After the New York Times published a story on Friday that mentioned President Biden sending his grandkids money over Venmo, a group of journalists at BuzzFeed News decided to track down his account. They pulled it off in less than 10 minutes, thanks to a privacy hole in the app that has been known for years.
The ease with which reporters were able to track down Biden’s account, as well as his connections on the app, presents a national security threat, notes BuzzFeed, as well as privacy concerns for anyone who uses Venmo to exchange funds with friends.
The app feature that enabled this rapid sleuthing is Venmo’s public friends lists. Users can opt to keep their transactions private, but there is no way to keep their friends in the app from public view. By looking up Biden’s family members, BuzzFeed reporters were able to find the president himself and then map out “a social web that encompasses not only the first family, but a wide network of people around them, including the president’s children, grandchildren, senior White House officials, and all of their contacts on Venmo.”
The national security concern here is twofold. The public nature of Venmo contacts for high-powered officials can expose those officials’ social circles and habits, posing a risk to the safety of all involved contacts. It can also expose these contacts to harassment and spamming by users. BuzzFeed found that at least one stranger had already tried to spam Biden’s extended family with requests in the app. Similarly, when people tracked down the Venmo accounts of Trump adviser Kellyanne Conway and then-White House Press Secretary Sean Spicer in 2017, both were flooded with bogus payments and payment requests in the Venmo app.
After BuzzFeed contacted the White House for comment, all of these friends attached to Biden’s account disappeared. Venmo told BuzzFeed, “The safety and privacy of all Venmo users and their information is always a top priority, and we take this responsibility very seriously.”
This episode highlights a years-long campaign by media and internet privacy experts asking PayPal, which owns Venmo, to let users make their contacts in the app private. They’ve also pushed Venmo to make transactions in the app private by default; currently, those transactions are public unless users change their settings.
These settings have been shown time and again to pose a privacy risk. In 2018, one researcher was able to use publicly accessible information on Venmo to uncover the intimate details of users’ lives, from the mundane—like grocery trips or vet appointments—to the salacious, like flirting, breakups, and drug deals. The next year, another researcher did something similar, scraping transaction data for 115,000 users per day. Just last month, the Daily Beast was able to uncover payments by Rep. Matt Gaetz (R-Fla.) to an accused sex trafficker, thanks to the public transactions in his Venmo account. Similarly, federal prosecutors recently used public Venmo information to track down and charge an alleged murderer.
The public friends lists, too, have exposed a number of secrets. One fan was able to use them to figure out who won a 2020 season of The Bachelor. BuzzFeed used public contacts on Venmo to track down reporters who were friends with Trump administration officials and congressmen who were roommates. Recently, several state bar associations have started issuing guidance for attorneys about using Venmo to accept payment from clients, assessing how the public nature of the app might mix with the confidentiality requirements to which lawyers are beholden.
Former Venmo employees told BuzzFeed that the public friends lists and transaction logs were integral to Venmo’s early design, which sought to replicate the success of social networks in order to attract more users and cultivate trust among them.
This episode exposing the accounts of the president, his wife, and their family and closest associates is now the latest to highlight the privacy pitfalls of this social, public-by-default design.