The SA Revenue Service (Sars) has rolled out a dedicated browser that supports Adobe Flash Player, which should allow users to access its Flash-supported eFiling forms. Four years ago Flash Player, which runs applications, websites and multimedia, was deemed too much of a security risk to continue being supported on web browsers such as Google Chrome, Microsoft Edge and Firefox.
The advance notice from the browsers should have given Sars enough time to rebuild its electronic filing platform and convert its forms to newer technologies such as HTML5 or JavaScript.
In 2019, the Sars IT department was hammered for its inability to implement updated, safer tech. That was when a video went viral of its then IT head, Mmamathe Makhekhe-Mokhuane, saying to an interviewer: “Ma’am, can you give me protection from yourself.”
Arthur Goldstuck, founder of World Wide Worx, says: “It would be comical if it were not so serious. Adobe advised users three years ago that it would end support for Flash at the end of 2020. Sars moved some of its services over to HTML5, but neglected a wide range of functions on the basis that it had assumed that Flash Player would continue to function after the deadline.”
In the second half of 2020, Sars managed to port some of its most-used eFiling forms to the newer HTML5 technology. But that still meant it would have to find a post-Flash solution for the other tax forms. Time was of the essence as the eFiling due date was nearing. The deadline was extended and taxpayers were given until February 15 to file their tax returns.
A Sars spokesperson, unnamed, tells the FM: “The Sars web browser is an interim solution only to accommodate the six forms not migrated to HTML5, of 44 that have already been migrated to HTML5.”
Confusion was worsened by the level 3 lockdown at the end of December, during which Sars closed its branches. “Sars offices will continue to operate remotely via our digital channel,” it tweeted in early January. But it has become clear the revenue service lacks the digital resources to make the upgrades needed.
“It is a disgraceful response from the state institution that requires the highest levels of governance from individuals and businesses,” says Goldstuck. “Sars is a zero-tolerance revenue-collecting body in terms of its insistence on compliance, and there should be zero tolerance for its own noncompliance. Heads should roll, and an urgent inquiry should be initiated into the running of Sars and its IT functions.”
Its quick workaround resulted in a Flash-supported web browser, available to download directly from the eFiling website, that will run only eFiling (users can’t browse Google or social media).
But only users on Windows devices will be able to access the browser and complete their tax returns. The software doesn’t run on macOS or Linux machines, but Sars has noted the problem and plans to fix it.
“In the interim, Sars has made a contained web browser available to access the six forms which are distributed by an Adobe-recommended supplier, and it is limited to the two Sars websites only,” says the spokesperson. “We have noted the Mac requirement and will make such available within the next week.”
Goldstuck says: “Now, it asks users to collaborate in its fiction that using an older Chrome browser version is an adequate workaround. This is not only a deeply clunky and inconvenient requirement of users, but it is dangerous in its attempt to turn back the clock on both browser and application.”
By no measure could this have been the most practical long-term solution to a problem Sars has known about since 2017. If it had turned to the private sector, this story could have had a completely different outcome.
Coenraad Human, a software engineer at Entelect SA, says that if Sars had used a private sector company, it could have finished an enterprise-quality rebuild of the website in 12 to 18 months.
“If it had a well-trained internal team, Sars could have rewritten the eFiling website in newer technologies … that run on JavaScript frameworks,” says Human, whose company has provided IT services for the financial industry. It has helped to improve security and user interfaces for Absa, Standard Bank and FNB.
Now Sars is stuck with a single-purpose browser, and the fact that it continues to run Flash Player may be problematic in the long term.
The software has been plagued by vulnerabilities that could cause data breaches and expose users to hackers.
“Flash … had so many vulnerabilities that it had to be discontinued,” says Human.
Luckily, however, Flash Player does not currently suffer from any known security vulnerabilities, according to Hack South researchers.
The platform is safe to use for now, but it’s not a long-term solution without support from Adobe, as noted by Sars itself. Users’ personal and financial information submitted through the eFiling browser won’t be at risk, for the time being, so South Africans can submit their tax returns with peace of mind.
Graham Viljoen, director at Webber Wentzel, says the new HTML5-powered portion of the eFiling platform works very well. “They’ve updated it recently and my interaction with it has been very good. It’s very straightforward to use.”
However, he says the Windows-only limitation is a barrier to entry for many South Africans.
Even though it’s a few years too late, Sars is hard at work porting its eFiling platform in its entirety to HTML5. This will ensure increased accessibility to a platform that should, by its nature, be secure and available to all citizens.
This article first appeared in the Daily Maverick.