I consider myself a fairly privacy-conscious person, going out of my way to evade online tracking and, for the most part, avoiding spam mail. But when I found myself staring at my home address on the website of a company I had never heard of, I knew somewhere I had gone wrong.
A few days before our rent was due at the end of April, my partner received an email from the owner of our apartment building about a new way we could pay rent while collecting reward points, like a loyalty program. It was a good offer at a time when rents are at record highs, so she clicked and it loaded the website of rental rewards company Bilt Rewards and prominently displayed her full name and our apartment number.
Already this was fairly alarming. Our apartment building had given her information to Bilt and we were now staring at it on its website. I never got the email that my partner received. But I was curious, did Bilt have my information too?
Any time she clicked the link in the email, it opened the same personalized Bilt webpage showing her name and apartment number because the webpage was retrieving her information directly from Bilt’s servers through an API. (An API allows two things to talk to each other over the internet, in this case Bilt’s servers storing our information and its website.) You could see this using the browser’s developer tools, no fancy tricks needed. Using the browser’s tools, you could also see that the website was also pulling the name of the apartment building we live in, even though it wasn’t displayed on Bilt’s website.
At best this was a gross attempt at personalizing a sign-up page, and at worst it was a breach of our home address. But it was also possible to retrieve the same information directly from Bilt’s servers using just her email address — no special email link needed — which, like for many of us whose email addresses are public, unfortunately wouldn’t require much guesswork.
I plugged in my email address and the site returned my name, building name and apartment number, all the same as my partner’s information. How was it possible for a startup I hadn’t heard of until this point to obtain and leak my home address?
I am one of about 50 million renters in the United States. I live just outside New York City with my partner and our two cats in an apartment building owned by Equity Residential, one of the biggest corporate landlords in the U.S. with more than 80,000 rental apartments under its management. Even then, Equity is one of about 20 corporate landlords including Blackstone, AvalonBay and Starwood that account for over two million homes, or about 4% of all U.S. rental housing.
Enter Bilt, one of many startups that have emerged thanks to the recent boom in the property technology space, or proptech, as it’s widely known. Bilt was founded by entrepreneur Ankur Jain in June 2021 and lets renters earn rewards each time they make a rent payment. It’s through partnerships with most of the largest corporate landlords that Bilt now offers its rental rewards program to more than two million rental homes across the U.S., including homes like mine that are owned by Equity.
I started by thinking of this as any other data breach story I’ve covered in the past and wanted to know who else was affected.
My first call was to a neighbor in the same building, who when told about how Bilt’s website leaked my address, agreed to check to see if he was also affected. I pulled out my laptop and we entered his email address into Bilt’s API, which immediately returned his name, the building name and his apartment number; his face shifted from trepidation to horror, much as mine had done earlier in the day.
My second call was to Ken Munro, founder of U.K. cybersecurity testing firm Pen Test Partners, a name you might know from previous encounters with leaky online services, like Peloton bikes, smartphone apps and the occasional sex toy. Unbeknownst to me, one of his stateside colleagues has an apartment in my building and confirmed to me that the details of his home address were also exposed by the API.
Now we’re at four people whose information was exposed by Bilt’s leaky website just by knowing their email address.
I contacted Bilt, whose response was not great.
“The API you sent below is working as intended,” responded Jain, now Bilt’s CEO. (Jain declared his email “off the record,” which requires both parties agree to the terms in advance. I told Jain we would publish his responses since there was no opportunity to decline.)
“The only exception to this is a handful of buildings operated by Equity Residential, where they have not yet integrated Bilt into their native resident portal,” said Jain. “But given the small number of buildings, Equity made a risk decision to send email invitations and landing pages using a more manual approach in the short term. For this small set of pilot buildings, landing pages generated using this API require email only,” he said.
Jain said that the information returned by the API “is widely and easily available via any public records search,” and that there is “no private information being disclosed via this API that isn’t available across these public records.” (Jain and I will have to agree to disagree since up to this point I had kept my home address largely off the internet — and in any case, just because someone’s personal information is made public in one place isn’t a justification for making it public somewhere else.)
When reached for comment, Equity spokesperson Marty McKenna said: “We are using this process at a limited number of buildings while we complete our integration with Bilt. We do not agree that this is a security issue,” said McKenna.
McKenna repeatedly declined to say how many Equity buildings had residents whose information was exposed. But my own leaked information left behind clues that suggest the number could be at least 21 Equity buildings, amounting to thousands of tenants. When asked about the number of buildings, McKenna did not dispute the figure.
Bilt eventually plugged its leaky API on May 26, almost a month after I first made contact.
But it still wasn’t clear how Bilt got my information to begin with, absent any mention of data collection or sharing in my signed lease agreement.
