Gavel image via Shutterstock.
A federal court has given real estate transaction management company dotloop Inc. permission to subpoena the California Association of Realtors, Kirkland, Wash.-based Northwest Multiple Listing Service, Instanet Solutions and Google Inc. for information regarding the identity of someone who allegedly hacked into dotloop’s computer system.
The development comes not long after a controversy erupted in June surrounding CAR’s decision to refuse to license its real estate transaction forms to dotloop, thereby prohibiting dotloop users from filling out the association’s copyrighted forms using dotloop’s software.
CAR, the largest state Realtor association in the country, cited intellectual property and security concerns in making its decision. Critics noted CAR also owns forms software provider zipLogix and is therefore a dotloop competitor.
That month, dotloop filed suit against an anonymous individual (“John Doe”), alleging he or she had posed as an administrator for one of dotloop’s biggest clients, Keller Williams, under the name “Ian Dawtnapstur” and had “unlawfully hacked into dotloop’s computer system and proceeded to unlawfully upload and download forms stored on that system.”
In their complaint, attorneys for dotloop said the intruder “unlawfully recorded and posted his unlawful activities on the Google Plus service and on a variety of other, hacker-affiliated websites,” and “unlawfully provided third parties with the means to improperly access and use dotloop’s computer system and information contained on that system.”
Those third parties remained unnamed until Aug. 27, when dotloop filed a motion seeking permission to subpoena documents and testimony for information on the hacker’s identity from CAR, NWMLS, Instanet and Google. The motion was granted the same day.
Dotloop has yet to subpoena any of the parties, but the company said each would receive subpoenas “shortly.” None of the companies have been named as defendants in the suit.
According to court filings, on or about March 16, 2013, someone fraudulently posed as an administrator for a Keller Williams “Market Center” covering Los Angeles Harbor, Calif. He or she created an account on Form Spot, a forms repository included in the dotloop portion of Keller Williams’ eEdge software platform, using the name Ian Dawtnapstur and the email address email@example.com.
In order to activate Form Spot for a Market Center, a KW administrator is required to enter the authorized administrator’s name, email address, Market Center number, and the states and state real estate associations where that Market Center does business, as well as agree to Form Spot’s terms and conditions, dotloop said. The hacker had previously attempted, unsuccessfully, to access Form Spot using two other California KW Market Center numbers.
While Form Spot keeps a log of the Internet Protocol (IP) addresses that access its system, dotloop alleges the hacker “spoofed” the IP address of his computer by accessing Form Spot through “proxy” servers with Auckland, New Zealand, IP addresses in order to “hide his location and identity and cover his tracks in connection with his unlawful activities.”
Nonetheless, dotloop alleges other parties are aware of the hacker’s identity. The company claims Brian Manson, an attorney for CAR, had admitted the trade group accessed dotloop’s system and that dotloop’s own records show an IP address registered to CAR gaining entry to the system on March 21, 2013, less than four minutes after the hacker used the same URL that CAR used for access.
“It would have been virtually impossible for CAR to have learned this URL unless it was provided by the defendant, and the timing of CAR’s access strongly indicates that the address was in fact provided to CAR by the defendant,” attorneys for dotloop said in a court filing.
In a July 18 letter, attorneys representing dotloop asked Manson to reveal the hacker’s identity. Manson replied that CAR was unaware of the actions described in dotloop’s complaint, and hadn’t found anything identifying the user referred to as firstname.lastname@example.org.
Attorneys for dotloop also sent a letter to NWMLS asking for the identity of the hacker. According to dotloop, NWMLS had previously sent the company an email with “a copy of a PDF that shows hundreds of NWMLS forms being hosted by Dotloop” and that stated NWMLS had “downloaded over 200 NWMLS forms from this site.”
Dotloop told Inman News the company removed the NWMLS forms, which had been uploaded by dotloop users, from its site.
In a court filing, dotloop said NWMLS had accessed dotloop’s system through the same KW Market Center the hacker used with the hacker’s illegally obtained login information.
When dotloop asked where NWMLS had gotten the information, the MLS responded that “someone” at dotloop competitor Instanet Solutions had given it to NWMLS CEO Tom Hurdelbrink, the filing said. An Aug. 8 letter to Instanet CEO Martin Scrocchi from attorneys representing dotloop went unanswered.
Neither Scrocchi, Hurdelbrink nor an attorney for NWMLS responded to requests for comment for this story.
A Google spokesperson declined to comment on this particular case.
“We don’t talk about individual cases to help protect all our users,” the company said in an email. “Obviously, we follow the law like any other company. When we receive a subpoena or court order, we check to see if it meets both the letter and the spirit of the law before complying. And if it doesn’t we can object or ask that the request is narrowed. We have a track record of advocating on behalf of our users.”
Dotloop CEO Austin Allison said Google was named as a third party in the case only because the unidentified hacker had a Gmail address and a Google Plus account.
On the other hand, Allison perceived the intentions of NWMLS, CAR and Instanet as less innocuous.
