Public By Design
How a Moody College professor used big data to uncover Venmo privacy leaks.
In 2018, Journalism and Media Professor Dhiraj Murthy and School of Information Assistant Professor Amelia Acker became fascinated with a new mobile payment app called Venmo that functioned a lot like social media. People followed their friends, posted messages, made jokes about drugs and shared eggplant emojis.
At the time, the research community didn’t really see Venmo as a way to glean insight about social behavior, the way they did Facebook and Twitter. Murthy was among the first to make the case that Venmo is a social media platform.
“You could see people dating on Venmo, you could see people breaking up and having a tough time with friends,” Murthy said. “People are actually having meaningful communication.”
Murthy didn’t know at the time that his research into Venmo would consume the next five years of his life and that he would uncover data breaches and privacy leaks, things that have surprising, real-world implications for its users. He thought he’d just be learning more about how people use emojis.
“In the beginning it didn’t seem dangerous in a sense,” he said. “The biggest thing I’ve learned through this research is how much sensitive information is shared.”
Murthy, who is the founder and director of the Computational Media Lab at UT, is one of many Moody College researchers involved in computational communication research, which means they use big data to understand more about how people interact and communicate. It allows them to study social questions at scale, using a breadth of information that wouldn’t be available by looking at a handful of study participants.
In Murthy’s latest research, he and a team of computer science and electrical and computer engineering students, in partnership with researchers at the University of Southern California, analyzed nearly 400 million public messages on Venmo. They relied on supercomputers at the Texas Advanced Computing Center at UT Austin to request data, sort messages and find trends. It’s a task that’s nearly impossible without machine learning and supercomputing power.
And their latest findings will make people think twice when they make comedic references to sex and drugs in their Venmo transactions (something very common on the app).
Murthy and his team were able to find out a ton of sensitive information: if Venmo users were in motorcycle gangs, if they used drugs and alcohol, their sexuality and often their passwords, email addresses and other personal information. The way people tag their transactions can be very revealing.
Using common phrases in Alcoholics Anonymous, Murthy and his team were able to identify members, when they joined or left AA and even track their meeting times and locations.
Murthy finds this troublesome for several reasons. Not only could it lead to stalking, but people can also find out sensitive information users might not want others to know, like substance use problems or their sexuality. Murthy said these information leaks can also potentially affect people’s ability to get hired. “Cyber vetting” is a common practice for many employers today, meaning they mine the internet for information about job candidates, including searching their social media accounts. More and more, this task is being performed by artificial intelligence systems.
“You might think it’s funny to post something about buying weed, but there might be systems out there that are unsophisticated in how they are reading you,” Murthy said.
“If you post something on the internet, know it will be there forever and be happy with what you put up there. It can be used in a lot of different ways.”
Perhaps most troublesome, though, is the potential for identity theft. Often, hackers use personal identifying information from multiple sources, including social media, to uncover details about people that can help them crack passwords and steal account information. Venmo could prove useful to hackers, since they can easily figure out things like someone’s birthday through “Happy Birthday” posts (something that is usually a security question for most accounts) or even their home addresses based on activities they post about.
There are ways to hide your information on Venmo, Murthy said. Like most social media platforms, you can set your posts as private. But the payment app is “public by design,” meaning when you install it, your feed is automatically set as public so that everyone can see your transactions. You have to go into settings to change that, something many people neglect to do. Murthy and others have been pushing for Venmo to change this feature for quite some time to protect its users, with no success. While that is an ultimate goal, Murthy said, first and foremost, he hopes his research will motivate people to think twice about what they post and make sure that not everyone in their feed can see it.
“If the one takeaway people have is to go check their Venmo privacy settings, I think I’ve accomplished my job in terms of my research,” he said.