Letter Ruling 11-3: Authentication Services/Digital Certificates
Sales and Use Tax
March 24, 2011
You requested a letter ruling on behalf of your client, ***************** (hereinafter “Taxpayer”) regarding whether the Taxpayer’s sales of authentication services via provision of a digital certificate to the Taxpayer’s customers for a consideration are subject to the Massachusetts sales/use tax when provided to customers located in Massachusetts.
I. Statement of Facts
The Taxpayer is a provider of authentication solutions for businesses and individuals seeking to perform secure electronic commerce and communications over the Internet. One such solution is the provision of a digital certificate and authentication and resolution services on a subscription basis.
Digital certificates are commonly used to facilitate the secure transmissions between end users’ browsers and the Taxpayer’s customers’ (“customers”) servers. A digital certificate allows an end user to recognize that he is, indeed, accessing the customer’s server.
A digital certificate is provided through an online process, and the first step in this process is the customer’s access of the Taxpayer’s online portal to complete a registration form. As part of the customer’s request of a certificate through registration, a private and public key pair is generated by the customer’s web server. The private key is retained by the customer on its web server. The public key is part of the information sent to the Taxpayer in the registration process.
The Taxpayer performs all due diligence necessary to authenticate the identity of the customer, the related website and business, and the information presented by the customer during the registration process, including the public key. Once the Taxpayer authenticates the identity of the customer, a digital certificate is electronically sent to the customer. A digital certificate is flat file containing: the customer’s public key, metadata with information such as certificate expiration date, the certificate owners’ name, the name of the issuer (certification authority, i.e., the Taxpayer), serial number of the certificate, and an electronic signature of the issuer. [1] The flat file does not contain binary code and does not dictate statements, data or instructions to bring about certain results. As such, the flat file, i.e., the digital certificate, is not computer software.
The digital certificates are installed by the customer on a customer’s web server. When end users connect to the customer’s server through a web browser, the browser establishes the authenticity of the digital certificate (and thus the authenticity of the web site) by mathematically proving that the certificate presented by the customer’s web server was digitally signed by the Taxpayer. The digital certificate also contains the aforementioned public key. It is described as a “public” key because the digital certificate (and key contained therein) is readily viewable by any browser.
The end user’s web browser creates a session key that is used to encrypt the transmission between the customer’s server and the end user’s browser. However, the end user’s browser must first use the public key to encrypt the session key and then transmit the session key to the web server. The web server will use the private key to decrypt the session key so that both the web server and browser can begin using the session key for the encrypted transmissions. After the initial handshake between the browser and web server, the session key is used for the encryption of the transmissions. The encryption strength of the transmission is directly related to the bit length of the session key. The encryption/decryption is performed by the cryptographic software built into the web browser and customer’s server. This software is not provided by the Taxpayer.
In addition to authenticating the digital certificate and website, the end user’s browser communicates with the Taxpayer’s servers to verify that the digital certificate is valid and not revoked (resolution service). If the certificate is valid, the end user’s browser will show the end user a notification that the certificate is valid and has not been revoked. The charges for the authentication service, digital certificate, and resolution service are part of a lump sum subscription charge and must be renewed periodically.
II. Ruling Requested
The Taxpayer requests a ruling that its sales of authentication services via provision of a digital certificate to the Taxpayer’s customers for a consideration are not subject to the Massachusetts sales/use tax when provided to customers located in Massachusetts.
III. Discussion of Law
Massachusetts imposes a 6.25 percent sales tax on all retail sales of tangible personal property and telecommunications services within Massachusetts by any vendor, unless otherwise exempt. G.L. c. 64H, §§ 1, 2. A complementary 6.25 percent use tax is imposed on tangible personal property and telecommunications services purchased for storage, use or other consumption within Massachusetts. G.L. c. 64I, §§ 1, 2. A “retail sale” is defined as a sale of tangible personal property for any purpose other that resale in the regular course of business. G.L. c. 64H, § 1. The definition of “tangible personal property” provides “(a) transfer of standardized computer software, including, but not limited to electronic, telephonic, or similar transfer, shall also be considered a transfer of tangible personal property.” Other than standardized or prewritten software, digital products transferred electronically are not subject to sales or use tax. See TIR 05-8, Section VII. B.8.
