Using Tax Software? Warning: The Software You Choose May be Sending Your Personal Data to Foreign Countires

WARNING: The popular Intuit TurboTax software plays Man-In-The-Middle with your personal income tax data and sends your information DIRECTLY to foreign countries.

Since its tax season again I want to share my experience using tax software.  I believe in privacy and I protect my personal information.  I don’t want to be a victim of identity theft.  For that reason I would NEVER choose to use a web based tax filing software.  If I choose to give my personal info to an accountant, I expect them, as professionals, to follow their professional rules of conduct and safeguard my information.

I was a long time user of Intuit TurboTax (nee QuickTax) for filing my and my family’s personal income tax returns.  The benefit to me for using the same tax software year after year was the ability to import previous tax returns to simplify data entry.  After all, there was a form of trust between us – Canada Revenue Agency (CRA) gave Intuit the “Thumbs Up” as a legitimate electronic tax software vendor.  Up until the 2014 income tax year we could file our income taxes electronically directly with the CRA.

After CRA and other Canadian government agencies were hit with the Heartbleed bug in 2014/2015 and the problem was finally revealed to the media with much fanfare, some bureaucrat in the government decided that security of Canadians data was/is best left to be ensured by private industry.  For the 2014 income tax year CRA no longer allowed individuals to directly submit their income tax filings to the CRA using their web browsers.  CRA now forces all electronic filers to use income tax software from a select group of vendors to file directly with the CRA.

I didn’t discover this change until I was ready to NETFILE my income taxes.  I went to save my “.TAX” file but to my horror TurboTax no longer allowed me to do this.  Even worse, TurboTax kindly informed me that they are now filing directly on my behalf with CRA and that I had no options.  WTF?  Screw that.

Bombshell #1

I thought to myself – screw Inutit and TurboTax, let me go to CRA and see what the real story is.  Here’s bombshell #1 (this is directly from CRA for the 2014 tax year)

NETFILE is an electronic tax-filing service that allows you to send your individual income tax and benefit return directly to the Canada Revenue Agency (CRA) using the Internet and a NETFILE-certified software product. It streamlines the tax-filing process and offers the following benefits:

  • It is secure and confidential.
  • File your returns directly from one of the NETFILE-certified products available using the NETFILE webservice.
  • No more need to upload your “.tax” file.
  • Refunds are issued faster (in most cases, with direct deposit, you can receive your refund in as little as eight business days).
  • It is more accurate (because the CRA doesn’t re-key the information, there is less chance of errors).
  • You don’t have to mail a paper return.
  • You don’t have to send in receipts, unless the CRA asks for them at a later date.
  • You get immediate confirmation that the CRA has received your tax return.

That couldn’t be right.  So I called CRA directly.  The agent told me that I could either use one of the certified NETFILE software packages listed on the CRA website to transmit data electronically, or, mail in a paper tax return.

Bombshell #2

Maybe I was just being a little too paranoid?  Should I try being a little more trusting and use the tax software and see what happens?  After all, this is Intuit, a large Canadian employer that makes accounting software.  They should be trustworthy…

OK – I still wasn’t comfortable with the whole black box approach.  So I installed TurboTax on a brand new clean Virtual Machine install like I always do.    For the non-initiated, Virtual Machines are a full Personal Computer (PC) image I can operate in a sandboxed window on a host PC. After installing and updating the TurboTax software, I would disconnect the Virtual Machine from the network.  I would do my taxes, save the .TAX file to a shared folder, then I upload the .TAX file using  a different secure PC.  I do this because I am always suspicious that certain software vendors upload my personal data to unknown servers without my knowledge or consent.  Using the Virtual Machine allows me to install the TurboTax software on a PC with zero personal footprint – no emails or contact lists or network information that can be harvested and uploaded to some remote server.

To file my taxes, I had to enable the network connection on the Virtual Machine and allow TurboTax to upload the TAX file directly to CRA.

