A Privacy Researcher Uncovered a Year’s Worth of Breakups and Drug Deals Using Venmo’s Public Data

Unless you change the settings yourself, the stuff you do on Venmo is publicly visible. “Public by Default” explores the easily accessible details of Venmo users’ lives.

Jul 17 2018, 8:00am

Image credit: Hang Do Thi Duc

When I signed up for Venmo a couple years ago, there was something very voyeuristic about sending money on a social media platform. Payment exchanges accumulate in a public feed, where people thought it was hysterical to write things like “money for drugs” or “sexual favors” for otherwise-innocuous payments. Part of the fun was that everyone else could see what you were doing (minus the dollar amounts), and who was sending money to whom. It felt a little scandalous, another baby step toward the deep end of eroding online privacy. You know, in a fun way.

Hang Do Thi Duc, a Berlin-based coder, privacy researcher, and Mozilla Fellow, questions that exhibitionist impulse—and the companies that prey on it—in her new project, Public by Default.

In 2017, according to Do Thi Duc, Venmo users sent and received 207,984,218 public transactions. By visiting a public URL, she was able to see the name, date, and message of every transaction most recently sent through Venmo.

Unless you change the settings yourself, the stuff you do on Venmo is publicly visible, and anyone can dig into the application’s public API and see what users are up to, including usernames, comments, and dates.

What Do Thi Duc found was a soap opera-worthy set of stories, with a few specifically standing out: There were what seemed to be couples fighting and flirting, sending messages along with payments and requests like “You don’t love me,” and “I’m waiting for the sugar daddy.” She watched what seemed like a drug dealer, based on tree and pill emojis, send and receive regular payments. For a married couple, she was able to piece together the specifics of their lives, complete with a dog they took to the vet, grocery trips to Walmart, and takeout dinners, down to the specific types of food they ordered.

“The moment when I went, ‘Wow this is just unbelievable,’ is when I discovered the stories of the lovers,” Do Thi Duc told me in an email. “Just the intimacy of those conversations—this was definitely not meant to be public. But that also applies to all the stories, this information shouldn’t be that easily accessible.”

Any of these interactions could be inside jokes, but gathered over enough time, they still reveal intimate connections and slices of people’s lives. A lot of the transactions seem too specific, repetitive, and mundane to be one-off jokes. Take the cannabis retailer she found doing business in California, whose transactions mentioned “weed,” “grass,” “medicine,” “CBD,” “stacked kush,” and “gorilla cookie.” She could see that he received a total of 920 incoming payments in 2017.

Then there’s a food cart operator at the University of California, who had 8,026 transactions in 2017, and whose customers preferred elote. The API showed who bought food, how often, and at what time of day.
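The kind of aggregation the last few paragraphs describe, counting a user’s incoming payments, spotting repeat customers, bucketing payments by hour of day, and flagging notes that match the drug-related terms and emoji, is easy to reproduce once the feed is in hand. The block below is an added example, not code from the original article or from Do Thi Duc’s project. The record layout (`actor`, `target`, `note`, `created_time`) is an assumption for illustration, not Venmo’s actual API schema, and `FEED` is a constructed sample, not real Venmo data.

```python
"""Aggregate a public payment feed into per-user profiles.

Added example. The record fields are assumed for illustration (not Venmo's
real API schema) and FEED is constructed sample data, not real transactions.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample feed. Field names are an assumption, not Venmo's schema.
FEED = [
    {"actor": "alice", "target": "cart_ops", "note": "elote", "created_time": "2017-03-02T12:15:00Z"},
    {"actor": "bob",   "target": "cart_ops", "note": "elote", "created_time": "2017-03-02T12:40:00Z"},
    {"actor": "carol", "target": "cart_ops", "note": "tacos", "created_time": "2017-03-03T13:05:00Z"},
    {"actor": "alice", "target": "cart_ops", "note": "elote again", "created_time": "2017-03-09T12:20:00Z"},
    {"actor": "dave",  "target": "greenguy", "note": "🌳 for the weekend", "created_time": "2017-04-01T21:30:00Z"},
    {"actor": "erin",  "target": "greenguy", "note": "CBD", "created_time": "2017-04-02T22:05:00Z"},
    {"actor": "dave",  "target": "greenguy", "note": "💊", "created_time": "2017-04-08T21:45:00Z"},
    {"actor": "frank", "target": "gina", "note": "vet for Rex", "created_time": "2017-05-10T09:00:00Z"},
    {"actor": "gina",  "target": "frank", "note": "Walmart groceries", "created_time": "2017-05-12T18:30:00Z"},
    {"actor": "frank", "target": "gina", "note": "You don't love me", "created_time": "2017-05-15T23:10:00Z"},
]

# Terms and emoji of the kind the article says stood out. A match is a
# heuristic signal for a human to look at, not evidence of anything.
DRUG_TERMS = re.compile(r"weed|grass|kush|cbd|🌳|🍁|💊", re.IGNORECASE)


def incoming_counts(feed):
    """Payments received per user (the '920 incoming payments' kind of figure)."""
    return Counter(tx["target"] for tx in feed)


def hour_histogram(feed, user):
    """Hour-of-day counts for payments sent to `user`: when the customers show up."""
    hours = Counter()
    for tx in feed:
        if tx["target"] == user:
            ts = datetime.strptime(tx["created_time"], "%Y-%m-%dT%H:%M:%SZ")
            hours[ts.hour] += 1
    return dict(hours)


def repeat_customers(feed, user):
    """Payers who paid `user` more than once, with their counts."""
    payers = Counter(tx["actor"] for tx in feed if tx["target"] == user)
    return {name: n for name, n in payers.items() if n > 1}


def flagged_recipients(feed, min_hits=2):
    """Users whose incoming notes repeatedly match DRUG_TERMS."""
    hits = Counter(tx["target"] for tx in feed if DRUG_TERMS.search(tx["note"]))
    return {user: n for user, n in hits.items() if n >= min_hits}


def pair_counts(feed):
    """How often each pair of users transacts, ignoring direction: the social graph."""
    edges = Counter()
    for tx in feed:
        edges[frozenset((tx["actor"], tx["target"]))] += 1
    return edges


if __name__ == "__main__":
    print("incoming:", incoming_counts(FEED))
    print("cart_ops by hour:", hour_histogram(FEED, "cart_ops"))
    print("cart_ops regulars:", repeat_customers(FEED, "cart_ops"))
    print("flagged:", flagged_recipients(FEED))
    print("frank<->gina:", pair_counts(FEED)[frozenset({"frank", "gina"})])
```

Each function answers one of the questions the article raises: how many payments a seller took, which customers come back, what hour they buy, and which pairs of users are tied to each other. None of it needs the dollar amounts; the usernames, notes, and timestamps that the public feed exposes are enough.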

It’s not so much the exposure of the intimate details of your life, Do Thi Duc said, but that each transaction is just one data point in a massive web of knowledge companies like Venmo are building about us. And once they know who we’re closely connected to, what we buy, and when, that’s an immensely valuable dataset for companies to use in targeting your future decisions.

“Users should definitely push for developers to build their services with the value of privacy by design!” Do Thi Duc said. “This project gives arguments why you, as a user, should care about your settings. By changing your settings, you also show the apps and services out there what your values are.”