> Convenience vs Security: Venmo Edition
BuzzFeed News found President Joe Biden’s Venmo account after less than 10 minutes of looking for it, revealing a network of his private social connections, a national security issue for the United States, and a major privacy concern for everyone who uses the popular peer-to-peer payments app. On Friday, following a passing mention in the New York Times that the president had sent his grandchildren money on Venmo, BuzzFeed News searched for the president’s account using only a combination of the app’s built-in search tool and public friends feature. In the process, BuzzFeed News found nearly a dozen Biden family members and mapped out a social web that encompasses not only the first family, but a wide network of people around them, including the president’s children, grandchildren, senior White House officials, and all of their contacts on Venmo.
Jesus Christ. Do people not know how to use privacy features of apps or do they just not care? I’m sure someone like Biden has someone do this for him so I’m not even sure that he’s at fault for this. This is just completely unnecessary.
Privacy advocates and journalists have warned about Venmo’s privacy problems for years, yet the PayPal-owned app has persisted with features that can place people — including the president of the United States — at risk. While many critics have focused on how the app makes all transactions public by default, Venmo’s friend lists are arguably a larger privacy issue. Even if a Venmo account is set to make payments private, its friend list remains exposed. There is no setting to make this information private, which means it can provide a window into someone’s personal life that could be exploited by anyone — including trolls, stalkers, police, and spies. No other major social network or service has contact-based friend lists that are publicly accessible by default to anyone — and that cannot be made private. People use Venmo to get paid, often using their real names. They often also import their phone contact lists or Facebook friend lists — which the app highly encourages when you sign up — creating networks where people automatically “friend” dozens if not hundreds of other Venmo users to allow them to find people they want to pay more easily. Venmo makes it impossible for users to hide their list of friends. To remove someone as a friend, a user has to unfriend the person manually.
I really don’t care if my friends know someone paid me for something or I split a bill at dinner. That’s bad but not the end of the world, though I feel those things should absolutely be private. The problem is that I don’t want, quite literally in Venmo’s case, the world to know that I’m sending any amount of money to anyone. At least you can make transactions private, as they should be by default. I still don’t understand why I can open my app and see a list of transactions from complete strangers. Mutual friends paying each other or friends paying friends I may not know? I can kinda understand that. Strangers? Not so much. This should be opt-in, not opt-out.
The fact that friend lists are public, and can’t be made private at all, is such a huge security risk. Look at how, with just a mere mention that it exists, BuzzFeed was able to find the president’s Venmo account. That’s a major national security risk. Imagine what could happen if a foreign government gets this kind of information. I’m not just talking about the president either. This is an issue for anyone working with any kind of security clearance.
Several former Venmo employees told BuzzFeed News that Venmo’s public transaction feed and friend lists were integral to the app’s early design. Launched in 2009 as a simple and free way to transfer money between friends, it relied heavily on the social dynamics pioneered on Facebook. People were unafraid to publicly share that they had paid their friends for pizza after a night out or were splitting a gas bill among their roommates. The idea, according to one former engineer, is that building off someone’s social network was a much easier way for someone to trust who they were paying or receiving money from. Since then, the app has become one of PayPal’s main drivers of growth, clearing $51 billion in payments during the first three months of 2021.
This was never really a good idea but I can completely understand the thinking. In 2009 nobody was thinking that anything we did on the internet mattered. After all, it was during this time that we were not only signing up for things like Facebook but literally dumping our entire lives on there. So I get the inclination to capitalize on social dynamics. But honestly, if you don’t know a person or can’t reach out to someone who does, why are you even sending them money in the first place? I can kind of understand this position from a naive 2009 standpoint but in 2021? Guys… C’mon.