Before I enabled the network adapter, I ran Wireshark.  Wireshark is a free, open source, network packet analyzer software.  It allows me to capture, filter, and inspect all packets of network traffic in and out of my network device.

I filed a simple tax return for my kid using TurboTax.  Then I looked at my Wireshark logs expecting to see connection(s) to a CRA website.  Instead, all of my tax return data was uploaded to “https://netfile.turbotaxonline.ca” at IP Address 64.34.20.86.

A little bit of digging – I used a software program called “Traceroute” which revealed that my tax return was uploaded to a 3rd party owned server farm located in New York, NY, USA!  To confirm this, I used another program called “Whois” to see that IP Address really did reside in the US.

I called Intuit and spoke with one of their customer support reps. I asked why my income tax return was being uploaded to a server in New York and NOT to CRA as expected.  The rep told me that all data was encrypted and sent to CRA on my behalf.  When I told them I was very unhappy that my tax returns were being sent to a foreign country without my knowledge or consent, the rep told me that if I was dissatisfied with my purchase, I could get a full refund of the purchase price on the TurboTax software by faxing a request to customer service.  I did just that.

I called CRA again.  When I explained my concern that TurboTax was playing Man-In-The-Middle with our tax returns, the agent insisted that the data transfer was totally secure and said if I didn’t trust the software services then I could choose to mail my return in.

Why should YOU care WHERE your tax return goes?

The answer is simple.  I am Canadian.  I am subject to and follow Canadian laws.  In Canada, I only have to provide my social insurance number and personal data to the Government, my Employer, and my Bank.  To everyone else its hands off.  When your data is sent directly to a foreign country, it’s all-bets-are-off when it comes to following and enforcing Canadian laws.  Those countries can and will do anything they like with your data with unknown repercussions.

OK now what – I still want to e-file my taxes because its easier and faster…

Immediately I started reviewing every software vendor on CRA’s approved software for NETFILE list.  I excluded all web based “online” tax software because I would have no clue where my tax returns were being stored or how MY information was being processed.  In my mind, when I install a software package on a local computer, I can ensure that my data is being stored on my own PC.

On the FREE software list I found StudioTax, a small software vendor based in Ottawa, Ontario.  What caught my interest was that they advertised the following:

StudioTax – Serving Canadians since 2004!

StudioTax is the pioneer free tax software in Canada. This is where free tax software started!

Proudly Canadian: StudioTax is made in Canada, only made for Canada and supported from Canada.

You do not have to guess what version you need or can afford. Only one fully functional version with 20 returns is available for all at the affordable cost of $0.00/return and regardless of level of income!

StudioTax is FREE for personal use with no strings attached:
NO name, phone number, address, email, or credit card number.
NO login or a need to create an online account.
NO coercion to get you to upgrade or pay for other software or services.
NO registration.
NO license key.
NO software activation.

Security of your personal information

StudioTax is the most secure option to prepare and file your return. StudioTax is a Windows/Mac installable program and NOT an online application. Unlike online applications where you have to trust a private third party for the security of your valuable personal information, StudioTax gives you full control over your security. StudioTax installs on your computer’s local hard drive, saves your returns on your computer’s local hard drive, and absolutely NO information, personal or otherwise, leaves your computer.

I installed the software, completed a second simple tax return, then uploaded the file.  To my relief, Wireshark only showed connections to a CRA server.  Unfortunately, StudioTax could not import data from my old TurboTax returns meaning I had to manually input all the data.  The interface was not as slick as TurboTax, but it generated the exact same results as TurboTax.  Best of all, my tax return stayed in Canada.

I decided to write an email to my Member of Parliament, Hon. Michael Chong:

Dear Michael Chong

I am concerned that for the 2014 tax year the Canada Revenue Agency no longer allows us to file our personal income taxes electronically directly with the CRA.

Up until last year I could electronically file my income taxes by logging into a secure CRA web server located in Canada and send them my income tax files.

Starting this year, the CRA is now forcing me to electronically file my income taxes using third party software vendors that intercept, store, then transmit my personal information with servers located outside of Canada.

