Private by Default

Your financial data is exposed. Transactions, notes, pay tos and pay froms. At least, if you use Venmo, all of that data is likely exposed. And this isn’t from a data breach. This data is exposed because Venmo, like many other tech companies, embraces the idea of “public by default.”

In Venmo’s case, all user data is public by default. This data includes transaction information and enough personally identifiable information to allow ANYONE to discern your identity. This isn’t just a violation of privacy, it’s unsafe.

Not convinced that Venmo is making too much data available, here’s a snapshot of just some of the data highlighted by Hang Do Thi Duc on her site Public by Default.

That is a distribution of last name frequency from Venmo’s public API. Sure, that by itself doesn’t mean much. But it does show that Venmo is releasing extremely sensitive data by making all transaction data public unless users actively change their privacy settings.

But what happens when you try to change your privacy settings in the app?

Venmo questions your choice. Venmo encourages you to consider making individual transactions private. Venmo pushes you away from protecting your data. And they’re not alone. The website Dark Patterns highlights many of the tricky user interface design decision companies use to force you into making a “choice” that suits their needs. So, later, when questioned about why the company is releasing so much private data to the public, they can say things like:

The API is only populating the feed with information our customers choose to make public.

Above is a snippet of the response Venmo provide The Next Web when they reached out for comment. The full text is worth reading and illustrates how tech companies position themselves to defend privacy issues by blaming the users.

All of this highlights the need for a paradigm shift in how software companies operate. Sure, everyone is looking for the big network effect to help their app catch on and grow through the roof. But it’s time to stop leverage user data to make that happen. It’s time all applications are private by default.

Graphite, a secure and decentralized productivity suite, is private by default. It’s encrypted by default. Users own their data and Graphite neither shares nor has access to that data. If you’re interested in experiencing private by default in action, give Graphite a shot.