Indeed the IRS website blocks Tor users from accessing tax information, as if tor users don’t need tax information. Important legal guidance exists on irs.gov, so it’s obviously an injustice to block people from becoming informed about their rights and obligations.
(edit)
What’s the fix? Would it be effective to make a FOIA request on paper so the IRS must send the info on paper via USPS? Or would that require compensation to offset their burden?
Filing a FOIA is free, but the agency is allowed to charge for gathering the info and sending it to you. They should tell you how much it will cost before they do it.
Sounds like a FOIA doesn’t help then. If they are compensated sufficiently for their labor and cost, then FOIA reqs would fail to pressure them to make their website more accessible. That sucks. It means (AFAICT) we have no push back mechanism against lousy/enshitified gov websites.
I suppose we can make requests on paper (not expressed as a FOIA), but then they can simply ignore it. Which is the case with some gov offices (yeah, I already tried… sec of states generally ignore requests for info that come by mail).
This just seems like a prudent cyber security practice.
infosec 101:
- confidentiality
- integrity
- availability
If users who should have access (e.g. US taxpayers) are blocked, there is an availability loss. Blocking Tor reduces availability. Which by definition undermines security.
Some would argue blocking Tor promotes availability because a pre-emptive strike against arbitrary possible attackers revents DoS, which I suppose is what you are thinking. But this is a sloppy practice by under-resourced or under-skilled workers. It demonstrates an IT team who lacks the talent needed to provide resources to all legit users.
A mom and pop shop, sure, we expect them to have limited skills. But the US federal gov? It’s a bit embarrassing. The Tor network of exit nodes is tiny. The IRS should be able to handle a full-on DDoS attempt from Tor because such an effort should bring down the Tor network itself before a federal gov website. If it’s fear of spam, there are other tools for that. IRS publications could of course be on a separate host than that which collects feedback.
If users who should have access (e.g. US taxpayers) are blocked, there is an availability loss. Blocking Tor reducesavailability. Which by definition undermines security.
This is a gross misunderstanding of that CIA triad. You do have access, just not through tor. Nor through Bluetooth. Nor plaintext. “Availability” does not mean you will support every known protocol so that purists and idealists can be happy.
You do have access, just not through tor.
That is reduced access. And it makes a world of difference because the lost access also forces excessive disclosures. It would be perversely narrow to disregard that as a security compromise.
Also, you assume everyone has clearnet access, not just that everyone has the will to use clearnet, and that everyone would find clearnet appropriate for this, and that some users rightly see clearnet as a break from the rule of least privilege principle. But some people offer open internet access to the public on a tor-only network. Users on such a network have no clearnet option.
Furthermore, I personally have a DNS problem with my local public library. I have not yet taken the time to troubleshoot it, but when I connect to the library’s network, all clearnet attemps fail because of some DNS problem. Tor is the only way I can access the internet from my local public library. So until I get to the bottom of that problem, the IRS website is unavailable.
For me, not having privacy-respecting access is the same as not having access. For pushovers who don’t think about their own security, their availability is not affected. More broadly, it’s not your place to tell users what threat model and security posture is right for them – unless they hired you for that. If a blockade forces a connection outside the parameters of someone’s security policy, they have lost availability.
Nor through Bluetooth. Nor plaintext. “Availability” does not mean you will support every known protocol so that purists and idealists can be happy.
You can’t dress this up as “neglecting to offer Tor support”. The IRS is taking a deliberate action that reduces availability. They took something that works by default and crippled/broke it in an act of sabotage.
No, you have full access. You can go utilize 100% of the functionality of the site. Again, you are misrepresenting what availability is in the CIA triad. It does not mean all feasible ways and means of access are supported. Otherwise you’re arguing that all iOS apps are also insecure because they aren’t available to Android users.
If TLS isn’t sufficient (or available) for you, do the paperwork and mail it in.
No, you have full access.
You’re not reading what I wrote. I won’t repeat it all here but in short not everyone has clearnet access. Start there.