I purchased software that was recommended by CRA as “Certified software for the 2015 NETFILE program”. (For your reference http://www.cra-arc.gc.ca/esrvc-srvce/tx/ndvdls/netfile-impotnet/crtfdsftwr/menu-eng.html) The program I purchased was TurboTax for Windows and I purchased it from Walmart on CD-ROM.

When it came to NETFILE my return I discovered that the software is trying to upload my income tax return not to the CRA as expected but to a third party server “https://netfile.turbotaxonline.ca”. Upon investigation I found that this website is owned by “Intuit Canada ULC” (the makers of TurboTax software) and the server is located at IP address 64.34.20.86 which is located in New York, NY, USA. I contacted Intuit and was told that all income tax data now had to be electronically sent through them as was dictated by the CRA.

I contacted the CRA today and explained that I wanted to NETFILE directly to the CRA as I have done yearly since it has been available to me in 2003.

I was told by the CRA agent that I now had to file electronically through an approved software vendor, or, I could print the documents and send it in by mail. The agent also told me the software was filing directly with the CRA. I explained to the agent that the software was not filing directly to the CRA, but was acting as the “man-in-the-middle”, and was trying to upload my electronic tax returns to their external server before re-transmitting my tax return to the CRA server. The agent insisted that the data transfer was totally secure and said if I didn’t trust the software services then I could choose to mail my return in.

My concerns are as follows:

a. CRA has indicated through the news media that they are trying to phase out paper tax returns. I don’t have a problem with this and support the effort to eliminate waste and paper. However, the CRA policy seems to be to force Canadian citizens to file their income tax returns electronically through unknown third parties using servers located in foreign countries (USA).

b. These third parties are actively harvesting our personal information. These companies are not legislated into keeping our private information secure and private. We are living in a day and age where identity theft is a major concern. Yet the Government of Canada is now forcing us to send our private information (including our Social Insurance Numbers and complete personal information profiles of spouses and children) to unknown third parties who process and store our private information in foreign countries who are not subject to our Canadian laws or regulations.

I have elected to file a paper tax return this year and will do so until our privacy and personal information can and will be kept safely and securely in Canada, and by Canadian companies who are subject to Canadian Laws.

I am asking you to please investigate why the CRA no longer allows us to file our tax information directly with the CRA and to insist that the CRA allow us that right. I do not believe that Canadian citizens would approve if they found out that their personal, private and confidential information was being sent into foreign countries without their knowledge or explicit approval.

Sincerely, XXXXXXX

The next day I received an response email from Michael Chong’s office:

Dear Mr XXXXXXX,

Michael asked me to let you know that he has read your email and will be doing a cover letter and forwarding your concerns directly to the Minister of Revenue for consideration and response. He will ask that the Minister respond directly to you and copy him on the response.

Sincerely,

Jim Smith,
Constituency Assistant to
Hon. Michael Chong, P.C., M.P.
Wellington-Halton Hills
xxxxxxxxxxx@parl.gc.ca
Toll free 1-866-878-5556
www.michaelchong.ca

Approximately three months later I received a reply from the Minister of National Revenue, Hon. Kerry-Lynne D. Findlay.

I did further research on the Personal Information Protection and Electronic Documents Act and was left feeling uneasy and no better informed.  The best summary was probably on CRA’s website:

 

Your responsibilities using a certified software product

The CRA does not look at the privacy policies of software developers. It is your responsibility to research these policies before buying or using a software product or web application.

Use of the software, and any omission or error in the information provided, is the responsibility of the user and the developer. Consequently, the CRA cannot be held responsible if programming errors affect the calculation of income tax and benefits payable.

Always make sure that you are using the most recent version of the software to prepare your tax return. If you encounter difficulties with the software, first, confirm that you’re using a software package that has been certified for NETFILE by checking our certified software list. It could be that you are using an uncertified tax preparation software package or an older version of the software. If you have problems with the software product, contact the software developer directly for help.

