In an era, and in an area, where digital privacy concerns are front and center, the Internal Revenue Service (IRS) appears to be treading a thin line between user experience and individual privacy on its Direct File website. The platform, currently in pilot form in a select number of states, contains Google
GOOG
The tools offer valuable insights into user behavior, which can be leveraged to enhance functionality, improve user support, and even discern what outreach campaigns are most effective. Yet, they tread into a murky ethical territory for some users, challenging the norms of digital consent and privacy in the realm of government services.
Google Analytics
Google Analytics is a near ubiquitous tool across the web, designed to help site owners understand how visitors arrive and interact with their content. The use of the tool is not nefarious and, indeed, the IRS even provides information regarding privacy policies of third-party service providers that includes Google Analytics. It also provides self-serve links to assist users that wish to opt out of Google Analytics cookies.
Notwithstanding that, the implementation of tracking code on a government service website raises important considerations beyond typical privacy policy assurances and disclosures. While the IRS unquestionably makes an effort to inform and empower users regarding their data privacy, the core concern turns on the expectation of privacy and confidentiality inherent in taxpayer-government interactions—put differently, to what extent are users expecting to be subject to tracking code when interfacing with the IRS?
This becomes a more pressing concern considering the breadth of data Google Analytics can collect, with assurances of anonymity hinging on Google’s decision not to attempt to correlate disparate bits of data in order to paint a clear picture of an individual user. After all, this is precisely what users were perturbed with when it was revealed that for-profit tax preparation websites were funneling user data to Facebook.
Canvas Fingerprinting
More disquieting, perhaps, than Google Analytics code which can be opted-out of, is the presence of so-called canvas fingerprinting on the Direct File website. There is no readily apparent disclosure on any part of the Direct File website indicating to users that the cookie blocker-avoiding technology is being utilized.
Canvas fingerprinting functions by exploiting an element in HTML5 called “canvas” which is intended to allow browsers to draw a graphic through JavaScript – generating images inline, rather than having them embedded in the content itself. Think of it like source code for pictures, rendered by the browser.
The way in which each browser, operating system, and even graphics processing unit (GPU) within a given machine renders an image creates what can be thought of as a unique fingerprint for that individual device. The fingerprint can be just as distinct as a human fingerprint – with no two devices being precisely the same.
Unlike traditional cookies, which users can block or choose not to accept, canvas fingerprinting leverages a facet of HTML5 that was never intended for tracking and thus is not able to be blocked—it is nearly impossible for users to even know they’re being tracked, much less to obfuscate the tracking. This raises significant privacy concerns when employed on platforms operated by the government, as it would appear to be a willful step to evade measures taken by privacy-conscious users.
The lack of transparency and user consent options surrounding the use of canvas fingerprinting further exacerbates the above concerns, suggesting a gap between user privacy rights and the IRS’s practices on the Direct File platform. The incorporation of a covert tracking mechanism, without explicit disclosure or opt-out capabilities, places in question the commitment to user privacy and consent on the part of the IRS.
The need for both transparency and consent is paramount, prompting a reevaluation of how digital tools align with the values of privacy and trust that must underpin the relationship between taxpayers and the government. If nothing else, the inclusion of tracking code and leveraging of canvas fingerprinting by the IRS on Direct File should prompt a broader discussion about the ethical use of tracking technologies on government websites and the balance being struck by the IRS between user experience and privacy.
Read the full article here