BuzzFeed News found President Joe Biden’s Venmo account after less than 10 minutes of looking for it, revealing a network of his private social connections, a national security issue for the United States, and a major privacy concern for everyone who uses the popular peer-to-peer payments app.
On Friday, following a passing mention in the New York Times that the president had sent his grandchildren money on Venmo, BuzzFeed News searched for the president’s account using only a combination of the app’s built-in search tool and public friends feature. In the process, BuzzFeed News found nearly a dozen Biden family members and mapped out a social web that encompasses not only the first family, but a wide network of people around them, including the president’s children, grandchildren, senior White House officials, and all of their contacts on Venmo.
The president’s transactions are not public, and BuzzFeed News is not identifying the usernames for the accounts mentioned in this story due to national security concerns.
After BuzzFeed News reached out to the White House for this story, all the friends on the president’s Venmo account were removed. A White House spokesperson did not have an immediate comment.
After this story was published, a Venmo spokesperson told BuzzFeed News: “The safety and privacy of all Venmo users and their information is always a top priority, and we take this responsibility very seriously. Customers always have the ability to make their transactions private and determine their own privacy settings in the app. We’re consistently evolving and strengthening the privacy measures for all Venmo users to continue to provide a safe, secure place to send and spend money.”
By late Friday night, the Venmo accounts tied to the president and first lady Jill Biden were no longer online.
Privacy advocates and journalists have warned about Venmo’s privacy problems for years, yet the PayPal-owned app has persisted with features that can place people — including the president of the United States — at risk.
While many critics have focused on how the app makes all transactions public by default, Venmo’s friend lists are arguably a larger privacy issue. Even if a Venmo account is set to make payments private, its friend list remains exposed. There is no setting to make this information private, which means it can provide a window into someone’s personal life that could be exploited by anyone — including trolls, stalkers, police, and spies.
No other major social network or service has contact-based friend lists that are publicly accessible by default to anyone — and that cannot be made private. People use Venmo to get paid, often using their real names. They often also import their phone contact lists or Facebook friend lists — which the app highly encourages when you sign up — creating networks where people automatically “friend” dozens if not hundreds of other Venmo users to allow them to find people they want to pay more easily.
Venmo makes it impossible for users to hide their list of friends. To remove someone as a friend, a user has to unfriend the person manually.
Several former Venmo employees told BuzzFeed News that Venmo’s public transaction feed and friend lists were integral to the app’s early design. Launched in 2009 as a simple and free way to transfer money between friends, it relied heavily on the social dynamics pioneered on Facebook. People were unafraid to publicly share that they had paid their friends for pizza after a night out or were splitting a gas bill among their roommates.
The idea, according to one former engineer, is that building off someone’s social network was a much easier way for someone to trust who they were paying or receiving money from. Since then, the app has become one of PayPal’s main drivers of growth, clearing $51 billion in payments during the first three months of 2021.
At first glance, disclosing connections among people may seem trivial: Who cares if you know whom someone is connected to? But these public connections can be used to expose very private information. Using the public friend list, for example, a motivated fan was able to figure out who won a season of The Bachelor.
Some examples are much more serious. US government agencies like the Drug Enforcement Administration have used this feature in criminal cases, such as in the overdose death of rapper Mac Miller.
Using public friend lists and transaction feeds, BuzzFeed News found two members of Congress who were roommates in Washington, DC, as well as reporters who were on friend lists with Trump administration officials, potentially exposing their sources. BuzzFeed News has also spoken with survivors of domestic violence and abuse who suspected that former partners used Venmo to track them and therapists who use Venmo to receive payment from clients and were unaware their friend lists showed who they were working with.
Last year, Nick Cadena, then a student at Louisiana State University, told BuzzFeed News he had been the victim of an impersonation scam on Venmo. A scammer took his photo and profile details and created a similar account, and then used it to request money from Cadena’s friends. Some people completed the transactions, believing that they were paying the real Cadena.
