Twitter bots are running amok with your public Venmo data

Twitter bots are running amok with your public Venmo data

A data expert by the name of Hang Do Thi Duc recently exposed a problem with Venmo’s privacy settings, they’re public by default. For those who didn’t know that, Hang’s the angel on your shoulder trying to keep you safe. And, if you look to your other side, you’ll see the devil in the form of a bot that tweets the names and faces of Venmo users who are referencing drugs and sex in their transactions.

Joel Guerra, the human behind the bot, wanted to “demonstrate how much data Venmo was making publicly available with their open API and their public by default settings and encourage people to consider their privacy settings,” according to a report from Motherboard.

And, in the spirit of fairness, the method he chose to demonstrate his point seems like it would be an effective one. Where Hang’s work, which we wrote about earlier this week, uses anonymized data and clever visualizations to show how a person’s public data could be exploited, Guerra sort of rubs people’s face in it like a dog who’s pissed on the rug.

The above Tweets are a few examples from the bot’s account that don’t contain a pic. But even without one, there’s clearly enough information here for someone who knows these two people mentioned in each Tweet to make some educated guesses.

There’s nothing incriminating about using a pill emoji, or claiming your payment is for “not drugs,” on Venmo, like one of the account’s tweets shows. And since the data is all public, there’s nothing illicit about creating a bot to exploit the data either. But, there should be some concern that it’s probable at least some of these people are oblivious their names and faces are on Twitter being associated with drugs.

To be perfectly clear here, we are not saying Guerra did anything wrong, nor are we questioning his intentions. In a way, it’s a boon that we have two contrasting examples of the same point. Because it’s a segue into the bigger issue of what the ethics surrounding public data really are.

The problem is that Venmo’s user transactions are displayed within a feed in the app, this is part of the Venmo experience and why the company compares its product to a social media network. Unfortunately, many of its users don’t think of it like they would Facebook or Twitter – they consider it a way to conduct financial transactions.

It’s not unreasonable for someone to assume that what they say in the Venmo app should stay in the Venmo app, at least by default. So, while someone might think it’s funny to send their buddy a payment for “the best meth I’ve ever had” as a joke — assuming the person Guerra’s bot outed for that was joking — they may not want everyone on Twitter seeing the comment out of context with their name and face next to it.

Caring about your personal data isn’t about having something to hide. Maybe you’re an abuse victim who’d be in harm’s way if your ex found out where you were. If you didn’t know that Venmo’s public data attached your name and face to your transaction, or weren’t aware it was public by default, you may not know to avoid saying something that could peg your location to someone else’s — Venmo’s public data contains Facebook profiles, after all.

It would be nice if companies were not only more transparent up front, but actually took steps to ensure that your information was private by default, with the option to set it public, and a warning for those who do.

We should definitely all double-check our settings, but after we do that let’s start asking these technology companies why our privacy isn’t their first priority.

Read next: Zuckerberg says Facebook doesn't decide truth. He's right.