I’m off to attend the annual meeting of the American Psychological Association (APA) in San Diego today, but before I go, I do have two APA-related news items to post. The first is about the APA’s social networking application it deployed for this year’s convention, called InPsych. It’s a great idea with one fatal flaw that makes it not only something I suggest you avoid, but something I recommend the APA disable access to immediately.
The idea behind the social networking app is a good one — help people plan their convention schedule and meet up with other psychologists or psychology students while in San Diego. It’s a big convention with over 10,000 attendees every year, so it’s nice to have some way of keeping the information organized and at your fingertips.
Sadly, however, the APA outsourced this application to a third party. And in doing so, they apparently either didn’t review how the application handles security and logins, or reviewed the application and thought that exposing members’ personal information to anyone who’s interested in it is okay. That’s right — anyone can log in to your account and view all of the personal information the APA has on file for you (your mailing address, phone number and email address). If you’ve already filled out the demographic form or talks you’d like to attend, they can view that information too.
All of which is readily available by using the 4- or 5-digit code (or any 4 or 5 digits) to log in. That’s right — that’s the same 4- or 5-digit code that is helpfully displayed on the front of everybody’s convention badge.
We all use social networking websites every day. We’re used to being asked for a username (or email address), and a password. This is a standard, tried-and-true security model that works surprisingly well. To assess, pay for, review and then deploy a social networking application that doesn’t use even the most minimal security methods to secure each individual’s personal, private information reflects poor judgment on the part of the American Psychological Association. In 15 years of doing online consulting for firms, I’ve never seen a more ridiculous security method for a login.
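To make the difference concrete, here is an added example (not code from InPsych, the APA, or its vendor) contrasting the scheme described above, where the public badge number is the only credential, with the standard username-plus-password check the post recommends. The attendee records and the password are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample data (not real attendees): profiles keyed, as the post
# describes, by the 4- or 5-digit number printed on the convention badge.
ATTENDEES = {
    "4821": {"username": "jdoe", "address": "123 Example St",
             "phone": "555-0100", "email": "jdoe@example.org"},
}


def weak_login_by_badge(badge_code: str) -> Optional[dict]:
    """The flawed scheme: the badge number, visible to anyone, is the only
    'credential'. Any value that matches an attendee returns that profile."""
    return ATTENDEES.get(badge_code)


# Hardened form: a secret chosen by the attendee, stored only as a salted hash.
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


# Password records are separate from the public badge number (constructed sample).
CREDENTIALS = {"jdoe": hash_password("correct horse battery staple")}


def login(username: str, password: str) -> Optional[dict]:
    """Return the profile only when both username and password verify.
    The badge number plays no part; compare_digest avoids timing leaks."""
    record = CREDENTIALS.get(username)
    if record is None:
        return None
    salt, expected = record
    _, actual = hash_password(password, salt)
    if not hmac.compare_digest(expected, actual):
        return None
    return next((p for p in ATTENDEES.values() if p["username"] == username), None)
```

The weak function hands over a profile to anyone holding (or guessing) a short public number; the hardened one requires knowledge of a secret that is never printed anywhere.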
The login number on the badge is in the lower left-hand corner. I stumbled upon this problem solely by accident, because there are two 4-digit numbers on my badge and I entered in the wrong one at first. It wasn’t my profile! Oops.
When contacted regarding this issue, the APA didn’t have much to say. In the midst of preparing for their biggest event of the year, it was hard to get someone to comment on this issue. A spokesperson for the American Psychological Association noted, “the vendor providing this application was unable to accept the single sign-on usernames and passwords we use on the [main APA] website. In the future, we will look for vendors that can accommodate this requirement.”
A good idea — enabling social networking for convention goers — gone horribly awry by not requiring a password and printing the login information for every attendee on their public name badge!
My recommendation is to log in once, remove all of your personally identifiable information (fill in “NA,” since it requires the fields to be filled out), and then log out and don’t use the application again. Furthermore, the APA should disable access to the InPsych application immediately until they fix this problem — this year, not next.
I’m sorry, but my personal information is private and I’d like to keep it that way.
Tomorrow, I’ll discuss how the APA is using an undisclosed technology to track your attendance at the convention.
Visit InPsych now.