The IRS allows agents to use their personal devices to access, transmit, process and store highly sensitive personal taxpayer information. The program is called “Bring Your Own Device” (BYOD) and is intended for the convenience of agents. But the program has significant data security problems — including screenshot capability — that put personal taxpayer information at risk of leaks and theft.
In late December 2023 the official IRS watchdog audited IRS non-compliance with the No TikTok on Government Devices Act. The Treasury Inspector General for Tax Administration found at least 2,800 handheld devices and 900 employees could still access TikTok.
The IRS was in no hurry to get in full compliance with the ban. The Bring Your Own Device program is voluntary, yet the IRS appallingly tried to assert that the TikTok ban did not apply to such devices.
But this was not the first time TIGTA called out the IRS for glaring problems with Bring Your Own Device.
In Sept. 2019 TIGTA published a report that details numerous vulnerabilities and careless management of the Bring Your Own Device program.
Key findings:
The BYOD program threatens IRS systems and personal taxpayer information.
The report says:
“The IRS implemented the Bring Your Own Device (BYOD) program to allow its employees to access work resources using their personal mobile devices. Due to their small size, mobile devices can be easily lost or stolen. When that occurs, IRS data on the device can be subject to unauthorized access and the device itself can be used as an avenue to attack IRS systems. The risk is high because various systems and databases managed by the IRS contain significant amounts of tax data and Personally Identifiable Information.”
The screenshot functionality on personally owned phones handling official IRS data heightens risks of data leakage.
The report states:
“However, TIGTA identified significant vulnerabilities within the BYOD program. For example, the risk of data leakage with personally owned iPhones is increased because iPhones enable the screenshot functionality.”
Data leakage potential arises from user configurations on personally owned devices, where the IRS lacks monitoring capabilities.
The report states:
“A data leakage concern exists with user configurations on personally owned mobile devices, which can allow the user to take a screenshot of information displayed on the device. We also found that the IRS is not filing critical and high-risk vulnerabilities and is not maintaining and reviewing application logs on BYOD program systems.”
Restrictions on the screenshot capability of BYOD iPhones are inadequate for protecting sensitive IRS information.
The report says:
“Personally owned BYOD iPhones cannot be configured to disallow the screenshot function without completely rendering the function disabled for all of the device applications.”
BYOD participants can use their device settings to take screenshots of sensitive information. Relying on policy alone to ensure employee compliance is a flawed control.
The report says:
“In our opinion, this rule of behavior restriction is not enough to deter a BYOD program user from taking advantage of this capability because there is no way to monitor or detect when this function is used.”
TIGTA recommends that the IRS disapprove BYOD requests from employees who have Internal Revenue Code violations. TIGTA found that some employees who had snooped on personal data still had program access.
The report states:
“It is an opportune time to consider disapproving the employee’s request to participate in the BYOD program if the employee has Personally Identifiable Information or Internal Revenue Code Section 6103 violations.”
Exploitation risks are increased by public knowledge of vulnerabilities.
The TIGTA report states:
“Many of the vulnerabilities are public knowledge, making them exploitable to hackers or persons with malicious intent. Public availability of an easy-to-use attack approach increases the number of potential attackers by including those who are unskilled, thereby increasing the severity of the vulnerability and the risk to the system. In other words, known vulnerabilities may have a known easy-to-use or automated attack approach, making the vulnerability extremely likely to be exploited and thus increasing the risk level of the vulnerability.”
TIGTA found that the IRS was not even aware that its security log files had stopped logging data several years earlier.
The report says:
“We requested the three-year log files for the Good for Enterprise Application. However, the IRS could not provide current three-year log files as it had stopped logging data in January 2016. The IRS was unaware that the application log files had stopped logging data until we requested this information. We concluded that, if the log files had been reviewed on a regular basis, the IRS would have known that its BYOD servers had stopped logging prior to our request.”
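A log-staleness check, added here as an example (it is not from the TIGTA report or any IRS system): it scans constructed sample log lines and flags every source whose most recent entry is older than a threshold, which is the routine review that would have surfaced a server that stopped logging in January 2016. The log format, source names and sample records are assumptions made for the example.

```python
# Added example: detect a log source that has silently stopped logging.
# The record format "<ISO timestamp> <source> <message>" and the sample
# lines are constructed for illustration; they are not a real product's logs.
from datetime import datetime, timedelta

# Constructed sample: one source went quiet in January 2016, the other is current.
SAMPLE_LOGS = """\
2016-01-10T08:15:00 byod-app-server-1 user login ok
2016-01-12T09:40:00 byod-app-server-1 device enrolled
2019-02-01T10:00:00 mdm-gateway policy push ok
2019-02-03T11:30:00 mdm-gateway device wipe requested
"""


def last_seen(log_text):
    """Return {source: latest timestamp} across all well-formed lines."""
    latest = {}
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue  # a malformed line should not abort the whole review
        ts = datetime.fromisoformat(parts[0])
        src = parts[1]
        if src not in latest or ts > latest[src]:
            latest[src] = ts
    return latest


def stale_sources(log_text, now_iso, max_silence_days):
    """Return sorted (source, days_silent) for sources silent longer than allowed."""
    now = datetime.fromisoformat(now_iso)
    limit = timedelta(days=max_silence_days)
    stale = []
    for src, ts in last_seen(log_text).items():
        silence = now - ts
        if silence > limit:
            stale.append((src, silence.days))
    return sorted(stale)


def never_seen(log_text, expected_sources):
    """Sources that are supposed to log but never appear at all."""
    return sorted(set(expected_sources) - set(last_seen(log_text)))


if __name__ == "__main__":
    for src, days in stale_sources(SAMPLE_LOGS, "2019-02-05T00:00:00", 7):
        print(f"ALERT: {src} has not logged for {days} days")
    print("never seen:", never_seen(SAMPLE_LOGS, ["byod-app-server-1", "byod-app-server-2"]))
```

Run against a real aggregation point, the review should be scheduled, not ad hoc, so a gap of three years is reported after days rather than on audit request.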
No procedures in place to wipe data from a stolen or lost BYOD device.
The report states:
“We did not identify any local procedures requiring a manual wipe of the device application data if the device was reported lost or stolen or any procedures for tracking manual or systematic application wipes. If mobile devices are lost or stolen and are not wiped of IRS sensitive information, the IRS is at risk of having its data recovered by a malicious party.”
BYOD devices not covered by the Computer Security Incident Response Center, leading to confusion in reporting methodologies.
The TIGTA report says:
“The User and Network Services function administrators were under the assumption that BYOD program users’ lost or stolen devices were to be reported to the Computer Security Incident Response Center. However, Computer Security and Incident Response Center officials stated that they only handle Government-furnished lost and stolen devices. We also identified conflicting procedures for reporting lost or stolen BYOD program devices.”
Lack of enforcement of existing employee policies, which fails to ensure employee compliance.
The auditors state:
“We determined that employees were not taking the required annual refresher training because BYOD program management was not enforcing the existing policy and was not following up on the employee compliance. Without annual refresher training, the user may forget the regulations or claim that they were unaware of the security guidance, which can lead to data leakage or expose the IRS network to unauthorized access.”
TIGTA’s 2019 and 2023 audits of the IRS provide alarming documentation of data security problems associated with the Bring Your Own Device program within the IRS. The reports continue to show a pattern of neglect within the agency.
Meanwhile, the Biden administration wants to extract even more information from households and businesses for storage on its non-secure systems.