For sales and use tax purposes, “sale” includes “the furnishing of information by printed, mimeographed or multigraphed matter, or by duplicating written or printed matter in any other manner, including the services of collecting, compiling, or analyzing information of any kind or nature and furnishing reports thereof to other persons, but excluding the furnishing of information which is personal or individual in nature and which is not or may not be substantially incorporated into reports furnished to other persons.” G.L. c. 64H, § 1 (emphasis added). The sales of reports of standard information in tangible form sold or intended to be sold to two or more purchasers are generally subject to the sales and use tax. 830 CMR 64H.1.3(8)(a). However, the sale of a report of individual information, even if in tangible form, is not taxable if the report may not be or is not substantially incorporated into reports furnished to others persons. 830 CMR 64H.1.3(8)(b). Charges for transmitting reports of any type by telephone lines, microwaves, or other electronic modes of transmission are not taxable, unless the vendor transfers an otherwise taxable medium imprinted with the reports as part of the same transaction. See 830 CMR 64H.1.3 (8).
Digital certificates are sent to the Taxpayer’s customers electronically; such transfers for consideration are not subject to sales or use tax unless transfer of the digital certificates constitutes a taxable transfer of prewritten software.
The rules relating to tax on prewritten software are contained in the Computer Industry Services and Products Regulation, 830 CMR 64H.1.3. Section (3) provides the following:
(3) General Rules.
(a) Sales Tax. Sales in Massachusetts of computer hardware, computer equipment, and prewritten computer software, regardless of the method of delivery, and reports of standard information in tangible form are generally subject to the Massachusetts sales tax. Taxable transfers of prewritten software include sales affected in any of the following ways regardless of the method of delivery, including electronic delivery or load and leave: licenses and leases, transfers of rights to use software installed on a remote server, upgrades, and license upgrades. The vendor collects sales tax from the purchaser and pays the sales tax to the Commissioner.
Id. For purposes of sales and use taxes, prewritten software sold to a customer in Massachusetts or purchased for use in Massachusetts shall be subject to the sales or use tax regardless of the method of delivery, including transfers by electronic means such as the Internet. The sales and use taxes, in general, do not apply to the performance of a service. 830 CMR 64H.1.3(3)(e). When a transaction involves the performance of a service and there is no transfer of tangible personal property or there is an inconsequential transfer of tangible personal property, the transaction is not subject to tax. 830 CMR 64H.1.1(2); 830 CMR 64H.1.3(14). Thus, the sales and use taxes do not apply to access or use of software where the object of the transaction is acquiring a good or service and there is no charge for the use of software. 830 CMR 64H.1.3(14).
The Taxpayer characterizes the authentication services as services involving no transfer of prewritten computer software. The taxpayer contends that the transfer of the digital certificate is not the transfer of computer software. Based on the taxpayer’s representations in the Statement of Facts, regardless of whether the generation and transfer of the digital certificate is made possible by computer software, we agree that the object of the transaction is a nontaxable authentication service and not any software that enables the provision of those services.
IV. Ruling
The Taxpayer’s sales of authentication services via provision of a digital certificate to the Taxpayer’s customers for a consideration are not subject to the Massachusetts sales and use taxes when provided to customers located in Massachusetts.
Very truly yours,
/s/Navjeet K. Bal
Navjeet K. Bal
Commissioner of Revenue
NKB:MTF:lbr
LR 11-3
[1] Note that the exact contents of a certificate adhere to certain established standards such as the “X509” standard that specifies what can or cannot be contained on a certificate.