Our Procedures and Policies in Fulfillment
of IRS Requirements
Authentication and Integrity Through Digital
Determination of Fees
Our Procedures and
Policies in Fulfillment of IRS Requirements
IRS regulations prescribe the conditions required to make exempt organization documents "widely available"
using the Internet. Those conditions are satisfied by 990online.com as described on this page. Text extracted
from the IRS regulations is given below in italics.
From the Code of Federal Regulations § 301.6104(e)-2:
§ 301.6104(e)-2 Making applications and returns widely available.
(a) In general. A tax-exempt organization is not required to comply with a request for a copy of its application
for tax exemption or an annual information return pursuant to § 301.6104(e)-1(a) if the organization has made
the requested application or return widely available in accordance with paragraph (b) of this section. An organization
that makes its application or return widely available must nevertheless make the application or return available
for public inspection as required under § 301.6104(d)-1 or § 301.6104(e)-1, as applicable.
(b) Widely available-
(1) In general. A tax-exempt organization makes its application for tax exemption and/or an annual information
return widely available if the organization uses a method specified in paragraph (b)(2) of this section or in a
revenue procedure or other form of guidance issued by the Commissioner, and if the organization satisfies the requirements
of paragraph (b)(3) of this section.
(2) Internet posting. A tax-exempt organization can make its application for tax exemption and/or an annual
information return widely available by posting the application or return on a World Wide Web page that the tax-exempt
organization establishes and maintains or by having the application or return posted, as part of a database of
similar documents of other tax-exempt organizations, on a World Wide Web page established and maintained by another
990online.com specifically maintains a database of tax-exempt organization
returns and applications for exemption.
In order for the application or return to be widely available through an Internet posting, the entity maintaining
the World Wide Web page must have procedures for ensuring the reliability and accuracy of the application or return
that it posts on the page and must take reasonable precautions to prevent alteration, destruction or accidental
loss of the application or return posted on its page.
990online.com adheres to the following policies and procedures to comply with this requirement:
- Returns and applications for exemption are accepted by 990online.com only if accompanied by a signed
declaration from an authorized organization representative. This person must be either a member of the Board, the
Executive Director (or President), the chief financial manager, or the chief operations manager. The declaration
requires that person to warrant that the submitted documents are "true and accurate copies of our organization's
records as required under federal regulations for public disclosure."
- Payment is accepted only in the form of a check payable by the tax-exempt organization, in order to confirm
the source of the submitted material.
- Each submitted document is received and stored in electronic form as a DCX-format multipage document file,
which is then converted in its entirety to PDF format automatically. The PDF file is viewed manually to determine
if the number of pages is correct, then edited to remove the fax cover pages. The unaltered remainder of the document
is saved as a file whose name is based on an unambiguous labeling scheme that allows it to be easily matched to
the originating organization (through that organization's FEIN number). This file is uploaded to the 990online.com
Web site. No other changes are made to the submitted electronic document.
- The submitting organization is asked to review the documents posted online as an additional measure to insure
that transcription and publishing has been performed accurately.
- Industry-standard security measures (password-based) are used to insure that only authorized individuals have
the ability to write to or otherwise alter the 990online.com Web site, including the database of submitted
documents. Additional security is provided by a PGP digital signature mechanism,
which allows the public to verify that the documents at this Web site were not altered by any unauthorized party
after online publication.
- An secure electronic backup archive of the entire 990online.com database of documents is maintained
in a secure physical location separate from that of the Web server, on a hard disk and/or ZIP disks. Even in the
event of a total loss of that Web server, the entire data set would be restored to public online access within
- An additional secure backup archive of all documents submitted to 990online.com is maintained on tape
- An administrative database is maintained, which records the name and contact information for the organization
and lists the documents that have been processed by 990online.com.
