A Lesson in Privacy Settings

In this blog we take a look at what happens when privacy is an afterthought in app development.


Published by Hamish Kerry

When we think about the consequences of data leaks and mismanagement on social media platforms, there are a few key players that come to mind: Facebook and Cambridge Analytica, Twitter and misinformation during the COVID-19 pandemic, Yahoo in 2013 and LinkedIn’s whopper of a data leak in 2012.

There are few examples, though, of social media platforms that actively defended their poor security and user privacy policies. The exception, of course, is Venmo.

To readers outside the US, Venmo is a bit of a mystery. In the UK, when you want to easily send money to friends and relatives, there’s a range of options. Bank transfers, Monzo request links and the integration of payments within Meta Messenger make it easy to send and receive cash from your mates. This is not the case in the US. Wire transfer charges in the US mean users could see their $5 transfer for their share of a pizza cost them an additional $15 in transfer fees. Enter Venmo.

Venmo allows users to transfer money between each other for around 1.75% of the total value in transaction fees. UK readers will recoil at the thought of paying to send their mates money, but this is the reality for our American friends; banks simply aren’t as joined up in the US as they are in the UK. In addition to its ease of payments, Venmo has another USP: it bills itself as a social media platform.

And herein lies the beginning of our cautionary tale.

Image via CNBC


Everything, everywhere, all at once.

Venmo’s story begins 14 years ago, when the app was used to buy music from bands, before it evolved into a peer-to-peer payments platform. It was a new dawn for American consumers. At the same time, apps and social media platforms were swinging into their prime. People were liberal with their posts, and their data, sharing a great deal more than most would be comfortable with today. In 2010, Venmo introduced (like many other social media platforms) timelines, a handy feature that allowed you to catch up on all the gossip you might have missed while you were at work or school. Venmo’s foray into the world of timelines was initially seen as a fun little log to share with your friends. It was a ledger of what you were doing, when you were doing it and, as came to be the feature’s downfall, the amount.

It might be said that there could be little wrong with this between friends and family; after all, it was only slightly further on from what people were filling their Facebook and Twitter feeds with at the time. Venmo, however, had forgotten the golden rule of developing social media platforms: give people power over their own information.

The transaction history of Venmo users was public, not just amongst friends, but to anyone with an account. If you knew someone's username, you could see their transaction history. Solidifying the abject weirdness of this feature is that, by default, everyone's transactions were, and still are, public. Yes, even after everything you will read here, Venmo still takes an “opt out” stance on data sharing.
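To make the difference between an opt-out and a privacy-by-default design concrete, here is a small model of a transaction feed with a per-entry visibility setting and an authorization check. It is an added example, not Venmo's code; the names, the ledger and the friend lists are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Visibility(Enum):
    PUBLIC = "public"    # anyone with an account: the opt-out default described above
    FRIENDS = "friends"  # friends of either party
    PRIVATE = "private"  # the two parties only


@dataclass
class Transaction:
    sender: str
    receiver: str
    amount: float
    visibility: Visibility


def can_view(viewer: str, txn: Transaction, friends: dict) -> bool:
    """Per-entry authorization: the two parties always see their own entry,
    everyone else is gated by that entry's visibility setting."""
    if viewer in (txn.sender, txn.receiver):
        return True
    if txn.visibility is Visibility.PUBLIC:
        return True
    if txn.visibility is Visibility.FRIENDS:
        return viewer in friends[txn.sender] | friends[txn.receiver]
    return False


def profile_feed(viewer: str, owner: str, ledger: list, friends: dict) -> list:
    """What `viewer` sees when opening `owner`'s transaction history."""
    return [t for t in ledger
            if owner in (t.sender, t.receiver) and can_view(viewer, t, friends)]


def build_ledger(default: Visibility) -> tuple:
    """Constructed sample: a doctor paid by three patients, none of whom ever
    touched the setting, so each entry carries the platform default."""
    friends = {n: set() for n in ("dr_hart", "pat_a", "pat_b", "pat_c", "stranger")}
    ledger = [Transaction(p, "dr_hart", 40.0, default)
              for p in ("pat_a", "pat_b", "pat_c")]
    return friends, ledger


def exposed_counterparties(default: Visibility) -> set:
    """Names an unrelated account can read off the doctor's feed under a default."""
    friends, ledger = build_ledger(default)
    return {t.sender for t in profile_feed("stranger", "dr_hart", ledger, friends)}
```

With `Visibility.PUBLIC` as the default, an unrelated account reads the whole patient list off the feed; with `Visibility.PRIVATE` as the default, the same query returns nothing and each patient still sees only their own payment.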

Where there’s smoke, there’s fire.

Over the last decade, US officials have had their careers undone by evidence of crimes uncovered via their Venmo history, and while we won’t go through those details here, it’s fair to say that none of them would have used the platform to pay for those services had they known about their default public privacy settings.

Venmo, in certain circles, had ceased to be a platform for payments and had become instead a detailed ledger of everything users would usually prefer to keep private. With access to your doctor’s Venmo profile, you could, theoretically, expose their patient list, provided the patients’ numbers were in the doctor’s phone book. Ex-partners could spy on each other; potential employers could find out how often you’d been going out, where, and whether there was anything that could become a potential PR concern.

Even US President Joe Biden was forced to delete his account following a leak of his phone contacts via his page.

What’s the lesson?

Venmo is a prime example of a company that, until very recently, was firmly behind the times with users' privacy expectations. And, while they have begun to make changes in the right direction, up until 2018 their stance on potential oversharing was answered with a swift “We make it default because it’s fun to share [information] with family and friends.”

Whether through being a unique selling point, or just a bit of an oversight, Venmo provides an excellent case study of what can happen when you don’t design apps with the appropriate privacy concerns in mind. Consumers are increasingly aware of their data protection rights, particularly within a European context.
