Venmo's "public by default" transactions reveal drug deals, breakups, more

Because Venmo defaults to making all payments public, privacy researcher Hang Do Thi Duc was able to download and analyze 208,000,000 transactions, whose notes and other metadata revealed a wealth of personal, compromising information, including drug deals and breakups.

Venmo users tagged their transactions with revealing personal notes like "You don't love me anymore" or tree and pill emojis.

Thi Duc says that her research reveals the perils of failing to engage with "privacy by design," and points out that in addition to revealing these intimate facts, Venmo also leaks information that would be useful to stalkers, identity thieves, and other bad guys.

"The moment when I went, 'Wow this is just unbelievable,' is when I discovered the stories of the lovers," Do Thi Duc told me in an email. "Just the intimacy of those conversations—this was definitely not mean to be public. But that also applies to all the stories, this information shouldn't be that easy accessible."

Any of these interactions could be inside jokes, but gathered over enough time, they still reveal intimate connections and slices of their lives. A lot of the transactions seem too specific, repetitive, and mundane to be one-off jokes. Like the cannabis retailer she found doing business in California, whose transactions made mentions of "weed," "grass," medicine," "CBD," "stacked kush," and "gorilla cookie." She could see that he made a total of 920 incoming payments in 2017.

Then there's a food cart operator at University of California, who had 8,026 transactions in 2017, and whose customers preferred elote. The API showed who bought food, how often and at what time of day.

Public By Default [Hang Do Thi Duc]

A Privacy Researcher Uncovered a Year's Worth of Breakups and Drug Deals Using Venmo's Public Data [Samantha Cole/Motherboard]