mdlbear: (wtf-logo)
[personal profile] mdlbear

If you're using the popular social/money-transfer phone app Venmo, check your privacy settings!! It seems that the default is that every transaction you make is public! It is difficult for me to express just how broken this is. In case you're having trouble grasping the implications, just go to PUBLIC BY DEFAULT - Venmo Stories of 2017. There you will find profiles of five unsuspecting Venmo users -- one of them is a cannabis retailer -- whose transactions were among the over two hundred thousand exposed to public view during 2017.

The site is a project of Mozilla Media Fellow Hang Do Thi Duc. She has some other interesting things on her site.

It's worth noting that Venmo is owned by PayPal, and that, according to a PayPal spokesperson quoted in this article on Gizmodo, the public-by-default nature of person-to-person transfers (person-to-business transactions are private) is apparently a deliberate feature, not a bug.

“Venmo was designed for sharing experiences with your friends in today’s social world, and the newsfeed has always been a big part of this,” a company spokesperson told Gizmodo, asserting that the “safety and privacy” of its users is a “top priority.”

Yeah. Right.

Here are more articles at The Guardian, Lifehacker, and CNET.

"We make it default because it's fun to share [information] with friends in the social world," a Venmo representative told CNET Friday. "[We've seen that] people open up Venmo to see what their family and friends are up to."

Because it's fun. Kind of puts it in the same category as other "fun" things like cocaine, binge drinking, and unprotected sex, doesn't it?

This has been a public service announcement from The Computer Curmudgeon. With a tip of the hat to Thnidu.

Date: 2018-07-21 04:48 am (UTC)
stardreamer: Meez headshot (Default)
From: [personal profile] stardreamer
There's another ongoing issue with PayPal and Venmo, which I discussed here after it bit me last year. In brief: there's a backdoor access from one entity to the other, which got leaked and thieves are using it to drain the accounts of people who have a PayPal debit card.

I had never heard of Venmo prior to getting hit with the theft attempt, and as you can imagine, that made me unwilling to have anything to do with it.

Date: 2018-07-29 09:31 pm (UTC)
johnpalmer: (Default)
From: [personal profile] johnpalmer
I'm glad I left PayPal when they changed their privacy policy to "we're allowed to use any phone number you give us, or that we think might be yours, to contact you." When I told them why I was quitting, they said "we'll only use it in ways you choose."

See, if you are going to get consent, you don't need to demand *blanket* consent. You can just get consent, and log it. Simple. If you need to demand blanket consent, you're planning to cheat.

(I hate using "consent" in that context in one sense - there's all kinds of sex-based jokes that I'm starting to realize are far less funny than I once thought. In the other sense, though, it fits with a sense of dominance-based behavior.)

More directly: geez, this is *precisely* the Cambridge Analytica Epic Facebook Fail, writ differently, and one of the reasons I'm glad I'm a privacy fetishist.

Date: 2018-07-21 05:28 am (UTC)
archangelbeth: An anthropomorphic feline face, with feathered wing ears, and glasses, in shades of gray. (Default)
From: [personal profile] archangelbeth
Yikes!

I'm glad I don't have a Venmo thing. (Or a PayPal Debit card!)

Date: 2018-07-21 09:47 am (UTC)
madfilkentist: Photo of Carl (Default)
From: [personal profile] madfilkentist
Ack! This is the first I've heard of Venmo. To me, the question is not so much why anyone would combine a payment app and a social network as why anyone would touch such a thing.

Date: 2018-07-21 06:44 pm (UTC)
kyleri: (Default)
From: [personal profile] kyleri
...well THAT'S a terrible idea.

Date: 2018-07-22 08:04 pm (UTC)
dreamshark: (Default)
From: [personal profile] dreamshark
Thank you for the reminder! I enrolled in Venmo last year because it was the only way I had handy to transfer money to a millennial-aged family member. I noticed the default setting at the time, was appalled, and promptly changed it. I intended to delete my account once the money transfers were done, but forgot about it. I didn't realize it was linked to PayPal, which I use regularly. Ack. I have deleted my Venmo account. I think. More likely I just deactivated it, but it's still lurking there like a cancer. I have no idea how to verify that it is deleted. All I know is that I can no longer log into it. I didn't even get a confirmation message of account closure. This is truly a service that only a millennial could love. That generation seems to have an entirely different idea of privacy boundaries.
