[EDRM Editor’s Note: EDRM is happy to amplify our Trusted Partners’ news, education and events.]
This week, the Internal Revenue Service (IRS) began to roll out a pilot for the agency’s free online tax-return filing program, known as “Direct File”. What should be a straightforward and beneficial program has already become the subject of numerous conflicting news stories and debates, casting the program and its motives as dubious. While the well-funded pundits and politicians in Washington will continue to debate whether spending government funds to develop and run this program is in the best interest of the wealthy or the tax-paying public, the success of the pilot will hinge on whether tax filers see benefits when compared to existing options and feel safe and secure opting in.
Direct File is intended to offer taxpayers who qualify a new alternative beyond what’s available today, which includes mailing in paper forms and bank checks, filing electronically through a for-profit tax return software company, or engaging a paid tax professional. From either a computer or mobile device, taxpayers who receive an email invitation from the IRS can visit directfile.irs.gov and, after validating their identity, complete their federal tax returns at no cost. While the pilot will initially be available to only a select group of taxpayers in thirteen states, the program could make filing returns much more convenient, and safer, for eligible participants.
Before we assess how Direct File stacks up in terms of protecting taxpayers and their data, to set the scene, let’s briefly look at past and current efforts from the government to aid both lower- and middle-income individuals with filing returns. It may come as a surprise, but there is already a program through the Free File Alliance that offers free online tax filing for most taxpayers.
A History of Failed Free Filing Alternatives
If you haven’t heard of the Free File Alliance before, you’re certainly not alone. Despite over 70% of taxpayers being eligible for free electronic filing each year, only about 2% of them use the program annually. This low uptake is largely attributed to the lack of public awareness, which arguably is not accidental, but rather the result of misleading tactics by for-profit tax software giants.
The Free File Alliance is a private-public partnership first established in 2003 with the aim of providing Americans access to free online tax filing, using existing free-market technology. It began as a collaborative effort between the IRS and 17 private tax preparation companies, headlined by Intuit (maker of TurboTax) and supported by other significant players such as H&R Block and TaxAct. As part of the alliance, these companies committed to providing free online filing services to eligible taxpayers. In exchange for private companies providing this service to those eligible, the IRS agreed to stay out of the online tax filing business.
While the government’s decision to establish the Free File Alliance may have been well-intentioned, the execution of this partnership was marred by the self-serving actions of the private entities involved. These companies had agreed to make free tax filing available to a broad segment of taxpayers, but some of them purposely made it difficult to access or learn about the program, all while enjoying no competition from the IRS thanks to their partnership.
Many taxpayers found themselves navigating a confusing maze of web pages and fine print to access these free services, while most were unknowingly steered towards paid services through “dark patterns”. A 2020 report by the US Treasury Inspector General for Tax Administration revealed that out of the 12 commercial companies participating in the Free File program at the time, at least 5 were using coding techniques to hide their free service from search engine results. Along with hiding the free options, these companies used misleading marketing to trick taxpayers into thinking they had found a no-cost service. While the commercial applications were advertised as “free” (such as TurboTax’s “Free Edition”, which often made people pay), the genuine Free File options were obscured through confusing naming conventions and hidden locations (TurboTax’s Free File service was labeled the “Freedom Edition” and was not accessible via the main TurboTax website).
As of 2019, only 2.4% of the 104 million taxpayers eligible for the Free File program used it, with over 30% instead using commercial software from Free File Alliance companies. Through clever marketing tricks and obfuscated options, at least half of those eligible ended up paying for services that should have cost them nothing. Based on publicly available data and statements by Intuit executives, ProPublica estimates that in 2019, over $1.5 billion in estimated revenue, or more than half the total that TurboTax generated, came from people who could have filed for free if they found Free File.
Since then, several of these companies, notably Intuit and H&R Block, have faced lawsuits for their conduct. Last year, TurboTax was told to pay a $141 million settlement for misleading low-income tax filers into paying for services that should have been free. This year, the FTC ordered Intuit to stop labeling programs as free when most people pay for them. Citing various reasons, both companies have withdrawn from the Free File Alliance. The Free File Alliance continues to exist, but without any of the major members, and still struggles with a limited user base (down 16% this last tax filing season).
In response to these developments, the rule barring the IRS from making their own service was removed in 2020, leading the Government Accountability Office (GAO) to suggest exploring alternative options in a May 2022 report to Congress. As part of the Inflation Reduction Act, which President Joe Biden enacted last August, the IRS received funding and a mandate to explore the development of a “direct file” system. This directive included a nine-month timeframe and a budget of $15 million for the IRS to prepare a report detailing the implementation strategy for such a program. This past spring, the IRS released a feasibility study that covered various aspects of the proposed direct file system. Since then, directed by the Treasury Department, the IRS has been developing a pilot for the upcoming filing season.
