In an open letter to PayPal leadership published Wednesday, the Electronic Frontier Foundation and the Mozilla Foundation are urging Venmo to fix its privacy practices.
"We are writing to express our deep concern about Venmo’s disregard for the importance of user privacy, and to call on Venmo to make two critical changes to its privacy settings: make transactions private by default, and give users privacy settings for their friend lists," the letter states.
Venmo, which is owned by PayPal, is an app for charging and paying people for things as small as a bar tab and as big as rent checks and beyond. It's also full of security holes. Unless you change the default settings in Venmo, anyone can see everything you do on the transaction platform.
The platform's "public by default" settings have been under scrutiny for years: In 2018, privacy researcher Hang Do Thi Duc was able to use Venmo's publicly accessible API to piece together the private lives and habits of users based on the emoji and messages they sent along with payments or requests.
And earlier this year, another researcher, Dan Salmon, was able to write a simple script to scrape the Venmo API and download the data from as many as 115,000 other people's transactions per day. He eventually gathered seven million public transactions.
"It’s astounding that despite the ubiquity of data breaches, and despite multiple researchers exposing Venmo’s flaws, the app still hasn’t made user transactions private by default," Ashley Boyd, Mozilla's VP of Advocacy, told Motherboard. "You can infer so much about someone from their Venmo feed: Who they’re dating, where they eat, what they pay in rent. That information simply shouldn’t be public without users explicitly deciding to make it so."
In addition to the transactions themselves, Venmo doesn't offer an option to make your friends list private. Everyone who can see your Venmo account can also see your connections.
The EFF and Mozilla are calling for Venmo to make transactions, and friends lists, private by default.
"It appears that your users may assume that, like their other financial transactions, their activity on Venmo is both private and secure," the letter continues. "They might not know that they must change their newsfeed privacy settings—or, in the case of friend lists, that they have no option to do so. As a result, they are vulnerable to stalking, snooping, or hacking with so much of their data available to anyone on the web."