I know what you did on Venmo: Discovering privacy leaks in mobile social payments

Authors: Rajat Tandon (University of Southern California Information Sciences Institute), Pithayuth Charnsethikul (University of Southern California Information Sciences Institute), Ishank Arora (University of Texas, Austin), Dhiraj Murthy (University of Texas, Austin), Jelena Mirkovic (University of Southern California Information Sciences Institute)

Volume: 2022
Issue: 3
Pages: 200–221
DOI: https://doi.org/10.56553/popets-2022-0069



Abstract: Venmo is a US-based mobile social payments platform. Each Venmo transaction requires a “payment note”, a brief memo. By default, these memos are visible to all other Venmo users. Using three data sets of Venmo transactions, which span 8 years and a total of 389 M transactions with over 22.5 M unique users, we quantify the extent of private data leaks from public transaction notes. To quantify the leaks, we develop a classification framework, SENMO, which uses BERT and regular expressions to classify public transaction notes as sensitive or non-sensitive. We find that 41 M notes (10.5%) leak some sensitive information, such as health condition, political orientation and drug/alcohol consumption, involving 8.5 M (37.8%) users. We further find that users seek privacy by making their notes private, inconspicuous or cryptic. However, the large increase in Venmo’s user base means that the number of users whose privacy is publicly exposed has grown substantially. Finally, the privacy of a user who transacts with a group on Venmo can be reduced or eliminated through the actions of other users. We find that this happens to around half of Alcoholics Anonymous, gambling and biker gang group members. Our findings strongly suggest that public-by-default payment information puts many users at risk of unintended privacy leaks.
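The following is an added illustration, not the authors' SENMO code and not a reproduction of their BERT classifier: it keeps only the regular-expression half of the approach the abstract describes, and shows how per-note and per-user leak rates of the kind the abstract reports are derived from public notes. It also separates users who wrote a sensitive note themselves from users exposed only because a counterparty's note was sensitive, which is the group-exposure effect the abstract describes. The category keyword lists, the sample transactions, and the assumption that the payer authored each note are all constructed for this example.

```python
"""Added example (not from the paper): regex-only sensitive-note screen over
constructed public payment notes, with the per-note and per-user leak rates
and the 'exposed by someone else's note' count."""
import re
from collections import Counter

# Constructed, deliberately small keyword lists. Categories follow the
# abstract (health, political orientation, drug/alcohol consumption); the
# paper's framework also runs a BERT classifier, which this example omits,
# so cryptic or emoji-only notes will not be caught here.
CATEGORY_PATTERNS = {
    "health": re.compile(
        r"\b(therapy|therapist|copay|prescription|rehab|clinic)\b", re.I),
    "political": re.compile(
        r"\b(campaign|vote|democrat|republican|rally)\b", re.I),
    "drugs_alcohol": re.compile(
        r"\b(beer|wine|vodka|weed|shots|bar tab)\b", re.I),
}


def classify_note(note):
    """Return the set of sensitive categories the note matches (empty if none)."""
    return {cat for cat, pat in CATEGORY_PATTERNS.items() if pat.search(note)}


def leak_stats(transactions):
    """transactions: iterable of (payer, payee, note) for *public* notes.

    Assumption for this example: the payer authored the note. A payee whose
    only link to a sensitive note is another user's memo is 'exposed by
    others', the group-privacy effect the abstract describes.
    """
    users, authors, counterparties = set(), set(), set()
    sensitive_notes = total_notes = 0
    per_category = Counter()
    for payer, payee, note in transactions:
        total_notes += 1
        users.update((payer, payee))
        cats = classify_note(note)
        if not cats:
            continue
        sensitive_notes += 1
        per_category.update(cats)
        authors.add(payer)
        counterparties.add(payee)
    exposed = authors | counterparties
    return {
        "total_notes": total_notes,
        "sensitive_notes": sensitive_notes,
        "note_leak_rate": sensitive_notes / total_notes if total_notes else 0.0,
        "total_users": len(users),
        "self_exposed": len(authors),
        "exposed_by_others": len(counterparties - authors),
        "exposed_users": len(exposed),
        "user_leak_rate": len(exposed) / len(users) if users else 0.0,
        "per_category": dict(per_category),
    }


# Constructed sample: six public notes among six users. The emoji-only note
# is deliberately cryptic and slips past the regex screen.
SAMPLE_TRANSACTIONS = [
    ("alice", "bob", "therapy copay"),
    ("bob", "carol", "pizza night"),
    ("carol", "dave", "campaign donation"),
    ("dave", "erin", "🍻"),
    ("erin", "alice", "beer run"),
    ("frank", "carol", "rent"),
]

if __name__ == "__main__":
    for key, value in leak_stats(SAMPLE_TRANSACTIONS).items():
        print(f"{key}: {value}")
```

On the constructed sample, three of six notes are flagged, three users wrote a flagged note, and two further users (bob and dave) are exposed only because a counterparty's note was sensitive, so five of six users end up exposed. The miss on the emoji-only note is the practical reason a keyword screen alone under-counts leaks, which is why the paper pairs regular expressions with a learned classifier.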

Keywords: Venmo, privacy, sensitive information

Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.