wheelchair who pinched butts, stole things from the cafeteria (in plain sight, right in front of everyone) and did so little work they had to search for it with microscopes. True story. They had to apply to the regional office in Atlanta, have several hearings, go through several "counseling sessions," and finally, after about A YEAR ... this worthless piece of flotsam was terminated.

      Then she sued them for discrimination and they were tied up for another year in court. She lost, of course, but it cost time and money.

      Ergo: the strong inclination, when you have incompetents, is just to leave them in place. If they're doing too much damage, you try to transfer them to where they can't do as much harm. Barring that, if you think it'll work at all, you PROMOTE them. (Again: true stories. I'm not kidding.)

      So ... now you end up with incompetents in middle management. The problem gets worse.

      Rinse. Repeat until the entire building is like a M.A.S.H. episode, with a few who will actually do their jobs, and who can only stay sane by either taking drugs or joking about it incessantly.

      (And in real life, by the way, if you're not careful, such "joking" will actually result in counseling and a reprimand.)

      I am not kidding. There is no hyperbole in the above. Re-read it and let it nourish your brain. There's at least part of your answer.

      (The other parts are so unpalatable -- such as outright nepotism and granting favors to friends and supporters -- that I shall spare you.)

      • by GPierce (123599)

        At one time, there was a sensible reason for making it difficult to fire a federal employee. In theory, civil servants were not partisan and they were not supposed to be affected by the political ideologues who we appointed to run government agencies.

        The ideologues were prevented from firing those who wanted to do a non-ideological job..

        It worked for a while, but if you keep someone from being fired for political reasons, eventually they figure out that they can f#ck off on the job without penalty. I guess

      • Exactly. It is very, very difficult to fire someone who works for the Federal Government.

        It's also very difficult for people to justify that the federal government works so radically different from that of a large corporation. Bureauacracies are the same on each side, with similar problems. I can't say a whole lot about what any individual will do in response to a given situation, but when you start talking about groups of 20 or more people, it becomes very predictable.

        Firing people doesn't accomplish anything. This is a structural problem, and at that, not even the one under discussion. Anyone

        • by smpoole7 (1467717)

          > Flat out it's a failure of leadership to have this many cooks in the kitchen

          And remember, when you're dealing with bureaucrats (and I fully agree that they're the same, private sector or government), they're covering their butts. They do everything by consensus and committee meeting. No one wants to stick his or her neck out.

          So, for example, when they were designing the ACA Website: Even though I wasn't there and have no direct information on this, I would bet you any amount you want to name that I KNO

    • by Anonymous Coward

      So the punishment for not securing taxpayer data is... nothing? So why bother fixing anything?

      No, the fix is to give the government more money and more power. If everyone paid their fair share of taxes, things would be so much better with a bigger, more expensive government.

      Right?

    • So the punishment for not securing taxpayer data is... nothing? So why bother fixing anything?

      Did you expect something otherwise? This is government, not ... anything else.

      Incentives matter. In a monopoly government system, if you deem one to be necessary, due to the incentive problem that government should only be doing things that absolutely cannot be done by a non-monopoly actor, if for no other reason than the incentive issue.

      A 'lean' government would find providers for each of the functions it wants

  • It's just their way of streamlining the ways the NSA can grab off everyone's data.

  • by Kohath (38547) on Saturday November 23, 2013 @10:55AM (#45500697)

    We should put these guys in charge of our health care!

    • by naff89 (716141)
      No, we should definitely leave it to for-profit corporations. Certainly they have our best interest in mind!
      • by Kohath (38547)

        If I don't like a private sector company, I just take my business elsewhere. If I try to do that with government, the government sends guys with guns to my house.

  • by davide marney (231845) <davide,marney&netmedia,org> on Saturday November 23, 2013 @11:00AM (#45500715) Journal

    If you read the specifics, you'll find that there is plenty of leeway between what the auditors asked for (things like scanning for empty/default admin passwords, filing security audit reports in a central location, documenting that managers approved admin accounts, etc.) and what the IRS believed it had done to implement them.

    If you ask me to implement something, I think I did so, and so I check that off as "completed", that is not lying.

    This is more like a failed test case. The auditors are complaining that the IRS' implementation of their recommendations are insufficient.

    • by Joining Yet Again (2992179) on Saturday November 23, 2013 @11:11AM (#45500751)

      Yeah but that sort of logic won't allow people to add a poorly understood event to their "LIST OF REASONS WHY IRS (AND GOV IN GENERAL) IS EVIL AND SHUD BE ELIMINATED".

      We could be happy that government is so open that even the tax collectors are audited, and a public announcement is made when they are judged to have not complied sufficiently. If only everything was so well overseen. (and, no, I don't have a hard on for tax collectors, but half my family was brought under a dictatorship, so I know what it looks like when a government is not accountable.)

    • If you ask me to implement something, I think I did so, and so I check that off as "completed", that is not lying.

      It *is* "inadequate documentation" however. Simply saying "completed" means that no one but you knows what was actually implemented because no one but you knows what you thought you were asked to do. The correct documentation in response to every item on a Corrective Action Plan is an actual list of what you did.

      Imagine if the only written documentation from a doctor visit was "treated" or if a kid tried to turn in homework where the only thing written on the answer paper was "completed". The IRS gave a

  • And here I thought that only Snowden does stuff like this!!
  • by frovingslosh (582462) on Saturday November 23, 2013 @12:59PM (#45501201)
    If they are going to be that way with my private data, I'm going to stop using their service.
  • What is the case at the IRS is actually true pretty much across the board at civilian federal agencies. The problem is FISMA, which is more about ridiculously long reports of checklists about what is in an environment than about any meaningful security approach. The worst part of it, however, is the compliance reporting which is so odious and operose that it actually gets in the way of getting anything changed. (That reporting is the "things we said we do to protect information" part of this story.) So

  • ....is why is my SSN worth so much? My SSN should only have one purpose and that's pretty irrelevant to ID thieves.

"Indecision is the basis of flexibility" -- button at a Science Fiction convention.

Working...