Recently, a friend asked me to pay him back for movie tickets via Venmo. For those of you born before 1985, Venmo is a mobile app owned by PayPal which allows users to “[p]ay anyone with a Venmo account instantly using money you have in Venmo, or link your bank account or debit card quickly.” Simply put, instead of “divvying up the check”, people can now electronically transfer funds back and forth through Venmo, using Venmo “wallets” or a direct link to their bank. Suffice it to say, I refused. While we joked about my age, “youngsters and their ‘future money’” and “financial black magic”, my refusal was not based on age, fear, or lack of understanding. Instead, it was based on an informed and objective analysis of how mobile apps and security interact.
Well, it appears my fears were well founded. According to PayPal’s 2016 first quarterly report to the SEC, PayPal admitted that it was under investigation by the Federal Trade Commission (“FTC”) for unfair or deceptive acts and practices related to Venmo.[i] While PayPal does not elaborate on the nature of the investigation, it seems likely that the FTC’s investigation is focused on a host of privacy violations.
In March 2016, the parties filed an “Assurance of Voluntary Compliance” (the “Assurance”) in In the Matter of State of Texas and Paypal, Inc. (the “Paypal Litigation”). The Paypal Litigation derived from an investigation of Paypal by the Texas Attorney General for potential violations of Texas’ deceptive trade practices and consumer protection law. The Assurance lays out a litany of privacy violations concerning Venmo, most notably:
- Auto-friending, which permits Venmo to access and assimilate a user’s contact list in order to add those contacts to the user’s Venmo Friends list, all without a deliberate action by the user or adequate choice. It appears that Venmo was also accessing users’ contacts lists without any real privacy notice. See Assurance, ¶6(A)(i).
- Potential misrepresentations about the level of security provided by Venmo. See Assurance, ¶6(B).
- Venmo’s default “audience setting” is set to public – which publishes a “timeline” of your Venmo financial transactions. This setting can be changed to private, but according to the Assurance, it seems that this is not commonly known and Venmo doesn’t exactly make it easy to accomplish.[ii] See Assurance ¶6(C) (“At the time of … any transaction, [Venmo] shall clearly and conspicuously disclose the audience setting for the transaction in close proximity beneath, beside, or adjacent to any field … or call to action.”).
If you look closely at the screenshot above, you will see how Venmo creates a scrolling “ticker” of your financial transactions. Think of a Twitter feed, but the updates are your financial transactions using Venmo.
Based on the PayPal Litigation and the Assurance, it seems to be a pretty safe bet that the FTC investigation of PayPal/Venmo settles smack dab in the wheelhouse of Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in commerce.
The three violations asserted in the PayPal Litigation are serious, especially considering the apparent lack of notice provided to Venmo users about the app’s information sharing practices. However, I have a couple of other concerns about Venmo that were not addressed by the Assurance: one practical and one policy.
First, the practical. Signing in with Google or Facebook accounts has become very popular. After all, it’s easy, right? Venmo advertises this feature on its website. See https://venmo.com/. But have you ever stopped to consider HOW Venmo is able to create an account for you and log in by using your Facebook account? Or, is it just yet another mystical Internet transaction that doesn’t concern you?
In order for Venmo to log you in using Facebook, an authorization handshake has to happen between the two services, and the protocol used for it is called “OAuth” (Facebook Login is built on OAuth 2.0). Now, OAuth is, by all accounts, a pretty decent way to do this. Strictly speaking, it is an authorization protocol rather than a login protocol: when you tap “Log in with Facebook”, Venmo sends you to Facebook, Facebook shows you a consent screen listing the permissions (in OAuth terms, “scopes”) that Venmo is asking for, and once you approve, Facebook hands Venmo a “token” that lets it call Facebook’s API on your behalf and do only the things you have allowed it to do.[iii] Venmo then treats Facebook’s answer about who you are as your login. That consent screen is the one place you actually see what you are giving away, and some services don’t exactly tell you what permissions you are handing over, or instead bury them in hard-to-find-and-harder-to-understand privacy notices. The categories of information Venmo says it collects include:
- Account Information – text-enabled cellular/wireless telephone number, machine or mobile device ID and other similar information.
- Identification Information – your name, street address, email address, date of birth, and SSN.
- Device Information.
- Social Media Information.
- Financial Information – bank account and routing numbers and credit cards linked to your Venmo account.
Finally, Venmo makes the incredible caveat that it “may collect additional information from or about you in other ways not specifically described here.” That stipulation conveniently seems to counteract the entire purpose of a privacy notice. But, that is another topic for another day.
Back to the issue at hand. It seems insane to sign into Venmo using Facebook. The whole point of Venmo is that it is a financial app with a direct link to your bank account or credit card information. Venmo makes it very clear that it “does not share financial information with third party social networking services”, but that statement is about data flowing out of Venmo, not about who can get in. With federated login, Venmo never checks a password of its own; it accepts Facebook’s word for who you are. So anyone who controls your Facebook account, whether through a phished password, a stolen session, or a breach on Facebook’s side, can sign into Venmo as you, and there is no reason to disbelieve that a hacker infiltrating Facebook could “back-door” into Venmo, and thus, users’ financial information.
What’s more, in 2013 Facebook disclosed a bug that exposed the contact information (email addresses and phone numbers) of about six million users. Facebook is one of the largest social media platforms and is a high profile target for hackers. With all due respect, this layman will presume that logging into Venmo with my Facebook account will potentially expose my financial information.
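To make the OAuth exchange described above concrete, and to show exactly why a compromised Facebook account becomes a compromised Venmo login, here is an added toy implementation of the OAuth 2.0 authorization-code flow in Python. It is illustrative code written for this post, not Venmo’s or Facebook’s; the scope names are modelled on Facebook Login’s public scope names, while the client id, client secret, redirect URL, user record and scope-to-field mapping are all invented for the demo.

```python
"""Toy OAuth 2.0 authorization-code flow with scoped tokens and federated login.
Added illustration for this post, not Venmo or Facebook code; every identifier,
credential, URL and user record below is invented."""
import hmac
import secrets
import time

# Which profile fields a scope unlocks.  Scope names follow Facebook Login's
# public names; the mapping itself is an assumption for the demo.
SCOPE_FIELDS = {
    "public_profile": {"id", "name"},
    "email": {"email"},
    "user_friends": {"friends"},
}
CODE_LIFETIME_SECONDS = 60  # real servers allow up to ~10 minutes (RFC 6749 s4.1.2)

# Constructed identity-provider records (the "Facebook side").
USERS = {
    "fb-1001": {"id": "fb-1001", "name": "Alice Example",
                "email": "alice@example.com", "friends": ["fb-1002", "fb-1003"]},
}


class IdentityProvider:
    """Authorization server plus resource server: the Facebook side."""

    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # one-time authorization codes
        self.tokens = {}   # access_token -> grant (user_id + granted scopes)

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, requested, user_id, consented):
        """The consent screen: the user sees `requested` and approves a subset.
        The code is bound to exactly the approved scopes, nothing more."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:  # exact match, never a prefix match
            raise ValueError("redirect_uri does not match the registered one")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "user_id": user_id,
                            "scopes": set(requested) & set(consented),
                            "expires": time.time() + CODE_LIFETIME_SECONDS}
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back-channel exchange of the one-time code for an access token."""
        secret, registered_uri = self.clients[client_id]
        if not hmac.compare_digest(secret, client_secret):
            raise PermissionError("bad client credentials")
        grant = self.codes.pop(code, None)  # pop(): a code can be redeemed once
        if grant is None or grant["expires"] < time.time():
            raise PermissionError("invalid, reused or expired code")
        if grant["client_id"] != client_id or redirect_uri != registered_uri:
            raise PermissionError("code was issued to a different client")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = grant
        return access_token, sorted(grant["scopes"])

    def read(self, access_token, field):
        """Resource endpoint: serve a field only if the token's scopes cover it."""
        grant = self.tokens.get(access_token)
        if grant is None:
            raise PermissionError("unknown token")
        allowed = set().union(*(SCOPE_FIELDS[s] for s in grant["scopes"]))
        if field not in allowed:
            raise PermissionError(f"token lacks a scope covering {field!r}")
        return USERS[grant["user_id"]][field]


class RelyingParty:
    """The app offering 'Log in with Facebook': the Venmo side."""

    def __init__(self, idp, client_id, client_secret, redirect_uri, requested):
        self.idp, self.client_id, self.client_secret = idp, client_id, client_secret
        self.redirect_uri, self.requested = redirect_uri, requested
        self.accounts = {}  # IdP user id -> local account name

    def link_account(self, idp_user_id, local_account):
        self.accounts[idp_user_id] = local_account

    def login(self, user_id, consented):
        code = self.idp.authorize(self.client_id, self.redirect_uri,
                                  self.requested, user_id, consented)
        token, granted = self.idp.token(self.client_id, self.client_secret,
                                        code, self.redirect_uri)
        # Federated login: no password is checked here.  The app trusts the
        # IdP's statement of who the user is, so whoever controls the IdP
        # account (or the IdP itself) controls this login too.
        idp_id = self.idp.read(token, "id")
        return token, granted, self.accounts[idp_id]


def readable_fields(idp, token):
    """What the app can actually pull with a token: only consented scopes' fields."""
    out = {}
    for field in ("id", "name", "email", "friends"):
        try:
            out[field] = idp.read(token, field)
        except PermissionError:
            pass
    return out


def build_demo():
    """Wire up a provider and an app using invented credentials."""
    idp = IdentityProvider()
    idp.register_client("venmo-demo", "demo-client-secret", "https://app.example/cb")
    app = RelyingParty(idp, "venmo-demo", "demo-client-secret", "https://app.example/cb",
                       ["public_profile", "email", "user_friends"])
    app.link_account("fb-1001", "alice_at_venmo")
    return idp, app
```

Running `build_demo()` and then `app.login("fb-1001", ["public_profile", "email"])` logs the Facebook user in as `alice_at_venmo` without the app ever seeing a password; `readable_fields` then returns only `id`, `name` and `email`, because the user declined `user_friends` on the consent screen. Redeeming the same code twice, or presenting the wrong client secret, is refused. The two checks worth copying into a real relying party are the exact-match redirect URI comparison and the single-use code, both of which the authorization server enforces, and the observation in `login` that the app’s security now rests entirely on the identity provider’s.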
Now the policy concern. Venmo illustrates one of the barriers to comprehensive federal cybersecurity legislation: the allocation of risk. This struggle has occurred across sectors, but is very evident between retail and banking/financial. And, I believe, with good reason.
An app like Venmo needlessly puts users’ financial information at risk, and banks will ultimately be the ones left holding the proverbial bag should Venmo get hacked and that financial information be used to infiltrate the banks’ networks. If a bank is compromised through information obtained in a Venmo hack (think Target and Fazio, as I previously wrote about: https://informationsecurity.attorney/2016/03/20/information-security-and-privacy-round-up-memphis-neurology-fazio-mechanical/#more-133 ), then the bank, through no real fault of its own, will be subject to regulatory action and perhaps even civil liability.
Quite legitimately, we are talking about the potential exposure of: (1) Venmo users; (2) their banks; (3) their credit card companies; and (4) all of the OTHER customers of the banks and credit card companies. We are also talking about legal consequences for the banks and credit card companies for the disclosure. From a legal and policy perspective, it is problematic that the fate of a regulated entity may be so significantly intertwined with and affected by the security of an unregulated entity.
It’s no wonder that the banking and financial industry is supporting federal data security and breach notification standards. Its members are subject to heightened standards and are exposed when an unregulated entity fails to take security seriously. In fact, according to an industry spokesperson: “Financial institutions have had this obligation for 15 years, and it’s long overdue for Congress to pass legislation ensuring that everyone has a similar mandate to keep customer data safe.”[iv] Translation: banks are mad as hell.
The moral of the story is that, until everyone is regulated, consumers have to be careful. While the FTC does have jurisdiction over interstate commerce, its authority is limited to investigating unfair and deceptive trade practices. A strong information security regulatory framework with a private right of action would go a long way toward ensuring that all entities collecting personal information have sufficient security.
Call me old and out of touch. Call me a curmudgeon. Mock my puritanical sensibilities. I don’t care. There is no chance that I will ever divvy up the bar bill using Venmo.