Is the Data We Share with Pay Apps Private at all

The pandemic has more people using apps like Venmo and PayPal. But not all pay apps treat data privacy equally By Sara Harrison Virtual peer-to-peer payments are the currency of the pandemic: the coin of the COVID-19 realm. In a world where no one wants to come close enough to exchange money (and possibly germs, too), use of payment apps like PayPal, Venmo, Cash App, and Zelle has exploded. Between April and June, PayPal processed more than year-over-year increase. Similarly, in the second quarter of 2020, Venmo, which is owned by PayPal, processed $37 billion in transactions, . And in July, Early Warning Services, the parent company of the mobile payment platform Zelle, reported that the number of users who had sent a payment through the service in the last 90 days was . $220 billion in transactions, a nearly 30 percent a 52 percent increase over the year before up 43 percent over the previous year But while payment apps can help protect users from the dangers of person-to-person COVID-19 transmission, these virtual systems introduce problems of their own. Using a payment app of any kind, no matter how privacy-preserving it is, always introduces a middleman: an agent that uses data to execute a demand. Apps can’t send money if they don’t have some kind of access to the account from which users send and receive money. And not all apps treat that data the same way. What Data Do Apps Collect and Why? All pay apps say they need access to certain personal information, including names, Social Security, and bank account numbers. They also collect information about activity in the app, such as transaction histories that show when and where, and to or from whom, users made or received payments. PayPal’s privacy policy, for example, explains that the company like birthdays, browsing histories, and IP addresses so it can identify fraud. If, say, a young student living in Brooklyn were to suddenly start paying for lavish dinners in Kazakhstan, that might tip off the service that the account was hacked. collects things It’s very likely customers don’t realize companies are monetizing their transaction information. - Alan Butler, Electronic Privacy Information Center Apps may also connect to biometric information like face ID or touch ID, saying they need to as a security measure. And some, like Venmo and Cash App, also say they collect lists of contacts so it’s easier for users to find their friends and send payments to the right person. But while apps may need this information to run their services effectively, they may also profit from the data users divulge. “It’s very likely customers don’t realize companies are monetizing their transaction information,” said Alan Butler, interim executive director at the Electronic Privacy Information Center (EPIC). Butler said that it’s commonplace in the financial services industry for individuals to use financial services for free, so consumers often don’t think about how those systems make money. Some, but not all, payment apps do so by sharing data. What Data Do Pay Apps Share, and Who’s Doing It? that, in addition to sharing data with financial institutions and credit and fraud detection agencies, the company shares data that may include email, device ID, and IP address with many third parties, including Google, Facebook, Twitter, and AdRoll for advertising purposes. Similarly, Venmo says it for advertising purposes. PayPal discloses shares geolocation data Cash App specifies that it shares information with third parties including Google but that the so individual user identities are protected. data is aggregated and anonymized Notably, with third parties, and users’ contact information, bank account, and Social Security numbers, and their transaction and credit histories. Neither app collects geolocation data or browsing histories of its users, and neither shares information with advertisers. While information about browsing history, the app itself does not sell information about user behavior to third party advertisers. Google Pay does not sell or share data AppleCash collects only Zelle’s website collects and sells $220B: Amount in transactions processed by PayPal between April and June this year. When it comes to sharing information with law enforcement, Venmo, PayPal, Cash App, and Zelle all specify in their privacy policies that they cooperate with law enforcement if subpoenaed, but those policies do not say whether the company would inform users if that happened. Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF), said companies should tell users if and when their information is subpoenaed, which could then give app users a chance to challenge the request in court. At the moment, she said, “if they just hand that information over, you will not know until it’s way too late.” There are other privacy issues to consider as well: PayPal has . In the past, the company also for legal goods like erotic books containing descriptions of incest, rape, or bestiality, and threatened to shut down booksellers’ accounts if they refused to remove listings for such books. (PayPal significantly narrowed this policy in 2020.) reportedly locked sex workers out of their accounts threatened to close accounts or stop processing payments Venmo Is Unique Venmo’s social media–esque timeline automatically reveals user transactions to anyone on the app, which leaves its users (at least those who don’t opt to make payments private) uniquely exposed. In 2017, a Mozilla Fellow named Hang Do Thi Duc created , a website that tells the stories of five unsuspecting Venmo users. Duc traced their drug deals, snack choices, lovers’ quarrels, and loan payments using only their public Venmo timelines. , and bad actors could use Venmo data to deanonymize the same Venmo users in other situations, potentially revealing highly personal information. Public by Default Combine such information with other data sets In 2019, another researcher, Dan Salmon, used an API to and collected information about seven million users. scrape Venmo’s public database Salmon says that Venmo has since slowed the scrape rate on their website, so programs can’t gather data as fast as he did. But he says the basic underlying problem remains. The app overall seems very secure. My only issue [with Venmo] is that I believe that people for the most part don’t realize that their transaction data is public by default. - Dan Salmon, data privacy researcher “The app overall seems very secure,” he wrote in an email to The Markup. “My only issue is that I believe that people for the most part don’t realize that their transaction data is public by default.” He adds that for any app, advertising revenue can run counter to privacy concerns. “The safety and privacy of PayPal and Venmo customers and their information is always a top priority,” Zoe Bendes, a spokesperson for Venmo’s parent company, Paypal, wrote to The Markup. “Our customers trust us with their money and their personal information, and we take this responsibility very seriously, as well as our legal obligations in accordance with all applicable privacy laws.” In 2018 to take action over Venmo’s public by default setting. But despite that complaint, and an open letter and petition from Mozilla and EFF , Venmo still hasn’t changed its privacy policy. The app has made it easier for users and to retroactively make all their past transactions private as well, but the onus is still on users to do so, and there is no way for users to make their contacts list private. EPIC urged the Federal Trade Commission signed by more than 25,000 people to change their privacy settings In an email to The Markup, Gennie Gebhart, activism director at EFF, said the company has not formally responded to EFF’s concerns or criticisms. “Among the various companies we direct campaigns and criticism at, Venmo stands out to me as being one of the least responsive,” she wrote. What Can Users Do to Keep Their Info Private? That depends on the app. Some information, such as bank account numbers, name, and transaction history, is necessary if users want to use the service. But these apps can work without certain features, if users want to share less data. Cash App allows users to opt in to share their contacts, and uploading a photo is optional. Most apps also allow users to change their settings to disable or decline cookies from tracking browser histories and to turn off geolocation sharing. Because these options require users to take initiative and opt out from these services, the likelihood of that happening rests on how easy it is to actually understand companies’ privacy policies. The payment that you make to your yoga instructor may have different concerns than the payment that you make for your mortgage…. - Eva Galperin, Electronic Frontier Foundation “Consumers have a right to understand,” says Kaili Lambe, a senior U.S. campaigner at the Mozilla Foundation. She says privacy policies should be as concise as possible and shouldn’t be full of legalese that could confuse users. But that’s not always the case. Take the example of Zelle, which tracks and shares user behavior differently depending on whether you’re using its website or its app—meaning users have to read carefully to understand which data is being collected, where, and why. Shelley Aul, senior manager in the privacy office at Early Warning, Zelle’s parent company, said the company is currently rewriting the privacy policy to eliminate the confusion. Mostly, experts suggest that people consider privacy each time they make a purchase and choose their payment method accordingly. “The payment that you make to your yoga instructor may have different concerns than the payment that you make for your mortgage or your deductible on your insurance when you’re getting cancer treatment,” said the EFF’s Galperin. Cash and checks are still an option for transactions you truly want to keep private, she said. “Really just think about the transaction and who do you want to know about this.” . Originally published as " How Private Is My Pay App? " with the Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) license