[en] Access to the Source Code of Imposed Tax Software

info en fsfla.org info en fsfla.org
Lun Oct 15 11:29:38 UTC 2012


Brazil, October 2012--Receita Federal do Brasil (RFB for short), the
Brazilian public administration office in charge of federal taxes, has
ignored for years its obligations of transparency and of respecting
taxpayers' software freedom.  However, because of a recent federal law
that sets deadlines for them to respond to citizens' requests for
information, and penalties if they don't, they resort to lies and
distortions to avoid public scrutiny and to impose their
anti-democratic policy.

Since 2008, RFB has been subject to federal regulations that require
the product of software development contracts to be published in the
Brazilian Public [Free] Software Portal, licensed under the GNU GPL.
Their contract with SERPRO (the Federal Data Processing Service), to
develop several programs that RFB publishes on its web site for
taxpayers to fill in and submit tax returns and other forms, should
comply with the obligations established in this regulation, but RFB
prefers to pretend the regulation “does not apply to these programs,
because they do not meet the requirements to be published in the
Portal,” as if their refusal to meet the requirements excused the
non-compliance with the obligations.

As of May 2012, a new law that regulates the constitutional right to
access to public information came into effect, enabling citizens to
request and obtain information from public officials within specific
time frames.  On the first day, two requests for access to the source
code of income tax form-filling software were filed on a web site
maintained by the federal government.

Professor Jorge Machado, from University of São Paulo's Access to
Information Public Policies Research Group, got a response stating
that the source code of the requested program contained information
protected by fiscal privacy, that therefore could not be divulged.
Alexandre Oliva, from FSF Latin America, got a response several weeks
after the deadline, with a significantly different argument: the
source code “does not contain, per se, third-party economic-financial
information,” but “evidence about security rules of the institution,
that would increase significantly the risk of unauthorized access to
the systems that receive and validate files sent to this organization,
exposing to vulnerabilities all the private information in the
databases it guards.”

Laymen in information security science might regard this revised
statement as credible, except for a small detail: we have obtained,
through reverse engineering, and published, several years ago, the
source code of one of these programs.  We know it contains no
information that could raise the risk of unauthorized access to the
systems or databases containing fiscal information: it doesn't even
interact with such systems or databases.

SERPRO, that not only develops and publishes the requested programs,
but also develops and maintains the databases and the reception and
validation systems, confirmed that “the source code contains no such
information,” that this assertion applies to all programs they have
developed and made available to third parties, and that “there
wouldn't be any technical justification to make the mistake” of
including such sensitive information in these programs.

Why, of course!  Since the source code has been public since April,
2007 and both RFB and SERPRO knew it, anything in it that could have
exposed to vulnerabilities the databases with fiscal information would
have demanded immediate action to patch the security issues.
According to SERPRO, no such action was taken.  After all, there was
no need for any.

RFB, on its turn, does not even acknowledge that, if they couldn't
publish the source code for security reasons but they took no action
upon knowing it was published, it would follow that they have been
negligent for years in protecting fiscal privacy.  But in order to
sustain their authoritarian, antidemocratic and unlawful policy that
“all source code of its ownership [sic] must be safeguarded” because
of its alleged “effective potential to reduce security,” they won't
retract their lie, or they'd lose their only remaining argument
against publishing the programs that ought to be Public Free Software.

Fortunately for all Brazilians, SERPRO has disclaimed RFB's lie, so if
RFB higher officials do not act on this matter out of their own will,
the justice system or other government agencies in charge of enforcing
compliance with the mandate of transparency by default ought to demand
them to do so.  While they don't, we keep on pressing RFB with
requests for information that challenge and contradict their lie.

