Several political organizations included the Social Security numbers of thousands of their donors on forms filed with the Internal Revenue Service (IRS), despite the fact that the IRS instructed them not to do so. Moreover, a federal law requires “any application or notice” of the kind these groups filed with the IRS to be made publicly available, and a separate provision of the same law requires IRS disclosures to be made online. As a result, tens of thousands of Americans’ sensitive personal information was available to anyone online at the IRS’s website, although that information has since been pulled down.
The IRS took down the database containing the sensitive forms after Carl Malamud’s Public.Resource.Org discovered the issue while auditing another disclosure of sensitive information made directly to his organization. In a statement released on Sunday, the group explained that it “has discovered that the Internal Revenue Service has posted the Social Security Numbers of tens of thousands of Americans on government web sites. The database in question contains the filings of Section 527 political organizations such as campaign committees.” The IRS appears to have removed the database from their website on July 3rd.
While filers are not supposed to include documentation using social security numbers with public filings, when they do the IRS position has historically been that it is “required to disclose approved exemption applications and information returns” and that “with limited exceptions, the IRS has no authority to remove that information before making the forms publicly available.”
A statement released by the IRS about the 527 database situation reinforced this point, noting the “law requires the IRS to publicly post forms, such as Forms 8871, 8872 and 990, that are submitted by section 527 organizations” and that it “frequently and routinely reminds organizations of the public disclosure of these forms and urges them not to include personal information, including Social Security numbers, in their public filings.” The law requiring this disclosure appears to be Title 26 Section 6104, which requires “any application or notice filed” to be made publicly available with very limited exceptions that do not include the protection of personally identifiable information.
While this incident obviously represents a very serious breach of privacy, it appears to arise from a genuine legal bind: The provision of law quoted above doesn’t appear to give the IRS leeway to withhold Social Security numbers from its public website, however strong the moral case is for doing so. Notably, IRS did decide the law was flexible enough to allow them to remove the database after Malamud raised the issue of the Social Security numbers being posted online.
In a conversation with ThinkProgress, Malamud questioned why the IRS did not have a procedure in place to reject public filings that included social security numbers or other obviously erroneously submitted information. He also said the IRS was aware that this data was part of public disclosures, but argued they couldn’t do anything about it until last week after he contacted the U.S. Treasury Inspector General for Tax Administration upon discovering said information was easily accessible from the website.
Malamud believes that posting social security numbers to the IRS databases should have been blocked under the Privacy Act of 1974 and the E-Government Act of 2002. Detailed guidance from the Office of Management and Budget and the President specifically tasks agencies with taking “appropriate steps necessary to protect personal information from unauthorized use, access, disclosure or sharing.”
Removing the database is also a major blow to transparency activists and journalists who rely on the 527 database to make meaningful connections about influence and campaign spending. As of this posting, the page for the database currently notes that the Political Organization Disclosure database is “temporarily unavailable” and asks visitors to “check back Monday, July 8, 2013.” As of the time of this posting, the IRS has not answered ThinkProgress inquiries about when the database will return, how long the Social Security number data was available to the public via the website, or the specifics of the legal framework of the disclosure.