In brief, at least two Recorders and Fidlar Technologies, the company that supplies indexing software and remote access services to the affected Recorders, are suing LPS for failing to pay copy fees per their agreement with the Recorders. (Details in ILB posts from: Dec 10th, Dec 16th, and Dec 18th.)
This is a big deal for Indiana Recorders. Indiana statutes require that Recorders collect a $1/page fee when they supply a copy of a document to the public. Recorders depend on this revenue to fund part of their office, thereby reducing local tax burdens. The statutes also forbid recipients of copies from re-selling them, thus preserving the income stream for the Recorders. That means Recorders must keep a tight rein on access, so they take a dim view of those who don't follow the rules or take care to protect their income.
Doxpop provides an online access service very similar to Fidlar's for 33 Indiana Recorders. Fidlar's business is similar enough to ours that we become alarmed when someone abuses them. We could be the next target, so we take this seriously. Although we think we've got a better approach to security, we are also keenly aware that nobody is perfect. The rest of this post explains why we are not vulnerable to the specific exploit LPS used, but please don't take it as an assertion that our security is perfect. The most important security tool is humility.
Several of the Recorders Doxpop partners with have asked us to look over the lawsuit and confirm that they are not at risk from the same method of stealing through our service. The short answer is no, they are not at risk.
There are two reasons:
- First, there is protection in our system architecture. Based on the statements in the lawsuit, it appears that LPS was supplied with software that counted the number of copies on the LPS end of the Internet connection, and then reported back the totals. Fidlar alleges that LPS mimicked that program's Internet requests to retrieve thousands of documents without reporting the transactions. Doxpop takes a different approach. We count the copies as they leave the server on our end of the connection. It's like the difference between the electric company reading a meter on the outside of a house themselves or putting the meter inside the house and asking the customer to report the readings. We keep the metering on our side of the wall.
- Second, there is legal protection. Doxpop executes a contract with each Recorder we work with that makes us responsible for paying all copy fees for documents obtained through our service. If this had happened to one of our partner Recorders, we'd have paid the Recorder in full for all fees due, and it would be up to us to go after LPS for our losses. This is a simple fix that every county should consider implementing immediately. A good vendor should be willing to protect their local government partners from loss. (That's also what keeps us watchful: we'll be the losers if we screw up.)
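The metering difference described in the first point, as an added sketch that is not Doxpop's or Fidlar's code: it compares what each design bills when a client retrieves copies but never reports them. The class names, the `report` call, the account name and the sample documents are assumptions made for illustration, and a page count stands in for the document itself.

```python
from dataclasses import dataclass, field

FEE_PER_PAGE = 1  # dollars per page, the statutory copy fee cited in the post
DOCUMENTS = {"deed-001": 3, "mortgage-002": 12, "lien-003": 1}  # constructed: id -> pages

@dataclass
class ClientReportedServer:
    """Meter inside the house: billing relies on totals the client sends back."""
    reported: dict = field(default_factory=dict)

    def fetch(self, account, doc_id):
        return DOCUMENTS[doc_id]  # copy leaves the server with nothing recorded

    def report(self, account, pages):  # client-controlled input, trusted as-is
        self.reported[account] = self.reported.get(account, 0) + pages

    def fees_due(self, account):
        return self.reported.get(account, 0) * FEE_PER_PAGE

@dataclass
class ServerMeteredServer:
    """Meter outside the house: the charge is logged as the copy is served."""
    ledger: list = field(default_factory=list)

    def fetch(self, account, doc_id):
        pages = DOCUMENTS[doc_id]
        self.ledger.append((account, doc_id, pages))  # recorded before returning
        return pages

    def fees_due(self, account):
        return sum(p for a, _, p in self.ledger if a == account) * FEE_PER_PAGE

def unbilled_pages(server, account, doc_ids):
    """Pages served minus pages billed for a client that fetches but never reports."""
    served = sum(server.fetch(account, d) for d in doc_ids)
    return served - server.fees_due(account) // FEE_PER_PAGE

if __name__ == "__main__":
    for design in (ClientReportedServer(), ServerMeteredServer()):
        gap = unbilled_pages(design, "acct-1", list(DOCUMENTS))
        print(f"{type(design).__name__}: {gap} unbilled pages")
```

In the server-metered design there is no reporting request for a client to omit, so the served and billed totals cannot diverge through client behaviour alone.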
Nobody knows what the next exploit might be, but we believe this two-pronged approach of taking care to prevent breaches and then additionally taking responsibility ourselves if a breach occurs is the right way to protect the public officials we work with from whatever the future holds.