Naked Security

Names and photos of Venmo ‘drug buyers’ published on Twitter

The bot scraped Venmo's public API for sex, drugs and alcohol-related words, then tweeted profile photos and first names of the "buyers."

There are a few options available to get people’s attention when you find their really, really personal information dribbled onto the web for anybody to see.
For one, you could pull it all together and publish it in a nice, sober, insightful analysis that anonymizes all their Venmo drug purchases and pizza-eating habits. Or you could whip up a bot that automatically tweets out the profile photos of anybody making those drug deals…
…or, to be more specific, the profile photos and first names of people whose public-by-default Venmo transactions include words such as heroin, marijuana, cocaine, meth or speed; emojis that denote drugs; or non-drug-related words such as sex, porn or hookers.
As we wrote about last week, researcher Hang Do Thi Duc took the analysis route, scraping a year’s worth of data from Venmo’s public API to find out what people are buying, who they’re sending money to, why they’re sending money, first and last names, profile pictures, times of the transactions, messages attached to the transactions, and more. Using 207,984,218 transactions, she chronicled Venmo users’ lives, everything from cannabis sales to budding romances and breakups, and eating habits.
She wanted to make it clear that anybody can find out a whole lot about you if you don’t make your Venmo account private. To do so, she used the gentle touch of anonymized data.
Joel Guerra, the creator of the Who’s buying drugs on Venmo? bot, got a little more slap-happy when he got his hands on Venmo’s public API. As he explained in a post on Medium, when Guerra saw the endpoint to Venmo’s API had been posted publicly on Twitter, he quickly did “what any software engineer would do”: he started digging through the data.
Ah, he realized: I’m not the only one who likes to put salacious nonsense in Venmo’s transaction description field.

I thought about the many times I had filled that out myself with joke descriptions like “baby oil backrub” or “plan B pills” when splitting restaurant tabs with friends.

The key difference: Guerra’s Venmo account has his transactions set to “private” to ensure that he’s not spewing his baby oil backrubs all over the place.
Venmo’s default setting is public, for whatever “we also want to be a social app” reasons there might be. Don’t like it? You shouldn’t, unless you like the idea of somebody such as Guerra coming along and tweeting out your transactions, along with your profile picture, name, and any other information Venmo makes public by default. If you don’t like that prospect, you can change your privacy settings.
Guerra wanted to do something fun to call people’s attention to the lack of privacy in Venmo’s default settings, so he whipped up a 70-line Python script and made a new Twitter account. Then, he set it free. For about 24 hours, his script diligently, automatically tweeted the first names and profile pictures of users making “drug” transactions on Venmo.

I chose drugs, sex and alcohol keywords as the trigger for the bot because they were funny and shocking. I removed the last names of users because I didn’t want to actually contribute to the problem of lack of privacy.

The transactions aren’t necessarily actual drug deals. In fact, most aren’t, Guerra told Motherboard. Rather, Guerra believes he caught a net-full of tongue-in-cheek transaction descriptions, on a par with his Plan B pills.
Either that, or the simple Python script took things out of context. For example, one transaction posted on Thursday included the message “Your love is my drug.” The profile picture showed the user with somebody who could have been a spouse or significant other.


Another message read “not drugs,” while yet another contained the phrase “Funding for your Scotland & Ireland trip. God speed,” with the script presumably only plucking the word “speed” out of context.
As Guerra said in his Medium post, the response to his “Who’s buying drugs on Venmo?” tweets was overwhelmingly positive. People heard his privacy message loud and clear. But even if we all got it, we didn’t all like it. Just because data is public doesn’t mean that more exposure will make things better. In fact, it makes things worse.
As Motherboard’s Joseph Cox notes, there are plenty of examples of researchers and coders who’ve scraped sites for publicly available data and then handled the data in ways that have rubbed people the wrong way.
One example: in 2016, without users’ permission, Danish researchers publicly released data scraped from 70,000 OkCupid profiles, including their usernames, age, gender, location, what kind of relationship (or sex) they’re interested in, personality traits and answers to thousands of profiling questions used by the site.
On Friday, after getting “more attention than [he] had imagined possible,” Guerra shut down the script.

I saw no further value in tweeting out anyone’s personal transactions anymore.

But just because he’s not sniffing around for public mentions of meth or hookers anymore doesn’t mean they’re not out there. He invited us all to have a look at Venmo’s API and see for ourselves:

You’ll see all the details of the last one thousand Venmo transactions including last names and usernames that I chose not to include in my bot’s tweets.

Or, then again, maybe we shouldn’t look at that public API. Maybe instead, check your own account, and please do advise your friends if you think they need to zip up their Venmo pants.