When you think of companies that violate your privacy online, chances are Facebook is one of the first names that come to mind. But there’s another common app that should: Venmo, the PayPal-owned peer-to-peer payment app that lets people send money to friends, family, and anyone else they need to pay (including, for instance, drug dealers). The payments you make on the app, complete with a cute little emoji or note, are public by default, which means that many users don’t realize just how easy it is for the rest of the world to observe the $35 billion in transactions made on Venmo.
A new data visualization by the designer-activist Hang Do Thi Duc shows just how revealing the app’s default settings can be, and how stupid it is to leave your Venmo transactions public. Called Public by Default, Duc’s project follows the stories of real Venmo users (whose information has been anonymized) based on Venmo’s publicly available data. Each story is illustrated with emoji, of course, along with clever charts and graphs that highlight just how intimate the information about how you spend money is. It’s like a graphic novel for the Snapchat age.
One of the most striking is the “cannabis retailer,” who runs much of his business through Venmo, with 973 transactions in 2017, 150 of which explicitly mention CBD, and many more of which use other monikers like “delivery,” “stuff,” or even just “weed.” Thirty-six people mention “groceries,” which Duc suspects is another term for drugs. The dealer even hires someone to deliver for him, leaving a trail of incoming Venmo transfers with captions like “God’s treat oz” and “CBD.”
Another storyline follows two couples, one that’s fighting and another that’s flirting, through the very real comments on their Venmo transactions. In a third story, Duc follows a woman she dubs the “yoloist” for completing 965 transactions over eight months for soda, alcohol, fast food, and sweets. Each person’s name has been changed in the project to preserve their privacy, even if it never occurred to them to do so in the real world.
Duc says that finding the source data was incredibly easy. Unlike many tech companies’ APIs, Venmo’s API needs no authentication or permission to use it. As a result, she was able to download all of the public data from 2017, all 207,984,218 public transactions, simply by clicking on an easily accessible link. “It’s normal for users to say, ‘I expect this service to prioritize my privacy,’” Duc says. “But in the case of Venmo, you’d be disappointed. They just don’t care about that.”
After downloading all the data, Duc dug through it using simple searches, like one for the highest numbers of transactions. That search yielded another story she calls “The Corn Dealer,” where she delves into the data for a fruit cart vendor who has more than 8,000 transactions for 2017. On the site, Duc visualizes the number of times the vendor’s most frequent customer visited him (34 times in 2017) and shows what she ordered on each visit.
While she highlights specific stories on the Public by Default site, these aren’t isolated instances. There were many dozens of other stories Duc could have chosen.
Her ultimate goal? Convince people to change their privacy settings. A button that lives on the top right of the project’s website walks visitors through a step-by-step guide to do just that, including making all your past transactions private as well.
It’s mind-boggling to think that all of this information about unsuspecting users is out there on the internet. While Duc has good intentions, there are others who don’t. Some people use Venmo to stalk their exes, and some even discover cases of infidelity using the seemingly innocent public feed. In the case of the woman who frequents the fruit cart, a more nefarious actor could follow her Venmo transactions to track down her location. According to MarketWatch, the company views its social feed as its “secret sauce,” and the primary reason people log back into the app. In a statement, a Venmo spokesperson told Fast Company that Venmo takes privacy seriously and that users have control over whether posts are public or private. They did not comment on why Venmo’s feed is public by default.
“I understand they want to create a social network around financial transactions,” Duc says. “But this is just a security thing as well. They don’t care, so at this point, we as users have to care.”
You can learn how to change your Venmo privacy settings here.