Some Thoughts on Security During Publishing

The publication workflow for an accepted manuscript with academic publishers can contain security flaws. Some journals can have been tightening up security in their publication processes during the last few years. In general, the measures taken are quite reasonable and are a “good thing”. Sometimes they are flawed, fulfilling one function while providing opportunities for the process to be abused by the unscrupulous.

Confirming authorship

An outwardly sensible idea has been to ask individual authors to confirm that they have contributed to the paper and are, indeed, authors. One mechanism used by some journals is to have authors confirm their ORCID. Publishers, however, will do this at different points in the publishing workflow. One journal might have authors confirm their ORCIDs when a paper is submitted for review, for example, while another might only verify authorship when the camera ready copy of an article is submitted. In the variants of this process I have experienced the workflow for authors other than the lead author is the same. An email is received from the journal requesting the author confirm authorship by connecting their ORCID to the paper. In the first scenario, where the paper is submitted for review, this is not a problem. In the second scenario, the journal does not often supply a copy of the camera ready paper author, so essentially the author is asked to confirm authorship of a document the publisher trusts that they have seen and approved. And this is an opportunity for the unscrupulous.

Imagine, if you will, a group of authors who have differing opinions (unsurprisingly, this is almost always true), where the first author sends out a draft for proofreading on a Thursday evening, for example, and tells the co-authors to submit any corrections by Friday lunchtime, so the final article can be submitted before the end of the working day. Other authors submit changes, mostly small, maybe a few more critical. Suppose, the first author acknowledges the emails and promises to make whatever changes are requested. Subsequently, they make some selective changes, and ignore the more important revisions they had promised to make. The revised manuscript is submitted to the publishers on Friday evening, but not sent to the other authors. On Monday morning, the other authors receive an email from the publisher asking them to confirm authorship. To all intents and purposes the authors are asked to confirm authorship of a paper that they have not seen. The first author could have submitted anything. In this latter workflow, the publisher’s side of the workflow is satisfied, but dependent on trust between the authors. If an unscrupulous first author wants, they may exploits that trust relationship. The publisher could revise the process so that authors, other than the first author, verify authorship after inspecting the camera ready article submitted to the publisher.

Making mischief too easy – maybe

Similarly, another potentially flawed workflow provides an opportunity for the unscrupulous.

A few years ago, a journal submission was butchered following acceptance by the publisher’s typesetters, who, while editing the LaTeX to follow the journal’s style guide, introduced a lot of typos, messed up the reference list, and made a few “corrections”. Fixing the problems took at lot of work and emails.

Since then, the journal has modified their workflow so that the publisher’s typesetters complete their task, and the authors are allowed access to the LaTeX source of the accepted article. Well, the corresponding authors. Now, suppose there is only one corresponding author – what mischief might they get up to? Presumably, revisions are checked by the publisher as the LaTeX source is in version control. But who does the checks? Who approves revisions? And what is checked? For example, would minor textual revisions be checked? Perhaps the meaning of statement changed by removing or introducing negation might be possible and survive the checking process. Maybe conjunction could be changed to disjunction? Or perhaps, terms might be removed from a CRediT statement, or uncomplimentary ones added?

As above, a checking process involving all the authors might be appropriate. It would require additional work, and most likely be unnecessary in most cases, but may save some blushes.