I’m off to attend the annual meeting of the American Psychological Association (APA) in San Diego today, but before I go, I do have two APA-related news items to post. The first is about the social networking application the APA deployed for this year’s convention, called InPsych. It’s a great idea with one fatal flaw that makes it not only something I suggest you avoid, but something I recommend the APA disable access to immediately.
The idea behind the social networking app is a good one — help people plan their convention schedule and meet up with other psychologists or psychology students while in San Diego. It’s a big convention with over 10,000 attendees every year, so it’s nice to have some way of keeping the information organized and at your fingertips.
Sadly, however, the APA outsourced this application to a third party. And in doing so, they apparently either didn’t review how the application handles security and logins, or reviewed the application and thought that exposing members’ personal information to anyone who’s interested in it is okay. That’s right — anyone can log in to your account and view all of the personal information the APA has on file for you (your mailing address, phone number and email address). If you’ve already filled out the demographic form or picked talks you’d like to attend, they can view that information too.
All of which is readily available by using the 4- or 5-digit code (or any 4 or 5 digits) to log in. That’s right — that’s the same 4- or 5-digit code that is helpfully displayed on the front of everybody’s convention badge.
In light of Dr. Grohol’s posting, APA has changed the way our convention-goers can access this social media application. Badge numbers will no longer provide access. The only way registrants can access the site is by entering the randomly generated password each was sent in a confirmation e-mail. If registrants can’t remember their password, they can go to the InPsych landing page and send an e-mail requesting that it be sent to them again.
Thank you, Dr. Grohol, for pointing out this possible security issue. Our intent was to make it easy for registrants to access the site but we appreciate the privacy concerns he raised.
Cordially,
Kim I. Mills
Associate Executive Director
Public & Member Communications
American Psychological Association
Thanks. While this may take registrants an extra step, it’s an extra step that ensures their personally identifiable information is held in confidence and cannot be readily accessed by anyone interested.
This fixes the problems discussed in this article, and InPsych is now once again safe to use by attendees.
Well done, John, for pointing this out, and well done, Kim and the APA, for fixing this so quickly.