libreplanet-ca-on

Re: [lp-ca-on] CRA rejects NETFILE developer application


From: Greg Knittl
Subject: Re: [lp-ca-on] CRA rejects NETFILE developer application
Date: Tue, 2 Aug 2016 09:51:58 -0400
User-agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Thunderbird/45.2.0

Re: Credentials

So far the partial documentation the CRA has released only mentions

Software Developers’ Certification Guide:
- The software release date transmitted with a taxpayer’s return will be compared against the certification date we have. If their release date is earlier than our certified release date, a Web-response message will be sent to the taxpayer indicating that an update to the software is needed. The taxpayer will have to download a patch from you before resending their return.
- The software products will communicate directly with the NETFILE application servers and transmit all required information (SIN, DOB, NAMES for first time filers, and the “.ws” file) on behalf of the taxpayer directly to CRA via the webservice.

Electronic Filers Manual for 2015 Income Tax Returns http://www.cra-arc.gc.ca/E/pub/tg/rc4018/html/rc4018ch2-15e.html
- I see no error message in 1-99 for invalid webservice credentials.
- there are error messages for document control number (DCN) but http://www.efile.cra.gc.ca/l-hwt-eng.html indicates the CRA web service generates the DCN.

I don't see anything that looks like a credential in the most recent .tax file I have which is from 2013. There certainly were no credentials present in software code in 2013 the last time I NETFILEd because I uploaded the .tax file separately. It could be the CRA is just relying on DOB, SIN, Name, Software Vendor ID and software release date... I guess there could be a hardcoded CRA NETFILE userid and password that the CRA wants to keep secret in the software. I can't imagine that would really be secure against an attack with Wireshark on the network and a debugger on the tax program...

Perhaps the CRA is relying on the tax calculations to be correct in order to compress the amount of data transmitted. I don't know.

I think the next step is to extract the full 2016 NETFILE Certification Agreement from the CRA, at least the parts that don't contain any technical secrets, and I have asked the CRA for this.

The 20 return limit/computer doesn't make sense to me when Raspberry Pis are $35USD. I don't have an RPI but it looks to me like you could reuse peripherals across RPIs so $35USD is really the incremental hardware cost for an additional 20 returns. That's not much of a barrier so what's the point? I don't have any experience with cloud computing, but income tax returns don't strike me as particularly compute intensive. Does anyone want to guess a ballpark cloud computing cost? A simple command line tax program might even do fine on a Pi Zero. I haven't raised that with the CRA, perhaps I should.

I think we need to try to identify and clarify the key blocking issues and try to resolve them. This is going to require political and likely legal action.

Greg

On 16-07-30 11:03 PM, Stephen Paul Weber wrote:
Well, the point is that access to the netfile servers must be guarded. Only applications that have been vetted by the CRA are given credentials. Giving out your credentials to others so that they can build modified versions of your software that communicate with the netfile servers is exactly what they *do not* want.

However, this is not a new problem nor is it a software freedom problem. It's just a bit of a pragmatic issue that any derivative work would need to apply for separate certification/credentials in order to be useful (assuming paper filing is not an option).

Sent from my BlackBerry 10 smartphone.


  Original Message  
From: Marc Lijour
Sent: Friday, July 29, 2016 11:33
To: address@hidden
Subject: Re: [lp-ca-on] CRA rejects NETFILE developer application

I'm not sure what the response intends by “free of right”. Assuming the licensing you propose is GPL, there is no such thing as “free of right”. They should say right to freedom...

Also, IANAL but there is a difference between trademark law and copyright law. 

Fine, we may not be able to use the trademark in some official distribution, but the code (without the trademark) might still be able to exist somewhere.
Would dual licensing solve this issue? One distribution under the GPL, and another (snapshot with a specific version number) submitted to NETFILE to deal with trademarks?

Would the code be assigned to the FSF?



On 16-07-28 11:40 AM, Greg Knittl wrote:
First of all, I appreciate that the CRA is being somewhat upfront and providing some specifics, at least more than other organizations I've dealt with, although not probably enough for a full legal analysis since we don't even have the full NETFILE agreement yet.

I think we are getting into the legal/political realm here. 

