-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Optical Society of America's peer-review system can leaks reviewers' usernames

Hi,

the Optical Society of America uses an article tracking
system called "Prism" [1] to manage the submissions of
authors and the comments of the reviewers. Reviewers
can upload their reviews as MS Word or PDF documents.

Under certain circumstances, when an MS Word document
is converted to PDF on the reviewer's computer, the
username of the reviewer is embedded into the XMP
metadata of the resulting PDF document as a dc:creator
element. However, the article tracking system does not
seem to know about XMP metadata in PDF documents and only
clears the author field in the regular PDF metadata, thus
leaving the dc:creator field for the author of the reviewed
paper to see, potentially revealing the reviewer's identity.
Note that a malicious reviewer could of course easily fake
the user name field.

Since the leak can only be seen when a paper is submitted
and reviewed, I could not do a study on how many reviews
are affected.

Best regards,

Peter Wiedekind

[1] https://prism.opticsinfobase.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJT7FcLAAoJEFp1Vtbf4jqrFccP/i6DqARZWVU6VX4Ivmnl9ZKy
X5Qrg/M36E5zz1lPm9TZxlA7K1A1vU+scUr1sxPTmex/SUOP9SNStsEuPGukiCvr
n3kj2Ueeyb+lNChlqCKR66klPwyYmCwRMFGovOQ3zIU4TLv9LtxQdUKKCgN7MrXB
BvCFEeAr1Epy+AlU2436+mTu5Wg7GIdvATo+uw2MvOUwRGim94N0E57/VMFQ2Ucy
+WQRQWpLHER229XY5IzE0HXr6Od7wXhVmzqosLMESt+JZ6RqbFlEtrm2iMJm/Kjc
D8RNmrhIPPb6Ax3S4LoB+Tef0vPKqQdOfPOX5KHIZNloawgFyyD83i3roQd5YYmN
o7wdcgm/Z/OthXd1N8X0yxNi8Y06A+88xWLAUGyL5O+WPg/dboMkkqidnmGQDX2K
ZSpbm0Sz17QW1TXNOMUhsvkaiKVEt52CtOsPpFFVDQZ/UTVBC3Dj3uV7CsFsMaPs
7CxUo7KwJPR8jVKHSAcuK8/DYJp2+eQu6zU+9FoHY1TjgxeWdDP6sA8LhmS6ZkJ+
PtWZrhrduVegbxSzBB1HUskARCPWGzMJ+RuFsLyBBedoGiaCmG2Z3MLb66v+uTl3
LUEJexOLK1LiBPZVoWNpgllhTsxWO+MLfNU9JWkCzqd+KBEoRWEhh/1zBzTuYd0Q
V2Cs+VjY4H4J07s5Frlq
=fPRH
-----END PGP SIGNATURE-----