If you’ve never touched your Venmo’s privacy settings, you’ve been putting on quite the show with your finances.

A recent study, Public by Default, catalogued hundreds of millions of public Venmo transactions the service makes available for anyone to see. The study was carried out by Hang Do Thi Duc, a coder and privacy researcher based in Berlin. As hinted in the study’s title, Do Thi Duc takes issue with “Public” being Venmo’s default privacy setting. “The problem, which I think is a larger issue with many apps, is that Venmo is set to the least private option by default,” the privacy researcher said over the phone. “I don’t think many are aware that anybody can access and collect this data. I wanted to show people how much you can learn from this kind of data from just one year of transactions.”

One public payment is harmless, but multiple can point to patterns

Many are familiar with the Venmo newsfeed that shows their friends’ transactions. A more public version exists online — by going to this site, anyone can see all of the public transactions happening at any given moment. Add in some clever code and you can save a list of all of the transactions taking place; this allowed Do Thi Duc to archive all of 2017’s public Venmo transactions. If you’ve never changed your Venmo settings, this includes all of the payments you made in 2017, too.

“In a year, I had collected over 200 million public transactions,” Do Thi Duc said. “After analyzing the transactions I was able to figure out who people are and even find them.” Do Thi Duc said the public tool hides dollar amounts, but includes first names, last names, message captions and a link to Facebook profile pictures, when available. With just a first name, last name and Facebook profile photo, Do Thi Duc was able to access much more personal data, like where Venmo users reside.

When your transaction is public, anyone can see your first name, last name and who you’re paying. The transaction data also contains a link to your Facebook photo when available, as it is on the top right. Hang Do Thi Duc/Public by Default

One Venmo payment being public is relatively harmless, but multiple being public can form patterns or be a sign of curious activity. One user Do Thi Duc spotlights has over 900 incoming payments per year with references to marijuana in the caption. Another user, she noted, ate terribly, with over 950 transactions in a year involving soda, alcohol, fast food and desserts.

Making this data, these patterns, public could come back to bite the user. “What if health insurers looked at this data?” Do Thi Duc noted during the call. “Could it affect how good a deal she gets on health insurance?” Insurance companies have been known to look at social media in the past. Having skydiving pictures attached to your online presence, for example, isn’t great.

One couple the study chronicles reveals through their Venmo activity that they own a dog, own a car, are married and often shop at Walmart and Costco. One spouse pays the other for a loan, though they’re inconsistent with the amount and when it gets paid. Now, social media doesn’t affect one’s credit score yet, but some lenders have looked into potential customers’ social media histories. Other countries like China already consider citizens’ online presence to determine their score, affecting what train tickets they can purchase, how much their energy bill amounts to and even which dating sites they can use.

“There are many implications,” Do Thi Duc said. “With this data public, you just have no idea who has access to it and who can judge you by it.” Like most things that hit the internet, once data is made public, making it private again is nearly impossible.

Venmo does offer privacy options, if you know where to look

Your transactions are public by default, but Venmo’s settings section offers options for staying private. Along with the default setting “Public,” where anyone can see who you’re trading money with, the “Private” option allows only you and the recipient to see the transaction. A third option, “Friends,” allows only your Venmo friends and friends of the recipient to see the payment. Both “Public” and “Friends” leave out the dollar amount when publicized for all to see.

Those using the “Friends” option may still find that some of their transactions have hit the public web. Navigating to Venmo.com/username (and replacing “username” with your own) allows you to see what’s out there. Thankfully for anyone concerned, the “Past Transactions” section of Venmo’s privacy settings does allow you to hide those old payments.

In an email to Mic, a Venmo spokesperson clarified the distinction between the regular privacy settings and past transaction settings. “‘Future transactions’ is a setting that sets your default privacy for all payments going forward,” the Venmo spokesperson said. “‘Past transactions’ is a tool that changes the privacy settings for transactions that you have already made. Payments become ‘past transactions’ as soon as they are completed.”

The fix is simple, but users should be protected by default

Do Thi Duc’s advice to Venmo is simple. “If you have this public API that anyone can access without logging in, then at least remove the names and Facebook URLs attached to transactions,” she told Mic.

Venmo does claim to take some steps to improve users’ privacy, though. “When people sign up, we make an effort to educate users about sharing and changing their default setting and the setting on any individual payments past or present,” a Venmo spokesperson said over email.

Until the app makes the default privacy setting more, you know, private, you can change your Venmo privacy settings from “Public” to “Friends” or “Private” to reduce worry. Make the change in the lower option, “Past Transactions,” as well for added protection.