I’m off to attend the annual meeting of the American Psychological Association (APA) in San Diego today, but before I go, I do have two APA-related news items to post. The first is about the APA’s social networking application it deployed for this year’s convention, called InPsych. It’s a great idea with one fatal flaw that makes it not only something I suggest you avoid, but something I recommend the APA disable access to immediately.
The idea behind the social networking app is a good one — help people plan their convention schedule and meet up with other psychologists or psychology students while in San Diego. It’s a big convention with over 10,000 attendees every year, so it’s nice to have some way of keeping the information organized and at your fingertips.
Sadly, however, the APA outsourced this application to a third party, and in doing so apparently either never reviewed how the application handles logins and security, or reviewed it and decided that exposing members’ personal information to anyone who’s interested in it is acceptable. Anyone can log in to your account and view all of the personal information the APA has on file for you (your mailing address, phone number and email address). If you’ve already filled out the demographic form or selected the talks you’d like to attend, they can view that information too.
All of it is available by entering a 4- or 5-digit code (or any 4 or 5 digits) to log in, with no password at all. That’s right: the only credential is the same 4- or 5-digit code that is helpfully printed on the front of everybody’s convention badge.
We all use social networking websites every day. We’re used to being asked for a username (or email address) and a password. This is a standard, tried-and-true security model that works surprisingly well. To assess, pay for, review and then deploy a social networking application that doesn’t use even the most minimal security methods to protect each individual’s personal, private information reflects poor judgment on the part of the American Psychological Association. In 15 years of doing online consulting for firms, I’ve never seen a more ridiculous security method for a login.
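To make the difference concrete, here is a small model of the two login designs: the badge-only scheme the post describes, and a badge-plus-random-password scheme of the kind the APA later adopted. This is an added example written for this page, not InPsych’s or the vendor’s code; the registrant records, badge numbers, the PBKDF2 parameters and the five-attempt lockout are assumptions chosen for illustration.

```python
"""Model of a badge-only login versus a badge-plus-password login.

Constructed example, not the vendor's code. In the weak design the badge
number printed on the attendee's badge is the entire credential, so the
whole 4/5-digit space can be walked and every profile harvested. In the
fixed design each registrant also gets a random password (delivered out
of band), stored as a salted hash and checked with a constant-time compare.
"""
import hashlib
import hmac
import os
import secrets

BADGE_DIGITS = (4, 5)  # badge numbers are 4 or 5 digits (assumption from the post)

# Constructed sample registrants; names and contact details are fictional.
REGISTRANTS = {
    "1234": {"name": "A. Attendee", "email": "a@example.org", "phone": "555-0100"},
    "98765": {"name": "B. Attendee", "email": "b@example.org", "phone": "555-0101"},
    "4321": {"name": "C. Attendee", "email": "c@example.org", "phone": "555-0102"},
}


def badge_space_size():
    """Number of candidate badge numbers an attacker has to try at most."""
    return sum(10 ** n for n in BADGE_DIGITS)  # 10,000 + 100,000 = 110,000


# --- Weak design: the badge number is the whole credential -----------------
def login_badge_only(badge):
    """Returns the full profile for any badge number that exists."""
    return REGISTRANTS.get(badge)


def harvest_by_enumeration():
    """Walk every 4- and 5-digit value; each hit yields a complete profile."""
    found = {}
    for n in BADGE_DIGITS:
        for i in range(10 ** n):
            badge = str(i).zfill(n)
            profile = login_badge_only(badge)
            if profile is not None:
                found[badge] = profile
    return found


# --- Fixed design: badge + random per-registrant password --------------------
def _hash_password(password, salt):
    # Iteration count is an illustrative value, not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def issue_passwords(registrants):
    """Generate the random password each registrant would be e-mailed.

    Returns (stored credentials, plaintext passwords); the plaintext
    exists only to be sent to the registrant and is never stored.
    """
    creds, plaintext = {}, {}
    for badge in registrants:
        pw = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        creds[badge] = (salt, _hash_password(pw, salt))
        plaintext[badge] = pw
    return creds, plaintext


MAX_FAILURES = 5  # assumed lockout threshold
_failures = {}


def login_with_password(badge, password, creds):
    """Authenticate a badge/password pair; lock the badge after repeated failures.

    The badge space is still tiny and public, so a guess limit per badge is
    what keeps an attacker from brute-forcing the password for each badge.
    """
    if _failures.get(badge, 0) >= MAX_FAILURES:
        return None
    record = creds.get(badge)
    if record is None:
        _failures[badge] = _failures.get(badge, 0) + 1
        return None
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        _failures.pop(badge, None)
        return REGISTRANTS[badge]
    _failures[badge] = _failures.get(badge, 0) + 1
    return None
```

Note the trade-off the lockout introduces: because badge numbers are public, anyone can lock a registrant out by deliberately failing five times against their badge, so a real deployment would pair the counter with a self-service reset rather than a permanent lock.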
The login number on the badge is in the lower left-hand corner. I stumbled upon this problem solely by accident, because there are two 4-digit numbers on my badge and I entered the wrong one at first. It wasn’t my profile! Oops.
When contacted regarding this issue, the APA didn’t have much to say. In the midst of preparing for their biggest event of the year, it was hard to get someone to comment on this issue. A spokesperson for the American Psychological Association noted, “the vendor providing this application was unable to accept the single sign-on usernames and passwords we use on the [main APA] website. In the future, we will look for vendors that can accommodate this requirement.”
A good idea — enabling social networking for convention goers — gone horribly awry by not requiring a password and printing the login information for every attendee on their public name badge!
My recommendation is to log in once, remove all of your personally identifiable information (fill in “NA,” since it requires the fields to be filled out), and then log out and don’t use the application again. Furthermore, the APA should disable access to the InPsych application immediately until they fix this problem: this year, not next.
I’m sorry, but my personal information is private and I’d like to keep it that way.
Tomorrow, I’ll discuss how the APA is using an undisclosed technology to track your attendance at the convention.
In light of Dr. Grohol’s posting, APA has changed the way our convention-goers can access this social media application. Badge numbers will no longer provide access. The only way registrants can access the site is by entering the randomly generated password each was sent in a confirmation e-mail. If registrants can’t remember their password, they can go to the InPsych landing page and send an e-mail requesting that it be sent to them again.
Thank-you, Dr. Grohol, for pointing out this possible security issue. Our intent was to make it easy for registrants to access the site but we appreciate the privacy concerns he raised.
Cordially,
Kim I. Mills
Associate Executive Director
Public & Member Communications
American Psychological Association
Thanks. While this may take registrants an extra step, it’s an extra step that ensures their personally identifiable information is held in confidence and cannot be readily accessed by anyone interested.
This fixes the problems discussed in this article, and InPsych is now once again safe to use by attendees.
Well done John for pointing this out, and well done Kim and the APA for fixing this so quickly.