PayPal’s peer-to-peer payment app, Venmo, is one of the modern world’s greatest conveniences. It’s a simple way to send people money without jumping through a bunch of hoops. But what if you found out that every transaction you completed with the app was, by default, instantly uploaded to the internet for the entire world to see? You’d be upset, right?
Well, as it turns out, if you never changed the privacy settings in your Venmo account you’re sharing your transaction history with everyone.
Mozilla fellow and data expert Hang Do Thi Duc today posted a blog entry detailing her project Public By Default which, despite sounding like a sweet name for a punk rock band, visualizes some of the details a person can glean from publicly available Venmo data.
Using Venmo’s public data, she was able to track the dealings of a California cannabis salesman, observe a fighting couple on Valentine’s Day, and trace the footsteps of a married man and woman as they conducted their daily lives. None of the people her project observed – she’s changed names and details to protect their privacy – knew that anyone was gathering and organizing data on them, and her work was based on information that was sourced solely from Venmo’s public API.
Bottom line: if you use Venmo with the default settings, anyone can make a detailed record of all your transactions. And that’s a huge problem because the data doesn’t just deal with dollars and cents. Depending on what info you signed up with, your profile name, Facebook account, real name, and information about anyone you’ve sent money to or received it from, are all available publicly.
A savvy data expert can easily use this information to build a financial profile, track your habits, and make educated guesses about your lifestyle. But with enough time and effort, a more interested party – say, a pissed-off ex-lover or identity thief – can cross-reference your Venmo data with other publicly available information and, if you’re not proactively protecting your own privacy, create an incredibly accurate model of your day-to-day life.
Hang told TNW she was shocked by what she was able to find out after using Venmo’s public API to download a list of every public transaction from 2017 – a total of 207,984,218. According to her, it makes no sense for the company to put users’ personal information out there: “If you want to show a public feed within the app, you don’t have to have a public API,” says Hang.
She also told us that it’s up to the public to take control of their data:
“I don’t think you can really express how important this is. We can demand all the things we want from companies, but I feel like there has to be common awareness.”
Many people, myself included, sign up for Venmo as a reaction to a friendly request. One of our friends or co-workers will suggest the app as a simple way to send money and we, assuming that a financial transaction app features security and privacy, sign up and send/receive the money right away, none the wiser. Chances are, those of us who were introduced to the app this way are still rocking the default settings.
Luckily, the default settings can be changed and set to protect your privacy. According to the Public By Default website, here are the steps you need to take:
We reached out to Venmo for more information, and a spokesperson gave TNW the following statement:
“The safety and privacy of Venmo users and their information is one of our highest priorities. Our users trust us with their money and personal information, and we take this responsibility and applicable privacy laws very seriously. Like on other social networks, Venmo users can choose what they want to share on the Venmo public feed. The API is used to populate the public feed for Venmo’s website and the app. The API is only populating the feed with information our customers choose to make public. There are a number of different settings that you can customize when it comes to sharing your payments on Venmo.”
There you have it: Venmo treats your privacy the same as any other “social network.” And that means you definitely need to tweak the settings if you’re uncomfortable with the company revealing your personal information.
To learn more, visit the Public By Default website here, and read Hang Do Thi Duc’s blog post on the project here.