Stephen Rees-Carter

March 6, 2021

What are you doing with my data?

My wife and I¹ were filling out a rental house application the other night, and we noted the incredibly invasive nature of the personal information the form was asking for. For example, it wanted to know our car registration number and pet microchip details - both of which have absolutely nothing to do with us applying for a place to live. It also asked for identification documents, such as bank statements, driver's licenses and passports, and a bunch of Personally Identifiable Information (PII) covering things like marital status, employment, rental history, etc. While this information is useful for a rental agency to verify the applicant, it does pose a rather interesting privacy question...

What are you doing with my data?

Applying for a rental used to involve receiving a copy of a paper form from an agent, filling out your details, and returning it with the requested supporting documents. This thick pile of paper, with its copious amounts of PII, is then reviewed by the agent and presumably filed away somewhere to never be looked at again - until the legal time limit passes and it's destroyed. With the exception of a rogue real estate staffer, the PII was fairly secure.

If we ignore Faxes², the next iteration on this process was email. You'd print, complete, sign, scan, and then email your documents to the agent. Now your PII is in your email and the agent's email. They would most likely have printed it out, and filed it somewhere. The risk is greater, but still contained between your email and their email. Your emails would already contain a lot of PII, so one more email is a relatively small addition. Their emails would contain a lot of PII too. You'd hope they have good op-sec to protect it. (Ha!)

Now we have systems like 1Form and 2Apply, which are third-party rental application systems. The rental agent gives you a magic link and you are required to use the third party to submit all of your PII for their assessment. So now you're uploading your PII to a third party you didn't choose, who you don't know, and whose policies and/or ethics may run counter to your own. Not only that, but when you apply via 2Apply, you receive an email containing all of the PII you've submitted. So now their system has your PII and their email system has your PII!

Many email systems record the emails sent out for debugging purposes - which is another third-party system that can have your PII. One you wouldn't even know is in the chain. Let's not forget that their system has stored your PII somewhere - is it properly encrypted and secured? Or on a public S3 bucket somewhere? How can you possibly know? At least when you email PII to the agent, you know it'll be in their email or in one of their business archives.

What if 1Form or 2Apply is breached and the data leaked? That's all of your PII exposed to anyone on the internet. A system like this would have thousands of applications' PII - it's a gigantic target. It's also 100% online, which gives a huge attack surface. It is quite literally a data breach waiting to happen.

This is scary stuff, which as a potential renter we have no power over. No visibility. No control.

Consider even one of the documents being breached - say your bank statement. Did you want the world knowing your bank details, and all of the transactions you've made in the last 3 months? I bet you can use those as security question answers when you call the bank to "reset your password".

It's a question we don't ask enough...

What are you doing with my data?

I don't know about you, but GDPR is sounding quite appealing right about now! Although maybe a variant without the annoying cookie popups.³ 😎

_ _ _ _ _
¹ Well, she was filling it out. I was being not very helpful trying to find past employment details far too slowly whilst making vegan pepperoni toasties (ok, these were good!).
² We don't need to get sidetracked down that rabbit hole!
³ That said, HEY World has no cookies, so if we did adopt GDPR globally, at least you could come back here without that annoyance!