The IRS is careless with donors’ data, but philanthropists are working to spur legal decisions and legislation that force the agency to get serious about taxpayer privacy.
The IRS is racking up money, power—and security breaches. Some, fed up by this undermining of freedom, are pushing back.
Earlier this month, Federal District Court Judge Ana C. Reyes sentenced Charles Littlejohn to five years in prison for unauthorized disclosure of tax information. In 2019, as a contractor for the IRS, he skirted security protocols and leaked 15 years of confidential returns of then-President Donald Trump and thousands of other millionaires to The New York Times and ProPublica. Judge Reyes called his actions “an intolerable attack on our constitutional democracy.”
Her sentence imposes needed accountability on a pattern of negligence in security protocol. The independent U.S. Government Accountability Office (GAO) has made 246 recommendations since 2019 to the IRS for improving their security to protect taxpayer information. As of April 2023, the agency had still not addressed 44 of them—including two that the GAO labels high priority. A couple months before the Justice Department brought a charge against Littlejohn, the GAO reported that the IRS has no structures in place to assess risks to its method for transferring taxpayer information to contractors.
The Treasury Inspector General for Tax Administration (Tigta) also reports on IRS data security compliance and regularly finds them in violation. In early 2024, Tigta found that users who no longer require access to sensitive systems still retain access; users who fail background checks are not immediately removed; and “For some sensitive systems, the IRS does not have adequate controls to detect or prevent” data leaks.
Meanwhile, the IRS was handed an additional $80 billion in government funding in 2022 and is deepening its reach for power. The reporting threshold for third party settlement organizations is dropping. For example, on Venmo, if a user’s transactions exceed $600—down from the current threshold of $20,000—that user will need to report it to the IRS. Worse, a 2022 proposal would require banks to report certain account information to the IRS for those that have a total cashflow exceeding $600.
Hedge fund executive Ken Griffin was victim to the IRS’s negligence and Littlejohn’s lawlessness and, in an ongoing court battle, is trying to hold the IRS accountable.
Joining him in the fight, the nonprofit organization People United for Privacy (PUFP) acts as a donor privacy watchdog across party lines. Since 2018, they have been working to codify personal privacy rights at the federal level and, until they achieve that, within each state. They pursue litigation to expand First Amendment precedent, and they equip individual donors with the best strategies to safeguard the privacy of their giving. In their most recent report, they found 31 states threatening legislation this year to expose the names and addresses of nonprofit donors.
While some lament that Littlejohn got off easy, Judge Reyes handed down the maximum sentence allowed under the single charge the Justice Department brought against him. Her judgment and the efforts of individuals and groups like Griffin and PUFP are the only solace heading into another tax season.
