I consider myself a fairly privacy-conscious person, going out of my way to evade online tracking and, for the most part, avoiding spam mail. But when I found myself staring at my home address on the website of a company I had never heard of, I knew somewhere I had gone wrong.
A few days before our rent was due at the end of April, my partner received an email from the owner of our apartment building about a new way we could pay rent while collecting reward points, like a loyalty program. It was a good offer at a time when rents are at record highs, so she clicked and it loaded the website of rental rewards company Bilt Rewards and prominently displayed her full name and our apartment number.
Already this was fairly alarming. Our apartment building had given her information to Bilt and we were now staring at it on its website. I never got the email that my partner received. But I was curious, did Bilt have my information too?
Any time she clicked the link in the email, it opened the same personalized Bilt webpage showing her name and apartment number because the webpage was retrieving her information directly from Bilt’s servers through an API. (An API allows two things to talk to each other over the internet, in this case Bilt’s servers storing our information and its website.) You could see this using the browser’s developer tools, no fancy tricks needed. Using the browser’s tools, you could also see that the website was also pulling the name of the apartment building we live in, even though it wasn’t displayed on Bilt’s website.
At best this was a gross attempt at personalizing a sign-up page, and at worst it was a breach of our home address. But it was also possible to retrieve the same information directly from Bilt’s servers using just her email address — no special email link needed — which, like for many of us whose email addresses are public, unfortunately wouldn’t require much guesswork.
I plugged in my email address and the site returned my name, building name and apartment number, all the same as my partner’s information. How was it possible for a startup I hadn’t heard of until this point to obtain and leak my home address?
I am one of about 50 million renters in the United States. I live just outside New York City with my partner and our two cats in an apartment building owned by Equity Residential, one of the biggest corporate landlords in the U.S. with more than 80,000 rental apartments under its management. Even then, Equity is one of about 20 corporate landlords including Blackstone, AvalonBay and Starwood that account for over two million homes, or about 4% of all U.S. rental housing.
Enter Bilt, one of many startups that have emerged thanks to the recent boom in the property technology space, or proptech, as it’s widely known. Bilt was founded by entrepreneur Ankur Jain in June 2021 and lets renters earn rewards each time they make a rent payment. It’s through partnerships with most of the largest corporate landlords that Bilt now offers its rental rewards program to more than two million rental homes across the U.S., including homes like mine that are owned by Equity.
My first call was to a neighbor in the same building, who when told about how Bilt’s website leaked my address, agreed to check to see if he was also affected. I pulled out my laptop and we entered his email address into Bilt’s API, which immediately returned his name, the building name and his apartment number; his face shifted from trepidation to horror, much as mine had done earlier in the day.
My second call was to Ken Munro, founder of U.K. cybersecurity testing firm Pen Test Partners, a name you might know from previous encounters with leaky online services, like Peloton bikes, smartphone apps and the occasional sex toy. Unbeknownst to me, one of his stateside colleagues has an apartment in my building and confirmed to me that the details of his home address were also exposed by the API.
Now we’re at four people whose information was exposed by Bilt’s leaky website just by knowing their email address.
I contacted Bilt, whose response was not great.
“The API you sent below is working as intended,” responded Jain, now Bilt’s CEO. (Jain declared his email “off the record,” which requires both parties agree to the terms in advance. I told Jain we would publish his responses since there was no opportunity to decline.)
“The only exception to this is a handful of buildings operated by Equity Residential, where they have not yet integrated Bilt into their native resident portal,” said Jain. “But given the small number of buildings, Equity made a risk decision to send email invitations and landing pages using a more manual approach in the short term. For this small set of pilot buildings, landing pages generated using this API require email only,” he said.
Jain said that the information returned by the API “is widely and easily available via any public records search,” and that there is “no private information being disclosed via this API that isn’t available across these public records.” (Jain and I will have to agree to disagree since up to this point I had kept my home address largely off the internet — and in any case, just because someone’s personal information is made public in one place isn’t a justification for making it public somewhere else.)
When reached for comment, Equity spokesperson Marty McKenna said: “We are using this process at a limited number of buildings while we complete our integration with Bilt. We do not agree that this is a security issue,” said McKenna.
McKenna repeatedly declined to say how many Equity buildings had residents whose information was exposed. But my own leaked information left behind clues that suggest the number could be at least 21 Equity buildings, amounting to thousands of tenants. When asked about the number of buildings, McKenna did not dispute the figure.
Bilt eventually plugged its leaky API on May 26, almost a month after I first made contact.
But it still wasn’t clear how Bilt got my information to begin with, absent any mention of data collection or sharing in my signed lease agreement.
And it’s not unique to Equity. Many of the other corporate landlords use similar catch-all language in their privacy policies that gives them wide latitude to collect, use and share or sell your personal information.
Erin McElroy, an assistant professor in the Department of American Studies at the University of Texas at Austin, whose research includes proptech and housing, told TechCrunch that as housing becomes treated more as a commodity rather than a right or a social good. With tenants’ increasingly framed as consumers, much of what a person might experience when using a certain product or service is now also experienced as a tenant. “That’s strategic and part and parcel with the corporatization and financialization of housing, that certainly tenants don’t think of themselves as consumers and read all the fine print in their lease agreements, imagining that something like this might happen,” said McElroy.
The FTC can, and sometimes does, take action against companies that misuse data or have poor data security practices, like mortgage data firms exposing sensitive personal information, attempts to cover up data breaches and tech companies for breaking their privacy promises. As attorneys at law firm Orrick wrote: “The fact that you can sell your tenants’ data does not mean you should sell that data.”
But there are no rules that specifically protect the sharing of a tenant’s personal information.
Instead, it’s up to each state to legislate. Only a handful of U.S. states — California, Connecticut, Colorado, Utah and Virginia — have passed privacy laws that protect consumers in those states, said Sotto. And only California’s law is currently in force at the time of writing.
CCPA is, like GDPR, imperfect to say the least. But as the first U.S. statewide privacy law in, it set the bar for other states to follow and, ideally, improve over time.
Virginia is the next state with a law to come into effect in January 2023. But critics have called the bill “weak,” alongside reports that the bill’s text was authored by Amazon and Microsoft lobbyists, working to serve their corporate interests. Tech giants are backing and pushing for heavily lobbied state privacy laws, like Virginia’s, with the ultimate goal of prompting federal legislation that would create weaker blanket rules across the U.S. that would replace the patchwork of state laws — including California’s, where the rules are the strongest.
But while a fraction of Americans are covered by some privacy laws, the majority live in states that have little to no protections against the sharing of a person’s information.
“There is really a paucity of legislation,” said McElroy. “Tenants are not told generally anything about what kinds of data are being collected about them. They don’t have the opportunity to consent and they’re not given any sort of indication of potential harms,” they said.
Would I have moved into this apartment knowing that my corporate landlord would share my personal information with third parties that show little regard to protecting it? Maybe not. But with skyrocketing rents and a looming global economic downturn, despite record profits by some of America’s largest corporate landlords, renters may not have much of a choice.
“As housing gets swept up by these corporations, there’s an affordable housing crisis in most cities and tenants can’t be too picky when it comes to finding a place to rent,” said McElroy. “Often tenants are forced to sort of forgo finding a landlord with less abusive data policies just because there aren’t options.”
So, how did a technology startup obtain my home address? Easily and legally. As for leaking it? That’s just bad security.
More on TechCrunch:
- Period tracker Stardust surges, but its privacy claims aren’t airtight
- Google is notifying Android users targeted by Hermit government-grade spyware
- DOJ says it will no longer prosecute good-faith hackers under CFAA