← Back to context

Comment by aaln

9 days ago

Hey, Aaron the builder here.

The scamming that happens to homebuyers is not even comparable to the risk in uploading docs to a website which promises they won't share user data with anyone. This is genuinely a pro buyer tool with no association with any 3rd party.

The tool has already helped many people negotiate and get a better deal on their mortgage. Please before judging understand that 70% of buyers overpay in their mortgage 1-3% in closing costs and bad rates. It's mind boggling how much lenders get away with profiting in junk fees from stressed out homebuyers.

Allow me to expound on @kojeovo's remark. Please take this as a constructive criticism to improve your success potential. Much of it is from a quick glance, and am sure there are many other facets to improve.

A business is not just about the product.

Your Privacy Policy. There is no default way to download it (see 9.), and since it is window-ed cannot print entire doc. That means I cannot keep a copy of it for myself.

> We collect the following types of information:

> Mortgage Documents: Loan Estimates and Closing Disclosures you upload for analysis.

Okay, but

> 4. Data Security

> We implement industry-standard security measures to protect your information from unauthorized access, disclosure, alteration, and destruction.

This means nothing. Are you ISO 27001:2022, NIST SP 800-53, CIS, CE+, Essential Eight, or something else? Have you been audited, and proof? Who is your ISP? What regs do you follow around data sovereignty?

Terms of Service. Again, no default way of download. Overall, I would never agree to this ToS. It demands all kinds of requirements on the user, but takes no responsibility for anything - or as described above, explain how you will protect your customers.

You have no reference anywhere where you are geographically. No address, no about us, no who you are. I would be very leery on uploading anything.

  • Would it matter if they had a "perfect" privacy policy? I don't believe there's anything legally that enforces it. So they can promise the moon then turn around and sell your data.

    Maybe I'm wrong here, but, My mental model of privacy policies and the like has always been: This is a lie, the company will do whatever it wants with my data. And I will have no recourse.

    As such I've always acted accordingly. And very few websites have legit info on me.

    • I think acting 'as if' is the safe option here but encouraging change for the better in someone willing to engage in dialog is still better than not doing it. Maybe you didn't intend to make a counterpoint, i just wanted to point that out.

  • Thanks for the constructive feedback.

    I just added a way to easily download the entire privacy policy and terms of service, also quickly added an about page with some info about me - https://closing.wtf/about

    Eventually I'm going to get a certification and will keep your other points in mind.

    • > industry-standard security measures

      The industry-standard is to get hacked and have your info leaked online.

      "Industry-standard" is like saying "military-grade"

    • I think based on your responses so far, it’s disappointing, but people should not upload these docs.

      There isn’t anything actionable in them. It seems like you are running some kind of scheme to collect these documents. And it’s not clear why you need them at all: you could provide the same advise to everyone regardless of their contents, which is to compare options, or to ask for more lender refunds.

    • Just replace the entire contents of the privacy policy with the word “None.”

      You’ll never ever please the privacy commenters on HN who are armchair security enthusiasts. They’re never going to use your product and they’re never going to stop complaining if you show your product to them.

      Normal people just don’t care. For a tiny side project spend your time on the thing that’s potentially useful to people not trying to appease the privacy crowd on HN.

  • Legitimately curious, what’s the worst they could do with this data?

    • The most common scams around home buying are wire fraud - contact the buyer pretending to be the title company and steal their money. The data in a mortgage is exactly what you need to enable these scams and you're getting people to hand it to you and at the same time tell you they are about to wire money.

      17 replies →

    • Aside from the personal details (name, address, etc), they can collect pricing info on houses, run analytics, and swoop the deal with a slightly better offer or better yet, sell it to wholesale buyers, reits, and whoever is interested in stealing the deal.

      14 replies →

FYI, this reads as a very aggressive response to someone raising legitimate privacy concerns and doesn't engender the trust you very likely deserve.

Rather than talking up the value of the tool as superceding the concerns, a more constructive approach might acknowledge the concerns and emphasize how you already do minimize risk or commitments you're willing to make towards doing so.

Being dismissive doesn't help worried or skeptical people feel more secure, and worried and skeptical people make perfectly good users too.

  • Interesting. I didn't read it as aggressive, and certainly not "very" aggressive. I read it as polite and perhaps mildly defensive. What about the response suggests aggression to you?

It is fair to describe the pains of not getting analysis on mortgage loan estimates, but what I think folks are looking for is some kind of authentic answer to the problem posed.

For example, you could advise the person uploading to remove PII prior to the upload, and link to pdf editing tools that allow them to do that.

You could say that not including PII like full name(s) found on just about every loan estimate does not take away from the value of the tool.

Another thing that could be done is to provide clear means for removing any data uploaded, or opt-out pre-upload of any data being used for training.

For example by creating an account first.

Providing some skin in the game such as putting the removal behavior in the terms of service and a personal guarantee to do everything to ensure sensitivity to privacy of this information will be handled carefully staking your reputation, probably would help.

  • Thank you for these suggestions, I'm going to advise users to remove PII before uploading and eventually allow users to purge their data.

> not even comparable to the risk in uploading docs to a website which promises they won't share user data with anyone. This is genuinely a pro buyer tool with no association with any 3rd party.

