New online tax return policy raises security concerns

A new Canada Revenue Agency policy for online income tax filing is raising some privacy questions.

Right now the CRA is sending notices to Canadians explaining that only a Social Insurance Number and a birth date is required to file online. Previously, tax returns filed via CRA's web-based presence NETFILE required a personal code and pin number.

Simplifying the online tax process is the CRA's way of encouraging more people to file electronically because the agency says it costs four times as much to process a paper return than an electronic one. 

But Doug Cuff and several others on an online technology discussion group are raising questions about the CRA's new policy.

"I was surprised and alarmed by it, the fact that they'd dropped the whole web ID seems to me to open all kinds of cans of worms," said Cuff. "So that seems to me to create a security problem of massive proportions."

Canada Revenue Agency officials refused to do an interview for this story but in a statement the department assured that, "... eliminating the code does not make NETFILE less secure. There are numerous internal validations ... and the refund will only be sent to the address or account on file."

Kris Klein is a privacy lawyer based in Ottawa and in this case Klein says that Canada's privacy commissioner should have done an assessment.

"If you create a system and make it easier and easier to do, then you're opening yourself up to some risk at the same time," he said. 

Officials with the office of the Privacy Commissioner say they were not consulted about the NETFILE changes.