
Illegal Surveillance

Over 200 Mortgage Brokers Leaked Sensitive Data to Facebook



Sensitive Data Sharing Raises Legal Concerns

When someone applies for a mortgage, they trust a home loan lender or mortgage broker with some of the most sensitive information they have: information about their credit, their home, and personal details of their lives. Unbeknownst to those prospective homeowners, they may also be sharing that information with Facebook.

The Markup tested more than 700 websites offering loans for people looking to purchase or refinance a home, from major online brokers to lesser-known regional lenders. They found that more than 200 of these companies share some amount of user data with Facebook through the Meta Pixel, a small piece of tracking software embedded on their sites. As users filled out mortgage applications or requested quotes, the pixel tracked information about their credit, veteran status, occupation, the specific homes they wanted, and more. Experts told The Markup that it might be against the law for mortgage lenders to feed this kind of information to Facebook.

For instance, Fairway Independent Mortgage Corporation, one of the largest lenders in the country, used the Meta Pixel to track detailed information about visitors, including every button they clicked on a preapproval page and the type of home they were interested in. Responses to a question about estimated credit, which asked visitors to select a numbered band from “Poor” to “Excellent,” were also tracked. Clicking “I Decline” on the site’s cookie notice did not stop the pixel from tracking.

The pixel also sent Facebook a scrambled version of a visitor’s name and email address. Meta says these “hashed” email addresses “help protect user privacy.” However, it’s simple to determine the pre-obfuscated version of the data, and Meta explicitly uses the hashed information to link other pixel data to Facebook and Instagram profiles.
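Because an unsalted hash is deterministic, anyone who already holds an email address can recompute the digest and match it, and a site owner can use the same property to audit their own pages. The sketch below is an added example, not code from The Markup or Meta: it seeds a form with a known test identity and checks a captured outbound request for those values, in plaintext or hashed. The SHA-256 algorithm, the trim-and-lowercase normalisation, the `tracker.example` URL and all parameter names are assumptions made for illustration.

```python
import hashlib
from urllib.parse import parse_qsl, urlencode, urlsplit


def normalize(value):
    # Assumed normalisation: trim whitespace and lowercase before hashing.
    return value.strip().lower()


def digest(value):
    # Unsalted SHA-256 (assumed algorithm): same input, same digest, every time.
    return hashlib.sha256(normalize(value).encode("utf-8")).hexdigest()


def find_leaked_fields(request_url, seeded):
    """Map each query parameter to the seeded form field it exposes."""
    lookup = {}
    for field, value in seeded.items():
        lookup[normalize(value)] = field + " (plaintext)"
        lookup[digest(value)] = field + " (sha256)"
    findings = {}
    query = urlsplit(request_url).query
    for param, raw in parse_qsl(query, keep_blank_values=True):
        hit = lookup.get(normalize(raw))
        if hit:
            findings[param] = hit
    return findings


# Constructed test identity the auditor types into their own site's form.
SEEDED = {
    "email": "Audit.Tester@example.com",
    "first_name": "Audit",
    "credit_band": "Excellent",
}


def build_sample_request():
    # Constructed stand-in for a request captured from the browser's network log.
    params = {
        "id": "0000000000",
        "ev": "button_click",
        "user_em": digest(" audit.tester@EXAMPLE.com "),
        "user_fn": digest("audit"),
        "credit": "excellent",
    }
    return "https://tracker.example/collect?" + urlencode(params)


if __name__ == "__main__":
    for param, field in find_leaked_fields(build_sample_request(), SEEDED).items():
        print(param, "->", field)
```

The hashed email is matched even though the captured value was computed from a differently spaced and cased string, which is why such a digest works as a stable identifier rather than as anonymisation.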

Kirby Bradley, the chief content officer for Fairway Mortgage, said in an emailed response to questions from The Markup that the company has stopped using the pixel. She stated that the credit estimates shared with Facebook were not actual scores but rather “categories made up completely by the respondent based on nothing but their feeling at the time.” Bradley added that Fairway did not collect or transmit personally identifiable information while using the pixel but declined to detail how the company defines such information.

LendingTree, Veterans United Home Loans, Doorway Home Loans, and ZeroDown were among other companies found to have shared sensitive data with Facebook through the Meta Pixel. These companies sent information including unique IDs, details about co-borrowers, bankruptcy status, military history, and the exact address of homes viewed by users.

A spokesperson for Meta, Emil Vazquez, said in an emailed statement that the company’s system uses automated tools to filter out “potentially sensitive data it is able to detect.” Vazquez added, “Advertisers should not send sensitive information about people through our Business Tools. Doing so is against our policies, and we educate advertisers on properly setting up Business Tools to prevent this from occurring.”

Potential Legal Consequences

The online mortgage industry, valued at tens of billions of dollars globally, is subject to strict regulations under laws such as the Gramm–Leach–Bliley Act, which aims to protect consumers’ financial information. The Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) have the authority to enforce these laws and can penalize companies that violate them.

Natalie Loebner, a consultant and former Justice Department trial attorney, told The Markup that sharing sensitive information with Facebook via the Meta Pixel could violate the Gramm–Leach–Bliley Act or other regulations. Loebner suggested that regulators might scrutinize mortgage companies using the pixel to share customer data, particularly if they failed to disclose this practice to customers.

A Call for Regulatory Action

The Markup’s investigation highlights the pervasive and troubling use of tracking technology in the mortgage industry. While some companies used the Meta Pixel more responsibly, others shared highly sensitive information without adequate consumer consent or protection. This widespread data sharing raises significant privacy concerns and underscores the need for more robust regulatory oversight and enforcement.

As digital mortgage services continue to grow, the importance of safeguarding consumer data becomes ever more critical. Regulators, companies, and consumers must work together to ensure that sensitive financial information is protected from unauthorized access and misuse.



Gates Foundation Awards $4M Grant To Fund Digital ID Initiative



The Gates Foundation continues to drive global efforts aimed at introducing digital ID and payment systems by the end of this decade, awarding a $4 million grant to the UK-based Alan Turing Institute. This funding is part of a broader initiative known as the digital public infrastructure (DPI), supported by a coalition of private groups, such as the Gates Foundation and the World Economic Forum (WEF), as well as major global entities like the US, the EU, and the UN.

The Turing Institute, renowned for its work in AI and data science research, has announced that this latest grant will support a multidisciplinary project over the next three years. The project’s primary objective is to ensure the “responsible” implementation of ID services, focusing on privacy and security concerns. This initiative aims to address the critical issues raised by opponents of digital ID schemes, who consistently warn about the risks of centralizing personal identities.

The Turing Institute is framing its work, funded by the Gates Foundation, as an effort to balance the benefits of digital ID systems with robust privacy and security measures. According to the Institute, the project “aims to enhance the privacy and security of national digital identity systems, with the ultimate goal to maximize the value to beneficiaries, whilst limiting known and unknown risks to these constituents and maintaining the integrity of the overall system.”

Despite these assurances, skepticism remains. Critics argue that the Gates Foundation’s long-standing involvement in promoting digital ID and payment systems raises concerns about the true motives behind these initiatives. They fear that the emphasis on privacy and security in this new project may be more about perception management than addressing substantive risks.

The Turing Institute emphasizes that implementing digital ID services can improve inclusion, access to services, and human rights. However, they acknowledge the need for “tweaking” privacy and security measures to enhance trust in these systems. The renewed grant from the Gates Foundation is seen as a step towards achieving this balance, although critics worry it might be a public relations effort to mitigate opposition.

This initiative comes amidst increasing investments in developing secure, scalable, and user-friendly digital ID systems. According to the Turing Institute, billions of dollars are being poured into this field each year to address these challenges.

The Gates Foundation’s latest grant highlights the ongoing global push towards digital public infrastructure, which aims to integrate digital ID systems with broader societal benefits. However, the tension between the potential advantages of these systems and the significant privacy and security concerns they raise continues to be a focal point of debate.

As the Turing Institute embarks on this new project, the world will be watching closely to see whether the promised enhancements to privacy and security materialize, and whether these efforts genuinely address the concerns of those wary of centralized digital ID systems.


Spyware Group Exposed for Using Pegasus to Target Journalists' Phones Has Been Ordered to Disclose Software Code



For years, cybersecurity researchers at Citizen Lab have been closely monitoring the activities of the Israeli spyware firm NSO Group, particularly focusing on its flagship product, Pegasus. Their investigations have revealed alarming instances of Pegasus being used to target the phones of journalists and human rights defenders via a WhatsApp security vulnerability, as reported in 2019.

Now, NSO Group, which is blacklisted by the U.S. government for selling spyware to repressive regimes, finds itself embroiled in a lawsuit over the WhatsApp exploit. Filed in U.S. federal court in 2019 by WhatsApp and Meta (then Facebook), the lawsuit alleges that NSO sent Pegasus and other malware to approximately 1,400 devices worldwide. Despite NSO’s repeated attempts to have the case dismissed, it has persisted for over four years.

As the lawsuit progresses, NSO has resorted to demanding access to Citizen Lab’s investigative materials. However, a judge recently denied NSO’s latest attempt to obtain access to Citizen Lab’s documents. Citizen Lab’s lawyers argued that providing raw research data to NSO would endanger individuals already victimized by NSO’s activities and could lead to further harassment, including from their own governments.

NSO has been striving to improve its public image in recent years, particularly since being blacklisted in 2021. The company has even requested meetings with the State Department to discuss Pegasus as a tool for combating terrorism. Nevertheless, NSO continues to face legal challenges in U.S. courts over Pegasus, with ongoing lawsuits brought by various parties, including Salvadoran journalists, Apple, and Hanan Elatr Khashoggi, the widow of murdered journalist Jamal Khashoggi. These lawsuits rely heavily on Citizen Lab’s research findings.

Despite NSO’s efforts to evade accountability, the WhatsApp lawsuit has not been in the company’s favor. Initially, NSO claimed immunity from being sued in American courts, but this argument was rejected by a federal appeals court in 2021. The lawsuit has since faced other legal hurdles, including NSO’s unsuccessful attempts to have it moved to Israel.

In a significant development, earlier this year, Judge Phyllis Hamilton ordered NSO to disclose the software code not only for Pegasus but also for any NSO spyware targeting or directed at WhatsApp servers. This order underscores the extent of NSO’s legal obligations and the gravity of the allegations against it.

While NSO has obtained thousands of documents from Meta and WhatsApp regarding Citizen Lab’s Pegasus investigation, its attempts to extract more information directly from Citizen Lab have been thwarted. Despite NSO’s persistence, Judge Hamilton concluded that its demands were “plainly overbroad.” She has left open the possibility for NSO to try again, but only if it can provide evidence linking specific individuals identified by Citizen Lab as targets to criminal or terrorist activity.

In response to the court’s decision, Citizen Lab’s director, Ronald Deibert, expressed satisfaction that the court recognized NSO Group’s request for information as overbroad and unnecessary at this time to resolve the disputed issues. This legal battle underscores the importance of holding companies like NSO accountable for their actions and protecting the rights of individuals targeted by unlawful surveillance.