There is little reason to think that the Direct File pilot will launch with no hiccups or challenges, but that’s to be expected. Pilot programs, by their very nature, are a learning experience. They aren’t expected to be flawless but are rather designed to test core functionalities, leaving room for improvement and addressing more complex requirements in subsequent phases. For this program to be successful, the keys are attracting enough eligible taxpayers willing to participate, not having any major technical or support issues, avoiding any significant cyber/privacy incidents, preventing delays that lead to late filing or delayed refunds, and maintaining a secure data pipeline.
Since last May, when the IRS first announced its intention to launch a Direct File pilot, various claims and assertions undermining the trustworthiness of the IRS and of this program began to surface in both local and national news. Direct File’s future will, at least in part, be determined by the success of the pilot, and misinformation could easily discourage eligible participants from taking part, underscoring the importance of critically analyzing the actual risk to tax filers.
Evaluating Cyber and Privacy Tax Filing Risks
To understand the risks that come with filing tax returns, we need to look at what actually hurts taxpayers. We need to consider how tax filing alternatives stack up in terms of their vulnerability to trending cyber threats which are likely to expose taxpayers to immediate and longer-term financial losses or credit and reputational damage. From a privacy and fraud standpoint, this could include:
- Theft of sensitive personal and financial information and identity credentials,
- Committing fraud online or through the mail to steal tax returns,
- Exposure to phishing and social engineering scams, or even,
- Personal income and lifestyle data exploited for unwanted, targeted advertising.
How Direct File Could Reduce Data Exposure Risks
Fewer eyes on your data, smaller attack surface
A key advantage of Direct File is that taxpayer data is exclusively handled by the IRS. Using Direct File can help taxpayers minimize the number of organizations that process their data, which limits the potential opportunities for a cybersecurity incident to expose their information. Both the tax preparation industry and the IRS have experienced cyber incidents.
When filing taxes through tax preparation software or a tax professional, who will ultimately share some of your data with the IRS, there are at least two potential points of attack for malicious actors to steal your information. If your tax preparer relies on seasonal help in their office or offshore contractors, or if the tax preparation software stores data abroad or shares it with their vendors, the number of points of contact increases, driving up the risk of a weak link that could expose data. Direct File reduces this risk by limiting the interaction to a single entity.
Safer and more accountable than paper-filing
For those who still file paper returns by mail to avoid having to pay, Direct File will provide a cost-free alternative that reduces cumbersome processing and avoids postal mail submissions and checks, which are more easily stolen or lost. Transitioning from paper filings will reduce return processing backlogs and improve cybersecurity by introducing a traceable chain of custody for data and funds. If even a small percentage of taxpayers who filed by mail started using Direct File instead, it would likely make a huge impact on the efficiency of processing returns. Despite only 8% of returns being filed on paper, they account for nearly 70% of the IRS’s processing costs. Processing a paper-filed Form 1040 costs the IRS $7.33, in contrast to just $0.28 for an e-filed return.
Let’s not forget that most tax professionals will also collect heaps of paper forms, receipts, and other documents that they review during tax return preparation. It can be difficult to manage physical files for clients and guarantee their safe return to taxpayers after filing is completed.
Convenience, without extraneous personal monitoring
The IRS has also noted that Direct File will be mobile-friendly, and “will work as well on a mobile phone as it does on a laptop”. Depending on how the IRS implements this, the program may offer taxpayers a new way to file taxes on mobile devices that forgoes mobile apps, which seem to gather extraneous data and excessively track users. Hopefully, Direct File will use a mobile-friendly website rather than a mobile app, since an app would make security and privacy more difficult. We have sampled a variety of the current popular mobile apps used to file taxes (all of these are Android apps, downloadable via the Google app store). Every app sampled requires certain permissions classified as dangerous or special level under Google’s protection level guidance:
- TurboTax App: 6 trackers, 26 permissions
- CashApp (CashApp Taxes): 3 trackers, 28 permissions
- MyBlock (H&R Block): 4 trackers, 23 permissions
- TaxAct Express: 4 trackers, 10 permissions
- Liberty Tax: 4 trackers, 13 permissions
No incentive to monetize personal data
Tax software services often share personal information, ranging from user identifiers to sensitive personal information, with their affiliates (for example, TurboTax, QuickBooks and Credit Karma, which are all part of Intuit) and with social media. Multiple big tax-filing service providers, in particular TurboTax and H&R Block, were found to be sending sensitive user data to platforms like Facebook, and they will try to prompt you to allow them to send your tax information to their various business divisions or overseas partners.
By comparison, “The IRS Office of Safeguards prohibits sharing and transferring federal tax information (FTI) using any social media application and/or collaboration tools due to security risks.” Using a direct-to-government program, taxpayers can circumvent the shady practices of companies intent on leveraging their information for financial gain. While vendors may exploit data privacy for unanticipated and unwelcome uses, the IRS will never do this.