The hacking “appears to be a malicious and coordinated attempt between (those) multiple parties” to “disparage our name and reputation,” Allison said.
“We certainly hope that there is not a conspiracy in place with those parties and we plan to continue the action to identify the criminals,” he added.
Allison said dotloop “exists to improve the lives of real estate agents and improve the way that businesses operate” and, less than four years after launching, serves more than 3,000 real estate companies — more than any other transaction management system.
“Anytime you disrupt a mature industry like real estate, innovation and disruption is met with resistance,” Allison said.
“(CAR) has been one of those resistance points. It doesn’t make a lot of sense to me. In my mind, innovation is good for the industry.”
CAR declined to answer specific questions regarding dotloop’s litigation for this story. In a statement, the trade group said it places a high priority on protecting and respecting intellectual property, and responded promptly to dotloop’s inquiry about an unknown person accessing their system.
“CAR was unable to find anything that identifies the user of the email address they provided,” CAR said in a statement provided to Inman News. “In response to our cooperative reply, and without notice to us, dotloop obtained court permission to conduct unwarranted discovery on CAR. To be clear, CAR is not a defendant in any litigation concerning dotloop.”
“Moreover,” the trade group said, “CAR has been a leader in bringing electronic real estate forms and secure digital signatures to the forefront of the real estate industry, and as such, we only work with vendors who have the highest security standards. Consumers and Realtors are better served when other vendors focus on ensuring the integrity of their security and data before problems arise, rather than pursuing litigation after a breach.”
Allison said the anonymous hacker did not get into anyone’s individual account and no personal information was captured or available. It was Form Spot, not dotloop.com, that was hacked, he said.
“Nobody hacked into anybody’s account,” Allison said. “Whomever is behind this is behind it because their intent was to create the perception that our system is insecure.”
“What’s ironic about this is that it highlights how secure our system is” because dotloop had the logs and audit trail to take action, he said.
By making and disseminating videos showing files being uploaded and downloaded from dotloop’s computer system, the hacker was attempting to paint dotloop as a public network where documents are available to anyone, which is not true, Allison said.
“Dotloop is a completely private network akin to Dropbox or Google Drive,” he said.
When a dotloop user shares a document with someone else, the user sets permissions for that document before sharing, allowing the recipient to either view and sign the document, fill out blank fields, or modify language that appears in fields (but not the text of the document itself).
Dotloop says its users have access only to documents they own and have uploaded themselves or to content that has been licensed to dotloop to share. Users do not have access to association forms from dotloop unless an association has elected to make them available, the company said.
When asked whether the forms the hacker uploaded and downloaded were from industry groups that had declined to license their forms to dotloop, Allison said, “No, not necessarily.”
“I have no comment about the specific files that were uploaded or downloaded … but what I can tell you is that dotloop does not misuse anybody’s intellectual property,” he said. “We have partnerships or licenses with 40 state (and regional) associations.”
Dotloop users routinely upload their own content to dotloop’s system, as with any other cloud-based product, and like those products, dotloop is governed by the Digital Millennium Copyright Act (DMCA), Allison said.
Therefore, as in the NWMLS situation, “if somebody uploads anything to our system that they allegedly shouldn’t, we take action accordingly” and pull the content down, he said.
“This has nothing to do with copyright infringement. This is a criminal who is attempting to disparage our brand by committing fraud,” he added.
When asked how easy or hard it is for an individual to misrepresent themselves as a dotloop customer, as in this case, Allison said, “Well, anybody can pick up a gun and pull the trigger. If somebody wants to be a criminal they can be a criminal” and the best that a company can do is to try to make it difficult for them, which dotloop believes it has done.
Allison noted that creating an account on Form Spot is actually more difficult than creating an account on dotloop.com.
“(More) misrepresentations had to be made in this account than in a normal dotloop account. The system actually had more safeguards in place than a dotloop account,” he said.
Dotloop’s five-count complaint against “John Doe” alleges violation of the Computer Fraud and Abuse Act; unauthorized access to a computer system; trespass; breach of contract; and tortious interference with actual and prospective business relationships.
The complaint alleges “Defendant’s unlawful actions were undertaken in order to execute a scheme or artifice to defraud, deceive and/or extort dotloop, or to wrongfully control or obtain, money, property, or data.”
When asked for details on these putative wrongs, Allison said they were “just allegations until the process gets further down the road, but it appears that these actions were purely malicious.”
The complaint further claims dotloop has suffered damages, “including impairment of its systems” and losses including “costs associated with investigating Defendant’s unauthorized access and disclosure, conducting a damages assessment, taking mitigation measures, and implementing additional safety measures to prevent further unauthorized access or disclosure.”
In addition to seeking that the court award dotloop damages in an amount to be determined at a jury trial, the company requests the court award dotloop “recovery of the unjust enrichment obtained by Defendant as a result of its unlawful acts.”
Allison declined to comment on the “enrichment” referred to in the complaint.
He said the hacking did not have anything to do with an outage of dotloop’s platform in mid-August.
“Not that we’re aware of anyway. That was unscheduled maintenance,” he said.