Should You Give An Anime Girl Your SSN?
Tax Heaven 3000 has taken over the Internet, partly by continuing the ever-present trend of weird visual novels, and partly due to the ever-present meme of giving an anime girl your personal information.
At the same time, as a tax preparation program, it does need some of your personal information in order to properly fill out the forms. So, should you trust Iris with your Social Security number? There's only one way to find out.
The Importance of the SSN
In the United States, Social Security is a system to provide income to the elderly after they retire to make sure they still have some source of income. Workers pay into the system throughout their life through taxes, and then can cash out once they receive retirement age. In addition, it provides income to disabled and low-income citizens.
To track people paying into and cashing out of Social Security, every US citizen is issues a Social Security number, a nine-digit number unique to the person it is issued to. As such, for better or for worse, it's become a standard form of identification to prove that you are, in fact, you.
It should go without saying that it's extremely bad if this number falls into the wrong hands, and it's extremely important to make sure that it doesn't. This brings us back to the question at hand: should you trust a cute anime girl with your SSN?
Tax Heaven 3000: A Review
In order to properly analyze the program, we do have to use it, and this is going to be a really short post, so I'll pad it by including an abbreviated review of the game.
As far as tax programs go, it's extremely easy to use. It takes the various forms on the standard US Form 1040 and turns them into easy to understand questions. If you already know what you're doing, you can blow through the process pretty quickly, but it also has a lot of helpful explanations should you need them.
That said, it only works for fairly simple tax returns, so if you're married, claiming dependents, or have invested in crypto, the game will kick you out, and you'll probably need to track down a tax preparer to hire.
We still haven't addressed the question: is the game safe?
The most obvious way of exfiltrating data would be over a network, so we'll take a look at that vector first. I used Microsoft Network Monitor to keep an eye on network traffic. While it isn't officially supported by Microsoft anymore, it keeps track of traffic based on process IDs, which will make the data a lot easier to parse through.
Not that there was much to parse through. Tax Heaven 3000 didn't appear to make any kind of attempt to access anything network-related. As far as that front goes, your personal data seems to be pretty safe.
Even though it doesn't directly send data over the network, it could save the data to be sent later, or trigger another program to send the data for it.
Spoiler: it doesn't.
I ran Process Monitor to track everything the game did and accessed and didn't see anything out of the ordinary. The only thing that stuck out all was a few launches of
There's actually nothing to see here: it just runs the
ver command, which checks the current Windows version.
There's a good explanation for this, too. The game is written with Ren'Py, and as of version 7, Ren'Py does not support Windows XP. It's a reasonable assumption that Ren'Py has a built-in check to make sure it's running on a compatible version of Windows. The same behavior shows up in the Ren'Py launcher, the Ren'Py tutorial, and the sample game “The Question”.
Like I just said, Tax Heaven 3000 was created using Ren'Py, a popular engine for creating visual novels. As you can probably guess from the name, it's built with Python.
Ren'Py does have a couple methods for obfuscating code, but they're all pretty trivial to crack. I'll leave finding the tools for doing that as an exercise for the reader.
With that said, in my admittedly not-very-thorough code analysis, everything seems to be pretty much what you'd expect from a Ren'Py game.
The moral of this story is... probably still don't give an anime girl your SSN. But, at least in this specific case, it seems to be just as safe as giving your SSN to any other tax program on the market. Plus, it's a good “FU” to Intuit and the wider tax lobby, as well as a lesson that doing your own taxes might not be quite as difficult as you might expect.