
Illegal Surveillance

Over 200 Mortgage Brokers Leaked Sensitive Data to Facebook



Sensitive Data Sharing Raises Legal Concerns

When someone applies for a mortgage, they trust a home loan lender or mortgage broker with some of the most sensitive information they have: information about their credit, their home, and personal details of their lives. Unbeknownst to those prospective homeowners, they may also be sharing that information with Facebook.

The Markup tested more than 700 websites offering loans for people looking to purchase or refinance a home, from major online brokers to lesser-known regional lenders. They found that more than 200 of these companies share some amount of user data with Facebook through the Meta Pixel, a small piece of tracking software embedded on their sites. As users filled out mortgage applications or requested quotes, the pixel tracked information about their credit, veteran status, occupation, the specific homes they wanted, and more. Experts told The Markup that it might be against the law for mortgage lenders to feed this kind of information to Facebook.

For instance, Fairway Independent Mortgage Corporation, one of the largest lenders in the country, used the Meta Pixel to track detailed information about visitors, including every button they clicked on a preapproval page and the type of home they were interested in. Responses to a question about estimated credit, which asked visitors to select a numbered band from “Poor” to “Excellent,” were also tracked. Clicking “I Decline” on the site’s cookie notice did not stop the pixel from tracking.

The pixel also sent Facebook a scrambled version of a visitor’s name and email address. Meta says these “hashed” email addresses “help protect user privacy.” However, it’s simple to determine the pre-obfuscated version of the data, and Meta explicitly uses the hashed information to link other pixel data to Facebook and Instagram profiles.
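The reason hashing offers so little protection is that the hash is deterministic: anyone who already knows an email address can recompute the same value and recognise it. The following added example (not from The Markup or Meta) shows how a site owner could audit a captured tracking request for hashed copies of a test identity; it assumes unsalted SHA-256 over the trimmed, lower-cased value, and the request URL, host and parameter values are constructed for illustration.

```python
import hashlib
from urllib.parse import parse_qsl, urlencode, urlsplit


def normalize(value: str) -> str:
    # Assumption: identifiers are trimmed and lower-cased before hashing.
    return value.strip().lower()


def sha256_hex(value: str) -> str:
    return hashlib.sha256(normalize(value).encode("utf-8")).hexdigest()


def find_hashed_identifiers(request_url: str, test_identity: dict) -> dict:
    """Map each query parameter to the identity field whose hash it carries."""
    known = {sha256_hex(v): field for field, v in test_identity.items()}
    hits = {}
    query = urlsplit(request_url).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        field = known.get(value.lower())
        if field is not None:
            hits[name] = field
    return hits


# Constructed test identity entered into the form during the audit.
TEST_IDENTITY = {"email": " Audit.Tester@example.com", "first_name": "Audit"}


def build_sample_request() -> str:
    # Constructed request; the host and all values are placeholders.
    params = {
        "id": "0000000000",
        "ev": "PageView",
        "ud[em]": sha256_hex("audit.tester@example.com"),
        "ud[fn]": sha256_hex("audit"),
        "cd[credit_band]": "Good",
    }
    return "https://tracker.example/tr/?" + urlencode(params)


if __name__ == "__main__":
    for param, field in find_hashed_identifiers(
        build_sample_request(), TEST_IDENTITY
    ).items():
        print(f"{param} carries the hashed {field}")
```

Any parameter reported here should be treated as carrying the identifier itself when reviewing what a page discloses to third parties.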

Kirby Bradley, the chief content officer for Fairway Mortgage, said in an emailed response to questions from The Markup that the company has stopped using the pixel. She stated that the credit estimates shared with Facebook were not actual scores but rather “categories made up completely by the respondent based on nothing but their feeling at the time.” Bradley added that Fairway did not collect or transmit personally identifiable information while using the pixel but declined to detail how the company defines such information.

LendingTree, Veterans United Home Loans, Doorway Home Loans, and ZeroDown were among other companies found to have shared sensitive data with Facebook through the Meta Pixel. These companies sent information including unique IDs, details about co-borrowers, bankruptcy status, military history, and the exact address of homes viewed by users.

A spokesperson for Meta, Emil Vazquez, said in an emailed statement that the company’s system uses automated tools to filter out “potentially sensitive data it is able to detect.” Vazquez added, “Advertisers should not send sensitive information about people through our Business Tools. Doing so is against our policies, and we educate advertisers on properly setting up Business Tools to prevent this from occurring.”

Potential Legal Consequences

The online mortgage industry, valued at tens of billions of dollars globally, is subject to strict regulations under laws such as the Gramm–Leach–Bliley Act, which aims to protect consumers’ financial information. The Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) have the authority to enforce these laws and can penalize companies that violate them.

Natalie Loebner, a consultant and former Justice Department trial attorney, told The Markup that sharing sensitive information with Facebook via the Meta Pixel could violate the Gramm–Leach–Bliley Act or other regulations. Loebner suggested that regulators might scrutinize mortgage companies using the pixel to share customer data, particularly if they failed to disclose this practice to customers.

A Call for Regulatory Action

The Markup’s investigation highlights the pervasive and troubling use of tracking technology in the mortgage industry. While some companies used the Meta Pixel more responsibly, others shared highly sensitive information without adequate consumer consent or protection. This widespread data sharing raises significant privacy concerns and underscores the need for more robust regulatory oversight and enforcement.

As digital mortgage services continue to grow, the importance of safeguarding consumer data becomes ever more critical. Regulators, companies, and consumers must work together to ensure that sensitive financial information is protected from unauthorized access and misuse.


Government Surveillance

Supreme Court to Review Texas Digital ID Verification Law



The Supreme Court has announced it will review a legal challenge against a Texas statute mandating digital ID verification for any websites and apps that could be deemed “harmful to minors.” While the law is typically associated with pornographic material, the broad term “harmful to minors” could apply to a wide range of websites, preventing users from accessing content without first uploading their ID.

This legal battle revolves around Texas’ age verification bill, introduced in 2023. The law also requires these sites to present health warnings about the alleged psychological dangers of pornography consumption. Notably, this labeling requirement does not yet extend to search engines or social media platforms.

Websites that fail to comply with the law face steep fines, including daily civil penalties of up to $10,000 and potential fines from the Texas attorney general of up to $250,000 per instance if a minor accesses restricted content. Similar laws are currently active in seven other states and are set to be introduced in more states soon.

The Free Speech Coalition, along with several adult website operators, filed a lawsuit against the bill. Their argument is that the law infringes on First Amendment rights. A federal district court initially halted the law’s enforcement just before its implementation on September 1, 2023.

Mandatory digital ID requirements for website and social media use raise significant concerns about the chilling effect on free speech. These requirements can deter online participation due to privacy fears and undermine the anonymity vital for activists and whistleblowers. Such policies may also lead to self-censorship, as users might avoid sharing controversial opinions out of fear of being easily traced. Additionally, implementing digital IDs poses complex legal, technical, and logistical challenges that could result in bureaucratic errors and data breaches. The major Big Tech ID verification company AU10TIX was recently reported to have suffered a data leak, though the company says it hasn’t seen evidence of any user data being exploited.

The majority of the panel at the US Court of Appeals for the 5th Circuit concluded that the Texas law is “rationally related to the government’s legitimate interest in preventing minors’ access to pornography,” using the least stringent rational-basis review standard, and thus did not violate the First Amendment. In contrast, Judge Patrick Higginbotham dissented, arguing that the law necessitates strict scrutiny due to its content-based restrictions on adult access to protected speech.

As the 5th Circuit allowed its decision to stand, the Free Speech Coalition and the affected websites escalated the matter to the Supreme Court. Their appeal emphasized the contradiction between the 5th Circuit’s decision and established Supreme Court precedents regarding sexual content and expression. They argue that the law unduly burdens adults’ constitutional rights by requiring the disclosure of personal information, thus increasing the risk of data breaches and privacy violations.

Texas officials defend the legislation, asserting that it is a reasonable measure to protect minors from sexually explicit materials and not an undue burden on the porn industry.

As the Supreme Court prepares to review the case, the decision will have significant implications for digital privacy, free speech, and the regulation of online content across the United States.


Illegal Surveillance

Gates Foundation Awards $4M Grant To Fund Digital ID Initiative



The Gates Foundation continues to drive global efforts aimed at introducing digital ID and payment systems by the end of this decade, awarding a $4 million grant to the UK-based Alan Turing Institute. This funding is part of a broader initiative known as the digital public infrastructure (DPI), supported by a coalition of private groups, such as the Gates Foundation and the World Economic Forum (WEF), as well as major global entities like the US, the EU, and the UN.

The Turing Institute, renowned for its work in AI and data science research, has announced that this latest grant will support a multidisciplinary project over the next three years. The project’s primary objective is to ensure the “responsible” implementation of ID services, focusing on privacy and security concerns. This initiative aims to address the critical issues raised by opponents of digital ID schemes, who consistently warn about the risks of centralizing personal identities.

The Turing Institute is framing its work, funded by the Gates Foundation, as an effort to balance the benefits of digital ID systems with robust privacy and security measures. According to the Institute, the project “aims to enhance the privacy and security of national digital identity systems, with the ultimate goal to maximize the value to beneficiaries, whilst limiting known and unknown risks to these constituents and maintaining the integrity of the overall system.”

Despite these assurances, skepticism remains. Critics argue that the Gates Foundation’s long-standing involvement in promoting digital ID and payment systems raises concerns about the true motives behind these initiatives. They fear that the emphasis on privacy and security in this new project may be more about perception management than addressing substantive risks.

The Turing Institute emphasizes that implementing digital ID services can improve inclusion, access to services, and human rights. However, they acknowledge the need for “tweaking” privacy and security measures to enhance trust in these systems. The renewed grant from the Gates Foundation is seen as a step towards achieving this balance, although critics worry it might be a public relations effort to mitigate opposition.

“The project aims to enhance the privacy and security of national digital identity systems, with the ultimate goal to maximize the value to beneficiaries, whilst limiting known and unknown risks to these constituents and maintaining the integrity of the overall system,” the Institute said in its announcement.

This initiative comes amidst increasing investments in developing secure, scalable, and user-friendly digital ID systems. According to the Turing Institute, billions of dollars are being poured into this field each year to address these challenges.

The Gates Foundation’s latest grant highlights the ongoing global push towards digital public infrastructure, which aims to integrate digital ID systems with broader societal benefits. However, the tension between the potential advantages of these systems and the significant privacy and security concerns they raise continues to be a focal point of debate.

As the Turing Institute embarks on this new project, the world will be watching closely to see whether the promised enhancements to privacy and security materialize, and whether these efforts genuinely address the concerns of those wary of centralized digital ID systems.


Illegal Surveillance

Spyware Group Exposed for Using Pegasus to Target Journalists' Phones Has Been Ordered to Disclose Software Code



For years, cybersecurity researchers at Citizen Lab have been closely monitoring the activities of the Israeli spyware firm NSO Group, particularly focusing on its flagship product, Pegasus. Their investigations have revealed alarming instances of Pegasus being used to target the phones of journalists and human rights defenders via a WhatsApp security vulnerability, as reported in 2019.

Now, NSO Group, which is blacklisted by the U.S. government for selling spyware to repressive regimes, finds itself embroiled in a lawsuit over the WhatsApp exploit. Filed in U.S. federal court in 2019 by WhatsApp and Meta (then Facebook), the lawsuit alleges that NSO sent Pegasus and other malware to approximately 1,400 devices worldwide. Despite NSO’s repeated attempts to have the case dismissed, it has persisted for over four years.

As the lawsuit progresses, NSO has resorted to demanding access to Citizen Lab’s investigative materials. However, a judge recently denied NSO’s latest attempt to obtain access to Citizen Lab’s documents. Citizen Lab’s lawyers argued that providing raw research data to NSO would endanger individuals already victimized by NSO’s activities and could lead to further harassment, including from their own governments.

NSO has been striving to improve its public image in recent years, particularly since being blacklisted in 2021. The company has even requested meetings with the State Department to discuss Pegasus as a tool for combating terrorism. Nevertheless, NSO continues to face legal challenges in U.S. courts over Pegasus, with ongoing lawsuits brought by various parties, including Salvadoran journalists, Apple, and Hanan Elatr Khashoggi, the widow of murdered journalist Jamal Khashoggi. These lawsuits rely heavily on Citizen Lab’s research findings.

Despite NSO’s efforts to evade accountability, the WhatsApp lawsuit has not been in the company’s favor. Initially, NSO claimed immunity from being sued in American courts, but this argument was rejected by a federal appeals court in 2021. The lawsuit has since faced other legal hurdles, including NSO’s unsuccessful attempts to have it moved to Israel.

In a significant development, earlier this year, Judge Phyllis Hamilton ordered NSO to disclose the software code not only for Pegasus but also for any NSO spyware targeting or directed at WhatsApp servers. This order underscores the extent of NSO’s legal obligations and the gravity of the allegations against it.

While NSO has obtained thousands of documents from Meta and WhatsApp regarding Citizen Lab’s Pegasus investigation, its attempts to extract more information directly from Citizen Lab have been thwarted. Despite NSO’s persistence, Judge Hamilton concluded that its demands were “plainly overbroad.” She has left open the possibility for NSO to try again, but only if it can provide evidence linking specific individuals identified by Citizen Lab as targets to criminal or terrorist activity.

In response to the court’s decision, Citizen Lab’s director, Ronald Deibert, expressed satisfaction that the court recognized NSO Group’s request for information as overbroad and unnecessary at this time to resolve the disputed issues. This legal battle underscores the importance of holding companies like NSO accountable for their actions and protecting the rights of individuals targeted by unlawful surveillance.