Furthermore, the application or return will be considered widely available only if-
(i) It is posted in the same format used by the Internal Revenue Service to post forms and publications on
the Internal Revenue Service World Wide Web page;
Submitted materials are published by 990online.com in PDF-format, which is the same format used by the
IRS to post forms and publications on its Web site.
(ii) The World Wide Web page through which it is available clearly informs readers that the document is available
and provides instructions for downloading it;
Such a notice and instructions are provided.
(iii) When downloaded and printed in hard copy, the application or return is in substantially the same form
as the original application or return, and contains the same information provided in the original application or
return filed with the Internal Revenue Service (except information withheld pursuant to § 301.6104(e)-1(b)(4)(i)
(the names and addresses of contributors listed on the annual information), Schedule A of Form 990-BL and information
on the application for tax exemption required to be withheld under section 6104(a)(1)(D) and § 301.6104(e)-1(b)(3)
(trade secrets and similar information)); and
Documents in PDF-format preserve the form and contain the same information that is submitted to 990online.com
for online publication. The authorized person who submits the document is required to warrant that the submitted
documents are true and accurate copies of the materials required by these federal regulations to be publicly disclosed.
(iv) A person can access and download the application or return without payment of a fee to the organization
maintaining the World Wide Web page.
Documents in the 990online.com database are available without charge for the public
to download at any time.
(3) Notice requirement. If a tax-exempt organization has made its application for tax exemption and/or an
annual information return otherwise widely available it must tell any individual requesting a copy where the documents
are available (including the address on the World Wide Web, if applicable). If the request is made in person, the
organization shall provide such notice to the individual immediately. If the request is made in writing, the notice
shall be provided within 7 days of receiving the request.
990online.com provides tax-exempt organizations with an Internet address (URL) for a Web page from which
their submitted documents are available (http://990online.com/docs/).
Integrity Through Digital Signatures
990online.com uses industry-standard password protection to prevent malicious access to our Web site
for purposes of altering the documents published there. However, a mechanism exists that extends this security
by making it possible to recognize if such improper changes have been made. Digital signatures allow document integrity
to be tested, i.e. they provide verification that the electronic file is unaltered by anyone other than those authorized
to do so.
How Do Digital Signatures Work?
Although the mathematical basis for digital signatures is beyond this discussion, the logic of the system is
- A digital signature is generated for an electronic document through a mathematical procedure that uses both
the document and a "private key." The private key is known only to the person who generates the digital
- A digital signature is used to verify an electronic document's integrity through a mathematical procedure that
uses both the document and a "public key" that corresponds specifically to the private key used to create
the digital signature. The public key and electronic signature are made public, so anyone can perform this verification.
The verification process proves that the signature was created from this exact document, and that the person who
created the digital signature is in possession of the private key. Noone can create a digital signature that matches
the public key if they don't also have the private key.
- If a malicious hacker succeeded in accessing a Web site and changing the electronic document, they'd also have
to create a digital signature to match it, else anyone checking the signature would notice that it no longer matched
the document. However, because the hacker doesn't have the private key, any signature created would indicate upon
testing that it was created by someone other than an authorized person.
How Can I Test A Digital Signature For One of the Documents Here
In order to test a digital signature, you must first obtain the appropriate software. The 990online.com
digital signatures use the Pretty Good Privacy (PGP) method, so you'll need software that can perform PGP testing.
We recommend the commercial or freeware PGP software from NAI/McAfee as being particularly easy to use. Specific
instructions for using that software is available. However, the general procedure for testing a PGP digital
signature is the same no matter which software you use.
- INSTALL SOFTWARE
Install the PGP software of your choice on a convenient computer.
