Access to the Source Code of Imposed Tax Software
Brazil, October 2012--Receita Federal do Brasil (RFB for short), the Brazilian public administration office in charge of federal taxes, has ignored for years its obligations of transparency and of respecting taxpayers' software freedom. However, because of a recent federal law that sets deadlines for them to respond to citizens' requests for information, and penalties if they don't, they resort to lies and distortions to avoid public scrutiny and to impose their anti-democratic policy.
Since 2008, RFB has been subject to federal regulations that require the product of software development contracts to be published in the Brazilian Public [Free] Software Portal, licensed under the GNU GPL. Their contract with SERPRO (the Federal Data Processing Service), to develop several programs that RFB publishes on its web site for taxpayers to fill in and submit tax returns and other forms, should comply with the obligations established in this regulation, but RFB prefers to pretend the regulation “does not apply to these programs, because they do not meet the requirements to be published in the Portal,” as if their refusal to meet the requirements excused the non-compliance with the obligations.
As of May 2012, a new law that regulates the constitutional right to access to public information came into effect, enabling citizens to request and obtain information from public officials within specific time frames. On the first day, two requests for access to the source code of income tax form-filling software were filed on a web site maintained by the federal government.
Professor Jorge Machado, from University of São Paulo's Access to Information Public Policies Research Group, got a response stating that the source code of the requested program contained information protected by fiscal privacy, that therefore could not be divulged. Alexandre Oliva, from FSF Latin America, got a response several weeks after the deadline, with a significantly different argument: the source code “does not contain, per se, third-party economic-financial information,” but “evidence about security rules of the institution, that would increase significantly the risk of unauthorized access to the systems that receive and validate files sent to this organization, exposing to vulnerabilities all the private information in the databases it guards.”
Laymen in information security science might regard this revised statement as credible, except for a small detail: we have obtained, through reverse engineering, and published, several years ago, the source code of one of these programs. We know it contains no information that could raise the risk of unauthorized access to the systems or databases containing fiscal information: it doesn't even interact with such systems or databases.
SERPRO, that not only develops and publishes the requested programs, but also develops and maintains the databases and the reception and validation systems, confirmed that “the source code contains no such information,” that this assertion applies to all programs they have developed and made available to third parties, and that “there wouldn't be any technical justification to make the mistake” of including such sensitive information in these programs.
Why, of course! Since the source code has been public since April, 2007 and both RFB and SERPRO knew it, anything in it that could have exposed to vulnerabilities the databases with fiscal information would have demanded immediate action to patch the security issues. According to SERPRO, no such action was taken. After all, there was no need for any.
RFB, on its turn, does not even acknowledge that, if they couldn't publish the source code for security reasons but they took no action upon knowing it was published, it would follow that they have been negligent for years in protecting fiscal privacy. But in order to sustain their authoritarian, antidemocratic and unlawful policy that “all source code of its ownership [sic] must be safeguarded” because of its alleged “effective potential to reduce security,” they won't retract their lie, or they'd lose their only remaining argument against publishing the programs that ought to be Public Free Software.
Fortunately for all Brazilians, SERPRO has disclaimed RFB's lie, so if RFB higher officials do not act on this matter out of their own will, the justice system or other government agencies in charge of enforcing compliance with the mandate of transparency by default ought to demand them to do so. While they don't, we keep on pressing RFB with requests for information that challenge and contradict their lie.
While they insist on it, we get further evidence for future lawsuits
to set them straight, even if with a slim hope they will retract the
lie and publish the requested source code. Meanwhile, we realized
SERPRO is just as required as RFB to publish the source code in their
possession, so we've now filed a request for SERPRO to publish the
source code of some of the programs.
http://www.fsfla.org/blogs/lxo/2012-10-10-IRPF-LAI (in Portuguese)
When either of them do, we'll have further evidence for the future lawsuits, and we'll be much closer to meeting the first goal set for our campaign against Softwares Impostos in Brazil. The source code will probably still be proprietary if SERPRO publishes it, but its availability will counter the authoritarian reasoning that alleges a need for secrecy, so going from that to Free Software shouldn't take long: the law that requires the software to be published under the GNU GPL on the Public [Free] Software Portal is on our side for the final step too.
About FSFLA's Campaign against Imposed/Tax Software
We understand the Brazilian law, particularly the Federal Constitution, grant preference to Free Software in the public administration, both internally, for compliance with constitutional principles, and in interactions with citizens, for respect for their fundamental constitutional rights and for compliance with the same and other constitutional principles.
This campaign, started in October, 2006, seeks to educate public
administration managers about these obligations that are beneficial
both to citizens and to the public administration itself, such that
they pay attention not only to compliance with the law, but also to
respect for citizens and for digital freedom.
http://www.fsfla.org/blogs/lxo/pub/o-software-era-a-lei (in Portuguese)
http://www.fsfla.org/anuncio/2011-04-IRPF-Livre-2011
http://www.fsfla.org/anuncio/2010-03-IRPF-Livre-2010
http://www.fsfla.org/blogs/lxo/pub/misterios-de-eleusis (in Portuguese)
http://www.fsfla.org/anuncio/2009-04-softimp-irpf-livre-2009
http://www.fsfla.org/anuncio/2008-04-softimp-irpf-livre-2008
http://www.fsfla.org/anuncio/2008-02-softimp-irpf2008
http://www.fsfla.org/circular/2007-09#1
http://www.fsfla.org/circular/2007-04#3
http://www.fsfla.org/anuncio/2007-03-irpf2007 (in Portuguese)
http://www.fsfla.org/circular/2007-03#1
http://www.fsfla.org/circular/2006-11#Editorial
http://www.fsfla.org/anuncio/2006-10-softimp
About IRPF-Livre
It's a software development project to prepare Natural Person's Income Tax returns in the standards defined by the Brazilian Receita Federal, but without the technical and legal insecurity imposed by it.
IRPF-Livre is Free Software, that is, software that respects users' freedom to run it for any purpose, to study its source code and adapt it to their needs, and to distribute copies, modified or not.
The program can be obtained, both in source and Java object code forms
at the following location:
http://www.fsfla.org/~lxoliva/fsfla/irpf-livre/
About FSFLA's “Be Free!” Initiative
It's a project to renew the original goals of the Free Software
Movement: not just promote Free Software itself, but rather Software
Freedom, achieved by a user only when all the software s/he uses is
Free Software.
http://www.fsfla.org/befree/
To make this goal achievable, besides awareness campaigns and speeches
and the activities against “Imposed/Tax Software,” FSFLA has
maintained GNU Linux-Libre, a project to set and keep Free the
non-Free kernel Linux, most used along with the Free operating system
GNU.
http://linux-libre.fsfla.org/
http://www.gnu.org/distros/
About FSFLA
Free Software Foundation Latin America joined in 2005 the
international FSF network, previously formed by Free Software
Foundations in the United States, in Europe and in India. These
sister organizations work in their corresponding geographies towards
promoting the same Free Software ideals and defending the same
freedoms for software users and developers, working locally but
cooperating globally.
http://www.fsfla.org/
Press contacts
Alexandre Oliva
Board member, FSFLA
lxoliva@fsfla.org
+55 19 9714-3658 / 3243-5233
Copyright 2012 FSFLA
Permission is granted to make and distribute verbatim copies of this entire document without royalty, provided the copyright notice, the document's official URL, and this permission notice are preserved.
Permission is also granted to make and distribute verbatim copies of individual sections of this document worldwide without royalty provided the copyright notice and the permission notice above are preserved, and the document's official URL is preserved or replaced by the individual section's official URL.