“Venmo finally got the message that maximizing publicity for a financial app is a horrible idea,” says Kayleigh Lambie, chief campaigner at the Mozilla Foundation, a nonprofit focused on openness and accessibility on the internet. “However, from the start, we have been calling for Venmo to be private by default, because many Venmo users don’t actually know that their transactions are public to the world.”
A Venmo spokesperson said the company has no plans at this time to consider making these transactions private by default instead. This means that users will still need to go out of their way to make sure that every peer-to-peer transaction is not broadcast to the rest of the world. It is hard to see the benefit of maintaining the status quo.
“You’re thinking of a lot of really sensitive use cases,” Gebhart says. “You think of therapists, you think of sex workers. You think of the President of the United States. It doesn’t take a great deal of imagination to imagine where these default settings could go horribly wrong and cause real harm to real people.”
The repercussions of Venmo’s public-by-default stance go far beyond the discovery of Biden’s account. In 2018, privacy advocate and designer Hang Do Thi Duc used Venmo’s public API to sort through nearly 208 million transactions on the platform, piecing together alarmingly detailed pictures of five users based on their app activity alone. The following year, programmer Dan Salmon wrote a 20-line Python script that let him scrape millions of Venmo payments in a matter of weeks.
Since then, Venmo has restricted the rate at which you can access transaction data through its public API, but Salmon says the company hasn’t gone far enough. “Venmo had a fire hose that I could call for transaction data,” he says. “Now that that has been cut, the transactions are still in place; it will take a few more steps to get it going.” He says it will take about an hour of work to build a new scraper.
“At Venmo, we routinely evaluate our technology protocols as part of our commitment to platform security and continuous improvement of the Venmo experience for our customers. Venmo scraping is a violation of our Terms of Service, and we are actively working to reduce and block activity that violates these policies.” “We continue to enable specific access to existing APIs for certified developers to continue innovating and building on the Venmo platform.”
Venmo is not the only app that makes you opt out of sharing rather than actively opt in to it. But since its use case is exclusively financial, the risks are significantly higher, and its users’ assumptions are likely to be misplaced. Venmo itself hasn’t made it easy for users to decide what to share or not to share; in 2018 it reached a settlement with the Federal Trade Commission related in part to confusing privacy settings.
“People are often very surprised to find that the financial services app is available to everyone by default,” says Lambie of the Mozilla Foundation. “Even people who have been using Venmo for years may not know that their settings are public.”
To make sure you aren’t sharing publicly, head over to Settings > Privacy and choose Private. Then press Previous Transactions, and press Change all to private to lock things up retroactively. And while you’re at it, go ahead and tap Friends List, then tap Private and switch off Appear in other users’ friends list. Otherwise, you’re sharing the digital equivalent of your credit card purchases with everyone you know, and plenty of people you don’t. Or consider using something like Square’s Cash app instead, which is private by default.
The loss of the global feed is an important step towards the privacy of Venmo and its users. Hopefully more steps are yet to come.