- OBTAIN OUR PUBLIC KEY
Obtain a copy of our public key and import it into your software's "public keyring." Some software can
connect automatically to the keyserver you indicate, search for keys matching the criteria you provide, and store
the selected keys in your public keyring. Otherwise, you will probably need to get a plain-text version of the
public key, save it as a file, and then add it to your public keyring using your software's "import key"
function. For security reasons, no copy of our public key is located at the same Web site as the IRS documents
we've published. The 990online.com public key may be obtained from any of these sites:
- McAfee/PGP keyserver <ldap://certserver.pgp.com>. The key retrieval method depends on the version
of the software you are using, so check your documentation. If you are using the NAI/McAfee software, it will access
this site automatically. On the keyserver, search for "990online.com" in the User ID. You can confirm
that it is indeed our key by checking the associated verification information, as follows. This additional identifying
information is repeated at our offsite digital signature
Web page for added security as described below. Our email address is "firstname.lastname@example.org". Our Key
ID is "0xA8E1D182" and its fingerprint is:
61A4 B7D6 EDB9 52BE FE8C 8A64 3020 FC66 A8E1 D182
- McAfee/MIT keyserver <http://pgpkeys.mit.edu:11371>.
If you are using the NAI/McAfee software, it will access this site automatically. Otherwise, you can visit the
associated Web site and use the form there to search for "990online.com"
and then verify the information as in the previous paragraph.
- MIT Keyserver <http://pgp.ai.mit.edu/>. At this Web
site, go to the "extract a key" page to use the form there for retrieving our public key as an ASCII
text. Save that text and import it into your public keyring.
- Our Offsite Public Key Page <http://members.home.net/mercere/990online_pgp.html>.
We maintain another Web page, that is specifically not located on the regular 990online.com site, from which you
can obtain our public key and the associated identifying information for it. If the information there does not
exactly match that here or on the keyservers (particularly our public key's "fingerprint" given above),
someone has maliciously changed one of them. This is highly unlikely, but these security procedures were implemented
to help avoid else quickly reveal even highly unlikely events.
- DOWNLOAD THE DOCUMENT AND SIGNATURE FILES
Download a copy of the document and its associated digital signature file using your Web browser's usual mechanism.
The image of a small key
next to the name of each document published at this site is a link to its associated digital signature file.
- TEST THE SIGNATURE
Your PGP software will have a "verify" function. It will require you to indicate the document and signature
files, and may ask you which public key in your keyring to test. If the software indicates that all three items
match, you'll have confirmed that the signature file was created from that document by 990online.com and
noone else, and that the document exactly matches the signature. Note that if you haven't imported the 990online.com
public key, the verification process will invariably report that the signature is unverified.
Sources of PGP Software and General Information
- Free Software and Information
- PGP version 6.x
- PGP version 5.x
- Graphical User Interfaces (for PGP version 5) and General Information
- Commercial Software
- Note: If you own Eudora Pro, you probably already have NAI/McAfee PGP Personal Privacy, which
is bundled with it.
- NAI/McAfee ("PGP Personal Privacy" is their most affordable
- NAI/PGP International ("PGP Personal Edition" is their
most affordable version)
Determination of Fees
Although the 990online.com service is not intended as a profit-making operation, it is intended to cover
the actual costs of processing and publishing online the submitted forms. The involved costs are:
- Fax machine with direct PC connection. This enables the fax machine and computer to have two separate
phone lines, so faxes can be received even while the computer is online. The extra phone line is an additional
cost. The fax machine is a 3-year old Hewlett-Packard Office Jet 350, a somewhat out-of-date multifunction printer/fax/copier/scanner
that HP isn't supporting anymore. A special and important function is that it can be set to receive faxes and then
place them on the computer hard disk through the bidirectional printer cable, keeping the document in electronic
format. The received documents are automatically saved in DCX format, which I convert to TIF or PDF for archiving.
This hardware will probably need to be replaced early next year, with another fax device that has a direct-to-PC
- Computer. The computer is a 3-year old Dell Dimension XPS P200s (200 MHz), with 64 MB RAM, and a set
of 4.3 GB and 13.0 GB hard disks. It probably has another 2 years of effective usefulness.
