Public By Default

2018

What Venmo (and the Whole World) Knows About You

PublicByDefault.fyi examines how much personal data Venmo users — from drug dealers to feuding couples — share with the world.

There’s an app where you can follow a drug dealer in real time, watch a couple fight viciously on Valentine’s Day, and learn exactly how many mangos a Santa Barbara, CA food cart sells each week.

The app has about 7 million active monthly users. And if you’ve signed up without checking the settings, you’re likely sharing your personal details with the world, too.

Sound like fiction? It’s not — it’s Venmo, the popular mobile payment app. Since all Venmo activity is public by default, it’s incredibly easy to see what people are buying, who they’re sending money to, and why.

As a developer and designer, I’ve always been interested in data and privacy — specifically, how social media exposes so much of our personal life to so many people, often without us fully understanding how. (In 2016 I built Data Selfie, a browser extension that shows what Facebook might know about you through various data profiling algorithms.)

This is what led me to build Public By Default — a project that showcases just how much personal data Venmo users are sharing with the world. I used Venmo’s public API to download all public transactions of 2017, pulling in a total of 207,984,218 transactions. By looking through users and their transactions, I learned an alarming amount about them.

The Stories


Public By Default features five Venmo users and sagas — all real. (I stripped out their identifying information.) Among them:

The Cannabis Retailer. This Venmo user sells pot in Santa Barbara, CA. The transactions between him and his customers are captioned with emojis and mentions of “weed,” “grass,” “medicine,” “CBD,” “stacked kush,” and “gorilla cookie.” Business is booming for him — he had a total of 920 incoming payments in 2017.

The Corn Dealer. This Venmo user operates a food cart at University of California, Santa Barbara and sells Latin American eats. The cart vendor had a total of 8,026 transactions in 2017. I was able to tell the most popular menu item (“elote,” or corn on the cob), along with who bought food, how often and at what time of day.

The Lovers. Forget soap operas and romantic novels — Venmo is the best place to find drama. I uncovered two lengthy love stories between Venmo users, complete with flirting, arguing, apologies, and threats. One couple feuds: “You don’t love me,” a lover wrote. The other couple flirts regularly: “I’m waiting for the sugar daddy,” a lover wrote.

The YOLOist. This Venmo user — a young woman with a Greek last name — had 2,033 transactions in eight months’ time. And through her Venmo transactions emerges an unhealthy portrait. She loves Coca Cola (280 transactions) and pizza (209 transactions), and often goes for coffee with the same three friends. She also likes to eat a lot of sweets, especially donuts.

The All Americans. A married couple in California uses Venmo often — and as a result, offers an intimate window into their lives. They own a dog, which they recently took to the vet. They have a car, which they refuel at Chevron about every two weeks. When they eat out, it’s usually pizza — but sometimes Asian or German cuisine. They shop for groceries weekly at Walmart, they’re paying off a loan, and they get their utilities from San Diego Gas & Electric (SDG&E).

And then there is the “Venmo God,” which features insights I gained by looking at all 207,984,218 public transactions. For example, users’ last names can reveal their ethnicity; rent transactions naturally peak on the first of the month, though millennials seem to pay rent to their roommates all the time; and pizza is especially popular in the fall. You can also get a glimpse into how people use other services like Uber or Airbnb. Fortunately, public transactions don’t include the payment amount, but can you imagine the richness of such a data set? Venmo, which is owned by PayPal, has access to a wealth of data. This is just a tiny glimpse into it.

The Data

I used the Public Venmo API to gather and save all public transactions from 2017. There were 207,984,218 transactions. Anybody can click and access the URL of the Public Venmo API! You can, too: click this to see data from the Public Venmo API!

You will see the data for the most recent public transaction on Venmo. This includes first and last names, profile picture, the time of the transaction, the message and more.

The blog post by Dan Gorelick called ‘“Hacking” the public Venmo API’ has great documentation of how the API works, including how to get transactions from a specific point in time. It’s public, yet not documented anywhere on Venmo’s website.

Why did I make this?

Many products that we use on a daily basis make it more difficult than it should be to protect our privacy, our most personal information. Many of these products share data (publicly) by default. Venmo is an example of one of these products.

And what an interesting example! One would think that when it comes to money, privacy by design is of greater importance and higher demand. One would be disappointed in this particular case.

I think it’s problematic that there is a public feed which includes real names, their profile links (to access past transactions), possibly their Facebook IDs and essentially their network of friends they spend time with. And all of this is so easy to access! I believe this could be designed better. Why include all this information, when essentially the only interesting part is the message? If you – as a company – actually care about your users and their privacy, you would ask these kinds of questions.

So, if companies don’t care, I think WE have to take action!

When you think of your transactions, you might think “I have nothing to hide.” But after spending time with these stories and insights, perhaps you will ask “Do I really need to share this?” and invest a few seconds to change your settings on Venmo and on other services.

Hopefully companies will one day put user data protection first, either pressured by regulation or by us users. For now, we have to be proactive and protect our privacy.

Recently, more and more people are paying attention to the consequences of sharing personal data online. The practice doesn’t simply make our private lives public — it also opens us up to tracking and invasive advertising. It can even fuel broken algorithms and recommendation systems.

And yet, so many Venmo users share their most intimate financial, narcotic, and romantic details with the world. And products like Venmo still make user transactions public by default.

Why is that? Should we accept that?

publicbydefault.fyi

This is a project made while a Media Fellow at the Mozilla Foundation, supported [in part] by a grant from the Open Society Foundations. I developed the concept, performed the data analysis, and designed and developed this media piece. Contributions by Huy Do Duc, Kevin Zawacki, Amel Ghouila, Chris Hartgerink, Umi Syam. Special thanks to Brett Gaylor.

Featured in:

The Guardian
Fast Company
CNN
Motherboard
The Next Web
Mic
Süddeutsche Zeitung
Ars Technica

Update:

After the attention the project received, and with bots appearing around the same time, Venmo quietly changed the rate limit, so bulk access to the API is not possible anymore. When I gathered the data (January 2018) I was able to access hundreds of public transactions every two seconds. This is not possible anymore. In my opinion this is only a small step in the right direction. The default is still public, and that, for me, doesn’t show a company’s commitment to fully protecting their users’ privacy and data.

Mozilla launched a petition to push Venmo to change their privacy default settings. More than 25000 signed it.