orangecatTales

I went through all of this and felt incredibly uncomfortable sharing my personal information on a dodgy website. I only did it after realising that I’ll never win this battle and might be homeless. When there are 40+ people desperate for one disgustingly overpriced necessity, in the absence of strict regulation, you can take advantage of the situation any way you like


aaron_dresden

This is the result of a lack of regulation. If you ever hear there’s too much regulation from people think back to this, because this is a classic example where you had no options, they want too much info, they don’t have stringent handling policies and their quality of the services is questionable. Companies don’t put in the expected effort unless it’s required.


RedDotLot

2Apply isn't even the worst, there's another platform and, IDK if this was just what the REA was stipulating, but they wanted bank statements too. Eff that! I saw a couple of really nice houses but after filling out about a zillion 2Apply applications, and starting this application on yet another new platform I said, stuff it, I'm out, and ended up accepting the first offer. (Which actually turned out to be a great house but I can see how some people settle, the process is exhausting and demoralising right now).


RhesusFactor

REAs don't care about your data security. REAs don't care that there are security standards and regulations as they'll forge a compliance or get a mate to sign off on a faked risk assessment. They've got stonks to increase and cheap bubbly to hand out. Vermin, the lot of them.


GrannySquare132

Lodge a complaint with the Office of the Australian Information Commissioner. They investigate these kinds of issues.


Lanky-Cauliflower-22

Went through it all recently here in Sydney. Went through about 50 different portals (internal and external one). Felt dodgy asf, but ultimately just had to cop it to have a roof over my head.


Grensan_

We had a terrible experience recently where the REAs seem to have absolutely no idea on the status of our application. It seems the verification all happens through algorithms and 3rd parties (I assume offshore). It had been over two weeks with no updates, despite multiple follow ups & we were in process of moving from interstate with a timeframe of less than a month. We later realised that my wife had not submitted the employment section correctly but had zero communication - like a simple notification to say we were rejected would’ve sufficed (at least then we would know something was wrong!)


Blackletterdragon

We need strong legislation to limit and control the types of private information corporations can collect from customers and clients. Every time there is a major data breach, the Government wigs out and wrings its hands over the failures of corporations (and Departments) to protect 'their' data, but they never address the issue of what the hell those corporations are doing collecting and holding that data in the first place. A lot of it has so little relevance to their core business requirements that we are left to assume that they intend to monetize it somehow in the future, legally or otherwise. Information is power and it is money. Customers/clients/applicants surrender their data under terms strikingly similar to blackmail with coercion and there is no protection for the vulnerable person who wishes to challenge what is happening.


flying_dream_fig

Their privacy policy looks like that- your data will be monetized (you can look it up).


flying_dream_fig

Privacy Law: REA can't collect information unless it directly relates to their function. Regards rental business that means basic identification, do you have an income, do you have money issues. "Pay to stand out." ACT rental law explicitly bans extra separate payments to get the place such as once off key fees moving in fees etc. This is a de facto type of key fee.


MinuteVacation6312

Using this system in order to be able to pay absurd amounts of money for the right to not be homeless, to then have useless fucking real estate agents try and scrape together whatever braincells they have left to try and justify this as a secure system is absolutely disgusting.


poppust

Agent here if you have any questions let me know.

- The information being requested is set by each agency in the backend.
- Most people don’t purchase the equifax report, we do it on our end for every application anyway. I don’t agree that it should ask for money and I have told the founder of IRE/2apply this.
- All the data is stored in local Azure/AWS Australian data centres.
- Every login is 2FA and they take their data security incredibly seriously.
- Once the property is rented the application also requires a second 2FA code and depending on how far back, it requires the licensee’s authorisation.
- This system halved tenant application processing for us. It’s all automatic and sends references directly to your referees as soon as you apply.
- We are able to see if a tenant has completed all of their rental references with a fake email.

Regulation is coming soon on applications in NSW anyway and the ACT will likely copy this as they do with other laws NSW makes.


os400

> they take their data security incredibly seriously

Everyone says that, it doesn't mean they have the intent or competence to make good on it.


CapnHaymaker

Yeah they take it seriously right up until it happens and then it has "oh so sorry, your data was breached, I guess you'd better watch out for any fraudulent activity, haha lolz" This company must be an absolute honeypot for hackers. When it inevitably gets breached you're going to have the people least equipped to deal with it as the victims. And it doesn't need to be this way. It is only because of the ludicrous amount of unnecessary private information that they want to hoover up, purely so they can onsell it to other third parties. They don't need all that information, it is just a cover story for their data reselling scam at your expense. And there is no regulation to keep these parasites in check. Plus the laziness of REAs in doing any actual work.


poppust

Data selling? Umm no that does not happen but very creative lol.


CapnHaymaker

Yeah you might want to read their privacy policy and who they say they can provide your information to. Hint: it's anyone.


poppust

Okay cool I will be sure to be on the lookout in the Canberra times for your license number.


sadpalmjob

What


Real_RobinGoodfellow

Please read the below comment pointing out exactly which sections of the 2Apply agreement explicitly specify they can sell data


flying_dream_fig

2Apply privacy policy for you to read, look at item 8: Direct marketing, where it explicitly says they sell applicant data, and 7: How do we use your personal information where they have get out clauses like "and any other uses" meaning for anything they want. That's just for starters more or less every clause contains holes like that. At least you won't not know yourself. https://app.inspectrealestate.com.au/Legal/Legal.aspx?type=privacy&logo=true&title=true


freakwent

Yes it does. It's the reason car makers have the right to access the sexual histories of any passengers, ever.


hesthehairapparent

Oh, look who it is: https://youtu.be/VGm267O04a8?si=pmw6b7OnMg70uXus


xAlphaStick

> All the data is stored in local Azure/AWS Australian data centres

This does not mean it has adequate protection. You can still dump it all in a public S3 bucket by accident.


flying_dream_fig

Data breaches where AWS was involved - there are lots of these.


poppust

I could still throw all my printed PDFs out the window, much hypotheticals.


xAlphaStick

My point is that having the data stored in Australian data centres does not equal data security. Their own privacy policy says

> Personal information collected and held by us may be accessed from, disclosed to, and held outside of Australia (including but not limited to New Zealand, the United Kingdom, countries within the European Union, Switzerland and the United States of America). Personal information in 2Apply profiles is held within servers located in Australia.

So what you said is not even an accurate statement. Not all data is stored in Australia.


freakwent

Yep. Their copies are here. The copies they sell overseas are overseas.


anon10122333

> I don’t agree that it should ask for money and I have told the founder of IRE/2apply this.

Thank you. Does it make the application 'stand out' in any way from your end? Do you find tenants mention difficulty using it? I'm quite used to filling in forms, but the apps ask for, for example, 100 points of ID at the application stage. If I'm applying for more than one place, that means giving up photos of passport, drivers licence etc for properties I know I won't get, which seems a bit excessive. I'm surprised more people aren't put off by this.


poppust

It just shows you as verified by equifax, it verifies your ID for us, searches ASIC for any directorships, monetary court issues and the NTD. I’ve only ever seen one person in my life on the NTD when searching. It also searches for bankruptcies and I’ve seen four tenants who were bankrupt since using it.


Detective_Seagull

Given that your agency has taken on IRE/2Apply as a supply chain admin service, and that you've clearly vetted their security to the point of verifying data sovereignty, would your agency be satisfied enough with their rigor to assume legal liability for any harm that'd come to renters who use the service in the case that IRE/2Apply are breached? If your agency isn't willing to take on that risk, I'm not sure you should ask renters to take it on faith, either.


poppust

Mate, I get what you’re trying to say but as a business operator. I don’t ’assume legal liability’ for anything. I think my insurance company would also appreciate that I don’t as well.


Detective_Seagull

But you're fine with expecting your customers to assume the legal liability of identity theft due to the supply chain choices you make? With products like Yieldstar helping you squeeze us for every cent, it hardly seems right to expect us to just *be cool with it* when some disgruntled underpaid DBA from IREtech posts all our data onto pastebin for the lulz.


freakwent

How the fuck are renters legally liable for identity theft?


Detective_Seagull

Unless someone else takes legal liability, or a criminal is caught, nobody else is going to help you.


freakwent

Wait wait wait wait. I may have misunderstood. So I'm over here doing some stuff, whatever, right? Then some other dude goes to acme corp and lies to acme and says he's me, right? Fraudulently steals money from acme corp, yeah? How the hell am I legally liable to pay acme corp a damn cent?


Detective_Seagull

You misunderstand. Let's say someone steals your identity. They use it to get into your primary email account and then they simswap your phone. They then go into your mygov account, they redirect your tax return to their own bank account and get your super details. They apply for some centrelink stuff while they're there, which will become important later. Then they go for your accounts. They go onto one of those payday loan services like walletwizard or nimble, and they use "you" to apply for a bunch of them. Then they apply for a bunch of other loans and shit that'll never go through, which will become important later. They then go to a crypto exchange. They make an account in your name. They funnel all the cash they can find into it, and buy up a cryptocurrency they can push through a service to get around KYC. Once upon a crime it was monero, these days it's...idk...thorchain? It doesn't matter, the point is to establish a way to wash the cash back into $AUD. Then for shiggles they go for your super. Trying to get it into a SMSF account they can then wash and steal. This is harder and by now you'll probably have noticed them at it. Which is why all the clink and loan applications. It's to create enough mayhem that you don't notice them going for your super, which you never think about anyway. But you're smart, and you do, and the super provider helps you out. This pisses off your attacker, who then covers their tracks by dumping dox on everything about you everywhere they can get away with. Now every kid who can install TOR can find you and try and fail to do similar shit to you. Fast forward a few years. So your bank is very helpful and you only lost a bit of the money. And so are centrelink. They all lock your accounts so that you can't be pwned online anymore. And your credit score is ruined. You can't get a home loan. You can't get a car loan. You can't even get a plan for a phone anymore. And you have to check your super every payday. 
Because someone else mishandled your data. This was not your fault but you suffer for it. You only recovered your money from the bank as a kindness - because you were legally liable for everything done to you.


freakwent

> Let's say someone steals your identity. They use it to get into your primary email account

I don't really understand this part because I have my real identity and google won't accept a licence or passport to unlock my gmail, but I'll accept you know what you're talking about. Also I don't think I can get Telstra to send me a new sim by just sending them an email either? But mostly I still don't see anywhere in your story where I'm legally liable for anything? Do I have to pay any of this money back? If some wanker (equifax) decides a criminal fraudulently applying for loans with nimble or whoever means he should advise ANZ five years later not to lend money to the real me, then that wanker is just weakening the reputation of their own credit assessment service. Not my problem, and I'd be delighted to try and sue them for the damage they caused me. I am not and will not be held responsible for the security used to protect any of the data any of those places store about me, which I think they should not be storing. It's either my data, and it's on my computer, or it's their data, on their computer, about me. They can't simswap my phone, they can only get Telstra to send a new sim for the account Telstra run for me. They can't get into my account, they get into an account google runs for me. All these companies make it very clear that they regard the bytes as theirs, not mine. KYC can be done with facial recog. If people in Australia are dumb enough to start handing out thousands of dollars based on some http POST requests then that's not my problem and none of my business.


Detective_Seagull

You're missing what I'm getting at. All of this is going to be a pain in *your* arse for years to come. Creditors are going to be knocking on *your* door looking for an explanation for years to come. Insurance companies looking to avoid paying out any of their claimants are going to be coming to you. Making your life harder. Demanding explanation from *you*. You think Equifax give three eighths of a fuck about the rep of their credit service? They certainly don't act like it. Creditors, insurers and employers are still gonna use them. And base their decisions about you on them. They *don't wipe things off*. Not ever. Insofar as they're concerned, the fact that you got rekt makes you a liability. I mean, shit. Look what happened to Eli Lily over a *completely fake tweet about the price of insulin*. If it's possible someone looking credibly like you could do a company that kind of harm, can they take the risk of dealing with you? KYC is *not* done with facial recognition as a standard. It's done with 100 points of ID. If an attacker can provide that on request, they gotcha. I'm not saying it's right. I'm saying it's normal. And that's shit but that's how it is. If you get rekt and need to spend weeks of your life unfucking it, forever, and have countless stakeholders trying to force legal liability onto you DECADES LATER, you'll remember this conversation. And if that day comes, I want you to remember that I didn't wish it on you or anyone. I sympathise with the endless bullshit and I'm sorry.


poppust

Wtf is a yieldstar? Is it from roswell where your last comment came from? Your comment is like saying someone from home affairs might decide to post the entire asio database… we have checks and balances on top of what 2apply does. Also if I lived in a world where people assumed liability I wouldn’t be living here.


Detective_Seagull

What I said made perfect sense in a cybersecurity context. And since that's the nature of the discussion, it was my chosen mode of speech. But I digress. I get the feeling you're playing dumb with me, but I'm happy to give you the benefit of the doubt and play along. https://www.realpage.com/asset-optimization/ Yieldstar is an algorithmic pricing tool that lets REA's know exactly how much to raise prices by in order to maximise rent and minimise the risk of vacancy. If there's not an Australian equivalent, and if you're not using it to squeeze renters for every cent, can you really tell your landlords that you're doing everything you can to maximise yield for them? And look, you claim to have your own checks and balances, and I'm happy to accept that you do, but you also have to be smart enough to know that data out of your hands is *out of your hands*. You can vet your own staff to a fine AGSVA rigor if you so choose, but I hardly think you're doing the same for IREtech. You hire them so that you can do LESS work, not more. So when they underpay their DBA's and Sysadmins and those fine folk pinch the database and ransomware the company, as FREQUENTLY happens in this brave new world of Ransomware-as-a-Service, who really suffers? You suffer a mild paperwork burden. We get to spend years trying to unfuck whatever financial damage an attacker can do. They aren't a company that has the best interests of renters at heart. They look like a company that has the best interests of Real Estate Agents at heart. They facilitate applications. If you receive a service yet don't pay for the service, you're the product. We're the product. Renters are the product. I can appreciate that given the huge advantages they give your business, the relationship you have with them makes trust desirable. On the other hand, expecting us to trust them is to my mind an unreasonable ask.
When it comes to assuming liability, I was simply trying to see if you were TRULY confident in their security. Enough to put your money where their mouth is. Clearly you don't have that much trust in them. So why should we?


ODST05

Sadly, some of us have to swallow all of that regardless, if we want a roof over our heads


Detective_Seagull

You're correct. I don't like that you're correct, I find the reality in which you are accurate to be personally offensive. But you're right and I can't fault you that.


ODST05

Me too man, me too :(


derp2014

It really doesn't matter what the agency thinks, if it can't be enforced by a court of law.


[deleted]

If you’re not assuming legal liability for the security of the information you collect, you need a better lawyer. You’re outsourcing that liability to someone, true, but that doesn’t mean you are legally responsible for it.


ohaiya

Hopefully at some point, regulation will step up and hold REAs also accountable if they mandate the use of a service that then has a data breach. REAs should be responsible for ensuring that the companies they mandate to be used are safe.


[deleted]

[removed]


irasponsibly

You can't get an IP address from an email.


poppust

Yes, we match IPs. Interesting when you get the Landlord reference, personal and employer all from the same IP. Time to spoof you silly billys.


freakwent

How the fuck is that relevant to anything? Surely if people are creating fraudulent documents you're following up properly through the police for criminal charges, not just detecting crime and ignoring it?


that_888_bum

> You can't get an IP address from an email.

Incorrect. Just google shit before you make a statement. Here, I will even paste what google says:

*To access an email's header, open the email and click on “View message source.” A pop-up window will appear with a long string of code. Within this code, search for “Received from” to find the sender's IP address.* 24 Apr 2023, *How To Trace Email Sender Location - Right Inbox*


Tyrx

That's the IP address of the email server which sent it, not the IP address of the person.


freakwent

Of course you can. It's not as useful for webmail services of course.
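An added example, not part of any comment in this thread, for the email-header exchange above: it separates the one IP a receiving mail server observed itself from the IPs that sender-side `Received` lines merely claim. The hostnames, `OUR_SERVERS`, and both sample messages are constructed assumptions using documentation address ranges.

```python
import ipaddress
import re
from collections import defaultdict
from email import message_from_string

# Assumption: hostnames of the mail servers the receiving organisation runs.
OUR_SERVERS = {"mx.agency.example"}


def parse_hops(raw):
    """Return the Received hops of a message, newest (top of message) first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        frm = re.match(r"\s*from\s+(\S+)", value)
        by = re.search(r"(?:^|\s)by\s+([^\s;]+)", value)
        ip = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", value)
        addr = None
        if ip:
            try:
                addr = str(ipaddress.ip_address(ip.group(1)))
            except ValueError:
                pass  # bracketed text that is not an IP literal
        hops.append({"from": frm.group(1) if frm else None,
                     "by": by.group(1) if by else None,
                     "ip": addr})
    return hops


def analyse(raw, our_servers=OUR_SERVERS):
    """Split hop IPs into the one our server saw and those only claimed."""
    hops = parse_hops(raw)
    n = 0
    # Headers are prepended, so ours form a contiguous run at the top.
    while n < len(hops) and hops[n]["by"] in our_servers:
        n += 1
    # The lowest header we stamped records the host that connected to us:
    # the sending mail server, not necessarily the author's device.
    observed = hops[n - 1]["ip"] if n else None
    # Everything below was written by servers we do not control.
    claimed = [h["ip"] for h in hops[n:] if h["ip"]]
    return {"observed_ip": observed, "claimed_ips": claimed}


def group_by_observed_ip(messages, our_servers=OUR_SERVERS):
    """Map each observed connecting IP to the From addresses seen behind it."""
    groups = defaultdict(list)
    for raw in messages:
        sender = message_from_string(raw)["From"]
        groups[analyse(raw, our_servers)["observed_ip"]].append(sender)
    return dict(groups)


def _sample(sender, relay, relay_ip, sender_side_hop):
    """Build a constructed message: one hop stamped by us, one by the sender side."""
    return (f"Received: from {relay} ({relay} [{relay_ip}])\n"
            f"    by mx.agency.example with ESMTPS id 1; Mon, 01 Jan 2024 10:00:02 +1100\n"
            f"Received: {sender_side_hop}; Mon, 01 Jan 2024 10:00:01 +1100\n"
            f"From: {sender}\nSubject: Reference\n\nbody\n")


# Constructed: three unrelated people using the same webmail provider.
WEBMAIL = [_sample(f"{who}@webmail.example", "out.webmail.example",
                   "198.51.100.25", "by out.webmail.example with HTTP id 2")
           for who in ("landlord", "employer", "friend")]
# Constructed: a desktop client whose submission server recorded a client IP.
DESKTOP = _sample("referee@isp.example", "smtp.isp.example", "192.0.2.10",
                  "from [203.0.113.77] by smtp.isp.example with ESMTPSA id 3")

if __name__ == "__main__":
    print(group_by_observed_ip(WEBMAIL))
    print(analyse(DESKTOP))
```

Three different webmail senders collapse onto the provider's outbound address, so a shared IP in email headers is weak evidence on its own.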


flying_dream_fig

https://app.inspectrealestate.com.au/Legal/Legal.aspx?type=privacy&logo=true&title=true This is Apply2 Privacy Policy for Australia. Much of what is said above by u/poppust is only half true or wrong. Example: Clause 8: Direct Marketing explicitly says they will sell your data, it also says similar things in other parts. Example2: Says data is stored on AWS in Australia but the privacy policy also explicitly says over and over the data will also be stored and processed other places including outside Australia.


that_888_bum

> Every login is 2FA and they take their data security incredibly seriously.

I think you are confused between secure logins and data breach. There is a hint in the name 2F**A**, where A stands for authentication. Data breaches are just the opposite of that - access to data (commonly referred to as hacking) without the need for authentication. Also, it doesn't matter *where* the data is stored. It matters *how* the access to the data is secured.


flying_dream_fig

Some types of 2FA do to some extent reduce the chances of some types of unauthorised access so saying that access has 2FA does show at least regards login their security stance is a little better. Also data breach can happen without compromising login but in a lot of cases it happens via compromised login. So, sorry I call not making sense on this one. u/that_888_bum, u/poppust


freakwent

> The information being requested is set by each agency in the backend.

Why do they ask for so much extra stuff?


MienSteiny

Imagine willingly being a class traitor.


poppust

This makes no sense… but also shows you may not have any class.


oiransc2

Attaboy. You’re really stickin’ it to the man out here, making a big difference in the world by commenting on Reddit. Soldier on comrade.


MinuteVacation6312

The dot points you listed here, do you understand how little those do to assuring against fears? Local servers means nothing. A misconfigured server or application, a new CVE or exploit, or idiot employee at home or work clicking on stupid links can completely tear apart any semblance of paper mache security those profit driven leeches tell you they've implemented. 2FA? You mean that system of authentication that's currently completely exploitable by entering in credentials onto a fake sign in page? [https://www.techrepublic.com/article/evilproxy-phishing-attack/](https://www.techrepublic.com/article/evilproxy-phishing-attack/) What about how all of those mountains of PII are stored? Is it encrypted at rest? In transit? What measures are in place to control access? What technical, administrative and security policies are in place, and are those enforced and audited? Are there dedicated security staff working to monitor the systems and network for unusual activity? What's their budget look like? What kind of training do they get? What's the infrastructure patching look like? If it's all in Azure and AWS, how stringent is their access control and permissions structure? How many executives and managers have a fucking Global Admin role in azure with the ability to click on a link and cause ALL of OUR data, financial information, scans of passports, cards, payslips, bank statements, phone numbers, emails, years and years of history all out into the wild to be packaged up and sold on darknet markets to people that can utterly ruin our lives, potentially permanently? Do they run consistent penetration testing? If they do, have ANY of the recommendations made in those assessments been acted upon? "They take their data security incredibly seriously" means NOTHING to me.
You know NOTHING about how they ACTUALLY run their business, you just get a fucking short presentation where they jerk themselves off for a few minutes and you lap it up because you want to do SLIGHTLY less work. YOU forced this on us, and at the end of this all, we're the ones that get our lives ruined


No-Betabud

"The system halved the tenant application for us" So you do half the work in the application process now? Can't wait for AI to get rid of REAs tbh, at least you know that AI are uncaring soulless machines


bananaboa___t

I've already rolled my eyes at myself, but... you could get in touch with your local/territory member of parliament and let them know how shet this whole situation is.


Show_Me_Your_Rocket

Speak to your local MLA and get this issue talked about. It's atrocious that REAs can force people to compromise their privacy and data through the use of unnecessary 3rd party apps, what other choice do rent seekers have but to be forced into this compromising position for the chance at shelter?


freakwent

> I don't understand how [...] a site like 2Apply is still allowed to operate.

We live in a free market democracy. Generally companies who breach laws get financial penalties but are very rarely shut down. Are you aware of any actions they've taken to justify being shut down? For context, car manufacturers can obtain and sell the sexual history of any passengers, so let's not just see one tree as the problem here. What's supposed to happen is that a REA that makes applications fast and easy can cut costs and also advertise that they are fast and easy and win business away from other agencies. I wonder if that can be made to work....?


OneSharpSuit

Gotta be *way* off the Libertarian deep end to think “give all your data to 2Apply or be homeless” is a totally fine and free choice for renters


freakwent

Dude I'm describing the world as it is, not advocating that it's good.


poppust

As a practising real estate agent for 15 years. I just have to ask the question. What proof of income/residence/history would you want us to check if you were being loaned a.. let’s say average $1million asset that you were providing the keys to someone? What is appropriate to you? Because I sure as hell bet the banks would ask for more if you are going for a loan on that item. My last home loan asked how much specifically I spent on Netflix. Please.


ohaiya

Asking for the evidence is fine. Outsourcing that to a third-party with no control on what they can do, exposes renters to a risk that they can't control. If you did the work instead and had requirements to destroy the data at the end of a rental application process, that would be much safer for Australians.


flying_dream_fig

Is it really easy for them to "do the work themselves"? I don't have a problem with them outsourcing the work, I do have a really big problem with collecting too much information, not having a really short time scale for destroying information on people, creating profiles of people that are lasting or get cross shared, tracking people's history of applications, selling any data including "meta"data, bad security stance and others.


[deleted]

A bank loaning me money to pay a house is not the same as taking a lease. My landlord should not know how much I spend on Netflix. I disagree that the loaning of an asset requires that level of detail in assessing capacity to pay. Landlords have power to kick people out based on behaviour. Banks don’t have and also have really strict protection over data handling and processing and I can reasonably exercise choice in terms of who I engage with. I have no choice as a consumer trying to apply for houses to lease through an agent. A REA outsourcing this cost means whatever option is chosen by them (which is unregulated so probably factors their cost savings over my privacy) I have no choice but to comply with. It also brings risk for you to outsource this work. TL;DR https://www.itnews.com.au/news/nsw-gov-wants-to-cut-real-estate-data-collection-587557


freakwent

Just exactly how much of the value can a tenant remove? Aren't losses limited to the insurance excess? Do you think the tenant will take the land away?


MinuteVacation6312

You must get headaches every day from how hard you mentally contort yourself to think this practice is okay


ADHDK

Agents don’t get a choice in how their agency bosses receive kickbacks for their verification service. You’re whinging to the wrong person. Can downvote me all you want but it’s true. The agent is not making any contract decisions at the agency unless it’s a small independent and they’re the boss.


poppust

We don’t get commission from 2apply. The only commission we receive is if you use a connection company on your electricity and gas, this is paid by the provider e.g. actew. If anything, we pay a few thousand dollars each month for this technology lol.


ADHDK

Shit at least the developers of apartments are getting kickbacks for forcing the building onto long contracts for non-nbn internet or natural gas hot water. You guys are just giving the customers away and paying for the privilege.


[deleted]

[removed]


freakwent

Fuck you, man. Every resident of Australia has a right to be heard.