Friday, December 19, 2014

Are Doxpop Recorders protected from unauthorized access to documents?

We have been reading with interest The Indiana Law Blog's coverage of the Federal cases involving several Indiana Recorders and LPS Real Estate Data Solutions (now Black Knight Financial Services.)

In brief, at least two Recorders and Fidlar Technologies, the company that supplies indexing software and remote access services to the affected Recorders, are suing LPS for failing to pay copy fees per their agreement with the Recorders. (Details in ILB posts from: Dec 10th, Dec 16th, and Dec 18th.)

This is a big deal for Indiana Recorders. Indiana statutes require that Recorders collect a $1/page fee when they supply a copy of a document to the public. Recorders depend on this revenue to fund part of their office, thereby reducing local tax burdens. The statutes also forbid recipients of copies from re-selling them, thus preserving the income stream for the Recorders. That means Recorders must keep a tight rein on access, so they take a dim view of those who don't follow the rules or take care to protect their income.

Doxpop provides an online access service very similar to Fidlar's for 33 Indiana Recorders. Fidlar's business is similar enough to ours that we become alarmed when someone abuses them. We could be the next target, so we take this seriously. Although we think we've got a better approach to security, we are also keenly aware that nobody is perfect. The rest of this post explains why we are not vulnerable to the specific exploit LPS used, but please don't take it as an assertion that our security is perfect. The most important security tool is humility.

Several of the Recorders Doxpop partners with have asked us to look over the lawsuit and make sure they are not at risk for the same method of stealing through our service. The short answer is No, they are not at risk.

There are two reasons:
  • First, there is protection in our system architecture. Based on the statements in the lawsuit, it appears that LPS was supplied with software that counted the number of copies on the LPS end of the Internet connection, and then reported back the totals. Fidlar alleges that LPS mimicked that program's Internet requests to retrieve thousands of documents without reporting the transactions. Doxpop takes a different approach. We count the copies as they leave the server on our end of the connection. It's like the difference between the electric company reading a meter on the outside of a house themselves or putting the meter inside the house & asking the customer to report the readings. We keep the metering on our side of the wall.
  • Second, there is legal protection. Doxpop executes a contract with each Recorder we work with that makes us responsible for paying all copy fees for documents obtained through our service. If this had happened to one of our partner Recorders, we'd have paid the Recorder in full for all fees due, and it would be up to us to go after LPS for our losses. This is a simple fix that every county should consider implementing immediately. A good vendor should be willing to protect their local government partners from loss. (That's also what keeps us watchful; We'll be the losers if we screw up.)

Nobody knows what the next exploit might be, but we believe this two-pronged approach of taking care to prevent breaches and then additionally taking responsibility ourselves if a breach occurs is the right way to protect the public officials we work with from whatever the future holds.
  

Monday, December 8, 2014

Johnson County Converts to Odyssey- Your Doxpop Access is Unaffected.

Over the last weekend (December 6-7), the Courts in Johnson County converted to the Odyssey case tracking system, this means their Case Management System is now administered by JTAC and all data stored in Indianapolis.

This move does not affect Doxpop users because Doxpop buys access to a real-time feed of court data from the Odyssey system from the Division of State Court Administration. Your access to Johnson court information through Doxpop will not be interrupted during this transition.

A few of the services we provide will look odd during the transition, because there will be a short period when both the old data and the new data are available. In particular:
  • If you use the personal calendar feature to keep track of hearings connected to your Bar ID, you will see two colors for Johnson County on your calendar. Every event will be available, but the older cases will have a different color from the newer cases. When we complete the merge process, these will go back to being a single color.
  • When you look at our "County Details Page", you will find two entries for each court until the merge is complete.
  • When you are doing searches, you will find two entries for some cases. This is because while we are loading the information from Odyssey, we will also be maintaining the old data until the operation is complete to ensure you don't miss anything. When you see two case entries, please look at both to ensure you have the most current information.
  • If you use any of our "watch" services to keep an eye on cases or people of interest, we will be moving those watches over so they point to the cases and people that are a part of the Odyssey data feed. We run a process to convert these every hour, but it is possible for notification of events to slip through the cracks between conversion runs so you may want to periodically do a manual check between now and January 12th. After the 12th, we'll be back to normal.
Tax warrants are not stored on the Odyssey system, and thus from this point forward, if you are seeking tax warrants, you will need to either find those by visiting the clerk's office or by subscribing to an on-line service offered by the State Court Administration.

Finally, one deficiency in the Odyssey system is that financial information is not exported in their data feed, so that detail will not be available after the transition. We regularly ask that JTAC add this to the data feed, but so far, we are told that it is not allowed because the clerks using the Odyssey system have requested that JTAC not make that information available to us. If this information is important to you, please encourage the clerks you work with to tell JTAC differently so we can get the information back online.

As always, we are available to answer any questions in person, so don't hesitate to call support at 866-369-7671 if you have any questions.