Last week, PayPal's (NASDAQ: PYPL) Venmo announced that it would be removing the global social feed that makes transactions visible to strangers on the app. Instead, Venmo users will be restricted to connecting with their chosen friends via a "friends feed".
"As part of our ongoing efforts to continually evolve the Venmo platform, while staying true to the heart of the Venmo experience, we are removing the global feed," the company said in its press release. "The Venmo community has grown to more than 70 million customers, so this change allows customers to connect and share meaningful moments and experiences with the people who matter most."
This privacy update comes a few months after BuzzFeed News published a report showing that the private friends network of President Joe Biden could be found "after less than 10 minutes of looking for it". While transactions could be set to private, users at the time had no control over who could see their friends lists. Within a few weeks of the report, Venmo updated its privacy controls to allow users to hide their networks.
However, some argue that the global feed represented an even greater privacy threat. Strangers could view the user names, emojis, and likes attached to transactions, allowing them to build a picture of a person's network, potentially including their hobbies, habits, and other incidental information.
Digital rights activists like Gennie Gebhart called the feed "not a disaster waiting to happen, [but] a disaster that's already happened so many times to so many people."
"You think of a lot of really sensitive use cases," Gebhart told WIRED. "You think about therapists, you think about sex workers. You think about the president of the United States. It doesn't take a big imagination to imagine places where these defaults could go horribly wrong and cause real harm to real people."
Despite criticism regarding privacy concerns, Venmo maintained the feed as a part of the company's commitment to its "public-by-default" position.
"From the beginning we have been calling on Venmo to be private by default, because so many Venmo users don't actually know that their transactions are public to the world," Kaili Lambe, a campaigner focused on internet openness and accessibility, told WIRED. "Even people who've been using Venmo for years might not know that their settings are public."
While the removal of the global feed appears to be a step in the right direction, privacy experts like programmer Dan Salmon say that the app is still alarmingly vulnerable. Salmon previously created a script that allowed him to scrape millions of Venmo payments. Venmo has now put restrictions in place to block this access.
"Venmo basically had a firehose I could connect to of transaction data," Salmon told WIRED. "Now that that is cut off, the transactions are still out there; it will just take a few more steps to go get them."
According to Salmon, it would take him roughly an hour to create a new script to once again gain access to the transaction data.
The recent removal of the global social feed came with an overhaul of the app's design, including additional navigation options on the bottom of the screen and expanded user privacy controls.
The July update also included a feature allowing users to categorize a payment as being for "goods or services", making it eligible for Venmo's Purchase Protection Program, announced in June. Under this program, "the buyer and seller may be covered if the transaction doesn't go as expected."
"With this new functionality, customers will be able to buy and sell in new and exciting ways - from selling concert tickets to a friend of a friend or purchasing a couch from a local ad listing," wrote the company.
The new program will charge users a small fee to receive payments, roughly 2%, but in exchange, refunds may be covered by Venmo. This is similar to protections offered to buyers and sellers by Venmo's parent company, PayPal.