Every week, I help clients establish compliance standards or perform compliance reviews on VOW and IDX websites, and the most important thing is to make sure that the MLS is treating all of its participants even-handedly. But many brokers and their agents work across MLS borders. When they face compliance reviews, they’re sometimes frustrated at the amount of variation in interpretation of the rules. How can this be addressed? There are really two approaches: (1) have fewer MLSs; (2) have less variation in MLS rules and their interpretation. While the former is happening – very slowly – the latter seems more possible in the short term.
Following are just a few examples of the many, many areas that need more clarification:
- “Any IDX display controlled by a participant must clearly identify the name of the brokerage firm under which they operate in a readily visible color and typeface.” What does “readily visible” mean, specifically? Let’s establish a standard for what degree of contrast is allowed and how it’s measured, and otherwise provide more detail around this requirement.
- “All listings displayed pursuant to IDX shall identify the listing firm in a reasonably prominent location and in a readily visible color and typeface not smaller than the median used in the display of listing data.” What exactly are the auditable criteria for “reasonably prominent” for all MLSs? The “median” requirement is a hot mess – if a few key headers and data are displayed in a 20-point font, but most of the data is displayed in a 12-point font, does the listing firm really need to be displayed at or above the median, in this case, 16 points? That’s what the rule says – rarely enforced, of course.
- “Participants are required to employ appropriate security protection such as firewalls on their websites and displays, provided that any security measures required may not be greater than those employed by the MLS.” This rule drives me crazy. First, “the MLS” as referenced in the rule has many contexts, some of which have greater security requirements than others. The security around the core MLS system itself may be very different from that used for the MLS’s consumer-facing website, a site with listings, or other products fielded by the MLS. To what does this rule refer? And what are appropriate security protections for IDX compared with VOWs?
- “Participants must maintain an audit trail of consumer activity on their website.” What needs to be in the audit trail?
I could go on for many pages, both for IDX and VOW rules. Is it any wonder that there’s variation in compliance review practices?
For VOW compliance specifically, the most variation comes in interpreting the requirement that, “a participant’s VOW must employ reasonable efforts to monitor for and prevent misappropriation, scraping, and other unauthorized uses of MLS listing information.” That’s really broad, and covers more than “web scraping,” but let’s focus briefly on that aspect of the rule.
What’s expected, exactly, when it comes to monitoring? Is it enough to log access, but not review the logs for unauthorized uses? What criteria are there for log review? What is specifically looked for? How often must logs be reviewed? Must there be alerts and, if so, for what? How must they be responded to, in what kind of timely manner? Are brokers really expected to monitor for unauthorized uses across the whole Internet? Must their site seed data with beacons to enable such monitoring? If effective methods and tools aren’t required, what does this requirement, set by the DOJ and NAR, really mean?
When it comes to actually preventing misappropriation via scraping, what standard is good enough? Some of my clients are still on an ancient standard of “rate limiting” and “CAPTCHAs” even though most of today’s scrapers have made both mechanisms completely outmoded. Today’s scrapers use sophisticated scripts (e.g., cURL), full-browser automation (e.g., Selenium or ChromeDriver), slow crawlers (fewer than 5 requests per minute), spoofed search-bot and mobile app user agents, IP addresses that can’t easily be blocked without affecting real users (dynamic consumer ISP addresses), as well as data center and cloud resources. Frankly, it’s impractical for MLS staff – or even for me – to test all of these conditions, which is why I suggest anyone providing IDX or VOW sites use commercial services that can deal with them. If a client can show me, as a compliance reviewer, that a service that addresses all of these issues is engaged and configured correctly, I can be assured that a high level of security is being met.
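To make the log-review question concrete, here is an added example (not from the author or any MLS rule) that runs two checks over a constructed access log: a per-minute rate limit and a count of distinct listings fetched per IP in a sliding window. The paths, documentation-range IP addresses and both thresholds are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

START = datetime(2024, 1, 1, 9, 0, 0)

def build_sample_log():
    """Constructed records (ip, timestamp, path); documentation-range IPs, not real traffic."""
    log = []
    # Slow crawler: a new listing every 15 s (4 requests/minute) for two hours.
    for i in range(480):
        log.append(("203.0.113.7", START + timedelta(seconds=15 * i), f"/listing/{1000 + i}"))
    # Ordinary visitor: 8 quick clicks inside one minute across 3 listings.
    for i in range(8):
        log.append(("198.51.100.20", START + timedelta(seconds=5 * i), f"/listing/{2000 + i % 3}"))
    # Ordinary visitor: 12 listings spread over an hour.
    for i in range(12):
        log.append(("192.0.2.44", START + timedelta(minutes=5 * i), f"/listing/{3000 + i}"))
    return log

def rate_limit_hits(log, max_per_minute=5):
    """IPs exceeding max_per_minute requests in any clock minute (assumed threshold)."""
    per_minute = Counter((ip, ts.replace(second=0, microsecond=0)) for ip, ts, _ in log)
    return {ip for (ip, _), n in per_minute.items() if n > max_per_minute}

def breadth_suspects(log, window=timedelta(hours=2), max_distinct=100):
    """IPs fetching more than max_distinct different listings in a sliding window."""
    by_ip = defaultdict(list)
    for ip, ts, path in sorted(log, key=lambda r: r[1]):
        if path.startswith("/listing/"):
            by_ip[ip].append((ts, path))
    suspects = set()
    for ip, hits in by_ip.items():
        seen, left = Counter(), 0
        for ts, path in hits:
            seen[path] += 1
            while ts - hits[left][0] > window:  # drop hits older than the window
                old = hits[left][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            if len(seen) > max_distinct:
                suspects.add(ip)
                break
    return suspects

if __name__ == "__main__":
    log = build_sample_log()
    print("rate limit flags:", rate_limit_hits(log))
    print("breadth flags:   ", breadth_suspects(log))
```

On this sample the rate limit flags only the ordinary visitor who clicked quickly, while the breadth check flags only the slow crawler. Keying by IP is a simplification; traffic spread across many addresses needs the same count keyed on the logged-in account or session instead.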
Our industry needs to make an effort to deal with avoidable variations in both MLS rules and their interpretation. It’s an attainable goal, but it takes work. Where should this work occur? At NAR? With CMLS?
About the Author: Matt Cohen