How the Payment App Exposes Our Private Lives

July 18, 2018

A researcher has analysed millions of public transactions to prove just how much the app reveals about our life and habits.

Anyone can track a Venmo user’s purchase history and glean a detailed profile – including their drug deals, eating habits and arguments – because the payment app lacks default privacy protections.

This was the finding of a Berlin-based researcher, Hang Do Thi Duc, who analysed the more than 200 million public Venmo transactions made in 2017. Her aim was to highlight the privacy risk from using a seemingly innocuous peer-to-peer app, and encourage people to change their privacy settings.

By accessing the data through a public application programming interface, Do Thi Duc was able to see the names of every user, along with the dates of every transaction and the message sent with the payment. This allowed her to explore the lives of unsuspecting Venmo users and learn “an alarming amount about them”.

Do Thi Duc showcases the level of personal data exposed through Venmo on her project website “Public by Default”, so named because when anyone makes a payment through the app, it is public unless that person has locked down their privacy settings. There she has homed in on five individual users, including a man who sells cannabis in Santa Barbara and a pair of lovers who pass money between each other accompanied by flirting, arguing, apologies and threats.

In the case of the cannabis seller, Do Thi Duc could see 920 incoming payments throughout 2017, accompanied by messages including words like “CBD” (an abbreviation of cannabidiol, one of the active ingredients in cannabis), “delivery” and “order”, or emojis depicting trees, which have become a common shorthand for marijuana. She could also see that the dealer appeared to hire a second person, making 19 payments to them throughout the year with references to cannabis sales.

Do Thi Duc was also able to find entire conversations between couples who may not have realised that their comments were also public by default. “Please leave me alone,” said the woman, who Do Thi Duc refers to as Susana.

“I just love you. I’m sad that you don’t understand,” replies the man.

In a later exchange, he says: “It’s pretty damn clear that you were using me all along. Took me a while to figure that out.” The next morning, he’s repentant. “I’m sorry. I take everything I said back.”