Direct File Risks That Need Additional Monitoring
Federal and State Tax Filing System Integration
One of the biggest criticisms of this program is that Direct File will only cover federal tax returns; it is not going to prepare state returns. For the pilot program, nine out of the thirteen states participating have no generally applicable state tax, so this shouldn’t be an issue for many eligible participants. However, in the remaining four states — Arizona, California, Massachusetts, and New York — after completing and filing a federal return, Direct File will direct taxpayers to a state-endorsed platform for preparing and filing their individual state tax returns. For these states, the extra steps for state filing add a layer of complexity that could potentially lead to costly errors.
Two out of these four states already have their own systems in place, with proven track records of success. California has CalFile, its own free direct-to-government filing system for state taxes, which is safe and convenient. CalFile and its predecessor ReadyReturn have been operational since 2005 and are utilized by a considerable number of Californians each year without issue. Massachusetts has MassTaxConnect, which has been in use for over five years and is similarly effective and user-friendly. Participants in either state should face minimal issues when it comes to the transition between filing their federal taxes through Direct File and then moving to a state-organized solution.
In contrast to the approach taken by California and Massachusetts, New York and Arizona had opted to work with the Free File Alliance for state returns rather than make their own direct-filing system. Now, both Arizona’s Department of Revenue and New York’s Department of Taxation and Finance are partnering with Code for America, a leading civic-tech nonprofit that works with community leaders and governments to build equitable digital tools and services, to create their own state filing programs to be seamlessly integrated into the Direct File system. Code for America has a history of successful collaborations with various government organizations and a track record of developing user-friendly and efficient solutions, so it will likely bring valuable expertise to the project.
Observing how adept these two states are at developing effective solutions will also provide valuable insight into the potential success of the Direct File program after the pilot. While fourteen states already have their own state-organized return systems, and nine more states have no state income tax, there are still about half of the nation’s states that would need to develop their own systems to keep pace.
Leveraging the novelty of Direct File for social engineering attacks
Another concern is the potentially higher risk of social engineering attacks on taxpayers who are planning to use Direct File. Most people are aware of the current filing options and of the many sources of hints and tips for avoiding identity theft and tax return fraud. However, because Direct File is new and users will be unfamiliar with it, there’s a greater risk of fake emails, man-in-the-middle (MITM) attacks, and spoofed filing websites fooling taxpayers who do not know what to expect from the Direct File experience. Let’s hope that the IRS works hard to prevent this!
Providing sufficient rollout support to tax filers
Implementing a customer service system for Direct File will likely be one of the biggest hurdles for the IRS as it rolls out this program, but the IRS is clearly aware of the need for adequate customer support and is actively working to make sure it can provide it. The report released by the IRS suggests that around 80% of the annual cost of the program would go towards customer service.
For the pilot, participants will be able to receive assistance from IRS personnel who will staff the customer support for Direct File. These IRS customer service representatives will offer technical assistance and basic explanations of tax laws relevant to the scope of Direct File. Compared to current options, this doesn’t stick out as beyond the level of service provided by for-profit software solutions today.
For comparison, an internal Intuit analysis of customer calls from 2019 highlights how frequently customers experience confusion and dissatisfaction with private tax-prep companies, noting that, “customers need help on their taxes and seem to think if they click on Live Tax Advice, they will get someone live to assist them”. The analysis also reveals inefficiencies in customer support, where “Agents are struggling to help customers as they seem to not have/know the troubleshooting steps” and repeated instances where, “Agents are suggesting an upgrade for customers when [they] don’t need it”.
Managing funding for ongoing operational support
Another issue, which we covered in a previous article, related to the potential future expansion of the program, comes from the volatility of funding the IRS receives. What happens if or when a shifting political climate or new legislative priorities lead to the IRS defunding Direct File either partially or completely? Will the IRS be able to keep the system secure, up to date, and supported? Will there be funds to eventually provide seamless integration with state filing systems? These unknowns could inject vulnerabilities if not handled properly.
Can Eligible Taxpayers Feel Safe with Direct File?
Based on what we know today, should taxpayers who qualify for the Direct File pilot feel comfortable participating? While our state isn’t participating in the pilot, based on our understanding of the risks, if we qualified, we would take part in it. The Direct File system offers several compelling advantages that align with our priorities for a safe and efficient tax filing process.
Despite potential challenges for users, such as navigating a new system or managing the complexity that comes with having to separately handle state filings, the overall benefits are convincing reasons to participate. Furthermore, the prospect of contributing to a system that could potentially transform and simplify tax filing for millions of taxpayers is an opportunity that we would embrace.
Remember that if you use any tax filing service, no matter whether it’s a third-party provider or a direct-to-government platform, cybercriminals often try to exploit passwords obtained from other sources. So, however you choose to file, and whether or not you decide to participate in the Direct File system, it’s crucial to use unique and strong passwords and always opt to use a secure, second form of authentication. This practice helps ensure that even if your credentials are compromised elsewhere, they can’t be used to access your account through the Direct File system. Always prioritize your online security, especially when handling sensitive information that you wouldn’t want to wind up in the hands of criminals.