A German designer and coder has revealed that payment app (and PayPal subsidiary) Venmo has been publishing the intimate purchase details, profile pics and personal messages of users online (everything from lovers’ quarrel texts to drug deal texts to junk food purchases and purchase locations) for anyone to see.
The story was broken by The Guardian.
According to Hang Do Thi Duc’s website, Public by Default: Venmo Stories of 2018:
“On Venmo, all transactions are public by default – anyone can see them, even if they don’t use the app.”
Hang created the site to draw attention to privacy risks posed to users of Venmo if they do not deliberately change the app’s default settings to private. Almost every page of Hang’s site urges users to do so.
All told, Hang claims, the personal details associated with almost 208 million Venmo transactions were published by that company online in 2017.
To demonstrate the implications, Hang used screenshots of the Venmo-published data and emoji GIFs to create detailed lifestyle portraits, “of 5 unsuspecting humans who use the Venmo platform,” including a married California couple, quarrelsome lovers, a food cart retailer, a junk food-loving young woman and a marijuana dealer.
By studying the users’ transaction data, Hang was able to infer details like marital status and gender. In the data-based portraits she created at Public By Default, Hang redacted the names and obscured the user profile photos exposed at Venmo.com.
“This married couple (they share a last name) owns a dog and a car which they prefer to fuel at Chevron about every two weeks. They really like pizza (their favorite is from Shakey’s), but they occasionally also eat Asian and German food.”
“Our married couple is a great example of how your transactions can reveal a lot about you, including habits and routines. By far the most transactions are for grocery stores – 25 x Walmart, 19 x Albertsons and 15 x CostCo…They go shopping more than once a week, but almost never on Wednesday or Sunday.”
All that sounds innocuous enough, but what about the young “hedonistic” female with 965 junk food transactions in the past 8 months? “She might want to consider that it has become common for insurance companies to monitor social media to verify health claims,” Hang writes.
Luckily, “It’s not clear where she lives,” though transaction details indicate friends in Texas and Mexico City.
Another of Hang’s profiles shows that a marijuana dealer in Santa Barbara, California (where marijuana is legal) broadcast the details of 943 transactions in 2017, including associate social media profile pictures, before recently changing his settings to private.
From transaction details at Venmo.com, Hang was able to glean:
“…this person was male. I was also able to determine that he operates out of Santa Barbara, California. You might wonder how: some of his customers have a Facebook URL as their profile picture which includes their Facebook ID and so it was easy for me to see where some of them, and therefore (where) the protagonist of this story as well, live(s).”
Hang uncovered multiple transactions with slang words for cannabis attached:
“You probably noticed that cbd/CBD comes up a lot — 150 times to be exact. It’s the abbreviation of “Cannabidiol…Other frequent messages include delivery, order, pill…Gorilla Cookie, Stacked Kush, GDP (abbreviation for Granddaddy Purple), and God’s gift seem to refer to different strains of cannabis.”
Hang also included on her site a somewhat cringeworthy portrait of quarrelsome chat messages exchanged between lovers and unwittingly broadcast by them, including ‘Susana’ telling ‘Gonzalo,’ “Don’t give me anything,” and, “Leave me alone.”
A user attempting to sign up for the Venmo app will encounter a very long user agreement and a fairly long privacy agreement which states:
“We may share your personal information with…The other Venmo user participating in the transaction and, depending on the privacy setting of each Venmo account transaction, your Venmo friends and the Venmo friends of the other user participating in the transaction, or the public, through the Venmo feed on our website and mobile application and elsewhere on the internet.” [emphasis added]
The privacy agreement definitely does not instruct users on the importance of customizing privacy settings.
PayPal CFO John Rainey told CNBC in May that, like rival company Square, PayPal “has a vision of democratizing financial services,” is working to provide payment options to the unbanked, and hopes to establish “a footprint” in India.