One of the core functions of an MLS is to help subscribers cooperate, and making sure all subscribers follow the MLS rules designed to minimize participant conflict is a key part of this function. One of the places conflicts play out most publicly is in arguments over IDX and VOW displays. Yet a number of MLSs do not have a compliance program in place, and others are uncertain of their compliance practices. I think that’s why, when Clareity recently surveyed MLSs asking which of our services they planned to use in 2015, one of the most common responses was our IDX and VOW compliance services. Compliance is growing increasingly difficult, especially since MLS rules seem increasingly out of touch with innovations such as social media and installed apps. Following are some tips to help MLSs do a better job with IDX and VOW compliance reviews. Some of these may already be on the radar for my regular readers, but there are some new tips as well.

First of all, hard as it may be to shake off the habit, let’s not call these things “compliance audits” anymore, at least with subscribers. Using the word “audit” brings up bad memories people may have of certain government agencies and an inquisitorial way of doing things. Let’s call them “compliance reviews,” which is a much more neutral way of referring to them.

In keeping with this spirit, it’s important that, as far as possible, reviews be conducted consistently, not just in response to a perceived problem. “Complaint-based” reviews often lead to accusations of unfairness and even persecution. If MLSs consistently review sites and apps within a specific time period after they go live, and at specific times after that, it is harder for complaints such as, “the MLS picks on me because I am a discount broker,” to stick. If an MLS is just implementing a compliance program, I usually suggest that the leadership’s sites be reviewed first. After all, nothing is worse than having an antagonistic subscriber who is able to retort, “The MLS president’s site does it the same way – she’s out of compliance but you’re not doing anything about her!”

It is important for an MLS not just to have rules, but also a formal legal agreement with brokers governing VOWs and IDXs. The agreement is where the “rubber meets the road,” the last word on mutual rights and responsibilities. It’s the best place to clarify any vague parts of an MLS’s VOW/IDX policy and describe auditable criteria. The agreement sets out rules and responsibilities; the times when reviews may take place; how compliance and other costs are accounted for; what it takes to comply; the time during which a compliance problem can be remedied (“cure period”) and what happens then; and the criteria on which a site will be reviewed. The agreement will also have all the standard legal clauses concerning assignment, governing law, notices, and severability, and other required language. Many of the IDX and VOW agreements Clareity sees from MLSs lack much of the specificity required to be successful with a compliance program. This is an area to consult both with your business consultant and your attorney.

Again, VOW and IDX policies can be vague, and give rise to disputes if not specified more clearly.

For example, how should acceptance of the Terms of Service be handled? There is a spectrum of options that range from having a document linked to from inside a signup form all the way to having a text area with the terms where the user is forced to scroll to the bottom and nominally read them before she can check off a box marking her acceptance and move forward. What options are acceptable, and are you enforcing them consistently?

What is “appropriate security protection?” For which security criteria are sites tested? APIs have opened up a huge new area of vulnerability. What criteria apply to them? What issues can be let slide, and what issues must be fixed?

What does it mean to have “anti-scraping” protection and monitoring? Scrapers have grown radically more sophisticated with time, and measures you may be writing into your agreement, and which you may be offered by some IDX vendors, may only protect against the kinds of attacks that were common years ago.

There are also many areas where the IDX and VOW rules need to be updated and ambiguity decreased. What does it mean for the display of IDX data to be a “Participant’s display?” Ambiguity in this area is causing significant conflict in the industry these days. Who is a “Consumer”? I know at least one company that would say that a federal agency and other businesses are their “Consumer” – certainly not what was intended by policy writers.

Technology marches forward, creating increasing conflict with our aging rules. For an installed “app”, does the VOW process of email confirmation make sense, and should an installed app require the VOW username and password each time the app is opened? What’s reasonable? Consumers are becoming used to signing up for sites and apps using their social media login, which flies in the face of many of the VOW rules related to signups and logins. Do we need to engage with both NAR and DOJ to make changes to VOW rules?

The items above are just a few of many areas where MLSs must take care when implementing an IDX and VOW compliance practice. As they say, the devil is in the details! But, throughout the process of IDX and VOW compliance reviews, also keep the big picture in mind: attitude is everything. Be friendly and respectful to all subscribers and their vendors. Be merciful to the very occasional and obviously accidental violators. Remind them that rule compliance reviews are an MLS service to make sure that everyone is playing by the same rules in order to reduce conflict among subscribers. If you follow this guidance, you will be more successful with your compliance program.

As a consultant often called on by MLSs for help with VOW and IDX compliance audits, and as someone who is always pushing for improved information security in the real estate industry, I love that information security is featured prominently in the VOW rules, section 19.5: “A Participant’s VOW must employ reasonable efforts to monitor for, and prevent, misappropriation, ‘scraping’, and other unauthorized use of MLS listing information. A participant’s VOW shall utilize appropriate security protection, such as firewalls, as long as this requirement does not impose security obligations greater than those employed concurrently by the MLS.” The last part of that rule is also reflected in optional IDX rule section 18.3.14. Auditing these rules has allowed me to help many brokers improve their VOW and IDX security and reduce the risk of an information security incident.

I’ve already written about guidelines for anti-scraping and monitoring and, although anti-scraping is a constantly evolving challenge, that article provides at least a baseline for evaluating VOW rule compliance.

But, what else should MLSs be looking for when evaluating VOW and IDX security?

First, as specifically mentioned in the rule, appropriate firewall protection must be established. When I audit a VOW, I look to make sure that there are only a few specific network ports open on the server: 80 and 443 as needed for the web server to function, and the ports needed to provide a secure method of server administration, such as port 22, or 989 and 990. If ports like 21 and 3389 are open and actually used to administer the website, it should be a big compliance red flag, because they are common causes of security incidents – and issues I see the majority of the time when auditing a VOW or IDX site.
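As an added example (not code from the original post or from Clareity), here is how a reviewer might turn the port criteria above into a repeatable check: it parses nmap-style grepable (`-oG`) output and classifies each open TCP port as permitted, a red flag (21 and 3389, as named in the post), or needing review. The scan text and the host `vow.example` are constructed, not real results.

```python
"""Classify open ports from a constructed scan against the VOW/IDX firewall criteria."""
import re
from dataclasses import dataclass

# Policy as stated in the post: 80/443 for the web server, 22 or 989/990 for
# secure administration; 21 (FTP) and 3389 (RDP) are red flags.
ALLOWED_WEB = {80, 443}
ALLOWED_ADMIN = {22, 989, 990}
RED_FLAGS = {21: "FTP (cleartext credentials)", 3389: "RDP exposed to the Internet"}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    severity: str   # "ok", "review" or "red_flag"
    note: str


# One -oG port entry looks like "22/open/tcp//ssh///"; only open TCP ports matter here.
_PORT_RE = re.compile(r"(\d+)/open/tcp//([^/]*)/")


def parse_grepable(text):
    """Yield (host, port, service) for every open TCP port in -oG style text."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for m in _PORT_RE.finditer(ports_field):
            yield host, int(m.group(1)), m.group(2)


def review_ports(scan_text):
    """Return one Finding per open port, judged against the post's criteria."""
    findings = []
    for host, port, service in parse_grepable(scan_text):
        label = service or "unknown"
        if port in RED_FLAGS:
            findings.append(Finding(host, port, "red_flag", RED_FLAGS[port]))
        elif port in ALLOWED_WEB or port in ALLOWED_ADMIN:
            findings.append(Finding(host, port, "ok", f"permitted ({label})"))
        else:
            findings.append(Finding(host, port, "review", f"not in agreement ({label})"))
    return findings


# Constructed sample output (not a real scan); 192.0.2.10 / vow.example are placeholders.
SAMPLE_SCAN = """\
# Nmap grepable output (constructed)
Host: 192.0.2.10 (vow.example)\tStatus: Up
Host: 192.0.2.10 (vow.example)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (994)
"""

if __name__ == "__main__":
    for f in review_ports(SAMPLE_SCAN):
        print(f"{f.host}:{f.port:<5} {f.severity:<9} {f.note}")
```

Ports outside the agreement (8080 here) are reported for review rather than as violations, since the agreement, not the tool, decides what is permitted.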

Second, you want to verify that all the web server software is up to date and properly configured. That means checking the web server (IIS, Apache, etc.) version, the operating system version (when possible) and the platform (.NET, JSP, ColdFusion, WordPress, etc.) version, making sure that those are the most current versions or that newer versions don’t have fixes for significant security vulnerabilities. You might think that keeping systems patched would be second nature for a technology provider, but in my experience, it seems not to be the case.

Third, you want to evaluate any externally obvious security misconfigurations of the server and platform. Every server and platform has its own security configuration guidelines and it’s reasonable to expect that obviously poor configurations should not be visible to an external evaluator.

Fourth, and probably the most complicated part of evaluating VOW security, you want to evaluate application security – at least the OWASP Top 10 Vulnerabilities: Injection, Cross-Site Scripting (XSS), Broken Authentication and Session Management, Insecure Direct Object References, Cross-Site Request Forgery, Security Misconfiguration, Insecure Cryptographic Storage, Failure to Restrict URL Access, Insufficient Transport Layer Protection, and Unvalidated Redirects and Forwards. I usually evaluate Information Leakage and Improper Error Handling as well. Some of these items can’t be easily validated externally (e.g., Insecure Cryptographic Storage), though I’m always glad to hear that a web developer has encrypted the passwords and so cannot technically be compliant with VOW rule 19.3b (“The Participant must at all times maintain a record of the name, email address, user name, and current password of each registrant.”). I’ve seen every one of these OWASP vulnerabilities while auditing VOWs, and many times there are half a dozen issues on a single VOW.

If you’re a staff person at an MLS and a lot of the preceding read like gobbledygook to you, or you don’t know how to audit security, you may want someone like me auditing VOWs and IDX sites for you, or at least auditing the security and anti-scraping related portions. It has been a blessing for the industry that the VOW and IDX rules give MLSs the opportunity to ensure that at least some reasonable security best practices are in place for VOW sites. I’ve had brokers tell me they were actually grateful someone was keeping an eye on their technology provider in this area, since they lacked the capacity to do so themselves and just figured that all appropriate measures had been taken.

Please keep in mind that website security is the smallest portion of overall brokerage security. Taking appropriate steps in terms of policies and contracts, physical security, account management and password controls, internal networking and computing, mobile device security, and internal web applications is all important. The NAR-sponsored security workshops and the security articles and blogs that I write, and which many MLSs and Associations reprint, are helping me reach some brokers and agents – but it’s a very difficult task to try to improve information security in this industry, and I hope that I can count on my readers to act as security allies and spread the word.

mattsretechblog: matt cohen (Default)
Matt's Real Estate Tech Blog