We’re All Inadvertently Sharing Our Personal Data and Crimes on Venmo

As much fun as it is to pay our friends for their mother’s services last night, a new study suggests we should all rein it in for the sake of our digital and financial privacy

Some may prefer a simple peach emoji, while others opt for a chaotic mess of eggplants, martinis and vomiting faces, but many of us have at some point sent a Venmo payment with a tasteless joke attached. Because Venmo requires users to add a message to every transaction, the mobile banking app basically encourages blatant oversharing from those who skipped out on last night’s bill. 

Sadly, though, the joke may be on Venmo users. As covertly hilarious as we may try to be, researchers recently found that millions of people had unintentionally shared personal and sensitive information on the app — including drug and alcohol use, political affiliation, email addresses, phone numbers and occasionally Wi-Fi, bank account and Netflix passwords.

“I was a little shocked by what we found, details about user payments from everything from birthday cupcakes to AA membership,” Jelena Mirkovic, an associate professor at the University of Southern California Viterbi School of Engineering, said in a press release. She suspects that many users don’t know that other people can see these messages, as Venmo makes user settings public by default. “You can be careful, but if you’re not making your notes private, then whatever you do with that group has the potential of revealing your membership,” Mirkovic added. “There are risks to oversharing.”

The forthcoming study, titled “I Know What You Did on Venmo: Discovering Privacy Leaks in Mobile Social Payments,” is the most rigorous analysis of Venmo transactions scientists have ever conducted, at a total of 389 million public messages over an eight-year period starting in 2012. While the full dataset won’t be published until July, preliminary results indicate that nearly 40 percent of users shared sensitive information at least once, and oftentimes inadvertently. 

About 25 percent of all notes reviewed contained only emojis, and scientists categorized an additional 25 percent of notes as “cryptic” — these typically consisted of random numbers, greetings like “hi” or a single word like “the.” Perhaps more surprising, 41 million transactions, or about 10.5 percent of the transactions examined, leaked highly personal information like a health condition

Mirkovic and her team distinguished between sensitive and non-sensitive transactions by using a machine-learning model to classify the information in each message. Then, they divided the sensitive information into 14 separate groups, such as criminal and violent behavior, sexual orientation, health and physical location. For example, by zeroing in on certain keywords and AA-specific phrases, along with a high volume of payments between users, Mirkovic was able to identify several AA groups that were intended to be anonymous. “You can be careful, but if you’re not making your notes private, then whatever you do with that group has the potential of revealing your membership,” she explained.

Some of the Venmo messages tracked were, again, obviously jokes, albeit in poor taste, like, “sexual pleasures,” “Lesbian Activities,” “Bush did 9/11” or “weed and other very bad drugs.” But others seemed like people just didn’t know how to use the app, and sent messages like, “Call me [Phone number],” and “Send it to my PayPal [Email@gmail.com].” Whereas others appeared to be some combination of the two, like “[Name] man, thank you 4 everything. The password to my Bank account is [Password.] take what you want.”

Mirkovic also identified a demand for more privacy among users. Although only 25 percent of Venmo users had private profiles in 2013, that number jumped to 37 percent by 2018, the study notes. Still, after several attempts to reach Venmo to make privacy recommendations, Mirkovic and her colleagues were ultimately unsuccessful. “We tried through multiple channels but couldn’t get anyone,” she said.

It’s worth noting that this isn’t the first time Venmo has been criticized for the lack of privacy built into the platform since the app was founded in 2009 and sold to PayPal in 2012. Notably, the company reached a settlement with the Federal Trade Commission in 2018 after it was accused of misleading consumers “about the extent to which they could control the privacy of their transactions.”

As of now, Venmo continues to default to public settings for unsuspecting users, but Mirkovic isn’t telling anyone to stop using the app. She just thinks they should set it to private. “There’s no real benefit in going public on Venmo,” she reasoned. “Users should make everything private, including their list of friends.”

After all, you can save your terrible jokes for when you see them in person.