Venmo, the mobile payments app owned by PayPal, is working on changes to its privacy settings, following a BuzzFeed News story that uncovered President Joe Biden’s account earlier this month.
The move would allow people to make their friend lists private or restrict who can see them, adding a privacy feature to an app that digital rights groups and critics have called a security nightmare for years. Two weeks ago, BuzzFeed News used public friend lists, which currently cannot be made private, to find the president, the first lady, and members of their immediate family, showing how the payments app can put people at risk.
A spokesperson for Venmo confirmed that the hide friends feature will roll out in the future and told BuzzFeed News, “We are enhancing our in-app controls providing customers an option to select a public, friends-only, or private setting for their friends list.”
On Friday, Jane Manchun Wong, a software engineer who regularly exposes features being tested by companies like Facebook and Twitter before they are released, found that Venmo was building a way to allow people to make friend lists private and tweeted a screenshot. When she experimented with the feature, she said she could toggle options to make her friends list visible to the public, to her friends on the app, or only to her. There was also an option that apparently allowed her account to not appear in other people’s friend lists.
After several tests, a BuzzFeed News reporter could still see Wong’s friend list on Venmo after she had supposedly made her friend list visible only to herself, suggesting that the feature has not been completed.
“I’m glad Venmo is working quickly to fix this privacy flaw,” Wong told BuzzFeed News. “Having my Venmo friend list being visible to everyone, I found it odd that they didn’t provide an option for people to make it private.”
For years, digital rights groups like the Electronic Frontier Foundation, security researchers, and journalists have warned Venmo’s public friend lists were a threat to privacy. Founded in 2009 on the idea that payments could be another form of social content, Venmo allowed people to pay each other and post about those payments to its public feed and other social media platforms.
While many people have criticized the company for making transactions on the app public by default, Venmo’s public friend lists are a separate privacy issue. Even if a person were to set their Venmo account to make payments private, their friend list remains exposed, providing a window into someone’s personal life that trolls, stalkers, police, and scammers could exploit.
No other major social network has contact-based friend lists that cannot be made private. Because people use Venmo to get paid, they often use a variation of their real name and real photos of themselves. The app encourages people to import their phone contact list or Facebook friend lists, creating networks where people can friend hundreds of other people on Venmo to allow them to pay others more easily.
To remove someone as a friend, a user has to unfriend the person manually.
“It’s past time for Venmo to take this step, and it’s definitely a step in the right direction,” Gennie Gebhart, the acting activism director at the Electronic Frontier Foundation, told BuzzFeed News. “What we’d really like to see Venmo do next is make privacy the default for friend lists and transactions, not just a settings option.”
Another privacy issue with Venmo is how it handles people’s photos. BuzzFeed News reported that Venmo stores all old profile photos on its servers, with no way for people to remove them. These old photos are also easily discoverable by lightly editing the image URL on the web version.
In 2018, PayPal settled charges from the FTC over its privacy settings, and made it easier for people to find the privacy settings for transactions. However, even after the FTC suit, the default for new users was to have all transactions public.
Even if the new feature were to be launched, it’s unclear whether friend lists will still be public by default.
“We applaud Venmo for taking a step in the right direction,” Kaili Lambe, a senior campaigner with Mozilla, told BuzzFeed News. “However, consumers shouldn’t have to dig around in product settings to find basic privacy protections. Consumers expect privacy to be the default and so do we.”