Researchers and online activists are highlighting what they say is a serious flaw in Venmo, the popular mobile payments app. By default, the app makes much of users’ transaction data publicly viewable, allowing strangers to closely scrutinize individual behavior.
That fact is dramatically illustrated at Public By Default, a research project detailing the 2017 transaction records of five real people. Created by German artist, researcher, and recent Mozilla Media Fellow Hang Do Thi Duc, the site uses Venmo’s public data feed to show everything from extremely personal lover’s quarrels carried out in the public comments attached to payments, to detailed business records of a food cart operator and a cannabis retailer.
Venmo’s data feed also reveals user names by default—but Do Thi Duc chose to conceal these individuals’ identities. She told The Guardian that the goal of the project was to highlight Venmo’s privacy practices, not to expose individuals.
An even more dramatic illustration this week came in the form of a Twitter bot that searched Venmo data, then tweeted about transactions that seemed to be connected with drugs, alcohol, or sex—including the transactor’s first name and last initial. Like Public by Default, the bot was created by an activist, Joel Guerra, hoping to highlight Venmo’s shortcomings. He has since deactivated the bot.
Get Data Sheet, Fortune’s technology newsletter.
Venmo, a wildly popular way for the under-35 set to split restaurant bills, is actively designed to promote public sharing of financial transactions. A PayPal spokesperson told Gizmodo that “Venmo was designed for sharing experiences with your friends in today’s social world, and the newsfeed has always been a big part of this.”
Of course, that’s one thing when you’re talking about photos shared on Facebook, but the implications of making a payments app “social” are a bit more complex. Do Thi Duc, for instance, suggests that the public records of one user’s unhealthy habits could be of interest to an insurance company. The data could also invite scrutiny from users’ bosses or other professional contacts.
Paypal told Gizmodo it has worked to clarify privacy settings with Venmo users, including with more detailed tutorials and more aggressive pop-ups in the app. But it hasn’t addressed the core issue—that users must actively change a default setting to stop the public sharing of their data. The fact that at least some users are publicizing possibly illegal activities suggests not everyone understands just what’s at stake.
