ATO App / myTax

Australian Taxation Office · 🇦🇺 Australia
Technical details
App: ATO app
Manufacturer: Australian Taxation Office

⚠️ The bottom line

Criminals lodge fake tax returns through myGov-linked ATO accounts, and some fraudulent refunds were paid within 14 days while legitimate taxpayers waited months and jumped through identity-verification hoops: $557 million lost to identity fraud in 2022-23, because it was easier for fraudsters to get in than for real taxpayers to get paid. At the same time the ATO matched 776 million transactions in a single year against records obtained under its data-matching powers from banks, share registries, crypto exchanges, ride-share and accommodation platforms and property settlements, so it often knows your Uber earnings, your Airbnb rentals, your crypto trades, your dividends and your property sales before you report them, then waits to see whether your return matches. It is the most comprehensive financial surveillance system in the country, and it is legal.

Legal jurisdiction
🇦🇺 Australia (headquarters)
Assistance and Access Act: the government can force companies to build backdoors into encryption and gag them from telling you.
Metadata Retention: ISPs and telcos must store 2 years of your connection data for law enforcement.
Scores
Spying: 2/4 MODERATE (Is someone spying on me?)
Data Sharing: 1/4 LOW (Who gets my data?)
Security: 3/4 HIGH (Is it actually secure?)
Honesty: 2/4 MODERATE (Can I trust what they say?)
Verdict: CONFIGURE. High-risk areas that can be partially mitigated with settings changes.
4 contradictions (1 critical, 1 high, 2 medium) · 4 sources
Findings by concern
Spying · 2/4 MODERATE · 2 findings
⚡ HIGH · privacy policy vs regulatory
776 million transactions matched in a single year. The ATO knows your Uber earnings, your Airbnb rentals, your crypto trades, your share dividends and your property sales, often before you report them. It obtains bulk records from banks and platforms under its data-matching powers, then waits to see whether your return matches. It is the most comprehensive financial surveillance system in the country, and it is legal.

What they claim: ATO privacy policy describes data collection as necessary for tax administration

What we found: The ATO operates the most extensive data-matching program in Australia, collecting data from banks, employers, share registries, cryptocurrency exchanges, ride-share platforms, property settlements, and foreign governments. In 2023, the ATO matched data from 776 million transactions, including Uber, Airbnb, and cryptocurrency exchange records.

⚫ MEDIUM · privacy policy vs regulatory
Up to 1.2 million Australians traded crypto, many of them on platforms marketed as private or anonymous. The ATO issued data-matching orders to every Australian exchange and collected everything: names, addresses, dates of birth and every transaction back to 2014. The exchanges that marketed "privacy" handed it all over. On Australian exchanges there is no anonymous crypto.

What they claim: ATO describes cryptocurrency reporting as part of standard tax obligations

What we found: The ATO issued data-matching orders to all Australian cryptocurrency exchanges in 2019, collecting personal details and transaction records of up to 1.2 million Australians who traded crypto between 2014 and 2019. Many users had traded small amounts on platforms that marketed themselves as "anonymous" or "private."

Security · 3/4 HIGH · 1 finding
⚠️ CRITICAL · marketing vs regulatory
Criminals lodge fake tax returns through myGov-linked ATO accounts, and some fraudulent refunds were paid within 14 days. Your real refund? Months of delays and identity-verification hoops. $557 million lost to identity fraud in a single year, because the ATO made it easier for fraudsters to get in than for real taxpayers to get paid.

What they claim: ATO promotes secure online tax lodgement through myTax and the ATO app

What we found: The ATO lost $557 million to identity fraud in 2022-23, with criminals using stolen credentials to lodge fraudulent tax returns through myGov-linked ATO accounts. The Inspector-General of Taxation found the ATO's identity verification was "fundamentally inadequate" and that some fraudulent refunds were paid within 14 days while legitimate refunds took months.

Honesty · 2/4 MODERATE · 1 finding
⚫ MEDIUM · privacy policy vs third party research
Your tax file number, income, deductions and superannuation balance are accessible to third-party tax agents and tax software providers via API. A 2020 audit found weak authentication on some tax agent portals. Once your data leaves the ATO's systems through a tax agent's software, the ATO admits it has "limited visibility" into what happens to it.

What they claim: ATO app handles sensitive financial data with appropriate security

What we found: The ATO allows third-party tax agents and software providers (H&R Block, TurboTax/Intuit, Xero) to access taxpayer records via API. A 2020 audit found some tax agent portals had weak authentication, and the ATO had limited visibility into how third-party software stored or transmitted taxpayer data once accessed.

Sources