20th July 2018

You may or may not have heard about Venmo before, but in the simplest terms – they’re a payment provider that also lets you have an internal balance (quick fact – all payment processing is actually performed by PayPal). They’re one of many FinTech companies trying to do roughly the same thing.

They also have an API. From which you can check out individual transactions, the people that sent/received money, and even identifiable bits of information such as Facebook IDs.

But hang on, what was this I saw on the Venmo website:

Your personal and financial data is encrypted and protected on our secure servers to guard against unauthorized transactions.

You’d probably assume this meant your transactions as well. Turns out these are public by default.

That’s what allowed Hang Do Thi Duc to create PUBLIC BY DEFAULT. Her reasoning behind why she made it:

Many products that we use on a daily basis make it more difficult than it should be to protect our privacy, our most personal information. Many of these products share data (publicly) by default. Venmo is an example of one of these products.

And what an interesting example! One would think that when it comes to money, privacy by design is of greater importance and higher demand. One would be disappointed in this particular case.

I think it’s problematic that there is a public feed which includes real names, their profile links (to access past transactions), possibly their Facebook IDs and essentially their network of friends they spend time with. And all of this is so easy to access! I believe this could be designed better. Why include all this information, when essentially the only interesting part is the message? If you – as a company – actually care about your users and their privacy you would ask this kind of questions.

So, if companies don’t care, I think WE have to take action

The website is rather packed full with examples of the type of data you can extract from the API, and also how you can combine it to recreate stories of peoples lives.

I won’t list of everything, because honestly, I wouldn’t be able to, but there’s a cannabis retailer that had 920 incoming transactions, a few couples that have been having conversations via their transactions, and one young female that had 965 transactions for soft and alcoholic drinks, fast food, and sweets, in just 8 months.

All of this seemingly fun data, also comes packed with personally identifiable information. I’m wondering whether this is breaking GDPR rules.

I’d definitely recommend having a play around on the website, as it really brings to life what information can be realised, just by transactions.

Just to end on a scary note, based on the 207,984,218 public Venmo transactions from 2017, there were 18,429,464 people that had their transactions set to public visibility, 1,731,783 shared Facebook IDs, and 1,189,210 unique last names (from which a pretty cool graph was made).