Naked Security

EFF and Mozilla scold Venmo over app’s privacy failings

The increasingly tense stand-off between privacy campaigners and the popular mobile payment app Venmo has taken another turn for the worse.

The latest salvo is an open letter from the Electronic Frontier Foundation (EFF) and Firefox maker the Mozilla Foundation to Dan Schulman and Bill Ready, respectively the CEO and COO of Venmo's owner, PayPal.

Their complaint has three strands to it, the first of which is the long-running gripe that transactions made using Venmo are still not private by default.

The second worry is that anyone using the app can see who someone is connected to through their friends’ list.

Together these create the third problem: many Venmo users probably don't realise the privacy effect of these settings, which means they may be giving away data about their personal habits that they would rather keep to themselves. As the EFF/Mozilla letter puts it:

It appears that your users may assume that, like their other financial transactions, their activity on Venmo is both private and secure.

How we got here

Founded a decade ago, Venmo is a digital wallet app that people use to send money to other users, for example to split restaurant bills or bar tabs. It can also be used to buy things from participating merchants.

In practice, Venmo is also used to pay for everything from rent and personal debts to illegal drugs and prostitutes.

We know this because public Venmo transactions between friends, complete with the descriptions users attach to them, are exposed through the service's developer API, which has allowed researchers to build scraping tools and infer how the app is actually used.

Why is Venmo so fixated on making transactions public? Because it’s really a kind of social network and the whole point of such platforms is to do things in the open. As a company official told CNET last year:

We make it default because it’s fun to share with friends in the social world.

Oversharing

To critics, this is akin to asking users to willingly participate in a breach of their own data going back to the first transaction they sent or received on the app:

As a result, they are vulnerable to stalking, snooping, or hacking with so much of their data available to anyone on the web.

Venmo users bothered by this can turn off public-by-default sharing: go to Settings > Privacy and select Private, then use Change All to Private so that Past Transactions are made private as well, since changing the default only affects future payments.

However, as last week’s EFF/Mozilla letter also points out, there is still currently no way to turn off public access to friends’ lists.

So far, neither Venmo nor PayPal has responded to the EFF/Mozilla complaint.

Until Venmo adds such a control, the best advice is for Venmo users to be careful how they describe transactions and to limit who they use the app to transact with.

Paying towards a meal with friends is probably not going to be a big privacy reveal – doing the same after a visit to a therapist, doctor, or clinic might be very different.
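To make the inference risk concrete, here is an added illustration (written for this article, not code from Venmo, PayPal, the EFF or Mozilla) of what a scraper can learn from a public payment feed plus a public friends list: who a user deals with, which of those relationships carry sensitive notes, which payments recur on a fixed day of the month, and how the friends list alone still reveals a user's contacts even when their own transactions are private. The record format, field names, sample users, dates and keyword lists are all constructed assumptions, not Venmo's real API schema.

```python
"""Inference from a public payment feed and public friends lists.

Illustrative code added to this article; the record layout below is an
assumption for the example and is NOT Venmo's actual API schema.
"""
from collections import defaultdict
from datetime import date

# Constructed sample of what a scraper could collect from a public feed.
PUBLIC_FEED = [
    {"from": "alice", "to": "bob",   "note": "pizza",         "date": date(2019, 6, 3)},
    {"from": "alice", "to": "carol", "note": "rent",          "date": date(2019, 5, 1)},
    {"from": "alice", "to": "carol", "note": "rent",          "date": date(2019, 6, 1)},
    {"from": "alice", "to": "carol", "note": "rent",          "date": date(2019, 7, 1)},
    {"from": "alice", "to": "dave",  "note": "therapy copay", "date": date(2019, 6, 12)},
    {"from": "erin",  "to": "alice", "note": "beers",         "date": date(2019, 6, 20)},
]

# Constructed public friends lists. "frank" has made all of his
# transactions private, but his friends list is still visible.
FRIENDS = {
    "frank": ["alice", "dave", "grace"],
    "alice": ["bob", "carol", "dave", "erin", "frank"],
}

# Constructed keyword lists; a real study would use something far richer.
SENSITIVE_TERMS = {
    "health":  ["therapy", "copay", "clinic", "doctor", "pharmacy"],
    "housing": ["rent", "deposit"],
}


def counterparties(user, feed):
    """Everyone the user has publicly paid or been paid by."""
    found = set()
    for tx in feed:
        if tx["from"] == user:
            found.add(tx["to"])
        elif tx["to"] == user:
            found.add(tx["from"])
    return found


def categorise(note):
    """Return the sensitive category a payment note falls into, or None."""
    lowered = note.lower()
    for category, terms in SENSITIVE_TERMS.items():
        if any(term in lowered for term in terms):
            return category
    return None


def sensitive_links(user, feed):
    """(counterparty, category) pairs whose notes reveal something sensitive."""
    links = set()
    for tx in feed:
        if user not in (tx["from"], tx["to"]):
            continue
        category = categorise(tx["note"])
        if category:
            other = tx["to"] if tx["from"] == user else tx["from"]
            links.add((other, category))
    return links


def recurring_payments(user, feed, min_count=3):
    """Payments the user makes to the same person with the same note on the
    same day of the month at least min_count times (rent, loans, dues).
    Returns {(recipient, note): day_of_month}."""
    seen = defaultdict(set)
    for tx in feed:
        if tx["from"] == user:
            key = (tx["to"], tx["note"].lower(), tx["date"].day)
            seen[key].add(tx["date"])
    return {(to, note): day
            for (to, note, day), dates in seen.items()
            if len(dates) >= min_count}


def contacts_from_friend_lists(user, friends):
    """Contacts exposed by public friends lists alone: the user's own list
    plus every user whose list names them. Works even when the user's
    transactions are private, which is the gap the EFF/Mozilla letter raises."""
    contacts = set(friends.get(user, []))
    contacts.update(u for u, lst in friends.items() if user in lst)
    return contacts


if __name__ == "__main__":
    print("alice deals with:", sorted(counterparties("alice", PUBLIC_FEED)))
    print("sensitive links:", sorted(sensitive_links("alice", PUBLIC_FEED)))
    print("recurring:", recurring_payments("alice", PUBLIC_FEED))
    print("frank (private txns) still linked to:",
          sorted(contacts_from_friend_lists("frank", FRIENDS)))
```

Run as-is to see the inferences; the point is that none of these functions needs anything more than the data the article describes as public, and the last one needs only the friends lists that currently cannot be hidden at all.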