This is not about me, but if you meant “you” literally, then you need to read what I wrote about my personal situation. Only Tor works at the library for me. I rely on the library for anything large (i do not have a normal unlimited broadband connection). Grabbing many big PDFs could suck my quota dry.
Again, you are misrepresenting what availability is in the CIA triad.
Again, nonsense. Lost access is lost availability. If the Tor network has no access, then they have no availability.
Otherwise you’re arguing that all iOS apps are also insecure because they aren’t available to Android users.
In fact if you only offer service to iOS users, then you most certainly are unavailable to AOS users. Of course. You can‘t disregard the userbase in an availability assessment.
Your analogy would be more accurate if you started with an app that runs on both platforms, and you deliberately artificially sabotaged it from working on one of the platforms. Like a javascript app but you add a line “if Android then terminate end if;” It would result in reduced availabilty, and intentionally so.
If TLS isn’t sufficient (or available) for you, do the paperwork and mail it in.
The website is not just for transmitting tax declarations. If it were, then indeed there would be no problem here. Check it out, if you get access. There are countless publications and guides.
I’ve read what you wrote, but you are refusing to acknowledge reality. Availability does not even remotely mean what you are stating. You might reconsider taking infosec 101.
If the Tor network has no access, then they have no availability.
Then there is no service that has any availability and all meaning is stripped from the word.
The website is not just for transmitting tax declarations.
Indeed, and if TLS isn’t sufficient for you then by all means, use the postal service. Hell, you could even go to your local IRS location.
Then there is no service that has any availability and all meaning is stripped from the word.
It’s not necessariliy a binary. You apparently did not even complete an infosec 101 class b/c that should have been made clear to you. Your prof has failed you. Availability loss is not necessarly a total loss. Even an underperforming server is a loss of availbility. Availability is a measurable quantity. Of course it can also have a binary context in a narrow sense (e.g. “the tor network has no availability”). This does not strip meaning away in the slightest. It is how the term is used. If a whole demographic of people do not have access, then there is no service (no availability) for that demographic, whether it’s a demographic of Tor users, or VPN users, or CGNAT users, or users on a particular platform. To fail to grasp this is to fail to meaningfully understand availability. If you can’t articulate a whole demographic of people losing access to a resource, you’re missing the fundamental purpose of the concept.
Indeed, and if TLS isn’t sufficient for you then by all means, use the postal service.
That’s not an option. Gov offices laugh at those requests now. Gov offices don’t even have the courtesy of expressing refusal of postal requests. They just ignore them. So no, you cannot rely on the postal service as a crutch for incompetent security when you cannot even expect it to work.
Hell, you could even go to your local IRS location.
You’re fired. This does not compensate or serve as an excuse for incompetent security. Expecting Americans living abroad to get on a plane to physically appear at an IRS office is absurd. Unlike most of the world, Americans must file their tax wherever they are in the world (which is not just a transmission but also research – reading publications and advice).
You have to go out of your way to have your access reduced. There are endless ways to achieve that and tor is just one of them. Besides the sigint opportunities on tor aren’t as minimal as you want them to be. Also, you’re connecting to the site and acting in behalf of yourself. I’m at a loss why this should rank at all in the context of a tidal wave of measurable abuses.
You have to go out of your way to have your access reduced.
That would only be true of someone without a Tor setup to begin with. Some of us have Tor baked into our scripts and apps to the extent that using clearnet is going out of our way.
There are endless ways to achieve that and tor is just one of them.
They all have benefits and drawbacks, some cost money, some entail more effort, etc.
Besides the sigint opportunities on tor aren’t as minimal as you want them to be.
It serves the purpose for the case at hand.
Also, you’re connecting to the site and acting in behalf of yourself.
Only if you login, which is often not the case for irs.gov.
I’m at a loss why this should rank at all in the context of a tidal wave of measurable abuses.
Read the sidebar. It’s a service that is essential and intended for the whole pulblic. As the digital transformation forces people do perform transactions with public agencies, those agencies are progressively removing offline options. Exclusivity is trending as a consequence. Essential public services should be inclusive and open to all.
So add proxy?
