I know what you did on Venmo

In the biggest quantitative study of its kind, a team of researchers — including Jelena Mirkovic, research associate professor at the USC Viterbi School of Engineering and a project leader at the USC Information Sciences Institute; USC Ph.D. students Rajat Tandon and Pithayuth Charnsethikul; Dhiraj Murthy, director of the Computational Media Lab at the University of Texas at Austin; and Ishank Arora, a master’s degree student in computer science also at the University of Texas — detailed how millions of Venmo users reveal extremely personal information about themselves including drug and alcohol use, political leanings, email addresses, phone numbers, and even Wi-Fi, bank account and Netflix passwords.

In the most comprehensive analysis to date of Venmo transactions (which require messages along with payments and which Venmo by default, makes public), the researchers examined 389 million public messages over an eight-year period from 2012 to 2020. Nearly 40% of the users in a data set had publicly shared sensitive information on the financial app at least once, in many cases inadvertently. They found that 41 million transaction notes, or 10.5% of the electronic missives, leaked “some sensitive information such as [a] health condition, political orientation and drug and alcohol consumption,” according to the study.  

In their paper, “I Know What You Did on Venmo: Discovering Privacy Leaks in Mobile Social Payments,” to be published in the Privacy Enhancing Technologies Symposium, the researchers, using a powerful machine learning model, classified information contained in transaction notes as sensitive or non-sensitive. They further refined the data by grouping sensitive information into 14 categories, including criminal and violent behavior, sexual orientation, health and physical location.

Some of the Venmo messages exchanged between users included “Sexual pleasures”; “for aids treatment. Get well soon”; “Lesbian Activities”; “Bush did 9/11”; “weed and other very bad drugs”; “[Name] man, thank you 4 everything. The password to my Bank account is [Password.] take what you want”; “Call me [Phone number]”; and “Send it to my PayPal [Email@gmail.com].”

Tandon and colleagues sought to quantify privacy risks of groups, like Alcoholics Anonymous, gambling groups and biker gangs, that collect membership dues on Venmo and may thus expose membership information through public notes of their members.

Leveraging a machine learning classifier to recognize and sort certain keywords, such as AA-specific phases (e.g., 7th tradition), along with a high number of payments received from many users, Mirkovic and Tandon identified several specific AA groups. Based on public notes to these groups, the researchers mapped out membership connections.

“The notes of other users and sometimes the group’s display name on Venmo expose the sensitive nature of everyone’s membership,” Tandon said.

“I was a little shocked by what we found, details about user payments from everything from birthday cupcakes to AA membership,” Mirkovic said. “I was thinking, I bet these people don’t know that anyone can see these messages.”

In other words, what happens on Venmo doesn’t necessarily stay on Venmo.

“You can be careful, but if you’re not making your notes private, then whatever you do with that group has the potential of revealing your membership,” Mirkovic said.

“There are risks to oversharing,” Mirkovic added.

“If you share something that’s sensitive, like ‘Here’s money for drugs or drinks’ or ‘It was a great party in Vegas,’ that can have implications later on. For instance, it could affect your job prospects,” added Mirkovic. Taken even further, victims of domestic abuse might have their whereabouts and activities unmasked whenever they exchange payments and messages with friends.

The team found that an increasing number of Venmo users have opted to make their settings private. In 2013, 25% of users had nonpublic profiles. Five years later, that number had jumped to 37%, according to the study.

Other times, Venmo users, unable or unwilling to change their app settings to private, went to great lengths to obscure their activities. Around 25% of all notes reviewed contained only emojis. The researchers classified another 25% of notes as “cryptic,” meaning that they contained only random numbers, greetings such as “hi” and “hey,” or a single word like “too” or “the.” These patterns illustrate that users care about their privacy, but are not sure how to fully reclaim it.

“There’s no real benefit in going public on Venmo,” she said. “Users should make everything private, including their list of friends.”