Friday, December 19, 2014

Are Doxpop Recorders protected from unauthorized access to documents?

We have been reading with interest The Indiana Law Blog's coverage of the Federal cases involving several Indiana Recorders and LPS Real Estate Data Solutions (now Black Knight Financial Services.)

In brief, at least two Recorders and Fidlar Technologies, the company that supplies indexing software and remote access services to the affected Recorders, are suing LPS for failing to pay copy fees per their agreement with the Recorders. (Details in ILB posts from: Dec 10th, Dec 16th, and Dec 18th.)

This is a big deal for Indiana Recorders. Indiana statutes require that Recorders collect a $1/page fee when they supply a copy of a document to the public. Recorders depend on this revenue to fund part of their office, thereby reducing local tax burdens. The statutes also forbid recipients of copies from re-selling them, thus preserving the income stream for the Recorders. That means Recorders must keep a tight rein on access, so they take a dim view of those who don't follow the rules or take care to protect their income.

Doxpop provides an online access service very similar to Fidlar's for 33 Indiana Recorders. Fidlar's business is similar enough to ours that we become alarmed when someone abuses them. We could be the next target, so we take this seriously. Although we think we've got a better approach to security, we are also keenly aware that nobody is perfect. The rest of this post explains why we are not vulnerable to the specific exploit LPS used, but please don't take it as an assertion that our security is perfect. The most important security tool is humility.

Several of the Recorders Doxpop partners with have asked us to look over the lawsuit and make sure they are not at risk for the same method of stealing through our service. The short answer is No, they are not at risk.

There are two reasons:
  • First, there is protection in our system architecture. Based on the statements in the lawsuit, it appears that LPS was supplied with software that counted the number of copies on the LPS end of the Internet connection, and then reported back the totals. Fidlar alleges that LPS mimicked that program's Internet requests to retrieve thousands of documents without reporting the transactions. Doxpop takes a different approach. We count the copies as they leave the server on our end of the connection. It's like the difference between the electric company reading a meter on the outside of a house themselves or putting the meter inside the house & asking the customer to report the readings. We keep the metering on our side of the wall.
  • Second, there is legal protection. Doxpop executes a contract with each Recorder we work with that makes us responsible for paying all copy fees for documents obtained through our service. If this had happened to one of our partner Recorders, we'd have paid the Recorder in full for all fees due, and it would be up to us to go after LPS for our losses. This is a simple fix that every county should consider implementing immediately. A good vendor should be willing to protect their local government partners from loss. (That's also what keeps us watchful; We'll be the losers if we screw up.)

Nobody knows what the next exploit might be, but we believe this two-pronged approach of taking care to prevent breaches and then additionally taking responsibility ourselves if a breach occurs is the right way to protect the public officials we work with from whatever the future holds.
  

10 comments:

Anonymous said...

Is the $1 copy fee per page a discretionary charge, or "required" by state law? The law may have been altered since I last reviewed it, but my understanding was that Indiana local officials (including clerk, recorder) can charge up to $1 per copied page in order to reimburse the time and materials taken by employees to produce the copies at their respective offices. Printing your own copies at home would not appear to fall into this distinction, or be appropriately covered in the the current legislation. I do understand Recorders who are keen to protect their "revenue" streams when budgets might be tighter than they once were, though I am not certain that the copy fee legislation was designed to provide them with a stream of income, more that it was intended to reimburse expenses. Interested in your thoughts on this point. Thanks.

Nick Fankhauser said...

Recorders are different from other offices. You are correct that in general, other elected officials *may* charge a fee to cover time & materials, but the amount is left to the discretion of the local office holders. However, there is a separate statute specifically for Recorders that requires them to charge this fee. That particular statute was written when $1 per page was clearly well above the direct costs, and is in the same section where recording fees are established, so it is clear that the legislature's intention was to provide fee-based funding for this office.

Nick Fankhauser said...

If you're really curious, you can find this fee in the Indiana Statutes: IC 36-2-7-10(b)(5)

https://iga.in.gov/legislative/laws/2014/ic/titles/036/articles/002/chapters/007/

Anonymous said...

Ok, thank you for the information. I have done a little further research and discovered that a St Joseph county judge has recently written in an order denying LPS's motion for judgment on the pleadings that IC 36-2-7-10(b)(5) refers to copies furnished directly by the Recorder, and it is the court's opinion that this statute cannot be properly used as a basis for setting fees for electronic copies. The separate statute covering fees for enhanced access apparently says that: [T]he Recorder may charge the individual receiving access a "reasonable" fee to either the third party to a contract or to the public agency, or both. 5-14-3-3.6(e) It appears to come down to what is considered "reasonable", and the court was not willing to rule on this point at the pleadings stage of the case. I'm not commenting on the legality of what LPS has allegedly done, but it has thrown the spotlight on the Recorder fee issue, which is of interest to me, and I thank you again for alerting me to this case. I will be watching with interest to see how it develops!

Anonymous said...

Apologies, it was not a St Joseph county judge, it was a Federal judge. St Joseph county was the Plaintiff in the case.

Nick Fankhauser said...

Yes, this is interesting. On the one hand, I personally think every public record should be freely available, but since the Indiana legislature chose to fund their offices with fees, we certainly can't fault the Recorders for protecting that revenue stream. They didn't write the rules, but they are forced by the rules to regard their records as a revenue source. I believe the Recorders would be much happier with the situation if their offices were simply adequately funded by tax revenue... but I don't see the legislature replacing fees with higher taxes any time soon. In fact, the courts are already headed in the other direction, adding fees to fund their projects.

Anonymous said...

the recorders office has no way of knowing how many copies are made on doxpop,so when not if the system gets hacked the only way for the recorder to know is by assuming doxpop will tell them and they will accurately tell them how many copies were made,so the doxpop paying for these are totally at there discretion,the fox is guarding the hen house,why trust a company that sells hoosier real estate records to India,they say they don't but I know for a fact that national title companies have India divisions,what do you think they are doing over there,how un american is it to outsource hoosier jobs to India

Nick Fankhauser said...

Actually, Doxpop pays to have a CPA firm make random purchases from our database throughout the year without telling us and then independently verify that all purchases were paid for with the Recorders. We do this at our own expense because although we like to think we're not foxes, we agree that a third party should be guarding the henhouse. As far as I know no other company handling public records for Indiana Recorders takes this step to ensure integrity. (BTW... getting a little tired of talking to "anonymous"... care to give me a name so we can talk about whatever grievance induces you to troll our blog?)

Nick Fankhauser said...
This comment has been removed by the author.
Nick Fankhauser said...

Sorry- missed the India reference in my last response to Mr. anonymous. Seems as if the concern is that Doxpop has somehow moved the job of anonymous to India. That's an complex issue to address, since we don't know what anonymous does for a living. Our company is based in Indiana. Twelve of our fifteen employees live in Indiana and the other three are in other states. (United States, that is.) It *is* true that anyone in the world can use our service, and the last time I checked, about 1% of our traffic comes from India, so that's a pretty small amount, but I'll grant that it exists. Of course we don't employ any of those people- They are probably employees of some other US firm that outsources. Seems like your beef should be with the people doing the outsourcing, not us. As always, hoping you'll find the courage to identify yourself so we can have a real conversation.