Venmo and Privacy

This story from BuzzFeed News, published last Friday, describes how a team of journalists was able to identify President Joe Biden as a user on Venmo in about 10 minutes of research, after he had very briefly mentioned using it to send money to his grandchildren. The journalists were then able to map out a network of his contacts using this information.

After BuzzFeed contacted the White House, the relevant accounts were removed or had their privacy settings updated. However, we thought the story was worth sharing because it illustrates a number of interesting ideas about our use of applications and social media, and how our own information-sharing, even with the best of intentions, can have unintended effects.

One of these ideas is the long-established understanding that there is a balance between security, functionality and ease of use: the easier it is to do something, the less secure it will be, and the more functionality something has, the less security it is generally likely to have. In this case Venmo makes it easy to make payments to people we know, but by default makes our transactions and contact lists partially public.

A second is the importance of making sure that when we use apps we understand the privacy implications, ideally looking deeply into the settings to see which features are turned on and off, and understanding where the data we are sharing is going. This isn’t exactly new either, and has regularly been a matter of public discourse and debate in relation to apps like Facebook, whose business models are based on people being willing to share information.

Another, which is a bit less straightforward, is the implications from the point of view of an adversary or someone who is trying to collect data on you, and understanding how certain types of information can be used. An easy example: many people use derivative versions of their pets’ names for passwords (up to 33% in the United States in one survey, and around 15% in the UK according to the National Cyber Security Centre), so for someone trying to access an account, an unrestricted social media post featuring a pet could offer a variety of suggestions about what a password could be.

That’s quite an obvious one, but as with President Biden’s Venmo issue, some of the ways that this could work are much more subtle, and even beyond the first-level user it is interesting to think about the second or third degrees of association too. You might have good data privacy and choose not to use social media, but your own family or friends might be talking about you or posting your pictures in an unrestricted way, perhaps even without your knowledge.

These types of open source data points or pieces of information are the kind of thing that hackers (ethical and criminal) use to find ways to unlock security systems online and in the physical world. They are also used by law enforcement investigators who are trying to learn about people who deliberately do not have an online presence: they will burrow into and map a person’s networks and patterns of life by finding an associate who does not have good privacy and seeing where that leads. Often this source may be a more socially carefree spouse or partner.

Finally, from the venture point of view, just as there are businesses seeking to extract and use or mine consumer data, there are also businesses deliberately choosing to make privacy a selling point for their services. In this area there will be growing opportunities, both for those with the skills and understanding of the issue to create those businesses and for investors.