While they insist on it, we get further evidence for future lawsuits
to set them straight, even if with a slim hope they will retract the
lie and publish the requested source code.  Meanwhile, we realized
SERPRO is just as required as RFB to publish the source code in their
possession, so we've now filed a request for SERPRO to publish the
source code of some of the programs.
http://www.fsfla.org/blogs/lxo/2012-10-10-IRPF-LAI (in Portuguese)

When either of them do, we'll have further evidence for the future
lawsuits, and we'll be much closer to meeting the first goal set for
our campaign against Softwares Impostos in Brazil.  The source code
will probably still be proprietary if SERPRO publishes it, but its
availability will counter the authoritarian reasoning that alleges a
need for secrecy, so going from that to Free Software shouldn't take
long: the law that requires the software to be published under the GNU
GPL on the Public [Free] Software Portal is on our side for the final
step too.


== About FSFLA's Campaign against Imposed/Tax Software

We understand the Brazilian law, particularly the Federal
Constitution, grant preference to Free Software in the public
administration, both internally, for compliance with constitutional
principles, and in interactions with citizens, for respect for their
fundamental constitutional rights and for compliance with the same and
other constitutional principles.

This campaign, started in October, 2006, seeks to educate public
administration managers about these obligations that are beneficial
both to citizens and to the public administration itself, such that
they pay attention not only to compliance with the law, but also to
respect for citizens and for digital freedom.
http://www.fsfla.org/blogs/lxo/pub/o-software-era-a-lei (in Portuguese)
http://www.fsfla.org/anuncio/2011-04-IRPF-Livre-2011
http://www.fsfla.org/anuncio/2010-03-IRPF-Livre-2010
http://www.fsfla.org/blogs/lxo/pub/misterios-de-eleusis (in Portuguese)
http://www.fsfla.org/anuncio/2009-04-softimp-irpf-livre-2009
http://www.fsfla.org/anuncio/2008-04-softimp-irpf-livre-2008
http://www.fsfla.org/anuncio/2008-02-softimp-irpf2008
http://www.fsfla.org/circular/2007-09#1
http://www.fsfla.org/circular/2007-04#3
http://www.fsfla.org/anuncio/2007-03-irpf2007 (in Portuguese)
http://www.fsfla.org/circular/2007-03#1
http://www.fsfla.org/circular/2006-11#Editorial
http://www.fsfla.org/anuncio/2006-10-softimp


== About IRPF-Livre

It's a software development project to prepare Natural Person's Income
Tax returns in the standards defined by the Brazilian Receita Federal,
but without the technical and legal insecurity imposed by it.

IRPF-Livre is Free Software, that is, software that respects users'
freedom to run it for any purpose, to study its source code and adapt
it to their needs, and to distribute copies, modified or not.

The program can be obtained, both in source and Java object code forms
at the following location:
http://www.fsfla.org/~lxoliva/fsfla/irpf-livre/


== About FSFLA's “Be Free!” Initiative

It's a project to renew the original goals of the Free Software
Movement: not just promote Free Software itself, but rather Software
Freedom, achieved by a user only when all the software s/he uses is
Free Software.
http://www.fsfla.org/befree/

To make this goal achievable, besides awareness campaigns and speeches
and the activities against “Imposed/Tax Software,” FSFLA has
maintained GNU Linux-Libre, a project to set and keep Free the
non-Free kernel Linux, most used along with the Free operating system
GNU.
http://linux-libre.fsfla.org/
http://www.gnu.org/distros/


== About FSFLA

Free Software Foundation Latin America joined in 2005 the
international FSF network, previously formed by Free Software
Foundations in the United States, in Europe and in India.  These
sister organizations work in their corresponding geographies towards
promoting the same Free Software ideals and defending the same
freedoms for software users and developers, working locally but
cooperating globally.
http://www.fsfla.org/


== Press contacts

Alexandre Oliva
Board member, FSFLA
lxoliva en fsfla.org
+55 19 9714-3658 / 3243-5233

----

Copyright 2012 FSFLA

Permission is granted to make and distribute verbatim copies of this
entire document without royalty, provided the copyright notice, the
document's official URL, and this permission notice are preserved.

Permission is also granted to make and distribute verbatim copies of
individual sections of this document worldwide without royalty
provided the copyright notice and the permission notice above are
preserved, and the document's official URL is preserved or replaced by
the individual section's official URL.

http://www.fsfla.org/anuncio/2012-10-Acesso-SoftImp


Más información sobre la lista de distribución Anuncios