At AEI 2016, I recently had the privilege of speaking on a panel along with John Mosey and Mitch Skinner, moderated by Bill Lublin. The topic was, “Do You Know Where Your MLS Data Is?” The three of us discussed where data should be—where it’s licensed, serving the purposes of the MLS and the needs of participants—and where it shouldn’t be, as well as how it should be protected by the MLS. There’s no way I can recount all the insights provided over a full hour, but following are some highlights.
John Mosey did a great job summarizing executive-level thinking behind why one provides data protections. He described how eleven million dollars was spent just to defend against one copyright violator, and why the fragmented industry needs to rally behind REDPLAN to act in concert against those who would take advantage of it.
Mitch Skinner provided important insight into the need and process for MLSs to get their copyright in order. From a copyright perspective, there’s fractured ownership: agents, homeowners, brokers, MLS, professional photographers, and others may all own components of the listing content database. MLSs have work to do to ensure they have good “copyright hygiene,” with agreements in place to aggregate ownership, collect information about authorship, and address the chain of title. Mitch also explained the process of protecting data, including non-copyrightable elements, via license. It is very important that such agreements be clear about what data is included and exactly how that data may be used; in addition, there should be typical contractual provisions (indemnification, warranties, limitations of liability) and an exit procedure.
I provided a breakdown of the information security challenge MLSs face in terms of a housing metaphor: the front door of authentication, the back door of data distribution, and the window (no one expects anyone to come through the window!) of hacking.
Hacking, as such, isn’t exactly the main issue for MLS data, but it is important from an operational perspective. MLSs must ensure that the website is not defaced and distributing malware to visitors—as I have had to deal with in our industry several times in recent years. Almost 30% of our top 100 associations’ websites are running on insecure (unpatched) platforms, so this isn’t something to take for granted. Data theft also can occur through hacked servers, workstations, and mobile devices. Also, one must ensure member and MLS subscriber information is safe via compliance with Payment Card Industry Data Security Standards (PCI DSS).
Protecting the login with strong authentication is more important than ever, especially as the industry provides the convenience of single sign-on to multiple systems. These systems include those that contain sensitive information, such as document and transaction management systems. Out of nearly 500,000 accounts it protects with strong authentication, Clareity Security has found that over 10% of subscribers try to share their login credentials—even when there are large penalties set by the MLS. Some try to share their account with many others, but most with just one or two unauthorized users; this is very difficult to detect, especially when the computer or mobile device itself is being shared.
Following are a few important things about authentication that I didn’t have time to say during the panel: Most forms of commercial authentication systems depend on the end-user wanting to protect their login, rather than wanting to share it, and some in our industry share computers and devices with both colleagues and clients which defeats other forms of authentication – so our industry presents a special challenge. 76% of shared logins are discovered primarily through the use of biometric authentication, and Clareity Security will soon be releasing a patented new form of biometrics that works across all touch-screen platforms that will further improve detection of account sharing attempts. The most important part of managing authentication in the MLS is ensuring that MLS staff has to confront end-users about sharing as little as possible and Clareity Security’s authentication system addresses 95% of issues without that difficult staff intervention.
There are two important parts of dealing with data distribution. When sending data to third parties, the first step is to have agreements that address your security expectations. As an example, if you expect that your web application servers will be patched within twenty-four hours of a critical security patch coming out, or within thirty days of an important one being released, then it should be in your contract. Every single agreement type you have (e.g. MLS, transaction management, membership system, IDX, syndication, etc.) will have different security requirements – and there are a lot of them, especially for systems containing the most sensitive information. It’s important to provide those requirements to your attorney to ensure they are accounted for in your agreements.
For some kinds of data, such as listing information, it’s critical to implement anti-scraping technology, market-wide – including, for starters, the MLS system itself, the MLS client collaboration system, and framed IDX modules. This isn’t just a matter of protecting against the scrapers who misuse your data online where you might find it and possibly prosecute them, but also to prevent theft by all the companies that create marketing products based on this content, and those that use it to license the content to financial companies and others in a grey market that devalues your existing data licenses.
VOWs already require such anti-scraping protections by rule, and once the MLS takes care of its own resources, such requirements can be placed on IDX sites as well. However, in a large survey Clareity Consulting performed last year, 95% of MLS executives expressed an interest in also having NAR amend current MLS policy so that the ever-expanding content of IDX sites required the same protections as VOWs, to make it absolutely clear to subscribers that this is a requirement industry-wide. How nimble will NAR be in responding to this need? Hopefully we’ll see progress on this at NAR meetings in 2016.
The technology needed to protect against scraping is quite complex. In the past, one could just look for a server hitting the website fast with many requests and block that internet address, but now scrapers operate from thousands of consumer internet addresses, with each making just a few slow automated requests. 70% of bots on US real estate sites come from consumer ISPs such as AT&T, Verizon, Cox, Charter, and Time Warner Cable. Scrapers are also beginning to attack APIs that are used for mobile solutions. There are a few companies out there providing anti-scraping protection, but currently the only one I’m finding highly effective against the most serious scrapers is Distil Networks. Distil Networks protects dozens of MLS public sites, Broker sites, platforms like FlexMLS and Boomtown, portals like realtor.com and realtor.ca, along with a number of high-profile listing websites outside of North America. A number of high-profile industry vendors and advertising websites have already implemented this cost-effective solution.
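To make the difference concrete, here is an added example (not from the panel and not any vendor's method) that runs the old per-address rate check and an aggregate check over constructed traffic. The client fingerprint field, the thresholds, and all addresses are assumptions chosen for illustration.

```python
from collections import defaultdict

def build_log():
    """Constructed sample traffic: (second, ip, fingerprint, listing_id)."""
    log = []
    # Old-style scraper: a single address requesting 120 listings in a minute.
    log += [(s % 60, "203.0.113.9", "fp-fast", 1000 + s) for s in range(120)]
    # Distributed scraper: 40 consumer addresses, 3 slow requests each,
    # sharing one (hypothetical) client fingerprint and walking listing ids.
    for i in range(40):
        for k in range(3):
            log.append((i * 80 + k * 25, f"198.51.100.{i + 1}", "fp-bot",
                        5000 + i * 3 + k))
    # Ordinary visitors: distinct fingerprints, a handful of listings each.
    for i in range(20):
        for k in range(4):
            log.append((i * 50 + k * 10, f"192.0.2.{i + 1}", f"fp-user{i}",
                        9000 + (i * 7 + k) % 30))
    return log

def per_ip_rate(log, window=60, limit=30):
    """Classic check: flag any address exceeding `limit` requests per window."""
    buckets = defaultdict(int)
    for sec, ip, _fp, _lid in log:
        buckets[(ip, sec // window)] += 1
    return {ip for (ip, _w), n in buckets.items() if n > limit}

def fingerprint_spread(log, min_ips=10, min_listings=50):
    """Aggregate check: one fingerprint seen across many addresses that
    together cover many distinct listings, whatever the per-address rate."""
    ips, listings = defaultdict(set), defaultdict(set)
    for _sec, ip, fp, lid in log:
        ips[fp].add(ip)
        listings[fp].add(lid)
    return {fp for fp in ips
            if len(ips[fp]) >= min_ips and len(listings[fp]) >= min_listings}

if __name__ == "__main__":
    log = build_log()
    print("per-IP rate flags:", per_ip_rate(log))
    print("fingerprint spread flags:", fingerprint_spread(log))
```

The per-address check catches only the fast single-address scraper; the 40 slow addresses are visible only once requests are grouped by something other than the address.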
I hope that association and MLS executives understand that information security is an executive level function. Information security is about a lot more than computer security, and it isn’t something that technical staff can do on their own. From security assessments to remediation planning—all the steps needed to address physical security, personnel practices, contracts, and even overseeing the technical issues—the executive must stay involved.