Venmo is getting more private – but it’s still not totally safe
Venmo, the popular mobile payment service, has redesigned its app. Announcements like this are usually safe to ignore, but this one is worth a closer look. In addition to some navigation optimizations and new purchase protection measures, the PayPal-owned platform is finally discontinuing its global social feed, in which the app publishes transactions from people all over the world. It’s an important step toward solving one of the most important privacy problems in the world of apps, but the work is still ongoing.
Venmo’s global feed has been a source of voyeuristic insights into the financial habits of total strangers for years. The feed doesn’t show the amount of any transaction, but it does include names and notes, emojis, and likes. Tapping a name takes you to that user’s profile, and an enterprising busybody (or worse) could pretty quickly build a little dossier about that person’s friends, hobbies, and everything else they let slip onto the stream – perhaps without noticing how public this information can be. In the time it took to write these paragraphs, relatives reimbursed each other for Phillies tickets, someone paid for “liquid gold 😍”, and more than one roommate shared their internet bills.
The visibility of Venmo transactions and other user data has been criticized by data protection and consumer advocates for years. “This commitment to this strange part of the company, this corporate DNA of a social payment app, is a huge burden,” says Gennie Gebhart, activism director at the Electronic Frontier Foundation, a digital rights group. “It’s not a disaster waiting to happen, it’s a disaster that has happened to so many people so many times.”
The most recent and best-known case of this openness going wrong came in May, when a team of BuzzFeed reporters found President Joe Biden’s Venmo account, along with those of his family and close friends, simply by searching in the app. It took them 10 minutes.
At that point, even if your transaction history was set to private, your friends list was still open for anyone to find. That seems a little unwise for an app built around the often sensitive business of sending and receiving money. However, two weeks after the BuzzFeed report, Venmo added new privacy settings that allow you to make your contact list private in the app for the first time.
The removal of the global feed extends this work by making it harder to spy on complete strangers. Soon the social element of the app will be limited to what your Venmo contacts are up to. “This change enables customers to connect meaningful moments and experiences with the people who matter most,” the company said in a blog post announcing the redesign. While that certainly counts as progress, data protection advocates believe it doesn’t go far enough.
“Venmo is finally getting the message that maximum advertising for a finance app is a terrible idea,” said Kaili Lambe, senior campaigner at the Mozilla Foundation, a nonprofit that focuses on the openness and accessibility of the Internet. “However, from the outset we demanded that Venmo be private by default because so many Venmo users do not know that their transactions are public worldwide.”
With Venmo’s upcoming redesign, the only feed will show transactions from your friends list.
A Venmo spokesman said the company currently has no plans to make these transactions private by default. That means users still have to take steps themselves to ensure that not every peer-to-peer transaction is broadcast to the world. It is difficult to see the benefit of maintaining the status quo.
“You think of a lot of really sensitive use cases,” says Gebhart. “You think of therapists, you think of sex workers. You think of the President of the United States. It doesn’t take a lot of imagination to imagine places where those defaults could go horribly wrong and cause real harm to real people.”
The effects of Venmo’s public-by-default stance have been seen beyond the discovery of Biden’s account. In 2018, data protection officer and designer Hang Do Thi Duc used Venmo’s public API to sort through nearly 208 million transactions on the platform and compile shockingly detailed portraits of five users based solely on their activity on the app. The following year, programmer Dan Salmon wrote a 20-line Python script that could scrape millions of Venmo payments in a matter of weeks.
Venmo has since limited the rate at which you can access transactional data through the public API, but Salmon says the company hasn’t gone far enough. “Venmo basically had a firehose that I could use to connect to transactional data,” he says. “Now that that’s cut off, the transactions are still out there; it only takes a few more steps to get it.” He says it would take about an hour of work to build a new scraping tool.
Venmo is far from the only app where you have to opt out of sharing instead of opting in. However, since its use case is purely financial, the stakes are significantly higher, and the assumptions of its users may be misplaced. Venmo hasn’t made it particularly easy for users to find out what they are and aren’t sharing. In 2018, it reached a settlement with the Federal Trade Commission that partially related to its confusing privacy settings.
“Anecdotally, people are very surprised that a financial services app is public by default,” says Lambe of the Mozilla Foundation. “Even people who have been using Venmo for years may not know that their settings are public.”
To make sure yours are locked down, go to Settings > Privacy and choose Private. Then tap Past Transactions and tap Change All to Private to lock things down retroactively. And while you’re at it, tap Friends List, then tap Private and turn off Appear in other users’ friends lists. Otherwise, you’ll be sharing the digital equivalent of your credit card purchases with everyone you know and with many people you don’t know. Or consider using something like Square’s Cash app instead, which is private by default.
Losing the global feed is an important step towards privacy for Venmo and its users. Hopefully there will be more steps.
This story originally appeared on wired.com.