Security Experts:

PayPal Settles With Texas Over Venmo App Security Claims

Texas Attorney General Ken Paxton announced that Texas has entered into an Assurance of Voluntary Compliance agreement with PayPal over alleged privacy and security violations by Venmo, a company acquired by PayPal in 2013. Under this agreement, PayPal will pay $130,000 to the State of Texas, and a further $45,000 to the state Attorney General to cover attorneys' fees.

Venmo is a smartphone app that enables easy and instant transfer of funds from one user to another between their bank accounts. A typical application would be friends sharing the cost of a meal - one could pay the bill, while the other would transfer half of the cost without either of them leaving the table.

The compliance agreement (PDF) includes no admission of wrongdoing from PayPal, which continues to deny any infringement of the Texas Deceptive Trade Practices - Consumer Protection Act. Nevertheless PayPal has also agreed to make 'behavioral' changes in the way in which Venmo interacts with its users.

The two main concerns of the state center on allegedly confusing and deficient privacy and security disclosures; and clarification over when and how access to the user's contact list will be used. For the former, "PayPal shall not represent that it provides 'bank-grade security' unless such statement is true and correct." For the latter, PayPal will no longer make covert or unclear use of users' phone contact lists, and that it will 'clearly and conspicuously' tell its users what information it will make public unless they take steps to prevent it.

It requires, of course, that for efficient operation both parties use Venmo. To increase that likelihood, Venmo has been scraping the subscribers' contact list and emailing them with notification that their 'friend' is a now a Venmo user; that is, using an 'autofriend' feature. The compliance agreement does not forbid this practice, but demands that the user is better informed and more easily able to say no.

Another example is that Venmo publishes a news stream of financial transactions among friends and others - which could easily become embarrassing - unless the user specifically avoids inclusion within that feature. PayPal CEO Dan Schulman considers this aspect to be an important part of Venmo's success. He told Microsoft's Peggy Johnson at the recent Microsoft Envision that the app has taken a monetary transaction and "turned it into a social experience" loved by younger people today. "If a user bought dinner for someone, maybe others know they are starting to date, or whatever it may be."

The agreement between Texas and PayPal/Venmo is similar to one in March between the Consumer Financial Protection Bureau (CFPB) and Dwolla, another payment platform. Dwolla claimed that its security practices exceed or surpass industry standards (they did not); and that personal information (including the user's name, address, date of birth, telephone number, Social Security number, bank account and routing numbers) were encrypted (when not everything was). Dwolla had to similarly change its behavior, and was forced to pay $100,000 to the CFPB's Civil Penalty Fund.

PayPal may yet have further problems. It is now being investigated by the FTC. In its 10-Q filing for the period ending March 31, 2016, PayPal notes, "On March 28, 2016, we received a Civil Investigative Demand ('CID') from the Federal Trade Commission ('FTC') as part of its investigation to determine whether we, through our Venmo service, have been or are engaged in deceptive or unfair practices in violation of the Federal Trade Commission Act."

The FTC won't discuss ongoing investigations, but has confirmed its existence. PayPal, for its part, reported that the investigation "could lead to an enforcement action and/or one or more consent orders, which may result in substantial costs, including legal fees, fines, penalties, and remediation expenses and actions, and could require us to change aspects of the manner in which we operate Venmo." In other words, it could be a repeat of the Texas agreement, but perhaps on a larger scale.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.