“Venmo is finally getting the message that maximum publicity in the financial app is a terrible idea,” says Kaili Lambe, a senior campaigner at the Mozilla Foundation, a non-profit organization that focuses on openness and Internet access. “However, from the beginning, we call on Venmo to be private by default, because so many Venmo users don’t really know that their transactions are public around the world.”
A Venmo spokesman said the company did not plan to consider making transactions private by default at this time. This means that users will still have to do their best to make sure that each of their peer-to-peer transactions is not broadcast to the rest of the world. It is difficult to see the benefit of maintaining the status quo.
“You’re thinking about a lot of really sensitive use cases,” Gebhart says. “Think of therapists, think of sex workers. You are thinking of the President of the United States. It doesn’t take a lot of imagination to imagine places where these given tasks could go horribly wrong and cause real harm to real people.”
The implications of Venmo’s public-by-default attitude took place even after the discovery of Biden’s account. In 2018, privacy advocate and designer Hang Do Thi Duc used Venmo’s public API to sort through over 208 million transactions on the platform, assembling alarmingly detailed portraits of five users based solely on their in-app activity. The following year, programmer Dan Salmon wrote a 20-line Python script that let him scrape millions of Venmo payments in a few weeks.
Venmo has since set limits on the speed at which you can access transaction data via the public API, but Salmon says the company has not gone far enough. “Venmo basically had a fire chamber that I could connect to with transaction data,” he says. “Now that it’s cut off, transactions still exist; it will only take a few more steps to pick them up.” He says it would take about an hour to make a new scraping tool.
“At Venmo, we routinely evaluate our technical protocols as part of our commitment to platform security and the continuous improvement of the Venmo experience for our customers. Scraping Venmo is a violation of our terms of service and we are actively working to limit and block activities that violate these policies,” Venmo spokesman Jaymie Sinlao said in a statement sent by email. “We continue to provide selected access to our existing APIs for approved developers to continue to innovate and upgrade on the Venmo platform.”
Venmo is far from the only application that makes you opt out of sharing rather than actively opt in. But since its use case is purely financial, the stakes are much higher and the assumption about its users is potentially wrong. Venmo itself has not made it particularly easy for users to tell what they are or are not sharing; in 2018 it reached a settlement with the Federal Trade Commission linked in part to confusing privacy settings.
“It’s anecdotal that people are very surprised to discover that a financial services application is by default public,” says Lambe of the Mozilla Foundation. “Even people who have been using Venmo for years may not know that their settings are public.”
To make sure yours aren’t public going forward, head to Settings > Privacy and select Private. Then tap Past transactions and tap Change everything to private to lock things up retroactively. And while you’re at it, go ahead and tap Friends list, then tap Private and turn off Appear in the friends list of other users. Otherwise, you share the digital equivalent of a credit card purchase with everyone you know and many people you don’t know. Or consider using something like Square’s Cash App instead, which is private by default.
Losing the global feed is an important step towards privacy for Venmo and its users. We hope that more steps will follow.