“Venmo finally understands that maximum advertising on a financial app is a terrible idea,” says Kaili Lambe, campaign manager at the Mozilla Foundation, a nonprofit focused on the openness and accessibility of the Internet. “However, from the start, we asked Venmo to be private by default, as many Venmo users don’t really know their transactions are public to the world.”
A spokesperson for Venmo said the company has no plans at this time to consider making these transactions private by default. This means that users will still have to go out of their way to ensure that each peer-to-peer transaction is not broadcast to the world. It’s hard to see the benefit of maintaining the status quo.
“You think of a lot of very sensitive use cases,” says Gebhart. “You think of therapists, you think of sex workers. You think of the President of the United States. It doesn’t take a lot of imagination to imagine places where these flaws could go wrong and cause real harm to real people.”
The implications of Venmo’s public-by-default stance have unfolded beyond the discovery of Biden’s account. In 2018, privacy advocate and designer Hang Do Thi Duc used Venmo’s public API to sort through nearly 208 million transactions on the platform, piecing together alarmingly detailed portraits of five users based solely on their activity in the application. The following year, programmer Dan Salmon wrote a 20-line Python script that let him scrape millions of Venmo payments in a few weeks.
Venmo has since placed restrictions on how quickly you can access transaction data through the public API, but Salmon says the company hasn’t gone far enough. “Venmo basically had a firehose that I could connect to for transaction data,” he says. “Now that it’s cut, the transactions are still there; it will just take a few more steps to get them.” He says it would take about an hour of work to build a new scraping tool.
“At Venmo, we regularly evaluate our technical protocols as part of our commitment to platform security and the continuous improvement of the Venmo experience for our customers. Scraping Venmo is a violation of our Terms of Service, and we are actively working to limit and block activity that violates these policies,” Venmo spokesperson Jaymie Sinlao wrote in an emailed statement. “We continue to allow selective access to our existing APIs for approved developers to continue to innovate and build on the Venmo platform.”
Venmo is far from the only app that makes you opt out of sharing rather than actively opt in. But because its use case is exclusively financial, the stakes are much higher, and the assumptions of its users potentially misplaced. Venmo hasn’t made it particularly easy for users to choose whether to share or not; in 2018, it reached a settlement with the Federal Trade Commission related in part to its confusing privacy settings.
“Anecdotally, people are very surprised to find that a financial services application is public by default,” says Lambe of the Mozilla Foundation. “Even people who have used Venmo for years may not know their settings are public.”
To make sure yours aren’t, moving forward, go to Settings > Privacy and select Private. Then press Past operations, and press Change everything to private to lock things up retroactively. And while you’re at it, go ahead and press Friends list, then tap Private and deactivate Appear in the friends list of other users. Otherwise, you’re sharing the digital equivalent of your credit card purchases with everyone you know, and lots of people you don’t know. Or consider using something like Square’s Cash App instead, which is private by default.
The loss of the global feed is an important step towards privacy for Venmo and its users. Hopefully more steps are still to come.