Venmo did not immediately respond to Wired’s request for comment. “We take our customers’ privacy seriously, which is why we let customers choose the privacy settings on Venmo on their personal payments and friends lists, and we make it very simple for customers to privatize those customers if they choose to do so.”
“From my point of view, as a veteran, everyone has the right to use the applications and services they think they live,” said Tara Lemieux, a 35-year veteran of the U.S. intelligence community, including the National Security Agency, the Department of Homeland Security and support agencies. “That is, when you post anything in a third-party application and don’t understand how to share or utilize that information, you are risking for our country and it’s unacceptable.”
According to Lemieux, while public transactions on Venmo may appear harmless, foreign intelligence services (especially signals intelligence agencies) will look for patterns: who is paying and when. “Say they are paying for their kids – now you have a point of leverage. If someone wants to target you, they can use this information and start to make you feel scared about your kids’ safety.”
“The digital world is already faster than we can keep it in hand,” she added. “If you have all this information – what if you want to put toothpaste back into the tube?”
Mike Yeagley, an expert on business data and its security risks, has spent more than 15 years advising the U.S. Department of Defense on how allies and opponents can use what he calls “digital exhaust”: seemingly mundane details such as social connections, service transactions, and the metadata trails left in everyday apps. “Whatever administration, the highest level of our national security leadership must have some understanding of our data and what we project,” he said.
“What is the risk of using Venmo at the cabinet level to pay for its personal trainer? On the surface, it doesn’t look much,” Yeagley said. “But now I know who that coach is, or the gardener or who, suddenly, I expand my goals by identifying people around the officials.”
“Our opponents are sophisticated and carnivorous in data collection,” Yeagley added, meaning “the smallest daylight is a complex daylight for someone. They will use that data point. They will build from it.”
According to Venmo, its “contact sync” feature allows users to upload their phone contacts to the app so they can find people they know. When these exposed Venmo accounts were set up (before 2020), the app displayed a prompt that allowed users to sync their phone contacts and automatically populate their friend list with anyone in the address book who already used the platform. Venmo said the feature was deprecated more than two years ago. Today, Contact Sync no longer creates connections by default. To add someone as a friend, the user must search for them, send a request and accept it.
However, according to Venmo’s privacy policy, a user’s network is still visible to anyone unless the user proactively changes their privacy settings. This means that even if users set their account to private, their friend list is still visible unless they take additional steps. As of publication, hiding contacts requires navigating to Settings > Privacy > Friends list and choosing Private.
Stephen Lurie contributed to this report.