If you received an error message when you tried to send your tax return using NETFILE, call the e-Services Helpdesk at 1-800-714-7257.

It is your responsibility to find out from the software developer what restrictions there are, if any, on the software.

Only tax preparation software and web applications certified for use with NETFILE can be accepted through the NETFILE web service. If you buy your software package before it is certified for use with NETFILE, you may have to download an update from the software developer. Information on how to upgrade your software is available on the software developer’s website. If you have any other questions about the software, contact the company.

Ultimately it is Caveat Emptor.  Don’t blindly trust your software vendor because YOU are just another product stream to be monetized and sold.

In the good old days there were three types of software.  Paid software, Shareware (try it before you buy it), and Freeware (really free to use with no strings attached).  Then came Apple and it’s App Store.  The idea of Freeware became a profit centre because your personal information was now a commodity that could be stolen without your knowledge or consent, uploaded to some remote servers and monetized.  Somehow, the idea that stealing and monetizing your personal information has become mainstream and ok.

Don’t believe the claptrap that you can only get FREE software if you allow someone to monetize you in other ways.  There is still truly free software out there.

Finally don’t assume that the government has vetted something just because they require you to use it.

Hopefully you remembered your Due Diligence to use “Wireshark”, “Whois” and “Traceroute” on your income tax software to see where your personal data is going.  CRA expects you to.


ADENDUM – 2017-04-01 (Nope, this isn’t an April fools joke…)

I recently received some feedback from a reader who suggested I get a comment from Intuit.

I contacted Intuit via their online help which forwarded me to a call centre.  I asked the same question and was instructed to view Intuits privacy policy on their website.  After some digging around I found the following links:
http://www.intuit.ca/about-intuit-canada/info/privacy-policy.jsp (current)
http://www.intuit.ca/about-intuit-canada/info/privacy-policy-previous.jsp
https://security.intuit.com/index.php/privacy?id=511

Bottom line is that Intuit collects and shares your information.  There is a limited “opt-out” option that users must request.

Here’s an interesting tidbit from the privacy-policy-previous.jsp

“Intuit is a multi-national company and is able to leverage high quality technology resources in multiple countries in order to maintain its high security standards. As such, some personal information, including tax returns from Tax Year 2013 on, may be shared within Intuit and stored in countries outside of your home country. If you were a TurboTax Canada customer before Tax Year 2013 and we still house your tax return(s), your tax return information for those previous years will continue to remain in Canada except by your express consent. ‘Tax return information’ excludes non-personally identifiable information concerning your use of the Intuit tax products — e.g. which screens you viewed.”

Storing your data outside of Canada means that Intuit is not subject to Canadian laws when it comes to protecting your privacy of information.  I don’t think this is done unintentionally.  So much for Canadian sovereignty.

The line about “express consent” makes me wonder what exactly that is.  If you read the link http://www.intuit.ca/about-intuit-canada/info/privacy-policy.jsp there is this statement:

10.  CHANGES TO OUR PRIVACY STATEMENTS. From time to time we may change or update our Privacy Statements. We reserve the right to make changes or updates at any time. More information about how we will notify you is below.
 
If we make material changes to the way we process your Personal Information, we will provide you notice via our Service or by other communication channels, such as by email or community post. Please review any changes carefully. If you object to any of the changes and no longer wish to use our Services, you may close your account(s). All changes are effective immediately upon posting and your use of our Service after a notice of material change or posting of an updated Privacy Statement shall constitute your consent to all changes.

 

Basically Intuit assumes you consent to any changes to how they use your information the moment they change their minds.

I sent an email yesterday to privacyofficer@intuit.com requesting a comment.

I will be updating my blog when I get more info from Intuit.


Rate this article
  • Add your answer


As an interesting aside…

Your Tax Refund Is Selling Cheap On the Dark Web

https://www.bloomberg.com/news/articles/2017-04-06/your-tax-refund-is-selling-cheap-on-the-dark-web