IRS to relaunch more secure data retrieval tool for 2018-19 FAFSA

After making security and privacy tweaks to the disabled data retrieval tool, the IRS will relaunch the tool on Oct. 1 for 2018-19 FAFSA applicants.

IRS to relaunch more secure data retrieval tool for 2018-19 FAFSA
Magdalena Petrova

Millions of students were affected when the IRS disabled the IRS Data Retrieval Tool (DRT) back in March due to security concerns. Taking down the data retrieval tool caused havoc for students applying for the Free Application for Federal Student Aid (FAFSA). At the time, the IRS said the online data tool would be “unavailable for several weeks.”

Months later, starting on Oct. 1, the IRS DRT will be reinstated in time for the 2018-19 FAFSA cycle.

The changes, which were implemented to “enhance the security and privacy of sensitive personal data transferred to the FAFSA from the IRS,” included limiting the information displayed to applicants. This is to prevent malicious actors from illegally obtaining personal information such as “name, Social Security number, date of birth, address and tax filing status.”

After yanking the DRT, the IRS explained, “A malicious actor could create an FSA ID, begin completing a FAFSA or IDR application, use the IRS DRT to obtain taxpayer information, and then use that information for illegal purposes, including filing false tax returns in hope of receiving tax return refunds.”

The data retrieval tool was taken down in March after the IRS detected suspicious activity indicating identity thefts. The agency reportedly mailed breach notifications to 100,000 taxpayers who might have been affected.

The reinstated IRS DRT:

will limit the information that displays to the applicant in order to enhance the security and privacy of sensitive personal data transferred to the FAFSA from the IRS. This solution will encrypt the taxpayer’s information and hide the information from the applicant’s view on both the IRS DRT web page and on the FAFSA web pages. While students and parents will still be able to electronically transfer their IRS tax return information into the FAFSA, the information will not be visible to would-be malicious actors.

According to James W. Runcie, chief operating officer of Federal Student Aid, the IRS and FSA “acknowledge that some FAFSA applicants may have concerns about not being able to see the information they are transferring from the IRS into the FAFSA, and that there will be other challenges to applicants and to institutions (e.g., confirming results and making corrections). However, we believe that this solution provides potentially the best balance between access to federal student aid and the privacy of personal information and to maintaining the integrity of our tax collection system.”

Back on June 2, the U.S. Department of Education announced that the IRS DRT was available “for borrowers applying for an income-driven repayment plan.” The link above is a capture by the Wayback Machine as that press release now results in a 404 “page not found” error on the IRS website.

Reminder: The IRS may decide to audit after data-mining your social media

While we are discussing the IRS, it’s a good time to remind taxpayers that what you say online, as well as the pictures you post, can be a deciding factor to be audited. Some people may be trying to dodge the taxman, but “those Facebook posts from your vacation on a white sand beach, or that purchase of a fancy new vehicle, could be attracting views from the federal government.”

The same would true for people who flat-out lie. You don’t have to look beyond dating websites to realize people exaggerate about everything from their weight to their “riches.”

The Spokesperson cited a report by Washington State University business professor Kimberly Houser (pdf) that included numerous examples of how the IRS has data-mined social media and used that information to audit people.

Houser said the agency uses data analytics to decide which taxpayers to audit, based on “private, highly detailed profiles” of taxpayers created from sources other than tax returns or third-party reports, such as W-2 wage information. Her report says the IRS mines commercial and public data, including social media sites such as Facebook, Instagram and Twitter. The information is added to IRS databases, and algorithms are used to identify potential tax evaders, the report said.

Houser warned that the IRS is breaking privacy laws with all that data mining. Many privacy statues “were written before the internet was widely used, and certainly before social media,” she said. “My instinct is that because the law is not worded as broadly as it could be to cover these situations, the IRS has just taken the stance of ‘Let’s just do what we can until someone tells us we can’t.’”


Copyright © 2017 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)