
PUBLIC.RESOURCE.ORG ~ A Nonprofit Corporation


Public Works for a Better Government

CONTAINS SENSITIVE MATERIALS - HANDLE WITH CARE

July 1, 2013

Tax Exempt/Government Entities Division
Internal Revenue Service
Submission Processing Program (SE:T:BSP:SPP)
Attn: Ms. (M/S 1110)
1973 North Rulon White Blvd
Ogden, Utah 84404-7843

U.S. Treasury Inspector General for Tax Administration (TIGTA)
U.S. Department of
Attn: Special Agent
P.O. Box 12398
Ogden, UT 84412

Dear Ms. and Special Agent :

On June 18, 2013, Public.Resource.Org received a phone call from the IRS indicating that the January shipment of Form 990-T, which we received in mid-February, had been improperly vetted and that the IRS was requesting the information be recalled from the Internet. The DVD from the IRS contained 3,155 returns, of which we had successfully processed and placed online 3,109 valid returns.

Nature of the Communications

The nature of the request from the IRS was not initially clear, so we asked for more information. This was sent in the form of an email message with an Excel spreadsheet that day, but the IRS then sent a note requesting that the Excel spreadsheet be deleted as it was against policy to use electronic mail. Instead, the spreadsheet was printed and sent to us via UPS courier, arriving at our facility on June 20. The replacement DVD for the bad data arrived at our facility on June 19.

We were able to remove the offending data at 9:30 AM on June 19, less than 24 hours after notification, and had the replacement data back online later that day on June 19. We also notified our downstream major users to determine if they had copied the January data in bulk (they had not). We also used our Webmaster Tools on Google to block search engines from the 2013_01_T subdirectory and to invalidate all cached results from that directory. This was all accomplished by close of business on June 19.

To determine the extent of the exposure, we've analyzed our logs and have also analyzed the data received from the IRS. We maintain a privacy registry based on any clicks made on the privacy cover sheet on the top of each return. That registry

carl@media.org

1005 GRAVENSTEIN HIGHWAY NORTH, SEBASTOPOL, CALIFORNIA 95472 PH: (707) 827-7290 FX: (707) 829-0104

AUDIT OF FORM 990-T DISTRIBUTION FOR JANUARY, PAGE 2

indicates that 8 clicks were made from 4 unique IP addresses. However, none of those resulted in privacy complaints and could have been made by an automated process.

In addition, we examined our FTP and HTTP logs. We only maintain a 7-day window for HTTP logs and did not see any HTTP-based access that was not from a search engine crawler. For the FTP logs (which indicate bulk download activity), we did not see extensive activity for the January directory, but it was clear that at least one copy of the DVD ISO image (the image of the original DVD) had been transferred.

Our conclusion is that the data from the original January distribution of Form 990-T did get exposed to the public. While the exposure was not huge, it is clear that the data was distributed. We thus proceeded to the next step, which is an analysis of the data to determine if there were any sensitive data.

Analysis of the January Form 990-T Disk

The disk contained a total of 3,109 returns we were able to process, including 124 instances of the Form 4720 (Return of Certain Excise Taxes on Charities and Other Persons Under Chapters 41 and 42 of the Internal Revenue Code), 597 instances of the Form 5527 (Split-Interest Trust Information Return), and 2,388 instances of Form 990-T (Exempt Organization Business Income Tax Return).

The Form 4720 includes Part II-A, Taxes on Managers, Self-Dealers, Disqualified Persons. This form requires the identification number for those that are listed. In the January distribution there were 124 such forms, and the following 15 included Social Security Numbers:
Organization FOUNDATION FAMILY CHARITABLE TRUST FOUNDATION TRUST CENTER INC FOUNDATION INC FOUNDATION INC FOUNDATION INC FOUNDATION FOUNDATION INC CHARITABLE TRUST FOUNDATION FOUNDATION 1 EID Return 12/2010 12/2011 12/2011 06/2012 12/2010 12/2011 12/2012 12/2011 12/2011 01/2012 12/2011 12/2011 PPI page 11 Page 10 Page 10 Page 10 Page 10 Page 10 Page 10 Page 10 Page 13 Page 11 Page 10 Page 1


Organization FAMILY FOUNDATION

EID

Return 09/2012 12/2011 12/2010

PPI Page 9 Page 1 Page 1 Page 1

FOUNDATION FOUNDATION 12/2011

The Form 990-T is the business income tax return. Our analysis of 2,388 forms uncovered 8 major categories of privacy violations.

1. In common with all forms, the preparer is asked to furnish either a Taxpayer Preparer ID or their Social Security Number. In this day and age, it simply does not make sense to ask people for that information on a form that is meant for public distribution. We found 3 such instances of preparer ID numbers:
Organization       EID    Return     PPI
ASSOCIATION               06/2009    Page 2
AMERICAN LEGION           07/2012    Page 2
MOOSE LODGE               04/2010    Page 2

2. A common problem is the addition of optional information by filers in which they disclose PPI. We found two such instances.
Organization       EID    Return     PPI
IRA                       12/2010    Page 3
CHURCH                    12/2011    Page 5

3. Form 8949, Sales and Dispositions of Capital Assets, includes a requirement for an individual identification number at the top of the form.
Organization       EID    Return     PPI
RA                        12/2011    Pp. 4-13

4. An internal work document is the Current Acknowledgment Detail of filing, which includes the SSN of the person doing the filing of a return.


Organization           EID    Return     PPI
LAWYERS ASSOCIATION           12/2010    Page 7

5. Schedule K-1 of Form 65, Partner's Share of Income, Deductions, Credits, etc. also requires a personal identification number.
Organization       EID    Return     PPI
IRA RO                    12/2011    Page 5

6. Form SS-4, Application for Employer Identification Number, Line 7b, requires the SSN of the responsible party. Please note that the IRS systematically includes this information in the Form 527 distribution of organizations reporting political activities.
Organization       EID    Return     PPI
                          12/2011    Page 7

7. Schedule G, Form 1120, Information on Certain Persons Owning the Corporation's Voting Stock, requires a personal ID number on Part II.
Organization       EID    Return     PPI
COMPANY INC               02/2012    Page 11

8. Form 5884-B, New Hire Retention Credit, specifically directs the preparer to "Enter the retained worker's social security number." Please note that under IPU 12U1036 issued 05-10-2012 IRM 3.20.12.2.3(1), the Form 5884-B is not open for public inspection.
Organization CARE FACILITY INC EID Return 12/2011 12/2011 HEALTH CENTER HOSPICE MEDICAL GROUP 12/2011 12/2011 12/2011 MEMORIAL HOSPITAL Page 5 Page 5 Page 5 06/2012 12/2011 PPI Page 3 Page 5 Page 5 Page 7


Organization       EID    Return     PPI
CLUB                      02/2012    Page 8
HEALTH SERVICES           06/2012    Page 5

Our final analysis was based on the 597 instances of the Form 5527. A simple run through the documents to process them for OCR then look for Social Security numbers yielded a total of 2,319 possible hits over 319 documents. Attachment A includes a dump of those results.

Recommendations for Corrective Action

The main reason we conducted this analysis is because when we called both the IRS and the Inspector General's Office, nobody was able to state whether or not the filers would be notified that their returns were improperly disclosed. A call with Ms. Melinda Williams with the EO headquarters group in Washington yielded inconclusive information. It appears that there is not a firm policy in place to deal with these situations and that a decision had not been made yet as to the extent of any notification program that would be undertaken.

Recommendation 1: It is imperative that the IRS notify all parties whose returns were improperly disclosed. Failure to do so will appear as if the IRS is covering up this situation. We are prepared to make that notification to the affected parties, but believe it is much better for the IRS to do so. Please let us know your decision on this important matter.

Recommendation 2: There is clearly no policy in place to deal with this situation. The IRS should clearly spell out what actions are to be taken in the case of an inadvertent breach and that information should be included in the Internal Revenue Manual.

Recommendation 3: If a privacy violation is found by a member of the public, it is exceedingly difficult for a taxpayer or other person to understand who in the IRS to notify. Best Current Practices in almost all federal agencies include the appointment of a Chief Privacy Officer. The current closest approximation for that is the Identity Theft Hotline, but a call to that phone number is very confusing and clearly doesn't cover this situation.

Recommendation 4: Public.Resource.Org and GuideStar share any privacy notifications we receive so we can better protect the privacy of filers in case of inadvertent disclosures. The IRS should participate in that clearinghouse and maintain a list of all returns that have these issues.

Recommendation 5: The IRS delayed excessively in notifying us of this disclosure. Use of electronic mail to transmit information instead of printing spreadsheets is essential in these circumstances. Use of a modern facility such as Dropbox instead of cutting a new DVD and mailing it would have cut the response time dramatically.

Recommendation 6: The current system of processing public returns makes it very hard for the IRS to do quality checks. Instead of single-page raw bitmaps, the IRS could easily move towards PDF documents with OCR. This would allow a quick check for obvious problems which, while not infallible, would help immensely in detecting errors.

Recommendation 7: We understand in these times of budget cuts that it is not easy to invest in R&D to make a better system. However, there are resources available to supplement what the IRS has. The IRS should reach out to the Federal CIO for assistance in modernizing their workflow and should consider working cooperatively with organizations, such as a University R&D institute, to develop better solutions.

Recommendation 8: There are simple privacy tools available on the market such as Adobe Acrobat Pro. However, there are no good open source tools used for handling privacy checks on databases with millions of pages of documents. Such tools would be immensely valuable for the IRS as well as other agencies at the Federal and state levels that have to deal with this problem. Again, reaching out to the Federal CIO and the Federal CTO for assistance and discussing this problem with research funding organizations such as the National Science Foundation might lead to further development of tools that would help not only the IRS but the rest of the government.

We understand that dealing with a monthly feed of public documents such as the Form 990 is an exceedingly difficult task and we hope the IRS takes this analysis and the recommendations therein in the spirit in which they are offered, which is to work with the IRS towards a common goal of providing important information about the functioning of our nonprofit sector. Exempt Organizations represent 10% of U.S. wages and over $1.5 trillion in economic activity and these public filings are the mechanism that Congress has put in place to allow the IRS and the public to monitor the functioning of this vital economic sector.

Please don't hesitate to contact me if you have need for any additional information or if we can provide any additional service.

Sincerely yours,

Carl Malamud
Public.Resource.Org
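The OCR-then-search pass described in the Form 5527 analysis, and the quick pre-release check proposed in Recommendation 6, could look like the following added example. It is not Public.Resource.Org's or the IRS's tooling: the per-page OCR text, document ids and function names are constructed for illustration, and it assumes OCR output is already available as text per page.

```python
import re

# Constructed OCR output: {document id: [text of page 1, page 2, ...]}.
# Every identifier below is made up for this example.
SAMPLE_OCR = {
    "doc-0001": [
        "Form 5527 Split-Interest Trust Information Return EIN 12-3456789",
        "Beneficiary ID 123-45-6789  Trustee ID 219 09 9999",
    ],
    "doc-0002": ["Phone (707) 555-0100  Ref 000-12-3456  Acct 987-65-4321"],
    "doc-0003": ["Preparer SSN 123-45-6789", "", "Donor 123-45-6789 and 123 45 6789"],
}

# 3-2-4 digits with one consistent separator (hyphen or space), not embedded
# in a longer digit/hyphen run. This skips EINs written as NN-NNNNNNN.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ])(\d{2})\2(\d{4})(?![\d-])")

def is_plausible_ssn(area, group, serial):
    """Structural SSA rules: no 000/666/9xx area, no 00 group, no 0000 serial."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def scan_document(doc_id, pages):
    """Return one hit per candidate: (doc id, 1-based page, masked value)."""
    hits = []
    for page_no, text in enumerate(pages, start=1):
        for m in SSN_RE.finditer(text):
            area, _sep, group, serial = m.groups()
            if is_plausible_ssn(area, group, serial):
                # Mask so the audit report does not re-disclose the number.
                hits.append((doc_id, page_no, f"***-**-{serial}"))
    return hits

def scan_corpus(corpus):
    """Scan all documents; return (hits, total hits, documents with a hit)."""
    hits = [h for doc_id, pages in corpus.items()
            for h in scan_document(doc_id, pages)]
    return hits, len(hits), len({doc for doc, _, _ in hits})

if __name__ == "__main__":
    hits, total, docs = scan_corpus(SAMPLE_OCR)
    for doc, page, masked in hits:
        print(f"{doc} page {page}: {masked}")
    print(f"{total} possible hits over {docs} documents")
```

A pattern match over OCR text only sees digits the OCR engine recognized cleanly, so the output is a list of candidates for human review, in line with the letter's wording of "possible hits".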
