WASHINGTON — The Internal Revenue Service's efforts to solve tax problems for individuals by telephone, rather than by mail, has raised serious problems in protecting confidential taxpayer information, according to an internal IRS audit obtained by The Times.
A team of internal auditors, operating a sting this year, found that individuals could easily obtain income data on other taxpayers over the telephone--using only a name, address and Social Security number, according to the report the IRS completed Sept. 30. The auditors successfully obtained confidential tax information in 96 out of 109 telephone calls, including those in which investigators posed as other taxpayers.
"Test calls showed that impostors can obtain tax and income information with a simple phone call," the report says. In a reply to the audit, IRS officials acknowledged the problems and said they have moved to tighten procedures.
Outside experts warn, however, that business conducted over the telephone is generally less secure than by mail.
The internal investigation marks at least the second time the besieged tax agency's efforts to become more "consumer friendly" have backfired with potential compromises of security.
Last year, the IRS hastily withdrew a computer system, designed to allow taxpayers to file returns over the Internet, after a General Accounting Office audit found serious breaches in security that could have compromised private information.
The agency earlier this year was stung by another audit showing that its employees browsed through taxpayer records, looking into the incomes of celebrities, relatives and former spouses. As a result, Congress passed legislation making such browsing a federal crime.
Privacy is considered a cornerstone of the tax system, and experts have warned that the nation's entire tax system would be undermined if the public comes to distrust the IRS' ability to protect confidentiality.
Sen. William V. Roth Jr. (R-Del.), the chairman of the Senate Finance Committee who convened recent hearings into taxpayer abuses, said the report "underscores our concern for taxpayer privacy protection."
"While I am gratified to learn that the IRS checks their own systems for the ability to keep taxpayer information private, I am concerned that the IRS seems to have failed the test," Roth said. "I am even more certain now of the need for a thorough overhaul of this troubled agency."
An IRS spokesman said the agency did not have any information on whether impostors have breached confidentiality. Under the Tax Code, it is a federal crime for IRS employees to give tax information to unauthorized parties. The tax code, however, apparently does not outlaw attempts by individuals to obtain such information.
In a response contained in the audit, IRS management said it began in July to ask individuals for their date of birth and up to two additional pieces of identification-verification information. The more stringent practices are scheduled to be entered into the IRS' tax manual for employees next month.
Nonetheless, the report warns that the agency's efforts to improve customer service by moving away from paper correspondence toward telephone calls "brings greater risks."
"Our review identified weaknesses in the way the service discloses information over the telephone," the report said. "As phone usage grows to better serve customers, protecting privacy is a concern."
The IRS is often called the world's largest financial institution, operating toll-free telephone lines that handled 45 million calls in 1996 and that will handle an estimated 60 million calls this year.
The agency is being pushed to assist people over the telephone much the way banks and credit card companies do. Until recently, the agency has not done so, largely because of outdated telephone and computer systems.
Nonetheless, IRS telephone representatives can obtain by computer adjusted gross income, taxable income, withholding and tax paid for an individual, an IRS spokesman said.
The internal auditors conducted test calls from 17 offices throughout the agency's Northeast and Western regions, placing 109 calls from July 1996 to February 1997.
In at least a portion of the calls, the audit team obtained the permission of other taxpayers to take on their identities, including a schoolteacher, sports announcer, mayor, building contractor, school principal, IRS service center director, dentist and IRS worker.
The auditors then obtained addresses and Social Security numbers for the individuals on the Internet. The report noted that Social Security numbers have become widely available and that a number of states now use Social Security numbers on driver's licenses.