Venmo did not immediately respond to Wired’s request for comment. In a statement given to Wired in response to questions about the Waltz and Wiles accounts, spokesman Erin Mackey said:
“From my perspective, as a veteran, everyone has the right to use the applications and services they think are necessary to lead their lives,” says Tara Lemieux, a 35-year veteran of US intelligence agencies, including the National Security Agency, the Department of Homeland Security and the aid agency. “That being said, if you post something to these third-party applications and don’t understand how that information will be shared or misused, you are taking the risk of our country. That’s not acceptable.”
For Lemieux, public transactions on Venmo may seem harmless, but foreign intelligence agencies (particularly Intelligence Agency) are looking for patterns. “I told them they’re paying the kids – now you have a point of leverage. If there’s someone there who’s trying to target you, they can use that information and feel terrifying about your child’s safety,” Lemieux says.
“The speed of the digital world is outweighing its ability to handle it,” she adds. “With all this information, how about putting toothpaste back into the tube?”
Mike Yeagley, an expert on commercial data and its security risks, has spent more than 15 years working with the US Department of Defense on how to leverage what both allies and enemies call “digital exhaust.” “No matter what management, at the highest level of national security leadership, we need to be aware of our data and discoverable projects,” he says.
“What is the risk for someone at the cabinet level to pay for a personal trainer using Venmo? On the surface, it doesn’t look much,” says Yeagley. “But now, I’ve expanded my ability to target by identifying who that trainer is, or who the gardener, or anyone – and then suddenly, I’ve expanded my ability to target by identifying that official people.”
Yeagley adds, “Our enemies are refined and carnivorous in data collection.” So, “A little bit of sunlight is interesting for those with sophisticated people. They use that data point. They build from it.”
According to Venmo, the “Contact Sync” feature allows users to upload phone contacts to the app and find people they know. When these exposed Venmo accounts were set up, all before 2020, the app prompted users to sync their phone contacts and automatically populated their friends lists with anyone in their address book who was already using the platform. Venmo says the feature was discontinued more than two years ago. Today, contact sync no longer creates connections by default. To add someone as a friend, users must search for them and submit a request, which must then be accepted.
Nevertheless, according to Venmo’s privacy policy, a user’s network of friends is visible to everyone unless the user actively changes their privacy settings. This means that even if a user sets their account to private, their friends list will continue to be displayed unless they take additional steps. At the time of publication, to hide your connections, you must go to Settings > Privacy > Friends list and choose Private.
Stephen Lurie contributed to this report.