Slashdot Mirror
British Startup Strip Mines Renters' Private Social Media For Landlords (washingtonpost.com)
Rick Zeman writes: Creepy British startup Score Assured has brought the power of "big data" to plumb new depths. In order to rent from landlords who use their services, potential renters are "...required to grant it full access to your Facebook, LinkedIn, Twitter and/or Instagram profiles. From there, Tenant Assured scrapes your site activity, including entire conversation threads and private messages; runs it through natural language processing and other analytic software; and finally, spits out a report that catalogs everything from your personality to your 'financial stress level.'" This "stress level" is a deep dive to (allegedly) determine whether the potential renter will pay their bills using vague indicators like "online retail social logins and frequency of social logins used for leisure activities." To make it worse, the company turns over to the landlords' indicators that the landlords aren't legally allowed to consider (age, race, pregnancy status), counting on the landlords to "do the right thing." As if this isn't abusive enough, the candidates are not allowed to see nor challenge their report, unlike with credit reports. Landlords first, employers next...and then? As the co-founder says, "People will give up their privacy to get something they want" and, evidently, that includes a place to live and a job. In late May, an apartment building in Salt Lake City told tenants living in the complex to "like" its Facebook page or they will be in breach of their lease.
Wow. I'm not on Facebook, LinkedIn, or Instagram, but I do have a twitter account. Which I only use for following porn stars and for trolling. Guess I won't be renting via any agency that uses this service ;).
In all honesty, I highly doubt this will stand up. In connection with employers asking for social media passwords of employees;
A spokesman for the ICO [Information Commissioner's Office] said: "The UK Data Protection Act clearly says that organisations shouldn't hold excessive information about individuals, and it's questionable why they would need that information in the first place." [...] "In the UK, however, it would potentially put employers in breach of the Data Protection Act because it would constitute "excessive" information about an individual, the ICO indicated. "We would have very serious concerns if this practice was to become the norm in the UK," (article).
If that's true for employers, I'd say it's way more true for landlords and letting agencies, so I'd expect the ICO to have a few things to say on this. Seems like a probable violation of the Data Protection Act.
Oh no... it's the future.
You can find many property management companies and related businesses on Yelp and other reviews. They are usually also covered in news sources, you can find out past and current lawsuits against them, and get information about their financials. So, you actually have a lot of sources of information.
Furthermore, the reason landlords have become very cautious is because (1) they are letting you use something valuable and you can do a lot of damage to it, and (2) laws in many places make it difficult to evict renters even when they misbehave.
"What is worrying me is that I can't immediately see why this would be illegal under current data protection law in England and Wales"
There are two reasons, first, that I have covered elsewhere, is that they're providing a credit score. This is a regulated industry by the FCA, and they're not registered as a financial services company with the FCA for this purpose. Registering imposes certain requirements on them, such as being able to justify how they came to a credit score. If they're using artificial intelligence/statistical techniques as they claim to determine credit score from social media data then it's near impossible to fulfil this obligation because retracing how and why such systems came up with the score they did on an individual basis is damn near impossible, it just doesn't give the auditability required for FCA compliance, and they're not FCA registered anyway.
From a non-financial aspect in terms of the DPA, the DPA states that an organisation cannot capture more data than is necessary for the purposes of their business. Given that their business is effectively evaluating people by capturing social media data, and that some of that data will be inherently irrelevant to determining trust, but that they're relying on statistical algorithms to figure out which data is and isn't valid, as well as including data that they're simply not even legally allowed to use as a determination (gender, sex, sexuality) then it seems pretty clear that they're not in compliance with the DPA. Perhaps most damingly is the fact that upon loading a post onto their own systems, or a picture, they may be capturing data of other people. If a person being evaluated posts "£50k to blow at Joe Bloggs 30th Birthday on Friday!" then they've already taken data illegaly about Joe Bloggs - his name, his birthday, and his age. No individual can ever give permission to a company to harvest another individual's data in this way.
The reason the big boys in this industry haven't done any of this is precisely because it's an unnavigable minefield. When you start introducing non-deterministic algorithms into the fray, with data that can be so arbitrary such as social media posts, there is absolutely no way whatsoever you can guarantee that your system is not going to discriminate based on sex, race, religion, and so on and so forth. It only takes one case where someone suggests that their race, or sex, or sexuality or similar has been taken into account creating bias in the outcome, for that data to be stored on the company's system (which it is, see the example profile) and for the company not to be able to prove otherwise for the whole system to be shut down as non-compliant and for a fine to be issued.
You're right in that there's nothing to stop an organisation harvesting data about an individual that they've been given permission to harvest by that individual, but as soon as you start doing evaluation on that data in a non, or effectively non-deterministic manner, and when that data can include personal information about others then you're going to cross the line.
But again, in this case, they've outright failed on their FCA obligations alone before you even factor that in so regardless this company is not fulfilling their legal obligations.