Gordon Yu


Venmo, Strava, and Why They Haven’t Been Fined €20,000,000

A feature for Advancing Women in Product.

Gordon’s new book, An American’s Guide to European Data Protection Law and the General Data Protection Regulation (GDPR) is available at Amazon and other fine retailers.

GDPR Article 25 mandates data protection “by design” and “by default.”

“By design” means that product managers should discuss the privacy and security of user data at every stage of the product development lifecycle. Technologies (such as pseudonymization) and principles (such as processing the least amount of data possible) should be considered, and such consideration documented.

“By default” means that the default settings only process the minimum amount of data to accomplish your product’s “specific purpose.”

(If you’re unfamiliar, “processing” is a broad concept that means everything you could possibly do with data: collecting, publishing, analyzing, storing, deleting, and so on.)

GDPR Article 83(4) imposes fines up to €10,000,000 on products that do not practice data protection by design and by default.

Since the GDPR became effective, Facebook and Google have been sued for €7 billion.

So, why haven’t Venmo and Strava been at least fined €10,000,000 each?

Venmo describes itself on Google as “a free digital wallet.” A Paypal subsidiary, it allows people to request and send payments through their phones. In Q1 2018, it transferred $12 billion in payments. People have told me they’ll “venmo me,” forcing me to join the platform. Nobody has ever said they would “square me” or “zelle me.” On the other hand, Venmo “doesn’t directly generate all that much revenue.”

Venmo’s distinguishing characteristic is that it shoves the financial activity of people you might possibly know in your face in real time. To achieve this feat, it:

  1. Defaults the privacy setting to “Public” on install. This violates data protection by default.
Note the tiny “Public” text and even tinier world clipart

2. Publishes incorrect instructions on how to make activity private (allegedly). If true, this violates data protection by design (because well-designed data protection means you understand how your product works.)

3. Hides the settings to make activity private behind a byzantine process (allegedly). Federal Trade Commission lawyers took 5 pages to document this process. If true, this violates both data protection by design and default.

(“Accomplishments” 2 and 3 may have been patched following Paypal’s recent settlement with the FTC.)

These “accomplishments” have had the following results:

  1. Venmo users may be data-mined to discover their habits, such as how often they gamble, how much money they gamble away, and with whom:

2. Venmo users experience “Venmo anxiety”:

“Seeing these transactions — even among people I have no desire to be hanging out with — creates a sense of emptiness and unease. It’s like, ‘S–t, everybody is doing something on Thursday night, and I’m sitting and reading my book. Am I a loser?’”

3. Venmo was fined under the GDPR. Wait, it hasn’t been. Why not?

Venmo hasn’t been fined because the GDPR only applies to data controllers and processors operating in the European Economic Area (EEA) or targeting people therein.

This is a common mistake American companies made right before the GDPR became effective. They would publish statements such as “this policy was updated to comply with the GDPR” or “our Data Protection Officer is Abradolf Lincler.”

Are you subjecting yourself to GDPR jurisdiction for no reason? Are you aware of the duties you owe to a Data Protection Officer?

If you are interested in a review of these or related matters, feel free to contact me.

Strava describes itself on Google as “Run and Cycling Tracking on the Social Network for Athletes.” It also publishes a Heatmap of aggregated, anonymous user activity:

In the third world, Strava’s Heatmap revealed secret locations, such as CIA safehouses and missile batteries:

Strava responded by — get this — refusing to take down its Heatmap and, according to one commentator, blaming its own users for not understanding its “7-step privacy protocol.” Indeed, Strava’s default privacy setting is still:

The basic level is to choose to not use any privacy controls and make your info available publicly, like it would be on Twitter, for example.

To my knowledge, no one’s been killed because they used Strava. One guy was arrested because he used Strava. But he had it coming.

Nonetheless, Strava created problems similar to Venmo and, by leaking worldwide information, lacks Venmo’s defense. So why hasn’t it been fined? Three potential reasons:

  1. Strava’s Heatmap arguably implements data protection by design! Recall that psuedonymization is an approved way to achieve data protection by design. Arguably, Strava’s Heatmap is better than psuedonymous: it’s anonymous! While the Heatmap reveals state secrets, it (arguably) does not reveal individual user secrets.
  2. Strava arguably implements data protection by default! Unlike Venmo, which bills itself as a “digital wallet” — and wallets don’t vomit your activity all over your social network — Strava actually calls itself a “social network.” So, to a certain extent, individual users (arguably) know they’re going to vomit their activity all over Strava’s network.
  3. The fines are coming. Indeed, Strava has been searching for a “part-time” Data Protection Officer.

As a product manager, these are the types of questions you should ask, research, and document as you fulfill your obligation of data protection by design and by default. It does not mean blindly adhering to the GDPR, or ignoring it, either. It means making intelligent choices to maximize both.

Oh, and if you are located in the European Union and interested in filing a complaint against Strava, feel free to get in touch with me. It’ll be fun.

Gordon’s new book, An American’s Guide to European Data Protection Law and the General Data Protection Regulation (GDPR) is available at Amazon and wherever good books are sold.

Topics of interest

More Related Stories