Venmo becomes more private, but not completely secure yet



Venmo, the popular mobile payment service, has redesigned its application. Usually this is news you could safely ignore, but this announcement is worth taking a closer look at. In addition to making some browsing tweaks and adding new purchase protections, the PayPal-owned platform is finally shutting down its global social feed, where the app posted transactions from people around the world. It’s an important step in solving one of the biggest privacy issues in the app world, but the work isn’t done yet.

Venmo’s global feed has for years been a source of voyeuristic insights into the financial habits of strangers. The feed does not show the amounts for a given transaction, but names and notes, emoji, and likes are included. Tapping on a name brings up that user’s profile, and a nosy entrepreneur (or worse) could quickly create a small file of that person’s friends, hobbies, and whatever else they’ve included in the stream without, perhaps, realizing how public that information can be. In the time it took to write these paragraphs, relatives reimbursed each other for Phillies tickets, someone made a payment for “liquid gold 😍,” and more than one group of roommates split their Internet account.

The visibility of Venmo transactions and other user data has been criticized by privacy advocates and consumers for years. “This commitment to this strange corporate part, this corporate DNA, of a social payment app is a huge responsibility,” says Gennie Gebhart, director of advocacy for the Electronic Frontier Foundation, a digital rights group. “It is not a disaster waiting to happen, it is a disaster that has already happened so many times to so many people.”

The most recent and highest-profile instance of how that openness can go wrong came in May, when a team of BuzzFeed reporters found President Joe Biden’s Venmo account, along with those of his family and close friends, simply by searching within the app. It took them 10 minutes.

At the time, even if your transaction history was locked, your friends list was fair game for anyone to find. Which, again, seems a bit reckless for an app built around the often delicate business of sending and receiving money. However, two weeks after the BuzzFeed report, Venmo added new privacy controls, allowing you to make your in-app contact list private for the first time.

Removing the global feed expands that work by making it increasingly difficult to spy on strangers. Soon the social element of the app will be limited to what your Venmo contacts are up to. “This change allows customers to connect and share meaningful moments and experiences with the people who matter most to them,” the company said in a blog post announcing the redesign. While it certainly counts as progress, privacy advocates believe it doesn’t go far enough.

“Venmo is finally getting the message that maximum publicity in a financial app is a terrible idea,” says Kaili Lambe, a lead activist for the Mozilla Foundation, a nonprofit organization focused on the openness and accessibility of the Internet. “However, from the beginning we have been asking Venmo to be private by default, because many Venmo users do not really know that their transactions are public to the world.”

After Venmo’s imminent redesign, the only feed will show your friends list’s transactions.


A Venmo spokesperson said the company has no plans at this time to consider making those transactions private by default. That means users will still have to do their best to ensure that all their peer-to-peer transactions are not broadcast to the world. It’s hard to see the benefit of maintaining the status quo.

“You think of a lot of really tricky use cases,” Gebhart says. “You think of therapists, you think of sex workers. You think of the president of the United States. It doesn’t take much imagination to imagine places where these defaults could go horribly wrong and cause real harm to real people.”

The implications of Venmo’s public-by-default stance extend beyond the discovery of Biden’s account. In 2018, designer and privacy advocate Hang Do Thi Duc used Venmo’s public API to classify almost 208 million transactions on the platform, rebuilding alarmingly detailed portraits of five users based solely on their activity in the app. The following year, programmer Dan Salmon wrote a 20-line Python script that let him scrape millions of Venmo payments in a matter of weeks.

Venmo has since placed restrictions on the speed at which transaction data can be accessed through its public API, but Salmon says the company hasn’t gone far enough. “Basically Venmo had a fire hose that I could connect to from transaction data,” he says. “Now that that is cut, the transactions are still there; it will only take a few more steps to fetch them.” He says it would take about an hour of work to build a new scraping tool.

“At Venmo, we routinely evaluate our technical protocols as part of our commitment to platform security and continually improving the Venmo experience for our customers. Scraping Venmo is a violation of our terms of service, and we are actively working to limit and block activity that violates these policies,” Venmo spokesperson Jaymie Sinlao wrote in an emailed statement. “We continue to allow select access to our existing APIs for approved developers to continue innovating and building on the Venmo platform.”

Venmo is far from the only application that makes you opt out of sharing rather than opt in to it. But because its use case is purely financial, the stakes are significantly higher and the assumptions of its users potentially misplaced. Venmo hasn’t made it especially easy for users to figure out what they share and what they don’t; in 2018 it reached an agreement with the Federal Trade Commission related in part to its confusing privacy settings.

“As an anecdote, people are very surprised to find that a financial services application is public by default,” says Lambe of the Mozilla Foundation. “Even people who have been using Venmo for years may not know that their settings are public.”

To make sure yours aren’t, head over to Settings > Privacy and select Private. Then touch Past transactions and touch Make everything private to retroactively lock things down. And while you’re at it, go ahead and touch Friends list, then touch Private and turn off Appears in the friends list of other users. Otherwise, you are sharing the digital equivalent of your credit card purchases with everyone you know and many people you don’t know. Or consider using something like Square’s Cash app, which is private by default.

Losing the global feed is an important step towards privacy for Venmo and its users. Hopefully, there are still more steps to come.

This story originally appeared on wired.com.


arstechnica.com
