I am thrilled that the MLS Technology and Emerging Issues Advisory Board took up the task of merging IDX and VOW Policies into a unified “Listing Exchange Rules”. I had been advocating for it for a long time, and it was a subject of a panel at the 2018 MLS Executive Workshop. As a consultant assisting MLSs with IDX and VOW compliance, and who has reviewed hundreds of websites, apps, and other displays I can tell you that a rigorous review of these rules is overdue. The new draft is a pretty good starting point and has been substantially reorganized. But there is further opportunity for improvement.
What do you mean by visible and prominent?
This is an area that leads to differences in enforcement and disagreement – visibility and prominence. For example:
- 2.7 “readily visible color and typeface.” (identifying the participant)
- 2.12. “reasonably prominent location, in a readily visible color, and in a font size not smaller than the median font size used in the Display of listing data” (identifying the listing attribution)
What is readily visible? Most obvious is font size. If the address is in an 18-point font, and square feet, bedrooms and bathrooms are in a 16-point font and the rest of the listing is in a 12-point font, the median font size is 16. There is hardly a site that is compliant with the rule as written. More typically, the designer chooses the mode font size – displaying attribution in the same size font as most of the listing is in, not the median. Discuss this one and if you really mean median make sure that vendors and MLS staff know you mean it. Otherwise change this one to mode.
When it comes to visibility, color probably comes next. So many web developers play around with decreasing color contrast to de-emphasize information they don’t want read. When have they gone too far? I’d go with the same standards as needed for accessibility – WCAG 2.0 level AA requires a contrast ratio of at least 4.5:1 and level AAA requires a 7:1 ratio. Choose a level – having the committee play around with a testing tool such as https://webaim.org/resources/contrastchecker/
Once one picks an accessibility level, all the tools developed for accessibility become useful both for developers and compliance staff (and consultants). Take a cue from RESO and leverage existing standards. Than you can take language relating to visibility out of individual rules.
Finally, what is a “reasonably prominent location”? I like the language in 8.2.11 – “immediate proximity”. If you expect the attribution to be immediately proximate to the listing data, and not requiring user interaction to display (Click here for more”) just say so.
Security should re-thought, and not be optional
Section 18.3.7 “Security of Listing Information” should not be optional. How can one provide privacy (mandatory) without security? This section needs a lot of work too: A “firewall” is not enough – plenty of unconfigured firewalls meet this requirement. There’s a huge range in anti-scraping capabilities and ranging in efficacy. This section needs to be thought through, using a starting point of the business objectives before straying into requirements to meet those objectives and auditable criteria (e.g. no non-plaintext or known-vulnerable protocols for server administration, properly configured encryption for sensitive information transfer, no XSS or other major software vulnerabilities, server patched to latest version, etc.).
While on the subject of security, “password” is mentioned 9 time in this draft. Passwords are not gathered when using a social media login, which needs to be accommodated by this policy – though generalized to accommodate other identity providers. If the site does store a password, then it should be encrypted, which make some of the other requirements problematic.
And as I recently posted with more detail, password changes (Section 18.6.2) are of very limited value in this context. This is why the NIST guideline is as follows:
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
(https://pages.nist.gov/800-63-3/sp800-63b.html)
I strongly advise the committee engage additional MLS compliance staff, IDX and VOW vendors, additional real estate professionals, their technical staff, and subject matter experts in the next phase of re-drafting.