Expediency and red tape collide in IRS mobile app release
While an Internal Revenue Service mobile application that lets taxpayers check the status of refunds is secure, according to a federal watchdog, he scolded the IRS for breaking procedural rules to get it to market quickly.
The IRS2GO app, which also allows users to receive tax tips and the latest agency Twitter messages, launched Jan. 20 at Apple's App Store and Google's Android Market. In an audit released Tuesday, the Treasury Inspector General for Tax Administration found that all sensitive data a user enters, such as a Social Security number or refund amount expected, is encrypted or coded in a way that blocks interception during transmission.
Since its release, IRS2GO had gained 147,205 iPhone users as of May 15, and 178,773 Android users as of March 1.
The IRS, however, cut through red tape to publish the app, in part by using unauthorized programming language, as well as unapproved open source software -- programs with coding that is freely available to the public for modification or reproduction, the report stated.
Government procedures call for obtaining a waiver to use such tools, but IRS officials said in the interest of time they made a decision to bypass this step, according to the audit. Skipping the waiver process would have been permissible had they documented the reason for sidestepping procedures. But they overlooked this step too.
"The IRS could not provide any documentation of the risk-based decision and informed us that it was a verbal decision," wrote Michael R. Phillips, TIGTA deputy inspector general for audit.
He added, "Management was aware of the requirement to request waivers for the application more than two months prior to the release of the application to the public, and despite the recommendations of both the contractor that performed the code review and the IRS cybersecurity organization staff, the [agency] did not request waivers for the use of these nonapproved technologies."
IRS officials told inspectors they would follow the rules going forward, according to the report. In developing future apps, the agency plans to obtain the proper waivers before deployment and document any risk-based decisions.
Another slip-up: the IRS was not authorized by senior management to release the app to the public on the launch date. A senior agency official had not signed off to accept responsibility for cybersecurity safeguards until five days after the fact, according to the report.
"While the IRS2GO application did not have any significant security issues when it was released to the public, using a system development approach that does not comply with Office of Management and Budget [regulations] increases the risk that applications release to the public may contain security or privacy weaknesses," Phillips wrote.
The IRS has since agreed to make sure all future enhancements are preapproved by an authorizing official, the report states.
Currently, the app software does not store any sensitive information on users' phones and blocks users from copying and pasting data, functions that if not disabled could assist data thieves.
"While no significant security problems were identified, development of future smartphone applications should follow approved processes to avoid introducing unnecessary risk into the development process, which essentially could result in the development of vulnerable software," Phillips noted.
In an Aug. 3 letter responding to draft findings, IRS Chief Technology Officer Terence V. Milholland wrote, "As this is the first mobile application developed by the Internal Revenue Service we recognize we have more work to do to ensure we fully document our work and receive necessary waivers on a more timely basis under our rapid development process."
The agency's app strategy is to stick with one mobile tool that will offer new features continuously, rather than release separate apps to, for example, see the line items on a filed tax return.