Is email or fax safer when it comes to transmitting sensitive documents to the CRA?
While the CRA has embraced the electronic filing of taxes, there is a reluctance to adopt email as a way of providing supplemental information. Why the CRA does not allow documents to be sent by email is highlighted in the article below.
How Can the T661 be Submitted to the CRA?
The T661 – Scientific Research and Experimental Development (SR&ED) Expenditures Claim,1 once completed, must be sent to the Canada Revenue Agency (CRA).
Currently, you are able to submit your T661 at the same time as you submit your corporate income tax return using tax preparation software. SR&ED Education and Resources sought clarification from the CRA in an email regarding this and their reply was as follows: 2
All the required forms can be filed electronically with the CRA using internet filling for individuals or corporations upon the filling of the applicable tax return, except for Form T661 with respect to individuals, [which] currently can only be filed by mail. The CRA is exploring making the T661 available in an electronic format for T1 filers in the near future.
If you are using software that doesn’t include SR&ED modules, the T4088 – Scientific Research and Experimental Development (SR&ED) Expenditures Claim – Guide to Form T661,3 specifies that forms can only be sent to one of seven tax service offices by fax or post. This can quickly become confusing for a small taxpayer, as the office closest to them may not be the one that handles their files (for example, Nunavut is handled by Toronto).
While the T661 can be efiled, mailed or faxed it is a relatively short form. If selected for a review, a taxpayer may be required to provide extensive supporting documentation. When there are multiple sheets of information to be provided, the CRA will still request that it is sent by fax or post, and this can be an inconvenience for claimants. Why does the CRA insist that supporting information is sent by mail or fax?
Is Email Insecure When Transmitting Sensitive Documents?
According to Matthew Hudnall in Technologies for Homeland Security, email in its default state “does not guarantee the authentic identity of either the intended sender or receiver of a message, nor does it guarantee the confidentially and integrity of the message.” 4
Email plugins and encryption are available and can minimize security problems; however, they cannot eliminate them.5 While current email systems can ensure confidentiality of data in transit and the sender’s identity, one still cannot be sure that the email will only be seen by the intended recipients. The Secure Sockets Layer (SSL), which protects online purchases, can only be applied to emails whilst they are being sent, and so once they are received they are no longer protected.6
In regards to the privacy of emails, the CRA agrees that email does not meet the security requirements as “since email received from taxpayers cannot be authenticated and can be intercepted and altered, we ask that taxpayers [do] not send their personal information to the Agency using insecure email.” 7
Is Transmitting Sensitive Documents by Fax More Secure?
Although fax is considered more secure, it may be argued that there are also risks. As a fax is often sent to another physical fax machine in an office, anyone in that office can examine the content, unlike in emails that are sent directly to their intended recipient. Faxes also pose similar risks to security as emails, as anyone who gains access to a fax network can view the contents of the faxes sent.8
When we asked the CRA if faxing was safer, they continued to list the security and privacy risks of email: 9
Standard email introduces significant risks of potential compromise of personal information as [its] transmission is on a public domain. Emails are vulnerable to hackers who can read and modify email messages without the sender’s or recipient’s knowledge. Email can also be spoofed in order to appear from an individual or organization without their prior knowledge or consent. The email protocols also use a ‘store and forward’ mechanism to transmit, which means that email can be stored on multiple email servers. Data breaches involving email services are commonly reported.
The CRA did not respond to a follow-up email requesting an answer specifically to if fax was a more secure method of transmitting sensitive documentation. The only indication the CRA gave that fax may be a problematic method of communication was to note that, “the CRA is not responsible for misdirected, incomplete or illegible documents because of the nature of fax services.” 10
Transmitting Sensitive Documentation to the CRA: The Options
If you are concerned about the security of faxing sensitive information (e.g. supporting documentation, etc.) to the CRA, there are two other options for providing the CRA information:
1. Sending by Courier to a Tax Office
Couriers can be used in lieu of a standard postal service to submit sensitive documentation to the CRA; however, there were rumours that tax offices would no longer sign acknowledgment receipts for paperwork. Sending documentation by courier also still requires the information to be printed, which is both environmentally unfriendly and unfeasible, especially if the documentation being provided is multiple pages of code or complex excel spreadsheets.
2. Copy the Required Information to a CD and Send by Post
Copying (or “burning”) the required documentation to a CD and then sending this by post is potentially the most effective way to send sensitive information to the CRA. We encourage using tracked mail to ensure you are able to track the CD’s location whilst it is in transit and so you are covered if the disc is lost or broken.
Unfortunately, the CRA cannot accept USBs due to security issues – connecting a “personal USB” to a CRA computer is regarded as an “[example] of misconduct related to the use of CRA computers and electronic networks” in the CRA’s Code of integrity and professional conduct.11 (In order to provide more context to the security issues surrounding using USBs – STUXNET, the “world’s first digital weapon” was used to “wreak physical destruction on equipment the computers controlled” at a nuclear power plant and was introduced via infected USB drives.) 12
The CRA’s position to only accept sensitive documents by fax or post, although potentially inconvenient for the claimant, may be the most secure methods of transmitting sensitive documentation. In order to ensure the information about your SR&ED projects remains secure, it’s better to err on the side of caution.