A researcher has analysed millions of public transactions to prove just how much the app reveals about our life and habits

Anyone can track a Venmo user’s purchase history and glean a detailed profile – including their drug deals, eating habits and arguments – because the payment app lacks default privacy protections.

This was the finding of a Berlin-based researcher, Hang Do Thi Duc, who analysed the more than 200 million public Venmo transactions made in 2017. Her aim was to highlight the privacy risk from using a seemingly innocuous peer-to-peer app.

By accessing the data through a public application programming interface, Do Thi Duc was able to see the names of every user who hadn’t changed their settings to private, along with the dates of every transaction and the message sent with the payment. This allowed her to explore the lives of unsuspecting Venmo users and learn “an alarming amount about them”.

The default state for transactions when a user signs up to the app is “public”, which means they can be seen by anyone on the internet. Users can change this to “private” by navigating to the app’s settings, but it’s not clearly highlighted during sign-up.


Do Thi Duc showcases the level of personal data exposed through Venmo through her project website “Public by Default”, named because when anyone makes a payment through the app, it is public unless that person has locked down their privacy settings. Here she has homed in on five individual users, including a man who sells cannabis in Santa Barbara and a pair of lovers who pass money between each other accompanied by flirting, arguing, apologies and threats.

In the case of the cannabis seller, Do Thi Duc could see 920 incoming payments throughout 2017, accompanied by messages including words like “CBD” (an abbreviation of cannabidiol, one of the active ingredients in cannabis), “delivery”, “order” or emojis depicting trees, which have become a common shorthand for marijuana. She could also see that the dealer appeared to hire a second person, making 19 payments to them throughout the year with references to cannabis sales.

Do Thi Duc was also able to find entire conversations between couples who may not have realised that their comments were also public by default. “Please leave me alone,” said the woman, whom Do Thi Duc refers to as Susana.

“I just love you. I’m sad that you don’t understand,” replies the man.

In a later exchange, he says: “It’s pretty damn clear that you were using me all along. Took me a while to figure that out.” The next morning, he’s repentant. “I’m sorry. I take everything I said back.”

Messages sent between lovers through Venmo. Photograph: Public By Default / Hang Do Thi Duc

Do Thi Duc also examined a user who runs a successful food cart selling mangos, chicharrones, and other snacks near the University of Santa Barbara campus. The vendor made more than 8,000 transactions in 2017, and his most frequent customer, whom Do Thi Duc refers to as Cecile, visited the truck 34 times around the same time each week.
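The kind of inference described above (a recurring payee at the same weekday and hour, which amounts to a published location routine) is easy to reproduce from nothing more than the fields the article says the public feed exposed: names, dates and notes. The following is an added example, not code from Do Thi Duc's project, written as a privacy self-audit a user could run over their own payment history before deciding whether to leave it public. The transaction records are constructed for illustration; the function names and the thresholds (`min_count`, `max_hour_spread`) are assumptions of this example, not anything the research defines.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample records (not real Venmo data). Each tuple mirrors the
# public fields the article describes: payer, payee, timestamp, payment note.
SAMPLE_TRANSACTIONS = [
    ("cecile", "foodcart", "2017-01-10T12:05:00", "mango"),
    ("cecile", "foodcart", "2017-01-17T12:10:00", "chicharrones"),
    ("cecile", "foodcart", "2017-01-24T12:02:00", "mango"),
    ("cecile", "foodcart", "2017-01-31T12:08:00", "lunch"),
    ("cecile", "foodcart", "2017-02-07T12:15:00", "mango"),
    ("cecile", "alex", "2017-01-12T20:30:00", "rent"),
    ("dana", "foodcart", "2017-01-11T13:00:00", "snack"),
    ("dana", "foodcart", "2017-01-20T18:45:00", "snack"),
]


def parse(records):
    """Turn the raw tuples into (payer, payee, datetime, note)."""
    return [(p, q, datetime.fromisoformat(ts), note) for p, q, ts, note in records]


def contact_graph(records):
    """Count payments per (payer, payee) pair: the 'who is in your network' leak."""
    counts = defaultdict(int)
    for payer, payee, _, _ in records:
        counts[(payer, payee)] += 1
    return dict(counts)


def routine_for(records, payer, payee, min_count=4, max_hour_spread=1.0):
    """Detect a weekly routine between one payer and one payee.

    A routine here (an assumption of this example) means at least `min_count`
    payments, all on the same weekday, with times of day spread over no more
    than `max_hour_spread` hours. Returns (weekday, mean_hour) or None.
    """
    times = [t for p, q, t, _ in records if p == payer and q == payee]
    if len(times) < min_count:
        return None
    weekdays = {t.weekday() for t in times}  # Monday == 0
    if len(weekdays) != 1:
        return None
    hours = [t.hour + t.minute / 60 for t in times]
    if max(hours) - min(hours) > max_hour_spread:
        return None
    return (weekdays.pop(), round(mean(hours), 2))


def audit(records):
    """Report every payer/payee pair whose public history exposes a routine."""
    parsed = parse(records)
    findings = {}
    for (payer, payee), n in contact_graph(parsed).items():
        routine = routine_for(parsed, payer, payee)
        if routine is not None:
            findings[(payer, payee)] = {
                "count": n,
                "weekday": routine[0],
                "hour": routine[1],
            }
    return findings


if __name__ == "__main__":
    for pair, info in audit(SAMPLE_TRANSACTIONS).items():
        print(f"{pair[0]} -> {pair[1]}: {info['count']} payments, "
              f"weekday {info['weekday']} around hour {info['hour']}")
```

On the constructed data, only Cecile's Tuesday lunchtime visits to the food cart qualify as a routine; Dana's two irregular visits and the single rent payment do not. The point for a user is that a single payee plus a consistent timestamp is enough to pin down where they are every week, which is exactly the whereabouts exposure the project highlights, and it is why switching both past and future transactions to private removes the leak at its source.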


“While Cecile’s hunger being public knowledge may not seem a big deal to you, many people have reason to keep their whereabouts private. Victims of domestic abuse, for example. I had to wonder if these hungry students understood that they were broadcasting their location with every bite,” wrote Do Thi Duc on her website.

A young female user, nicknamed the YOLO-ist, made 965 transactions for sodas, alcoholic drinks, fast food and sweets in eight months.

Transactions between one junk food fan and her three friends. Photograph: Public By Default / Hang Do Thi Duc

“She’s really enjoying unhealthy drinks and food. I could imagine insurance companies might want to look at her data and make judgements about her health,” Do Thi Duc said.

Although she had access to their full real names, Do Thi Duc has not published them.

“I don’t want to attack or expose any particular person,” she told the Guardian. “It’s just about demonstrating the value of your data.”

“Venmo is an unusual app because it combines social media with financial transactions,” said the Electronic Privacy Information Center’s Christine Bannon. “One of those is usually fairly public and one is usually very private, so it’s hard to gauge consumer expectations of privacy.”

Pizza is the most commonly referenced item in Venmo transactions. Photograph: Public By Default / Hang Do Thi Duc

“A lot of the transactions might seem trivial but they can be very revealing. It shows who is in your network, who you went out to eat with, how much rent you pay,” she added.

Do Thi Duc hopes her project encourages people to change the settings of Venmo transactions to make them private by default. Users can also change all their past transactions to private.


“If you’re not a Venmo user, I hope you can look at this project and wonder about all the other platforms you have used,” she said.

A Venmo spokeswoman said that the “safety and privacy” of its users is “one of our highest priorities”.

“Our users trust us with their money and personal information, and we take this responsibility and applicable privacy laws very seriously. Like on other social networks, Venmo users can choose what they want to share on the Venmo public feed.”