US President Joe Biden – and his wife Dr. Jill Biden – have removed their personal accounts and information held on the mobile payment service Venmo.
The move comes after BuzzFeed reported it found the accounts in 'less than 10 minutes', sparking a discussion about how easy it is to find individuals on the app and access what should be private information.
When was the account discovered?
On 14 May, the New York Times published an article regarding the US president's eye for detail and penchant for consulting experts on the most pressing issues of our time. This article included a passing mention of Biden's Venmo account, noting that he had used the mobile payment service to send money to his grandchildren.
BuzzFeed then searched for the account mentioned using 'only a combination of the app's built-in search tools and public friends feature'. According to the news site, it took less than 10 minutes to uncover the President's personal account. They claim their search led them to other members of the Biden family as well as, more worryingly, senior White House officials and all of their contacts.
BuzzFeed has chosen not to reveal the usernames of these accounts, citing 'national security concerns'. Shortly after the discovery was made, several accounts were removed, including the President's. The site also reported that, during their investigation, they discovered a stranger had been using Venmo to contact members of the Biden family demanding money from the president.
How was this possible?
Venmo makes all transactions public by default. It is possible to make them private, just like President Biden's were – but contact lists always remain public. It is perhaps the only app that forces users to keep their friends lists public with no way to hide them.
The reason for this can be traced back to Venmo's creation. Launched 13 years ago, the now PayPal-owned service piggybacked off the success of the hyper-connected online world created by sites like Facebook.
How dangerous is this website mechanic?
BuzzFeed details several ways in which a friends list – which on the face of it seems pretty innocuous – can be used to extract information about individuals.
The feature has been invoked in everything from the criminal proceedings surrounding the death of rapper Mac Miller to finding out who won a series of the popular dating show The Bachelor.
Venmo has also apparently been used by violent individuals to track down former partners, BuzzFeed says, and therapists have been left shocked that their clients' personal information is accessible when their appointments should be confidential. The inability to make friends lists private has also made impersonation scams possible.
Journalists regularly use Venmo for leads too, the most notable recent example being the ongoing Matt Gaetz scandal. BuzzFeed also says in its report, however, that journalists had officials from the Trump administration on their friend lists, possibly revealing their sources.
Too little, too late
The worryingly public nature of transactions on Venmo has long been the subject of complaints. Just two years ago, The Electronic Frontier Foundation and Mozilla wrote an open letter to Venmo, asking the company 'to clean up its privacy settings, which leaves sensitive financial data exposed to the public.'
BuzzFeed itself also reported on similar issues with Venmo back in 2019. Before then, security researcher Hang Do Thi Duc raised the alarm after monitoring over 200 million public transactions in 2018. That same year, PayPal settled with the FTC over a case that alleged the company had misrepresented the privacy and security features on the app, as well as not providing adequate instructions on how to make transactions more private.
But the organization's problems go back even further than that. Two years before the aforementioned case leveled by the FTC in 2018, Texas's attorney general settled a case with the company regarding a plethora of safety, security, and privacy issues, and another article published by Slate the year prior highlights similar issues.