Earlier this year, the FTC settled with PayPal over the company’s handling of privacy disclosures in its peer-to-peer payments app Venmo, but Mozilla doesn’t think the changes Venmo made as a result went far enough. This week, Mozilla says it delivered a petition signed by 25,000 Americans asking Venmo to set transactions shared in its app to private by default, instead of public.
As Mozilla explains, “millions of Venmo users’ spending habits are available for anyone to see. That’s because Venmo transactions are currently public by default — unless users manually update their settings, anyone, anywhere can see whom they’re sending money to, and why.”
Many Venmo users likely feel that it’s not very dangerous to share through Venmo’s feed – a key feature of its popular payments app – that they paid back a friend for part of the dinner, drinks or some concert tickets, for example.
But a Berlin-based researcher, Hang Do Thi Duc, recently studied the risks associated with this sort of over-sharing.
Do Thi Duc analyzed more than 200 million public Venmo transactions made in 2017 by accessing the data through a public API. This allowed her to see the names, dates and transactions of Venmo users. She found that a lot could actually be gleaned from this data, including users’ drug habits in some cases, as well as their relationships, junk food habits, location, daily routines, personal finances, rent payments and more.
In other words, while the individual transaction itself may seem harmless, in aggregate these transactions can be very revealing about the person in question.
Mozilla says it, along with Ipsos, also polled 1,009 Americans how they felt about Venmo’s “public by default” nature. 77% said they didn’t think that should be the case, and 92% said they don’t support Venmo’s justifications for making them public. (It thinks sharing is fun, basically.)
Venmo didn’t respond to Mozilla’s petition directly, we understand.
“We delivered our petition to Venmo’s offices in person, and spoke with the team briefly,” says Sara Haghdoosti, Mozilla’s Director of Advocacy. “Venmo declined to provide a statement that we could share with our petition signers. We hope that Venmo will take the views of the over 25,000 people who signed the petition — and the results of our recent poll — in account in future decisions,” she say.
Venmo, however, tells TechCrunch via a spokesperson that it takes its users’ trust seriously.
“Venmo was designed for sharing experiences with your friends in today’s social world, and the newsfeed has always been a big part of this,” the spokesperson said. “The safety and privacy of Venmo users and their information is always a top priority. Our users trust us with their money and personal information, and we take this responsibility and applicable privacy laws very seriously,” they added.
The company also pointed out it takes several steps to ensure some level of user protection, including not making sensitive transactions public, never publishing dollar amounts, and allowing users to control the publicity of the item, even after the fact.
As part of the FTC settlement, Venmo also had to make other changes, as well. The company now has to explain to new and existing users how to limit the visibility of transactions through the use of privacy settings.
We recently saw this in the updated Venmo app, in fact.
Users are walked through a tutorial that spells out how you can change settings to make transactions private by default, or any time you choose.
Thanks to large-scale scandals like Cambridge Analytica and others involving user data being overexposed, timed alongside the rollout of new privacy regulations like Europe’s GDPR, many companies are reviewing their data-protection policies.
Venmo’s casual over-sharing now feels like a holdover from an earlier, more naive time on the web, and it wouldn’t be surprising if it decided to later adjust the app’s settings to match where consumer sentiment is headed today.