Friday, May 29, 2015

Between the IRS and ISIS - How the internet and transparency put citizens at risk

Most Lebanese with American citizenship probably did not follow the news this week that hackers had gained information about more than 100,000 American taxpayers through an application on the Internal Revenue Service’s website.

The scheme involved entering an IRS website called “Get Transcript,”,pretending to be an American taxpayer seeking to access tax filings from previous years. The personal information the hackers needed to provide to enter the individuals’ files (social security numbers, addresses, birthdates, tax filing status) had already been stolen earlier, and allowed the hackers to do two things: gain even more information on the taxpayers, and apply for tax refunds, which the criminals could then direct to addresses, or accounts, they controlled.

According to sources at the IRS, the criminals involved in this latest cybercrime were based in Russia. To Lebanese-Americans this may all seem very far away, and of no real concern to them. But is that true, especially in light of the massive amount of personal information circulating on the internet, particularly information being sent by a host of institutions to the IRS?

Since the introduction of the Foreign Account Tax Compliance Act, or FATCA, which the IRS began implementing last summer, the amount of personal information available on Americans living abroad has risen exponentially. What is worse, it is often held by foreign institutions that have poor security protocols ensuring the information is not misused.

As Americans pay tax on their worldwide income, FATCA is legislation that the United States has introduced as a means of preventing tax evasion by citizens who live abroad. It obliges foreign financial institutions, or FFIs, to report on the accounts of its American clients, or risk a 30% withholding tax on all source payments from the United States. More important, it requires that these FFIs send an annual report on the financial status of their American clients to the IRS.

The American government never sought to seriously ensure that the information gathered by the FFIs was well protected—accessible as it is to tens of thousands of employees overseas. At best, the majority of these employees have little knowhow to defend against cybercriminals; at worst, a minority may have a stake in using the information for personal gain.

This can put Americans at risk, or facilitate matters for those who seek an American identity to strike against the United States. At a time when America is engaged in a battle to “degrade and ultimately destroy” ISIS, this is a genuine worry.

Not surprisingly, because of FATCA, in recent months there has been an uptick in efforts to engage in identity theft. This forced the IRS to issue a FATCA fraud alert last year, warning of efforts by fraudsters, pretending to be IRS representatives, to contact FFIs and ask for the details of their American clients.

The IRS alert noted that “[t]hese types of scams are typically carried out through the use of unsolicited emails and/or websites that pose as legitimate contacts in order to deceptively obtain personal or financial information.”

The benefits of identity theft to criminals are many. According to Peter Warren Singer, who writes on cybersecurity. He told the New York Times, “It’s rare for the actual attackers to turn the information directly into money. They’re stealing the data and selling it off to other people.”

The question is what those who buy identities seek to do with them. And here the imagination runs wild. It can span the gamut from using the information to entrap people by discovering their vulnerabilities and forcing them to work for you, to gaining access to further websites providing confidential information. The exploitation of such information by terrorists, in particular, is not only probable; it is to be anticipated.

Some have defended the IRS, saying that it takes cybercrimes seriously and always defends against them. Perhaps, but the IRS’s negligence when it comes to security issues under FATCA shows a very different face. A circular from the IRS to FFIs around the globe cautioning about online trickery is hardly a sufficient means of protecting Americans abroad, particularly if a majority of cybercrimes are ignored by banks and the police—as is reportedly the case in the United Kingdom.

Given ever more intrusive demands for the personal details of individuals, and new Know Your Customer procedures in banks that require customers to be transparent about many aspects of their life, we are exposed more than ever to criminals. What is most galling, however, is that the Western countries that have imposed such transparency and placed this personal data online have shown far less regard for their citizens’ safety than for whether their tax revenues are properly reported.

Americans in Lebanon must be conscious of this reality. Many are understandably wary of the IRS, which has zero credibility in Washington. But what they should really be concerned about is that if the IRS knows everything about them, it should not be hard for others with far more evil intent to know just as much

No comments: