Jun 08, 2016

What’s App-Ening To Your Financial Data?


Recently, a friend asked me to pay him back for movie tickets via Venmo.  For those of you born before 1985, Venmo is a mobile app owned by PayPal which allows users to “[p]ay anyone with a Venmo account instantly using money you have in Venmo, or link your bank account or debit card quickly.”  Simply put, instead of “divvying up the check,” people can now transfer funds back and forth electronically through Venmo, using Venmo “wallets” or a direct link to their bank.  Suffice it to say, I refused.  While we joked about my age, “youngsters and their ‘future money’” and “financial black magic,” my refusal was not based on age, fear, or lack of understanding.  Instead, it was based on an informed and objective analysis of how mobile apps and security interact.

Well, it appears my fears were well founded.  In its first-quarter 2016 quarterly report filed with the SEC, PayPal disclosed that it had received a Civil Investigative Demand from the Federal Trade Commission (“FTC”) as part of an investigation into whether Venmo engages in unfair or deceptive acts or practices.[i]  PayPal does not elaborate on the nature of the investigation, but the Texas matter discussed below suggests that it concerns Venmo’s privacy and disclosure practices.

In March 2016, the parties filed an “Assurance of Voluntary Compliance” (the “Assurance”) in In the Matter of State of Texas and PayPal, Inc. (the “PayPal Litigation”).  The PayPal Litigation grew out of an investigation of PayPal by the Texas Attorney General for potential violations of Texas’ deceptive trade practices and consumer protection law.  The Assurance lays out a litany of privacy violations concerning Venmo, most notably:

  1. Auto-friending, which permits Venmo to access and assimilate a user’s contact list in order to add those contacts to the user’s Venmo Friends list, all without a deliberate action by the user or adequate choice. It appears that Venmo was also accessing users’ contacts lists without any real privacy notice.  See Assurance, ¶6(A)(i).
  2. Potential misrepresentations about the level of security provided by Venmo. See Assurance, ¶6(B).
  3. Venmo’s default “audience setting” is set to public – which publishes a “timeline” of your Venmo financial transactions. This setting can be changed to private, but according to the Assurance, it seems that this is not commonly known and Venmo doesn’t exactly make it easy to accomplish.[ii]  See Assurance ¶6(C) (“At the time of … any transaction, [Venmo] shall clearly and conspicuously disclose the audience setting for the transaction in close proximity beneath, beside, or adjacent to any field … or call to action.”).

Venmo’s feed is a crawling “ticker” of your financial transactions.  Think of a Twitter feed, but the updates are your Venmo payments.

Based on the PayPal Litigation and the Assurance, it seems a pretty safe bet that the FTC investigation of PayPal/Venmo lands squarely in the wheelhouse of Section 5 of the FTC Act.

The three violations asserted in the PayPal Litigation are serious, especially considering the apparent lack of notice provided to Venmo users about the app’s information sharing practices.  However, I have a couple of other concerns about Venmo that were not addressed by the Assurance: one practical and one policy.

First, the practical.  Signing in with Google or Facebook accounts has become very popular.  After all, it’s easy, right?  Venmo advertises this feature on its website.  See https://venmo.com/.  But have you ever stopped to consider HOW Venmo is able to create an account for you and log you in using your Facebook account?  Or is it just yet another mystical Internet transaction that doesn’t concern you?

In order for Venmo to log you in using Facebook, the two services run a delegated-authorization protocol called OAuth (Facebook Login is built on OAuth 2.0).  OAuth is, by all accounts, a pretty decent way to do this.  After you approve the request on Facebook’s side, Facebook issues Venmo a “token” that allows the app to read the parts of your Facebook account you agreed to share, and nothing more.[iii]  However, some services don’t exactly tell you what permissions you are giving away, or instead bury them in hard-to-find-and-harder-to-understand privacy notices.

For example, the first time anybody sees Venmo’s privacy notice is after they’ve chosen to start the Facebook login process.  Further, notice the tiny “privacy policy” link in the bottom left-hand corner of that screen.  Like most privacy notices, it is not clear and conspicuous.  However, anyone who bothers to read the privacy notice will discover that Venmo collects the following information from its users:

  • Account Information – text-enabled cellular/wireless telephone number, machine or mobile device ID and other similar information.
  • Identification Information – your name, street address, email address, date of birth, and SSN.
  • Device Information.
  • Social Media Information.
  • Financial Information – bank account and routing numbers and credit cards linked to your Venmo account.

Finally, Venmo makes the incredible caveat that it “may collect additional information from or about you in other ways not specifically described here.”  That stipulation conveniently seems to counteract the entire purpose of a privacy notice.  But, that is another topic for another day.

Back to the issue at hand.  It seems insane to sign into Venmo using Facebook.  The whole point of Venmo is that it is a financial app with a direct link to your bank account or credit card information.  Venmo makes it very clear that it “does not share financial information with third party social networking services,” and the OAuth token runs in one direction only (it lets Venmo read Facebook data, not the reverse).  But that is not the risk.  With federated login, your Venmo account is only as secure as your Facebook account: anyone who can sign in as you at Facebook, whether with a phished password or a hijacked session, can complete Venmo’s “Log in with Facebook” flow and be handed your Venmo account, and with it the bank and card details linked to it.

What’s more, Facebook had a significant security incident in 2013 in which a bug exposed the email addresses and phone numbers of roughly six million users.  Facebook is one of the largest social media platforms and a high-profile target for hackers.  With all due respect, this layman will presume that logging into Venmo with my Facebook account potentially exposes my financial information.
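To make the token mechanics above concrete, here is an added example in Python; it is not code from Venmo, PayPal, Facebook, or this post’s author.  The identity provider `SocialIdP`, the relying party `PayApp`, the client id and secret, the redirect URL, and the user data are all hypothetical stand-ins.  It walks a “Log in with Facebook”-style OAuth 2.0 authorization-code flow and shows three things the text argues: the token unlocks only the scopes the user consented to; the relying party rejects a login callback whose `state` it never issued and refuses a code that has already been spent; and whoever can authenticate at the identity provider is handed the linked relying-party account, bank details and all, which is the practical meaning of “your Venmo account is only as secure as your Facebook account.”

```python
import secrets


class SocialIdP:
    """Hypothetical identity provider standing in for Facebook (not real code)."""

    def __init__(self):
        self.users = {}    # user_id -> {"password": str, "profile": {scope: data}}
        self.clients = {}  # client_id -> {"secret": str, "redirect_uri": str}
        self.codes = {}    # one-time authorization codes -> grant details
        self.tokens = {}   # access token -> {"user": user_id, "scopes": set}

    def add_user(self, user_id, password, **profile_by_scope):
        self.users[user_id] = {"password": password, "profile": profile_by_scope}

    def register_client(self, client_id, secret, redirect_uri):
        self.clients[client_id] = {"secret": secret, "redirect_uri": redirect_uri}

    def authorize(self, client_id, redirect_uri, scopes, state, user_id, password):
        """Front channel: the user signs in HERE and consents to `scopes` for the
        client. Returns the (code, state) pair carried on the redirect back."""
        client = self.clients[client_id]
        if client["redirect_uri"] != redirect_uri:
            raise ValueError("redirect_uri is not the one registered for this client")
        user = self.users.get(user_id)
        if user is None or user["password"] != password:
            raise PermissionError("wrong IdP credentials")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"user": user_id, "client": client_id,
                            "scopes": set(scopes), "redirect_uri": redirect_uri}
        return code, state

    def exchange_code(self, code, client_id, secret, redirect_uri):
        """Back channel: the client trades the code plus its own secret for a token."""
        grant = self.codes.pop(code, None)      # codes are single-use
        client = self.clients.get(client_id)
        if (grant is None or client is None or grant["client"] != client_id
                or client["secret"] != secret or grant["redirect_uri"] != redirect_uri):
            raise PermissionError("code exchange rejected")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"user": grant["user"], "scopes": grant["scopes"]}
        return token

    def api(self, token, scope):
        """Resource request: data is released only for scopes the user granted."""
        t = self.tokens.get(token)
        if t is None or scope not in t["scopes"]:
            raise PermissionError(f"scope {scope!r} not granted for this token")
        return self.users[t["user"]]["profile"][scope]


class PayApp:
    """Hypothetical relying party standing in for Venmo (not real code)."""
    CLIENT_ID, SECRET, REDIRECT = "payapp", "payapp-client-secret", "https://payapp.example/cb"

    def __init__(self, idp):
        self.idp = idp
        idp.register_client(self.CLIENT_ID, self.SECRET, self.REDIRECT)
        self.pending_states = set()   # anti-CSRF nonces for in-flight logins
        self.accounts = {}            # IdP user id -> {"email": ..., "bank": ...}

    def start_login(self):
        """Builds the parameters the app would put on the IdP's authorize URL."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return {"client_id": self.CLIENT_ID, "redirect_uri": self.REDIRECT,
                "scope": ["public_profile", "email"], "state": state}

    def finish_login(self, code, state):
        """Handles the redirect back from the IdP and opens/links the local account."""
        if state not in self.pending_states:
            raise ValueError("unknown state: possible login CSRF")
        self.pending_states.discard(state)
        token = self.idp.exchange_code(code, self.CLIENT_ID, self.SECRET, self.REDIRECT)
        idp_id = self.idp.api(token, "public_profile")["id"]
        # Account linking: whoever the IdP vouches for IS this PayApp account.
        account = self.accounts.setdefault(idp_id, {"email": None, "bank": None})
        account["email"] = self.idp.api(token, "email")["email"]
        return token, account


def run_scenario():
    """Run the flow as Alice, then again as anyone holding Alice's IdP password,
    and report what each step exposed. All names and values are constructed."""
    idp = SocialIdP()
    idp.add_user("alice", "correct horse battery",
                 public_profile={"id": "u100", "name": "Alice"},
                 email={"email": "alice@example.net"},
                 user_friends={"ids": ["u200", "u300"]})
    app = PayApp(idp)

    def login_as(user, password):
        req = app.start_login()
        code, state = idp.authorize(req["client_id"], req["redirect_uri"],
                                    req["scope"], req["state"], user, password)
        return code, app.finish_login(code, state)

    # 1. Alice logs in legitimately and links a bank account (constructed value).
    code, (token, account) = login_as("alice", "correct horse battery")
    account["bank"] = "routing 000000000 / account 1234"

    # 2. The token unlocks consented scopes only: email yes, friends list no.
    email_ok = idp.api(token, "email")["email"] == "alice@example.net"
    try:
        idp.api(token, "user_friends")
        friends_ok = True
    except PermissionError:
        friends_ok = False

    # 3. A callback whose state PayApp never issued is dropped before any exchange,
    #    and the already-spent code cannot be exchanged a second time.
    try:
        app.finish_login(code, "forged-state")
        csrf_rejected = False
    except ValueError:
        csrf_rejected = True
    try:
        idp.exchange_code(code, PayApp.CLIENT_ID, PayApp.SECRET, PayApp.REDIRECT)
        code_reusable = True
    except PermissionError:
        code_reusable = False

    # 4. Anyone who can authenticate as Alice at the IdP (phished password, hijacked
    #    session) gets her PayApp account, bank link included; PayApp cannot tell.
    _, (_, seen_via_idp_login) = login_as("alice", "correct horse battery")

    return {"email_via_token": email_ok, "friends_via_token": friends_ok,
            "csrf_rejected": csrf_rejected, "code_reusable": code_reusable,
            "bank_seen": seen_via_idp_login["bank"]}
```

Note the asymmetry the scenario makes visible: the token issued to `PayApp` gives it read access to the IdP’s data within the granted scopes, while the IdP never holds any credential for `PayApp`’s records.  Step 4 is the real exposure: the relying party has delegated the question “is this really Alice?” entirely to the identity provider, so a compromise of her IdP credentials is a compromise of the financial account behind them.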

Now the policy concern.  Venmo illustrates one of the barriers to comprehensive federal cybersecurity legislation: the allocation of risk.  This struggle has occurred across sectors, but it is especially evident between retail and banking/financial institutions.  And, I believe, with good reason.

An app like Venmo needlessly puts users’ financial information at risk, and banks will ultimately be the ones left holding the proverbial bag should Venmo get hacked and that financial information be used to infiltrate the banks’ networks.  If a bank is compromised through information obtained in a Venmo hack (think Target and Fazio, as I previously wrote about here: https://informationsecurity.attorney/2016/03/20/information-security-and-privacy-round-up-memphis-neurology-fazio-mechanical/#more-133), then the bank, through no real fault of its own, will be subject to regulatory action and perhaps even civil liability.

Quite legitimately, we are talking about the potential exposure of: (1) Venmo users; (2) their banks; (3) their credit card companies; and (4) all of the OTHER customers of the banks and credit card companies. We are also talking about legal consequences for the banks and credit card companies for the disclosure. From a legal and policy perspective, it is problematic that the fate of a regulated entity may be so significantly intertwined with and affected by the security of an unregulated entity.

It’s no wonder that the banking and financial industry is supporting federal data security and breach notification standards.  Banks are subject to heightened standards and are exposed when an unregulated entity fails to take security seriously.  In fact, according to an industry spokesperson: “Financial institutions have had this obligation for 15 years, and it’s long overdue for Congress to pass legislation ensuring that everyone has a similar mandate to keep customer data safe.”[iv]  Translation: banks are mad as hell.

The moral of the story is that, until everyone is regulated, consumers have to be careful.  While the FTC does have jurisdiction over interstate commerce, it is limited to investigating unfair and deceptive trade practices.  A strong information security regulatory framework with a private right of action would go a long way toward ensuring that all entities collecting personal information have sufficient security.

Call me old and out of touch.  Call me a curmudgeon.  Mock my puritanical sensibilities.  I don’t care.  There is no chance that I will ever divvy up the bar bill using Venmo.

[i] PayPal, quarterly report for the first quarter of 2016 (SEC filing): “On March 28, 2016, we received a Civil Investigative Demand (“CID”) from the Federal Trade Commission (“FTC”) as part of its investigation to determine whether we, through our Venmo service, have been or are engaged in deceptive or unfair practices in violation of the Federal Trade Commission Act.”
[ii] Jeff John Roberts, “Venmo Likely Investigated Over User Privacy Violations,” Fortune, May 24, 2016, available at Fortune.com.
[iii] “Understanding OAuth: What Happens When You Log Into a Site with Google, Twitter, or Facebook,” Lifehacker, http://lifehacker.com/5918086/understanding-oauth-what-happens-when-you-log-into-a-site-with-google-twitter-or-facebook
[iv] “Financial industry spars with retailers over data breach bill,” The Hill, http://thehill.com/policy/cybersecurity/280905-financial-industry-spars-with-retailers-over-data-breach-bill

Categories: Consumer Privacy/Security, Cybersecurity, Data Breach, Data Security, Financial Privacy, Information Security, Online Privacy, Privacy