- Software. I use Adobe Acrobat "Exchange" version 3 to load the DCX file, remove the cover
page(s), and save the remainder in PDF format. I use Microsoft Access to maintain a database of orders and past
and present document tracking data. I use WS_FTP to upload files to the Web site. I use Norton Antivirus, Norton
Utilities, MS Office, Eudora Pro, and several other software applications for routine maintenance and operations.
I use NAI/McAfee PGP Personal Privacy to create and verify digital signatures for the published documents. All
software is updated annually.
- Iomega Zip Drive and Ditto Tape Drive. This is a 3-year old Zip drive, with SCSI interface connected
to a very modest SCSI card in the computer. The Zip drive is used to archive both the DCX files and the PDF files
(on separate disks). When 600 MB or so of ZIP disks are full (about 6 of them), they are transferred to CD-ROM
using a local service that charges $25 per CD-ROM. The CD-ROMs are the stable long-term storage format for the
received documents.The Ditto tape drive is used to make periodic backups of the hard disk that also holds the IRS
- Web Publication Site. The 990online.com Web site and document database are hosted by Interland,
which charges the lowest basic rates for Web-site-only services I was able to find. The cost of Web space goes
up with increased size (there is no "bulk discount" when it comes to hard disk storage, because bigger
disks cost quite a bit more). If the document database started to get very large, then I might contact them about
a discount or about buying and having them host a big hard disk or CD-ROM jukebox specifically for 990online.com,
since for very large databases those would probably be more cost effective mechanisms. In the meantime, their basic
charge is $20 per month for 80 MB of Web server disk space, $40 for 120 MB, $70 for 160 MB, $150 for 200 MB (as
of January 1999). The domain names (990online.com and online990.com, the latter because people are likely to make
that error) cost $70 per year.
- Ongoing Cost of Web Site Publication. A typical PDF file takes up about 43 KB/page. The annual information
returns I've examined average 20.3 pages in length, or 0.87 MB each. Exemption applications are usually significantly
longer and vary a lot, but I've estimated 40 pages as average. The IRS estimated in its proposed regulations for
TBOR2 that around 1000 NPOs could be expected to post their application and returns online. I estimate that 80%
of those will do the work entirely themselves, and that no more than 200 organizations would use the 990online.com
service. If each of those posts three returns and one exemption application, each will publish 100 pages, 4.3MB
online, for a total of 860 MB. Therefore, I assume the $1800/year for 200 MB rate, and get around $0.40 per page
per year. I estimate another $0.10 per page for ZIP and CD-ROM archival media and processing. Finally, I increased
the per page rate by 50% (to $0.75 per page per year) to account for potential future cost changes (I am committing
for up to three years of online publication), and to insure I haven't underestimated the real costs so that I don't
end up subsidizing this service out of my own pocket.
- Incidental Costs. I will probably not be able to conduct the business entirely by email (the least expensive
mechanism), and will end up incurring phone bills to ask for clarifications, and postage costs for sending postcards
for notification, or disks to people who can't receive email attachments).
- Total Hardware/Software and Labor Costs. The total computer maintenance, hardware and software upgrading,
and final replacement cost of hardware and software over a three year period, plus incidental costs, I estimate
at $10,000. I estimate it takes me 20-30 minutes per document for processing, including stripping the cover sheet
and storing to PDF format, entering the order and the file names into my recordkeeping database, archiving the
files to ZIP disk, creating digital signatures, and finally uploading them. For 200 organizations submitting 4
documents each, that comes to 270 hours. Given 200 organizations submitting 4 documents each at $25 flat rate per
document, less the estimated costs, that would generate $10,000 over three years as a reasonable buffer against
costs that I haven't anticipated (including business and related taxes if there is actually any money left over
after expenses and such taxes are due).
It's hardly expected to be a profitable business, but if my estimates are reasonable then at least I shouldn't
lose any money personally by operating it, which is the intention.