McKenna solved that mystery, telling me: “Equity Residential shares information with service providers to allow services to be provided to our residents. Our authority to do so lies in our Terms of Use and Privacy Policy which are available on our website.”
The short answer is yes, the privacy policy on the website that nobody thinks — nor I thought — to read. From the moment you walk into an Equity building, its privacy policy allows for a wide range of data collection, including offline collection, such as the data that is collected on you as you sign an agreement to rent an apartment. And most of that data can be shared with third-party companies for a broad number of reasons, like offering services on behalf of Equity. Companies like Bilt, according to the policy, “may have access [to personally identifiable information] in order to provide these services to us or on our behalf.”
And it’s not unique to Equity. Many of the other corporate landlords use similar catch-all language in their privacy policies that gives them wide latitude to collect, use and share or sell your personal information.
AvalonBay, which owns 79,000 apartments across the U.S. east coast, uses the same word-for-word language in its privacy policy about giving personal information about its tenants to third parties it works with. That can include laundry services, car parking providers or — like Bilt — rent payment processors. And the number of third parties with access to your personal information can quickly add up.
Erin McElroy, an assistant professor in the Department of American Studies at the University of Texas at Austin, whose research includes proptech and housing, told TechCrunch that housing is becoming treated more as a commodity rather than a right or a social good. With tenants’ increasingly framed as consumers, much of what a person might experience when using a certain product or service is now also experienced as a tenant. “That’s strategic and part and parcel with the corporatization and financialization of housing, that certainly tenants don’t think of themselves as consumers and read all the fine print in their lease agreements, imagining that something like this might happen,” said McElroy.
Some privacy policies go further. GID, which owns more than 86,000 residential units, has a privacy policy that explicitly allows it to sell extensive amounts of its tenants’ personal information to its affiliates, other management companies and data brokers that further collect, combine and sell your information to others.
“It’s very common to have a privacy policy that governs the use of data,” Lisa Sotto, a privacy lawyer and partner at Hunton Andrews Kurth, told TechCrunch in a phone call. Sotto said that privacy policies are not empty words: “They are regulated by the Federal Trade Commission, and the FTC prohibits unfair or deceptive trade practices.”
The FTC can, and sometimes does, take action against companies that misuse data or have poor data security practices, like mortgage data firms exposing sensitive personal information, attempts to cover up data breaches and tech companies for breaking their privacy promises. As attorneys at law firm Orrick wrote: “The fact that you can sell your tenants’ data does not mean you should sell that data.”
But there are no rules that specifically protect the sharing of a tenant’s personal information.
Instead, it’s up to each state to legislate. Only a handful of U.S. states — California, Connecticut, Colorado, Utah and Virginia — have passed privacy laws that protect consumers in those states, said Sotto. And only California’s law is currently in force at the time of writing.
California became the first U.S. state to enact individual privacy rights — similar to those offered to all Europeans under GDPR. The California Consumer Privacy Act, or CCPA as it’s known, came into force in January 2020 and grants Californians rights to access, change and delete the data that companies and organizations collect on them. The CCPA became a major thorn in the side of data-hungry companies because the law forced them to carve out wide exceptions in their privacy policies to allow Californians the right to opt-out of having their data sold to third parties. It also often necessitated companies to offer an entirely separate privacy policy for California residents, just like GDPR had done years earlier.
CCPA is, like GDPR, imperfect to say the least. But as the first U.S. statewide privacy law in, it set the bar for other states to follow and, ideally, improve over time.
Virginia is the next state with a law to come into effect in January 2023. But critics have called the bill “weak,” alongside reports that the bill’s text was authored by Amazon and Microsoft lobbyists, working to serve their corporate interests. Tech giants are backing and pushing for heavily lobbied state privacy laws, like Virginia’s, with the ultimate goal of prompting federal legislation that would create weaker blanket rules across the U.S. that would replace the patchwork of state laws — including California’s, where the rules are the strongest.
But while a fraction of Americans are covered by some privacy laws, the majority live in states that have little to no protections against the sharing of a person’s information.
“There is really a paucity of legislation,” said McElroy. “Tenants are not told generally anything about what kinds of data are being collected about them. They don’t have the opportunity to consent and they’re not given any sort of indication of potential harms,” they said.
Would I have moved into this apartment knowing that my corporate landlord would share my personal information with third parties that show little regard to protecting it? Maybe not. But with skyrocketing rents and a looming global economic downturn, despite record profits by some of America’s largest corporate landlords, renters may not have much of a choice.
“As housing gets swept up by these corporations, there’s an affordable housing crisis in most cities and tenants can’t be too picky when it comes to finding a place to rent,” said McElroy. “Often tenants are forced to sort of forgo finding a landlord with less abusive data policies just because there aren’t options.”
So, how did a technology startup obtain my home address? Easily and legally. As for leaking it? That’s just bad security.
More on TechCrunch: