Update on Taxes and Terrorism: Why Clients’ Data Could Become Vulnerable
Since this article was initially published in December 2015, the FBI has attempted to compel Apple, Inc. to defeat its own encryption for the purposes of accessing the information on the iPhone of Syed Rizwan Farook, perpetrator of the mass shootings in San Bernardino in December of last year. Apple has thus far refused to obey a federal court order to provide access to the phone, based in part on a First Amendment argument that code-writing constitutes free speech. A federal court in California will hear arguments on March 22, but promises from both the Justice Department and Apple, Inc. to appeal any decision against their respective cases mean the dispute is unlikely to conclude at that time. The case is certain to have far-reaching implications for the nature of digital security both here in the United States and abroad.
The world watched and listened in horror recently as reports of terrorism in Paris and San Bernardino, Calif., dominated the airwaves. In what is becoming a regrettably familiar scene, countries around the world joined the victims in mourning. But as the days wore on, attention increasingly turned to the covert, encrypted digital communications of the perpetrators. The government has begun questioning the wisdom of unbreakable encryption as a result. It might all seem a million miles from the concerns of tax practitioners. But is it?
In the wake of potential terrorist attacks, government officials are again addressing the complexities of obtaining intelligence data in an encrypted world. John Brennan, Director of the CIA, recently outlined these complexities in a talk at the Center for Strategic and International Studies in Washington:
"In the past few years because of a number of unauthorized disclosures and a lot of hand-wringing over the government's role in the effort to try to uncover these terrorists, there have been some policy and legal and other actions that are taken that make our ability, collectively, internationally to find these terrorists much more challenging. And I do hope that this is going to be a wake-up call."
The hand-wringing and unauthorized disclosures to which he is referring came after the revelations of the Edward Snowden leaks. Companies such as Google and Apple, among others, took steps not only to strengthen the encryption employed on their devices, but also to make sure even they cannot force their way in. Rights to privacy, they reasoned, trumped the government’s right to collect information, especially if that information was being obtained as a result of a legal gray area.
The Two Sides of the Argument
From the perspective of the agencies charged with protecting Americans, there should be no haven for illegal communication. They argue that when strong encryption prevents them from accessing emails, texts or other communications among suspected terrorists, they are unable to anticipate and prevent attacks. For these agencies, the answer is simple: a “backdoor,” or concealed way available only to the government to unencrypt data.
But that backdoor might not remain available only to the government, argue the tech companies. They liken this idea to putting a key under the mat; safe as long as you are the only one who knows it’s there, but not for long once someone else finds out. The tech companies say leaving an entrance for government means creating an eventual gaping hole for thieves and worse, as well.
Keen to avoid complicity both in illegal searches and seizures and in the commission of thefts, the tech companies are adamant that there should never be a backdoor for any government agency to circumvent encryption. Independent tech experts agree.
Many point out that even if American companies were to comply, no such mandate for government access to encrypted systems exists globally. In short, terrorists could simply get their cell phones, tablets and laptops from another supplier in another country, and be right back at covert communication. Furthermore, they argue, the government’s record in selectively capturing private data is hardly pristine.
Meanwhile, government agencies struggle to address real-world threats, many times with their hands tied. While metadata--which contains information such as the identity of senders and receivers--is not usually encrypted at all, communications such as texts and emails that might go strictly from one device to another without a server intercept are inscrutable without some kind of access.
Why Does This Affect Tax Practitioners?
Right this very moment, the computers and mobile devices at your practice are brimming with sensitive customer data: Social Security numbers, bank account numbers, phone numbers, addresses, and much more. If you employ best practices, these devices are secured from internet access, behind one or more firewalls, and their data is stored on encrypted drives.
If the recent tragedies lead to changes in the law, before long your encrypted drives and other devices could have a legally mandated backdoor installed for government access. If a hacker should discover how to exploit that backdoor (and let’s face facts, they usually do), the information you store could be up for bids.
With new hacks on giant corporate servers happening daily, we are seeing more theft of private information than ever before. As a steward of the data that makes your clients’ financial lives possible, it is important to keep up not only with best practices for securing that data, but also with laws that could affect your ability to do so effectively.
For now, it’s a very good idea to review your security practices with your IT provider. Stay abreast of developments in the law, ensure you are using updated versions of all your software, and review best practices for securing client data with your staff. It’s the best way to gird yourself against experiencing any more tragedy.
Adam Junkroski, Lead Manager-Tax Communications, American Institute of CPAs.