Optical Society of America's peer-review system can leak reviewers' usernames
Hi,
the Optical Society of America uses an article tracking
system called "Prism" [1] to manage the submissions of
authors and the comments of the reviewers. Reviewers
can upload their reviews as MS Word or PDF documents.
Under certain circumstances, when an MS Word document
is converted to PDF on the reviewer's computer, the
username of the reviewer is embedded into the XMP
metadata of the resulting PDF document as a dc:creator
element. However, the article tracking system does not
seem to know about XMP metadata in PDF documents and only
clears the author field in the regular PDF metadata, thus
leaving the dc:creator field for the author of the reviewed
paper to see, potentially revealing the reviewer's identity.
Note that a malicious reviewer could of course easily fake
the user name field.
Since the leak can only be seen when a paper is submitted
and reviewed, I could not do a study on how many reviews
are affected.
Best regards,
Peter Wiedekind
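
The gap described in the message above, sketched as an added example (not part of the original post and not Prism's code): a file whose regular /Author field has been cleared can still carry dc:creator in its XMP packet, so a sanitizer has to check and scrub both. The function names, the sample username and the PDF fragment are constructed, and the sketch assumes the XMP packet is stored uncompressed and uses the usual dc: prefix.

```python
import re
import xml.etree.ElementTree as ET

DC = "{http://purl.org/dc/elements/1.1/}"
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
XMP_RE = re.compile(rb"<x:xmpmeta.*?</x:xmpmeta>", re.S)
CREATOR_RE = re.compile(rb"<dc:creator\b[^>]*>.*?</dc:creator>", re.S)

# Constructed fragment (not a complete PDF): the Info /Author entry has
# already been cleared, but the XMP packet still names the creator.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Title (Review) /Author () >> endobj
2 0 obj << /Type /Metadata /Subtype /XML >> stream
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/">
   <dc:creator><rdf:Seq><rdf:li>jdoe-example</rdf:li></rdf:Seq></dc:creator>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end="w"?>
endstream endobj
"""

def info_author(pdf):
    # Value of the regular (Info dictionary) author field, "" if absent or empty.
    m = re.search(rb"/Author\s*\(([^)]*)\)", pdf)
    return m.group(1).decode("latin-1") if m else ""

def xmp_creators(pdf):
    # Every name listed under dc:creator in any XMP packet found in the file.
    names = []
    for packet in XMP_RE.findall(pdf):
        root = ET.fromstring(packet)
        for creator in root.iter(DC + "creator"):
            names += [li.text for li in creator.iter(RDF + "li") if li.text]
    return names

def scrub_xmp_creators(pdf):
    # Blank each dc:creator element with spaces of equal length, so stream
    # lengths and cross-reference offsets in the file stay unchanged.
    return CREATOR_RE.sub(lambda m: b" " * len(m.group(0)), pdf)

if __name__ == "__main__":
    print("Info /Author  :", repr(info_author(SAMPLE_PDF)))
    print("XMP dc:creator:", xmp_creators(SAMPLE_PDF))
    print("after scrub   :", xmp_creators(scrub_xmp_creators(SAMPLE_PDF)))
```

A compressed or encrypted metadata stream would not match these byte patterns and needs a PDF library to decode it before the same check can run.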