Legally, perhaps some of the legal minds involved in the Geocoder lawsuit: CIPPIC https://cippic.ca/ could provide some guidance. I suspect there are quite a few legal issues to explore here: whether it is legitimate to require certification, whether it's legitimate to force the whole tax calculation engine to be closed source instead of just the filing interface, potential Charter challenges etc. 

Politically, start thinking about how to articulate this issue. The biggest practical argument I can think of is that having fully open APIs and open software is the best way to ensure security both for the CRA and for filers. Forcing the use of closed source is putting filers and the CRA at risk. It's a big issue but it's a subtle one just like all the software freedom issues. It fits very well with Software Freedom Day. Maybe instead of just randomly contacting people on the street, there's a specific demonstration in front of a tax office or in front of an MP's office that might get some media coverage. 

thoughts?
Greg
-------- Forwarded Message --------
Subject:	RE: Placeholder application to meet July 15th deadline?
Date:	Thu, 28 Jul 2016 14:27:08 +0000
From:	NETFILE Certification Support / Soutien homologation IMPÔTNET (CRA/ARC) <address@hidden>
To:	'Greg Knittl' <address@hidden>
CC:	NETFILE Certification Support / Soutien homologation IMPÔTNET (CRA/ARC) <address@hidden>

Hello Mr. Knittl,

Thank you for submitting an Application for NETFILE.

We have reviewed your application and the link you submitted related to the philosophy of Libre Planet Ontario.

Legally it is not possible for such a “free of right” product to be Certified by CRA. The certification process is a “legalized” concept covered by legal documents such as the 2016 NETFILE Certification Agreement. Legal documents have to be endorsed by both parties.
Also the 2016 NETFILE Certification Agreement has to be signed to be able to use the NETFILE Registered trade mark. Paragraph 11.1 states that the licence is:

11.0 License to Use NETFILE Official Mark


11.1 If a Software Product meets all the requirements of NETFILE certification testing and provided that the Software Developer complies with all requirements as specified for post-certification as outlined in the Certification Guide, then the Software Developer will be granted a non exclusive, personal, non transferable, non sub-licensable, license to use the NETFILE Official Mark in respect of the Software Product Version having the CRA Software Product Identifier that has passed certification testing and only as directed by CRA. Software Developer may also represent that the Software Product has passed CRA NETFILE certification testing and the Software Product is therefore compatible with the CRA’s NETFILE Electronic Filing Service.

The article 11.1 contradicts the “Free of right” (essential freedoms 0-1-2-3) software product philosophy. A CRA Certified software cannot be modified from its original certified version, reprogrammed, nor can it be redistributed to any other parties than the one licensed for.

For all those reasons your application for NETFILE has been rejected.

Hoping this is satisfactory,

If you have any other questions about the application process, do not hesitate to contact us.

Thank you,


Electronic Filing Services Section / Section des services de transmissions électroniques
Electronic Services Division / Division des services électroniques
750 Heron Rd, 7th floor / 750, chemin Heron, 7e étage
Ottawa, ON K1A 0L5
mailto:address@hidden


From: Greg Knittl [mailto:address@hidden]
Sent: July 14, 2016 7:30 AM
To: NETFILE Certification Support / Soutien homologation IMPÔTNET (CRA/ARC)
Subject: Fwd: Placeholder application to meet July 15th deadline?

Hi,

Please find attached a placeholder Software Developer's
Application for NetFile with the box in Section 8 unchecked to meet the July 15th application deadline.

thanks
Greg

-------- Forwarded Message --------
Subject:	Placeholder application to meet July 15th deadline?
Date:	Tue, 12 Jul 2016 23:49:02 -0400
From:	Greg Knittl <address@hidden>
To:	NETFILE Certification Support / Soutien homologation IMPÔTNET (CRA/ARC) <address@hidden>, libreplanet Canada Ontario <address@hidden>

Hi,

Would it be okay if I submitted a placeholder Software Developer's Application for NetFile without checking the box in Section 8 while you decide if checking that box will bind me in any way if it turns out I can't agree to the terms of the NETFILE Certification Agreement? I'd like to meet the July 15th deadline somehow since it seems to be critical to the whole 2016 Certification Cycle.

thanks,
Greg








