People who use Venmo to make payments are “vulnerable to stalking, snooping, or hacking,” due to the company's default privacy settings, browser developer Mozilla and the digital rights group Electronic Frontier Foundation said Wednesday.
They are calling for the PayPal-owned payment platform to revise its settings by making transactions private automatically, and by enabling users to keep their friends' identities confidential.
“We are writing to express our deep concern about Venmo’s disregard for the importance of user privacy,” the EFF and Mozilla wrote in a public letter to PayPal CEO Dan Schulman.
Venmo, which allows people to transfer money to each other, displays all peer-to-peer transactions on its social news feed by default.
The digital rights group and Mozilla reference a report by computer science student Dan Salmon, who said in a Wired op-ed this June that he was able to scrape data for millions of Venmo transactions in a six-month period.
“As I pored over the trove, I became concerned that I had been able to amass such a large collection of people’s financial activity so easily, even if it was for mostly innocuous activities like splitting the cost of a pizza,” he wrote.
Salmon added that fraudsters could use that data to craft targeted attacks.
“The amount of specific information available via the app would make for a very convincing phish,” he wrote. “An attacker could easily find a list of the people that their target most frequently interacts with, as well as that person's common spending habits.”
The EFF and Mozilla add in their letter that users don't necessarily realize that Venmo makes transactions public by default.
“It appears your users may assume that, like their other financial transactions, their activity on Venmo is both private and secure,” the letter states. “They might not know that they must change their newsfeed privacy settings.”
The organizations also say Venmo should give users a way to keep their friend lists private.
“The list of people with whom you exchange money paints a startlingly clear picture of the people who live, date, and do business with you,” the EFF and Mozilla write.
Last year, the Federal Trade Commission brought a complaint against PayPal over Venmo, alleging the service misled users about whether their transactions were private.
The FTC alleged that Venmo's privacy settings were confusing. At the time, the company required users who wanted to keep their transactions private to change two separate account settings -- both of which had similar labels, according to the FTC.
PayPal settled those allegations by agreeing to several conditions, including a requirement to make "clear and conspicuous" disclosures about how it shares information.