“Venmo’s privacy failures are already a big problem for everyday folks who use Venmo, and that’s been the case for years,” Gennie Gebhart, the acting activism director at the Electronic Frontier Foundation, a digital rights organization, told BuzzFeed News. “All of those problems are magnified when we’re talking about a major public figure.”
Ever since 1998, when Bill Clinton sent an email to then-senator John Glenn, presidents have struggled to use new technology while safeguarding national security and complying with public records laws. After months of wrangling, Barack Obama was allowed to use a personal BlackBerry while in office, Donald Trump’s Twitter account was reportedly hacked by correctly guessing his password — maga2020! — and candidate Hillary Clinton faced her own controversy after she set up a private email server at her home while she was secretary of state.
Venmo poses a new challenge, though this is not the first time a government official’s Venmo account has been easily discovered through publicly available information. In early 2017, people found White House press secretary Sean Spicer’s Venmo account and spammed it. The account of Trump’s daughter Tiffany was also found. This year, transactions between Rep. Matt Gaetz and alleged sex trafficker Joel Greenberg appeared to pay three young women for “tuition” and “school.” (In an op-ed, Gaetz claimed he had “never, ever paid for sex.” Greenberg pleaded guilty to federal charges.)
Accounts belonging to celebrities have also been found, and in 2017, privacy researcher Hang Do Thi Duc created the Public by Default project, which scraped public Venmo transactions for terms and emojis commonly associated with drugs. The project revealed how much people don’t pay attention to their privacy settings, even when doing personal transactions.
Venmo’s parent company PayPal settled an FTC suit in 2018 over how it allegedly failed to properly explain its privacy settings. “We are pleased to conclude this process with the FTC in a cooperative way,” a PayPal spokesperson said at the time, and while Venmo streamlined its settings, crucially, transactions were still left public by default for new users.
President Biden’s transactions were not public, and he had fewer than 10 friends on Venmo. But he was easily verifiable by the people he was connected to, including an account that appeared to be for his wife, first lady Jill Biden. Jill Biden’s account, in turn, was linked to various aides, senior Biden staffers, and family members, including an account that appeared to be for the president’s son Hunter Biden.
“For one of the most heavily guarded individuals in the world, a publicly available Venmo account and friend list is a massive security hole. Even a small friend list is still enough to paint a pretty reliable picture of someone’s habits, routines, and social circles,” Gebhart said.
On Friday, the Times wrote that a Biden adviser said the president “had sent the grandchildren money using Venmo.” Some of those grandchildren are locatable on Venmo, posing an avenue for possible harassment. On the accounts for at least two extended family members, BuzzFeed News saw that the same stranger had spammed them with requests, asking them to get President Biden to give him money.
“If somebody wanted to map out the activities of the first family, they could just look at their activities on the social network and figure out what the family is up to by looking at what their associates are doing,” Vahid Behzadan, the director of the Secure and Assured Intellect Learning Lab at the University of New Haven, told BuzzFeed News. “I assume that the extended associates, like friends, grandchildren, don’t enjoy the same level of security as the first family, and so it may be easier to monitor them passively through their network.”
By finding these accounts, a person could physically stalk the president, his aides, or members of his family, creating a physical risk for the White House. There are also espionage risks. A spy or political opponent could also use this information to find out personal information about those close to the president, or to pose as a member of Biden’s inner circle and communicate with the president or others under false pretenses. There are other possible consequences. A connection between a White House official and a journalist, for example, could potentially expose a whistleblower.
“This is a great example of why apps with social features should not default to allowing strangers to see each others’ data,” said Stanford University professor and former Facebook chief security officer Alex Stamos. “As we’ve seen with other products such as exercise apps, national security–sensitive information can be easily gathered by intelligence services as well as from more prosaic adversaries, such as abusive spouses and stalkers.” ●
Source link Politics