VAT Talks - John McCallig

John McCallig

We’re honoured that John McCallig, Assistant Professor in the Accountancy Subject Area at the University College Dublin Business School, wanted to talk about VAT, real-time reporting and encryption with us! John not only has extensive knowledge of the accounting area, but has also done extensive research into modern cryptography. For his work on applying cryptography to VAT, he was even awarded the NovaUCD Invention of the Year award.

You are an Assistant Professor in the Accountancy Subject Area, but also interested in encryption. How did you end up being interested in this technical subject?

“I work in the University College Dublin Business School. Some of my colleagues became very interested in the Bitcoin cryptocurrency and how it was changing the way people think conceptually about money (Coding Value project). I then spent some time analysing the technical aspects of Bitcoin and how cryptography allows the record keeping to be decentralized and yet secure. As I have done quite a bit of computer programming, I was able to at least understand how blockchains work.

The cryptography behind the blockchain fascinated me and I thought some of the ideas could be used to solve problems in business information systems. I started to research blockchain systems like Ethereum and Hyperledger and their possible application to accountancy and business systems. This led me to other cryptographic techniques like homomorphic cryptography where you encode data and then perform operations on the encoded data. I think that is the coolest part of modern cryptography.”

More and more countries are implementing real-time reporting. In the final VAT in the Digital Age report regarding Digital Reporting Requirements (DRR), it is argued that gains in confidentiality remain merely theoretical, “considering that no occurrence of data leakages or significant safety accidents occurred with respect to the existing DRR.” What do you think of this statement?

“I think we will look back in 10-15 years’ time and be horrified at our lax attitude towards privacy and data sharing. I think that when you gather a lot of data in one place, you basically build a honeypot that’s going to attract hackers and people that take advantage of that data. So, I believe that when new systems are being designed and built they should have privacy at their core rather than being retrofitted later.

Modern cryptography provides the tools that allow us to build systems that provide privacy while also providing the information necessary to achieve their objective. This is not impossible and is just a matter of careful design and fitting the right cryptographic tools to the problem. Systems that collect far too much data and then store it using conventional password security will eventually be hacked. This would be very serious for tax authority systems that might disclose large amounts of highly sensitive business data that could be used for fraud or commercial gain. Governments and the EU should lead on building these secure systems and in time regulate private companies to use similar methods. It is short-sighted to say that, just because the data has been kept secure so far, this will continue to be the case.”

What would be the consequences of such a data breach of a real-time reporting system?

“I think the worst consequence of a data breach would be that it would undermine the whole objective of collecting data digitally and using it for its intended purpose. People would lose confidence in the system. Users would lose confidence in the system and might even refuse to put data on the system if they feel that there is a possibility that it could be stolen. Also I think you might get a political backlash against governments collecting vast amounts of unencrypted data. People are becoming a lot more sensitive about that, as they become more informed about what their data is being used for. I think it would really set us all back if there was a large data breach. This would make it more difficult to build those systems that we really do need to build.”

Do you think people are more aware of the possibility that their privacy and/or confidentiality is being breached?

“I think so. I think people are very aware that their privacy is being breached all over the place. What they don’t know is that it’s not necessary. That there are ways of encrypting data which could allow them to get the digital services that they want and need, but without breaching their privacy. At least for the essential services. Those government provided essential services can be provided without breaching people’s privacy or causing a large risk of their data being hacked at some point in the future.”

How can modern encryption help to prevent such data breaches?

“Modern cryptographic systems can allow businesses to upload their data to the system in encrypted form. This data can be analysed while it is still encrypted and only the information necessary for the proper functioning of the VAT system is disclosed to the tax authorities. The details of the business transactions are kept private and could only be requested should a VAT audit be required.

A modern system can perform operations on encrypted data and allow things like checking that one transaction is equal to another transaction or that a sum of a number of transactions is equal to a sum of other transactions plus the payment. These systems can achieve the objectives of a VAT system without disclosing the details of the transactions.”

Is real-time reporting being discussed in Ireland?

“I think the Irish Tax Authorities are waiting for more information from the EU, and will probably follow the guidance that will come from the EU.”

The previously mentioned report also discusses the idea of a real-time reporting system for intra-Community transactions. What do you think about this?

“I think it will be essential to harmonise real-time reporting across Europe in order to get the full benefits of this system. A lot of VAT fraud happens between EU countries and relies on the lack of coordination of national VAT systems with each other. I think using a cryptography-based system would be ideal for transnational transactions as it does not involve large amounts of unencrypted data being shared across borders.

Politically it would make it a lot easier, if the tax authorities can say: we are sending your data to another country, but it is encrypted and they can only use it in certain ways. Instead of saying: we’re opening up our database to everyone else in the EU to look at, which again would probably increase the risk of there being a data breach somewhere in the EU. Data from other countries would be included in that data breach which would obviously be a catastrophe from a data protection point of view.”

If you could give one piece of advice to the European Commission regarding real-time reporting, what would it be?

“I would say this is an opportunity to build a system for the long run rather than patching up existing systems. It’s an opportunity to build a system that works all over the EU rather than only in certain countries. This will mean building a system that is transparent and will have the confidence of both its users and the tax collection authorities. The time has come to take privacy seriously and to incorporate the highest possible standards into new systems.”

What would you say to readers to make them more enthusiastic about encryption?

“I think people don’t appreciate how much they use encryption every day already. We use it when we make a payment on the web, consult our bank account, or unlock our phone. These public-key encryption systems have become part of our world and enable many new ways of living and doing business. It is now time to use more sophisticated encryption for data collection and sharing. This will enable both society and individuals to contribute and collect data, and use it as intended, while keeping our privacy. That’s what I’m most enthusiastic about and what I would like for people to see: that there is the potential to make the digital world a lot safer for us all and enable most of the functionalities that we need as well.”

We would like to thank John again for his time and for giving his perspective on VAT. The opinions expressed in this article are personal. If you have any questions, suggestions or if you want to be our next interviewee, do not hesitate to contact us via info@summitto.com