Venmo's Public API Exposes Millions of Transactions, Startling Users

Because of its default settings, digital payments service Venmo exposes many of its users' transactions to the world through its public API. Using the API, researcher Hang Do Thi Duc, a Mozilla fellow, downloaded more than 200 million transactions from the popular PayPal-owned service, which allows users to easily send money to friends and family in the US. Using that data, Thi Duc created a website, Public by Default, that visually details the implications of Venmo's public by default approach.

Thanks to the metadata that is associated with transactions and also made public, which includes messages between users, Thi Duc was able to tell the stories of five unsuspecting Venmo users.

Among them are a cannabis retailer operating in the Santa Barbara, California area, a young Greek woman with hedonistic tastes, and two couples, one of which apparently is no longer a couple.

According to Thi Duc, "The moment when I went, ‘Wow this is just unbelievable,’ is when I discovered the stories of the lovers. Just the intimacy of those conversations—this was definitely not meant to be public. But that also applies to all the stories, this information shouldn’t be that easy accessible."

Not surprisingly, Thi Duc's work has caused an uproar. Thanks in large part to the Facebook Cambridge Analytica scandal, privacy and data security are in the spotlight, which means that discoveries like Thi Duc's are going to attract more attention than they most likely would have just a few short years ago.

Of course, there are significant differences between Venmo and Facebook-Cambridge Analytica. The latter involved a third-party using Facebook APIs to acquire user data under one pretense and using it for other purposes unbeknownst to users and in violation of Facebook's terms. According to Facebook's critics, Facebook was or should have been aware of the potential for such abuse on its Platform and failed to respond swiftly when it learned of Cambridge Analytica's actions.

Venmo, on the other hand, simply makes users' transactions public by default. There is no third party with whom Venmo maintained a relationship and who violated the terms governing that relationship. The question in Venmo's case is whether users are aware of the fact that their transactions are public by default, and whether they understand the potential implications of how transaction data could be used by others.

A Call for Privacy by Design

While the Venmo situation might not be quite as nefarious as the Facebook-Cambridge Analytica situation, the questions around users' knowledge of how their data is being used are similar, and they raise the issue of whether companies should default to approaches that assume their users want their data to be private.

In Venmo's case, for instance, instead of making all transactions public by default, such an approach would have required users to explicitly opt in to the public sharing of their transactions. If Venmo had done that, every one of the stories Thi Duc is able to tell would have been a story the users reasonably understood they were sharing with the world.

As Thi Duc's sees it, "Users should definitely push for developers to build their services with the value of privacy by design! This project gives arguments why you, as a user should care about your settings. By changing your settings, you also show the apps and services out there what your values are."

But will companies actually listen? Despite the significant backlash Facebook faced over the Cambridge Analytica scandal – Facebook CEO Mark Zuckerberg was practically forced to testify before Congress and EU lawmakers – there is little evidence suggesting that large numbers of users have stopped using Facebook. The social networking giant has, however, made significant changes to its APIs in a clear effort to avoid similar scandals.

What Happens Next?

As of the publication of this article, Venmo's public transactions API is still available, making it possible to view payments between users for everything from haircuts to Harry Potter onsies. Given that Venmo's public API was used earlier this year to identify and publicize instances of illegal betting on the Super Bowl, it would appear that Venmo is not so concerned about its default settings and public API.

But that doesn't mean it shouldn't be. Even if users aren't abandoning services in droves, the privacy issue is real and not going away. The longer companies resist privacy by design, the more likely it becomes that lawmakers will eventually step in and force companies to change their practices.

Be sure to read the next Privacy article: Atlassian Updates Confluence and Jira Cloud APIs for GDPR Compliance