The IRS’s Verification System for Sharing Taxpayer Data With ICE Would Have Accepted ‘Don’t Care 12345’ as a Valid Address

Failures

from the what-a-mess dept

We’re a couple weeks late to this one, but it deserves more attention than it received. As the Washington Post first reported, a federal judge has found that the IRS violated federal law 42,695 times when it handed over confidential taxpayer addresses to ICE last summer. But the raw number, staggering as it is, undersells how absurd this whole thing was. The details of how it happened are so much worse.

Federal law has a pretty basic safeguard built in: before the IRS can hand over a taxpayer’s home address to another agency, the requesting agency has to provide the name and address of the person they’re looking for — specifically to prevent the government from using tax records as a fishing expedition against people it hasn’t already identified.

Can you guess how the Trump IRS’s actual verification process worked when ICE wanted addresses? I’m betting you absolutely can.

The judge, U.S. District Judge Colleen Kollar-Kotelly, laid it out in devastating detail. When ICE sent over its massive datafile of 1.28 million records, the IRS ran two different matching processes. For requests where ICE included a Social Security number, the IRS used something called “TIN Matching” — which checked that the name and SSN matched IRS records. What TIN Matching did not do was verify that ICE had actually provided a real address. The only address-related check was an automated filter that looked for whether the address field contained something resembling a zip code — meaning, any five-digit or nine-digit number.

That was it. That was the safeguard.

As Judge Kollar-Kotelly pointedly observed:

A zip code is not an address, and a zip code proxy, as the IRS would define it, might as well be a set of random numbers. For instance, ICE could have submitted a request with an “address” like, “Don’t Care 12345,” or, “00000,” and still received a taxpayer’s address through the IRS’s TIN Matching process.

And this was the process used for the overwhelming majority of the disclosures. Of the 47,289 taxpayer addresses the IRS shared with ICE, 90.3% — those 42,695 — went through TIN Matching, the process that never actually checked the address. Only 9.7% went through a process that bothered to verify ICE had provided a matching address.

So when the IRS’s own Chief Risk and Control Officer, Dottie Romo, filed a supplemental declaration with the court admitting the agency “may have supplied last known addresses to ICE” in cases where the data was “either incomplete or insufficiently populated,” that was putting it generously. The judge’s opinion catalogs what ICE actually submitted as “addresses” in many of these cases:

In other words, the IRS not only failed to ensure that ICE’s request for confidential taxpayer address information met the statutory requirements, but this failure led the IRS to disclose confidential taxpayer addresses to ICE in situations where ICE’s request for that information was patently deficient. The IRS, for example, disclosed to ICE the last known addresses for taxpayers in situations where ICE supplied an “address of the taxpayer” in its request that contained “language indicating that the address was not complete, such as ‘Failed to Provide,’ ‘Unknown Address,’ or ‘NA NA.’” ….The IRS also disclosed to ICE the last known addresses of taxpayers where the ICE-supplied address was missing essential information, such as “a street name or street number.” … Still more, the IRS disclosed to ICE the last known addresses of taxpayers where the ICE-supplied address “referred to, described, or named specific locations”—examples of which are “jails, detention facilities, or prisons”—and “the corresponding city, state, and zip code” for those locations, but did not include “the street names and street numbers where the buildings or facilities are located.”

“Failed to Provide.” “Unknown Address.” “NA NA.” The system was designed not to catch these deficient requests. The TIN Matching process, as the judge noted, “was not designed to identify the additional types of data insufficiencies.” Of course it wasn’t. Because the process never looked at the address field in any meaningful way to begin with.

Nina Olson, founder of the Center for Taxpayer Rights (which brought the suit), told the Washington Post there was no precedent for anything like this:

“I don’t know of any opinion about the IRS like this. The kinds of mass requests that are coming in are unprecedented.”

And then there’s the timeline of what happened after the government figured out what it had done, which is deeply disturbing as well. The Department of Treasury identified the problems on January 23, 2026. That very same day, it notified DHS. Also on that very same day, the sole ICE official who had access to the illegally disclosed taxpayer data gave two additional ICE officials access to it. The stated reason was “for the purpose of allowing [them] to create an adequate system of safeguards for the data.”

So on the day they found out the data was obtained in violation of federal law, the first move was to give more people access to the illegally obtained data.

And when did the government get around to telling the court and the plaintiffs about these 42,695 violations of federal law? Nearly three weeks later, on February 11. As the judge noted, Defendants “informed DHS right away, but they waited nearly three weeks to inform Plaintiffs and the Court.” The opinion goes on to observe that this, along with the broader pattern, “undercut many representations made by Defendants during this litigation” and reflects, “at the very least, a disconnect between the agency clients and counsel, which leads to some concern regarding the completeness of the administrative record.”

“Some concern.” That’s judicial restraint doing a lot of heavy lifting.

The case is now before the DC Circuit, where the government is appealing Judge Kollar-Kotelly’s earlier order blocking the data-sharing arrangement. In the meantime, DHS has been defending the program as essential to immigration enforcement, with a spokesperson offering the standard line to the Washington Post about how “information sharing across agencies is essential to identify who is in our country, including violent criminals.” Which might be more compelling if the agency’s actual implementation hadn’t involved waving through requests with “NA NA” where the address was supposed to go.

A judge has now formally documented that the IRS broke federal taxpayer confidentiality law tens of thousands of times in a single data dump, using a verification process so hollow that literal gibberish would have passed muster — and when the government discovered this, its first move was to expand access to the illegally obtained data and wait three weeks before telling the court. And yet the government is still fighting to keep the underlying program alive.

Filed Under: dhs, ice, irs, taxpayer info