I have no reason to think you're not completely sincere in this!

But, realize it doesn't mean anything.

Unless that promise is backed by some ironclad contract, it means nothing. Companies grow and hire new people who don't care about the original values. Or they get acquired and all bets are off. Or they start running low on cash and suddenly decide monetizing all that data is a good idea after all. Or it becomes visible enough to attract attention of the government who shows up demanding copies of data. And so on.

I've been in one or more startups where all of these things have happened.

I am genuinely surprised by the comments in this thread.

Privacy concerns are real but the importance of that matter in your project is overestimated here by an absurd level.

What I read is not a constructive criticism and the suggestions laid down are not realistic nor business relevant at all. I feel like this is some sort of mass wishful thinking.

  • I think it's actually refreshing to see the top comments and constructive criticism be about privacy concerns. It shows that even for little "Show HN" projects, there is growing intolerance of half-assing it. Not saying OP in particular is half-assing it, but it's good to see these questions being regularly asked front and center. I honestly wish the Tech Media paid more attention to privacy and security instead of just copy-pasting companies' PR statements as "articles."

    • My opinion is that the OP shouldn’t even half-ass it. Ignore anybody who has complaints about privacy and 0-ass it. People just love complaining and telling other people The Right Way To Do Things.

      1 reply →

  • > Privacy concerns are real

    This isn't about privacy, it's a security concern. People's life savings are on the line here, and the information OP is requesting is enough to pull off very sophisticated social engineering attacks. It's entirely reasonable to ask what they're going to do with that information and how they're keeping it secured, and their reaction to the questions is entirely inappropriate for someone who's asking for this degree of trust.

  • Title deposit wire fraud is a very big risk. The amounts are devastating to the victims, so the operator has to go above and beyond to secure the data because of the huge risks involved. Would you risk losing a 5-/6-digit amount to fraud in order to potentially save on a 4-digit closing fee?

Hey. I really don't care to compare the level of scamming nor the usefulness of the tool. I'm in the process of buying right now so I know it could be useful. That's besides the point. To clarify, here's a different thought. Reading the following copy, I am wondering "whats gonna happen to my data / file I upload?":

> We never sell or share data with third parties. All information is used solely to generate analyses to help borrowers analyze and optimize their mortgages.

I even looked further into the privacy policy, just to be diligent here.

> We implement industry-standard security measures to protect your information from unauthorized access, disclosure, alteration, and destruction.

With how much info I have been provided, I'm just not gonna upload a document to your site. Like I said, just doesn't inspire confidence as I scroll your landing page. Could just be a copy change to fix this.

I love this idea (haven't tried it) and it seems like a killer app for AI. I can think of a lot of other things like health insurance, home owners insurance, and many other types of contracts for which an AI advisor can be built for. Imagine being able to rake over a complex document and make decisions that clearly benefit you. That's a rare privilege.

Also, you have no control over decisions that any future owner might have, and you won't care because you've already cashed out.

What happens when you get hacked? Not if. To come back at someone with valid concerns with a "no, you don't understand my point of view" does nothing but a disservice to you.

Expecting people to just accept things is just not a good way to operate. When you receive push back, you need better responses than this. Will the vast majority of your users push back, sadly, probably not. However, you did post this to HN and then reacted poorly to valid criticism. Tsk tsk

Great idea and execution. I understand the privacy concerns, but I believe implementing a client-side redaction step could alleviate some of them. This step would allow users to preview their uploaded content before submitting it. While designing this feature, it’s crucial to ensure user trust and convince them of its benefits. Personally, I would feel more comfortable uploading a PDF knowing that it will be anonymized or redacted before being submitted.

Doesn't matter your promise, even though you may or may not be trusted, hackers can get it and steal it all. So it's not necessarily you or your service.

How can you get scammed on a mortgage? They're typically standard products from nationwide banks.

>The scamming that happens to homebuyers is not even comparable to the risk in uploading docs to a website which promises they won't share user data with anyone.

Well as long as you promise, my privacy fears are allayed!

/s

Ignore the haters, they will probably never be your customer.

  • Ah the Disney approach.

    Bold strategy Cotton.

    Owner did the smart thing and listened to the constructive criticism which made me feel infinitely better about using his tool.

    Which I will now do, and would not have before. I am also his exact customer.

    • > Ah the Disney approach. Bold strategy Cotton.

      The Disney approach, if successful, would make you very rich. Their approach has made them one of the most powerful companies in the world.

  • People are trying to increase the potential customer base of the author by pointing out where there is room to improve. That is incredibly valuable, and one of the major reasons to do a Show HN.

    That is not being a "hater".

    • https://news.ycombinator.com/item?id=42150219 was highly constructive. It was direct and actionable.

      kojeovo's original comment was less so. When you build a product, you're going to get random, in-actionable comments from people who just like to complain. Separating the signal from noise is difficult, and while there is a underlying concern about privacy, not giving anything actionable moves it towards to the noise side of the spectrum.

      3 replies →

    • The percentage of regular people who care about any of the risks discussed in this thread is approximately zero. For better or worse.

      Your typical home buyer isn't reading the contract they sign when they buy a home, let alone the privacy policy of a simple tool they use to check if they have a mortgage with decent terms.

      3 replies →