In a letter to the Treasury Inspector General for Tax Administration, Finance Committee Ranking Member Mike Crapo (R-Idaho) and Judiciary Committee Ranking Member Chuck Grassley (R-Iowa) requested an audit of the IRS’s ability to ensure sensitive taxpayer data is not leaked or disclosed through research the agency conducts with outside academics and researchers.

“Senators Grassley and Crapo are doing something very important in demanding there be an audit of the IRS’ ability and willingness to safeguard the privacy of American taxpayers,” said Grover Norquist, president of Americans for Tax Reform. “We know from sad experience that the IRS has failed to do that in the past. They have refused to punish people who have leaked the personal data of Americans, and they have even re-hired agents caught snooping on private taxpayer files. It is outrageous that Biden and the Democrats now want to give the IRS yet another power: Automatic capture and storage of private bank account inflows and outflows.”

This audit is particularly timely given the news in June of this year that the progressive group ProPublica had received the stolen private tax returns of thousands of taxpayers covering 15 years. Since this announcement, ProPublica has released multiple articles claiming to have the detailed taxpayer information of specific individuals. If this information is true, its disclosure is illegal. However, the IRS and Treasury department claim to not know how this tax information was obtained.

One possible source of this illegal disclosure is through the activities of the IRS Research, Applied Analytics, and Statistics (RAAS) division given that this division has access to confidential taxpayer information. As the letter notes:

“One longstanding way in which confidential taxpayer information is utilized is through research done in-house at the IRS, and by working with outside academics and researchers…  Even legitimate efforts to anonymize data for research purposes may not adequately protect individuals from being identified by the resulting data.  The articles published by ProPublica are themselves a product of unknown individuals performing analysis of large amounts of complicated data, which suggests a possible connection to legitimate research functions.”

There is evidence that RAAS does not have proper safeguards in place to protect confidential taxpayer data, based on prior TIGTA examinations. As the letter notes:

“We do not know what protocols and safeguards are in place, or how they are monitored and documented, to ensure that leaks of troves of confidential taxpayer information do not occur.  We do not know whether private, legally-protected taxpayer data were in some form shared outside of IRS facilities with authors not employed in some manner by the IRS.  TIGTA has examined the RAAS division before and identified issues of concern.  A 2018 TIGTA audit report on uses of taxpayer resources in the RAAS division identified that RAAS had “not instituted project management controls” to track research projects.”

As the letter notes, the complexity behind analyzing the taxpayer data suggests that it may have been performed by someone who had legitimate access to it before being released to ProPublica: 

“This level of analysis of complicated taxpayer information from many individuals and across many industries raises the question as to whether the analysis was done strictly by ProPublica or the analysis was performed by someone with legitimate access to the data, and then handed over as a complete package to ProPublica.”

The letter concludes by requesting answers to a number of questions including how the IRS monitors usage of confidential data by researchers, what criteria the IRS uses to select outside researchers and academics, whether TIGTA has identified the unauthorized disclosure of confidential taxpayer data from the RAAS division, and whether there are any researchers or research projects with access to taxpayer information exploring similar topics to the ProPublica articles.