Norway Tax Auditors Want To Open Source Cash Registers To Combat Fraud
Qedward writes "The Norwegian Ministry of Finance seems to be taking a bit of stick at the moment. It wants all the existing cash registers in the country thrown out and replaced with new ones. Not surprisingly, this massive upgrade is not popular. But it is apparently being pushed through in an attempt to prevent cash registers' figures being massaged downwards in use so as to reduce tax. The Norwegian association of tax auditors said: 'The source code must be opened.' 'Without source code it is not possible to determine whether "hidden" functionality exists or not. Just knowing that the tax authorities have access to the source code of the application will reduce the effort to implement hidden functionality in the software.'"
Releasing the source doesn't guarantee that a specific cash register is also running that code. So will this be all that helpful?
I code a Point of Sale, and while I could easily underreport, even the most elementary audit would make it blatantly obvious that this was occurring, at least all the ways I would think to do it. I'm also curious how they plan to make 1 cash register program that covers the needs, let alone desires, of every business out there.
How would you advertise : "Our registers have "hidden" functionality to help you skip on your taxes."
My guess is that this would be the sort of verbal promise made by the salespeople of a dodgy cash register company. And it would be attractive to the kinds of businesses that are also pretty dodgy, e.g. bottom-feeder bars or strip joints.
I am officially gone from
These are the requirements from the article:
Suppliers must be able to prove that the system can integrate with external software that allows changing the online journal.
It shall not be possible to change the entries in retrospect or change preset text on goods and services at registration.
It shall not be possible to record sales without a receipt being printed.
It shall not be possible to drive out more than one copy of the receipt.
It shall not be possible to mark some groups so that they are included in the reports.
I can't remember who told me when I was much younger how to spot the people running cash businesses and not declaring all their tax - they wouldn't be able to get the mortgage for an expensive house, but the inside would be overly luxuriously appointed, and they'd often have a flash car bought outright.
Misleading title is misleading.
Nevada has rules like that for slot machines. Only tougher. Stuff like:
Provide a mechanism for keeping a record, in a form approved by the chairman, anytime a control program component is added, removed, or altered on any alterable media. The record must contain a minimum of the last 10 modifications to the media and each record must contain the date and time of the action, identification of the component affected, the reason for the modification and any pertinent authentication information.
Provide, as a minimum, a two-stage mechanism for verifying all program components on demand via a communication port and protocol approved by the chairman. The mechanism must employ a hashing algorithm which produces a message digest output of at least 128 bits and must be designed to accept a user selected authentication key or seed to be used as part of the mechanism (i.e. HMAC SHA-1). The first stage of this mechanism must allow for verification of all control components. The second stage must allow for the verification of all program components, including graphics and data components in a maximum of 20 minutes. The mechanism for extracting the verification information must be stored on a Conventional ROM Device. [Effective 11/1/2012] All gaming devices must also provide the same two-stage mechanism for verifying all program components on demand via a gaming device user interface where the results are displayed on the gaming device.
That's just one item. There are lots of other logging and audit trail requirements. The Nevada Gaming Commission checks these regularly.
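The seeded two-stage check quoted above, as an added example that is not part of the comment or of any regulator's tooling. It shows why the rule asks for a user-selected key or seed: a device that replays digests recorded earlier fails a fresh challenge. Component names and contents are constructed, and HMAC-SHA256 is chosen here to meet the 128-bit minimum.

```python
import hashlib
import hmac
import secrets

# Constructed component images; a real device would read these from its media.
CONTROL = {"boot.bin": b"BOOT-v1", "game.bin": b"GAME-LOGIC-v1"}
DATA = {"reels.gfx": b"GRAPHICS-v1", "paytable.dat": b"PAYTABLE-v1"}


def keyed_digest(components, seed):
    """HMAC-SHA256 over all components in name order, keyed with the seed."""
    mac = hmac.new(seed, digestmod=hashlib.sha256)
    for name in sorted(components):
        encoded, blob = name.encode(), components[name]
        # Length prefixes keep bytes from sliding between name and content.
        mac.update(len(encoded).to_bytes(4, "big") + encoded)
        mac.update(len(blob).to_bytes(8, "big") + blob)
    return mac.hexdigest()


def device_respond(control, data, seed):
    """What the device returns: stage 1 = control only, stage 2 = everything."""
    return keyed_digest(control, seed), keyed_digest({**control, **data}, seed)


def audit(ref_control, ref_data, respond):
    """Challenge with a fresh seed and compare against the approved build."""
    seed = secrets.token_bytes(16)
    stage1, stage2 = respond(seed)
    want1, want2 = device_respond(ref_control, ref_data, seed)
    return (hmac.compare_digest(stage1, want1),
            hmac.compare_digest(stage2, want2))


def honest_device(seed):
    return device_respond(CONTROL, DATA, seed)


def altered_paytable_device(seed):
    return device_respond(CONTROL, {**DATA, "paytable.dat": b"PAYTABLE-v2"}, seed)


# Digests captured under an old seed and returned whatever the challenge is.
RECORDED = device_respond(CONTROL, DATA, b"seed-from-an-earlier-audit")


def replaying_device(seed):
    return RECORDED


if __name__ == "__main__":
    for device in (honest_device, altered_paytable_device, replaying_device):
        print(device.__name__, audit(CONTROL, DATA, device))
```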
Indeed - they could mandate that the cash registers are also TiVoized to prevent them running anything but the approved build, but then it isn't Free software.
I had a friend who installed POS systems in small businesses for a living. At restaurants, the most important feature of any POS system was the ability to make a table disappear out of the records.
The real "Libtards" are the Libertarians!
Or have functionality that's "customer customizable".
One easy way is registers that allow multiple currencies, which is common enough in Europe. Have the customer pay in "Kr" and get his receipt in "Kr" (the common symbol in Norway for Norwegian kroner, crowns), and then have the sales registered as NOK with an exchange rate of 1.5:1. Suddenly you only have to pay tax on 2/3 of your income.
Another easy way would be to split the credit between two accounts (which unlike double ledgers isn't illegal - but reporting just one of them most certainly is).
Or allow functions like deleting sales records to be accessible by anyone by running the register in a documented "test mode".
There are so many possible ways to allow the stores to game the system without being programming geniuses.
But is open source going to help? I am unsure.
Since a few years back all businesses are demanded to have a "black box" connected to the register that tracks all events. Tax authorities can come in any time and download the content to check for any irregularities. It logs everything including how many times and how often the drawer is opened.
American posing as a Norwegian.
Far from dodgy companies. This is a common feature in many (all?) cash registers used in small business, especially restaurants.
I know people who work in restaurants, and they told me that this is a public secret.
The way it works is that at the end of the day, you can make the register change the numbers by an amount or a percent. The register will then do the math to change the number of coffees served and muffins sold and things like that. It does this so that the numbers still make sense and correlate with expected ratios.
At that point, the business day is closed, the register is printed, and you get some money out of the till under the table. If the inspectors should come in during the day, you can just print whatever the current status is, which will then be immutable at the end of the business day to avoid discrepancies.
This functionality is not advertized in writing, but all sales persons know about it and know how they can explain this to the owners. All major registers have features like this, and I can understand why the inspectors would require open source. Because skimming money becomes an order of magnitude more difficult if you don't have a register to help you create a phony audit trail.
Whine whine whine I have to pay taxes to the evil gubmint so I have to whine in this article even when I don't have anything to add!
If you're not happy with the way your peers vote, then your options are to influence them in the right direction or move to a place with better peers. Whining just makes you seem like a sucker.
c++;
There's nothing in the article about FOSS. There's not even anything about "open source", just that the tax agency should have access to the source code.
c++;
being, of course, the pocket of the clerk at the register.
if this is supposed to be a new economy, how come they still want my old fashioned money?
In Portugal, for the last couple of years it is already required for every business to have a "certified" software that enforces some similar rules. Even though the software doesn't need to be open source, every invoice or receipt must include part of a hash key that is automatically generated based on key data (VAT Nr, amount, date, value), an asymmetric key given to each software manufacturer *and* the hash from the previous document. This makes it impossible to change any document after it has been printed out without invalidating every document printed after it. There was a requirement that every software had to be able to export accounting details in a standard format (SAF-T), if requested from the tax authority. Since 1-Jan-2013 every business is now forced to send monthly detailed invoice data to the tax authority.
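The chaining described in the comment above, as an added example that is not the commenter's code or the certified software's: each document's tag covers its key fields plus the previous document's tag, so an auditor can find the first altered or missing entry. The field names, the sample documents and the 8-character printed excerpt are assumptions, and HMAC-SHA256 with a constructed key stands in for the vendor's asymmetric signature so the example needs only the standard library.

```python
import hashlib
import hmac

VENDOR_KEY = b"constructed-demo-key"  # stand-in for the vendor's private key
GENESIS = ""                           # "previous hash" of the first document

# Constructed sample documents.
SAMPLE = [
    {"vat": "PT000000000", "date": "2013-01-05", "number": "FT 1", "amount": "12.50"},
    {"vat": "PT000000000", "date": "2013-01-05", "number": "FT 2", "amount": "48.00"},
    {"vat": "PT000000000", "date": "2013-01-06", "number": "FT 3", "amount": "7.20"},
]


def sign_document(doc, prev_hash, key=VENDOR_KEY):
    """Tag over the document's key fields and the previous document's tag."""
    fields = [doc["vat"], doc["date"], doc["number"], doc["amount"], prev_hash]
    return hmac.new(key, ";".join(fields).encode(), hashlib.sha256).hexdigest()


def issue(docs, key=VENDOR_KEY):
    """Return copies of docs, each carrying a 'hash' chained to its predecessor."""
    prev, chain = GENESIS, []
    for doc in docs:
        signed = dict(doc, hash=sign_document(doc, prev, key))
        chain.append(signed)
        prev = signed["hash"]
    return chain


def first_broken_link(chain, key=VENDOR_KEY):
    """Index of the first document whose tag does not verify, or None."""
    prev = GENESIS
    for index, doc in enumerate(chain):
        if not hmac.compare_digest(sign_document(doc, prev, key), doc["hash"]):
            return index
        prev = doc["hash"]
    return None


def stale_excerpts(printed, reissued, length=8):
    """Numbers of documents whose printed hash excerpt no longer matches."""
    current = {doc["number"]: doc["hash"][:length] for doc in reissued}
    return [doc["number"] for doc in printed
            if current.get(doc["number"]) != doc["hash"][:length]]


if __name__ == "__main__":
    chain = issue(SAMPLE)
    edited = [dict(doc) for doc in chain]
    edited[1]["amount"] = "2.00"          # amount changed after printing
    print(first_broken_link(chain), first_broken_link(edited))
```

Re-signing the whole series from the edited document onward makes the chain verify again, which is where the excerpt printed on receipts already handed to customers matters: `stale_excerpts` reports every document from the edit onward.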
I was an auditor for a state in the USA (posting anon). This is widely known among auditors. The hard part is proving that the place did that.
The state has in the past (at least talk at the legislative level) talked about outlawing software with this feature, but the business burrow makes excuses, like for instance I think I heard these type of "features" are required for discounts, coupon type things, if someone isn't satisfied and gets a free meal, etc.
I think it's a bunch of BS since the software does these things quietly without making an audit trail, but nothing ever happened past the initial talks that I'm aware of.
And even if it did, you could say oh it was a 15% off day or some crap, so you could still hide it unless you could prove it wasn't.
I worked in banking previously, and it was widely known that businesses hide money. See, small businesses want it both ways. They bring their tax info to the bank for a loan or w/e, then the bank denies or gives less than they wanted or unfavorable terms, and some people actually say well I actually make more than this. Our loan officer used to joke about it during training. You can't have it both ways.
There are many things working in Auditing I've learned about. Some is very creative and some is just very simple.
Let us apply it at government level first.
I always enjoyed the South Korean solution to the problem. They created a system wherein if you pay cash, you can ask for a special 'cash receipt'. Generating the cash receipt generates an automatic reporting to the government of the expense, associated with your account.
The kicker is, people who report their cash expenditures get 1% of their purchase back in taxes at the end of the year.
Here in Portugal, the government has mandated all cash-registers to run certified programs that regularly upload transaction data to our Tax Authority.
Tax evasion has always been blatantly huge in restaurants, bars and cafés. It's no wonder the restaurant associations are up in arms with this. They've declared war on card payments too, which is something that pisses me off. They claim the bank rates are too high, but guess what the real reason is?
Just like the construction business, they've had practically a licence to print money during the latest decades. Now with the economic crisis, they're going down the toilet. I'm not shedding a tear for them. I just pity their poor employees that will be out of work and are certainly not finding another anytime soon. They had shit-paid, stressful, long-hour jobs, but it's better than no job.
Sha256
What they call "fraud", we call "free-market capitalism" here in the States.
Thank God I live in a country where the inalienable right of a corporation to defraud you is enshrined in the Constitution.
You are welcome on my lawn.
You could also consider it a means of the customer being able to correct their records manually, if needed. Obviously, the users of the registers are the customers, and the customers will get features that they want added. Unless there is a law against specifically that ability, chances are good the vendor will give you what you want or you will be able to request some sort of ability that makes it possible to use the feature as a backdoor to get the same result. It is up to the collector of the tax to produce valid results.
Open source is really only going to help the bigger problem if there is legislation that prevents the code from having certain types of functionality.
In the narrow case, the Open Source could be highly successful in proving that the code that the vendor provides is the same code that is in the hands of the government. People have talked about backdoor compilers, but that doesn't defeat this because the government will insist on binaries that are compiled with clean compilers.
The real question is whether they can make sure the vendor writes the code so that it cannot be cleverly manipulated to get the same effect as before. In other words, if I wrote code that is written in such a way that there is a bug or backdoor that the government does not manage to find in the 200000 lines of code in front of them, then adaptation will not be difficult. Having code does not mean you understand all that it can do.
Tax evasion has always been blatantly huge in restaurants, bars and cafés. It's no wonder the restaurant associations are up in arms with this. They've declared war on card payments too, which is something that pisses me off. They claim the bank rates are too high, but guess what the real reason is?
I'm curious as to how much pressure the government is actually willing to apply. A crackdown on under-the-table transactions is a lot more feasible when you can just look at the register and fine the owner for having unapproved software, since you don't have to prove tax evasion proper. They could definitely do a crackdown on suspected tax evaders more or less like the health authorities did their crackdown on the unsanitary Chinese restaurants a few years back and scare most small businesses into compliance.
Clearly, they can't be talking about open software the way we know it. If YOU had access to your cash register's software, you could hack it to underreport your transactions so as to evade tax. They only mean open to the government and it seems like there's no way to really accomplish their goal. What's to stop you from unloading the government-monitored software and making a version of it that they can't see and looks the same from their end but does something entirely different from your end?
Please note that it's an open question whether it's practical or not.
You could say the same about built-in kernel rootkits, they're very impractical to install on someone's machine. Yet we know about instances where machines were shipped with kernel rootkits installed.
Besides, why so complex ? Open sourcing these programs will lead to "tax optimizers". Write a program that reads in all the data files of the program, and outputs a "tax optimized" version with all the little details changed to better suit the business owner's tax situation. There will be absolutely zero ways of proving this was done, because the data files were generated by the exact same code that normally generates them based on sales, just with faked dates and missing transactions.
I wonder why everybody always comes with elaborate schemes to cheat using ridiculously complex methods to achieve these objectives when you could simply lie (and given the fact that no administration is ever accurate, finding an inconsistency is not exactly reason to throw the book at someone, keeping track of every single thing you do that involves money is a lot of work, you don't want to do it and as a result, accuracy is lacking at best).
No matter what they do, nothing prevents the clerk from hitting the No Sale button, or simply not hitting any button at all.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
I think it would be awesome for code to be published which has the functions (that Norway's government hates) commented out, with stern warnings "don't compile with this code removed from comments, or these functions could become present."
Intelligent idiots are we. | Evil men do not understand justice.
As a citizen of Norway, I think there should be no difference in how people are treated.
So:
Ministers of the government should start using the bus, or driving their own car to work. Today they use the field reserved for busses, driving cars with a private driver. Also, when we have visits of foreign heads of state, all traffic is stopped, and everyone has to wait while streets are blocked for lengthy times, and tax money is wasted on police protection.
Many years ago I worked near the Dam square in Amsterdam, about 100m from the royal palace. Every once in a while a convoy of visitors would be rushed to the palace (swift actions, lots of police on motor cycles clearing the way just in front of the convoy), and the cars would be parked on the pavement behind the palace, most of them with CD number plates (Corps Diplomatique). Once I walked by during a lunch break and one diplomat had parked his car not behind the palace but on the pavement across the street. A wheel clamp was attached and I saw a diplomat in a pinstripe suit demanding from a traffic warden that it be removed. The diplomat was about as furious as one can get, I've rarely seen people become that angry, but the traffic warden obviously was immune to angry parking violators and he wasn't impressed at all. He calmly pointed out that the guy should have parked in the designated area and wouldn't get preferential treatment. The fine couldn't be paid on the spot, he had to go to an office in some inconvenient location for that. I immensely enjoyed seeing this man, whose attitude made it very clear that rules for ordinary people didn't apply to him, getting this treatment from an ordinary guy.
Audits. Norway already has a department that checks measuring devices such as weights, [gas] pumps etc. Maybe they check cash registers as well. There are classes of devices that have to be certified periodically (a number of years) by law.
I believe they check the software at the gas pumps, because obviously the numbers have to match with the output they claim was sold and delivered to the customer. I believe it would be a small matter to run checksums on cash register software.
In fact I believe they might as well require them to be online [and constantly report checksums]. There isn't a shop location in Norway that doesn't already have some digital connection to the debit card payment system run by the Norwegian banks' [shared] exchange. Most Norwegians hardly touch cash any longer, it's mostly debit cards and has been for the last decades.
I'm just guessing here, but it's probably a political issue since investigations show that some 80% of restaurants/bars were using dual records, one official and one unofficial.
Defining Statistics and Social Research
Tivoization is clearly going against the intention of GPL. They should have used BSD licensed code to do what they wanted as people who write GPL code don't intend their code to be locked down by anyone.
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
In this vein I created an online petition for the White House to respond to. The US banking system could use some movement towards a modern replacement to checking.
Petition to Replace the US Checking System
Mod Parent Up! After reading all the other comments, this is the only one that strikes me as a solution that might work.
you give honest classical liberals a bad name.
Quite the opposite. roman_mir gives liberals a good name, because he is not one of them. He automatically makes everyone else look sane and reasonable, no matter how few people agree with them philosophically here on slashdot. roman_mir is not a classical liberal, he is a neo fascist.
Read what he writes. He promises freedom but his plans would deliver slavery. He is championing fascism for the people.
True. There are however other articles in Norwegian confirming that this is OSS software.
This is blinging