1. 45
    1. 24

      Not nice! But seems like it might get fixed. PC, the co-founder, has shared some info on Hacker News:

      Stripe cofounder here. The question raised (“Is Stripe collecting this data for advertising?”) can be readily answered in the negative. This data has never been, would never be, and will never be sold/rented/etc. to advertisers.

      Stripe.js collects this data only for fraud prevention – it helps us detect bots who try to defraud businesses. CAPTCHAs use similar techniques but result in more UI friction. Stripe.js is part of the ML stack that helps us stop literally millions of fraudulent payments per day; techniques like this help us block fraud more effectively than almost anything else on the market. Businesses that use Stripe would lose a lot more money if it didn’t exist.

      If you don’t want to use Stripe.js, you definitely don’t have to (or you can include it only on a minimal checkout page) – it just depends how much PCI burden and fraud risk you’d like to take on.

      We will immediately clarify the ToS language that makes this ambiguous. We’ll also put up a clearer page about Stripe.js’s fraud prevention.


      1. 4

        Stripe.js collects this data only for fraud prevention

        Who in their right mind would believe this? Especially people working in the industry, who would ever believe this? As people were pointing out in the HN thread: no one ever said “oh we can’t sell this data, that would be unethical!”.

        It’s not even illegal or forbidden for them to do it in any way. Sell the data and no one will be the wiser. How could one possibly know?
        Even if it was a crime it would be the easiest crime to get away with.

        In a world where breaking laws and security is a merely a business risk the only possible logical conclusion is that the data will be used outside fo Stripe, anything else is equivalent to covering your ears and yelling “bla bla bla can’t hear you”!

        It’s the same story as recaptcha - clearly it’s a malware that nobody likes yet it’s here to stay because users don’t have a enough of a unified voice and education in the matter.

        And for the record: I think collecting user information is absolutely fine as long as it’s clarified and doesn’t break the web (“please enable javascript and run this obfuscated code that could be doing basically anything”).

        1. 20

          They even could be taking a copy of your credit card information! They could be tracking your purchase history!

          …this sort of pearl-clutching is tiresome. There are very real security and privacy issues out there, but alarmist things like this don’t help. The article itself even explicitly mentions the multiple places in the docs where Stripe talks about this behavior.

          1. -1

            I’m not sure why are you replying to me?

            I explicitly pointed out that collecting user info is fine. The problem is the claim that “data will never be for sale” which we all know is bullshit and this sort of lying to deflect PR is just painful to observe — people should never believe that.

            1. 4

              Then why is recaptcha problematic? Why is it malware? I don’t understand how that’s any different from collecting user info. If anything, it’s pretty explicit to me.

              1. 1

                I said data collection is fine as long as it doesn’t break the web and recaptcha absolutely breaks the web.

                1. 1

                  … and recaptcha absolutely breaks the web.

                  I understand the data collection concern, but not how that relates to recaptcha. Is there some vendetta against recaptcha I’m missing? Does this apply to all captchas?

                  1. 1

                    reCaptcha topic has been discussed to death.

                    In summary I think reCaptcha is way ahead of it’s time - it’s the most successful malware in computing history. It tracks you everywhere and you don’t even know it or care about it, not only that they make you work for free to train their AI - how fucking brilliant is that!

                    • runs arbitrary obfuscated javascript to collect your fingerprint (your machine info, your mouse movements etc.).
                    • determines score based on your actions and fingerprint.
                    • stores your fingerprint and potentially uses it in the rest of google for marketing etc.
                    • if for some reason fingerprinting fails (i.e. new firefox obfuscation features to prevent fingerprinting) you’ll have low “score” and have to do absurd amount of captchas, people are spending 5 minutes working for google for free.
                    • makes users work for free and since this proof of work has value it’s in the interest of Google to make you work as long as possible.
                    • requires javascript and breaks programmable web (e.g. curl, non-js browsing, scraping). It’s a free tool meaning there’s no self-regulation - brainless developers put it everywhere and small minorities of web users suffer since they don’t have big enough voice.
    2. 15

      This is how most fraud protection services work…I’m not sure what the issue is. When it comes to credit card fraud, you don’t want your site to be used as a means for testing stolen card numbers. Too many bad authorizations and you start having to pay a lot more per transaction. CAPTCHA on checkout (apparently) causes conversions to plummet, so what do you do? Piss off a few nerds for the sake of your company and making fraudsters have to turn to another site to do their dirty work? Sounds like a good trade-off to me.

      I definitely understand the privacy implications here, and that is an unfortunate side effect, but without advanced monitoring like this, I’m really not sure how you would defend against sophisticated credit card bots.

    3. 9

      We use Stripe. This is super explicit in the documentation, like on the page talking about inserting the tag they say “we recommend using it on all pages for anti fraud tracking”

      It’s not necessarily obvious to users this is going on, though. Tracking urls on the same domain doesn’t bug me too much but cross domain is … a bit overzealous imo

    4. 5

      Hah! I’m glad we made Stripe loading ondemand (not a moment before explicitly chooses Stripe as a payment option). It seemed obvious at the time for GDPR if nothing else, and has since been a massive PITA for customers with overly aggresive adblockers, but turns out we were right about this all along.

      1. 2

        Funny you should mention this. I think I probably failed my company’s evaluation of Stripe’s fraud prevention because of implementing it exactly like this (unintentionally, since the integration was many years ago). I understand the privacy tradeoff, but this tracking can help fight fraud by a lot.

    5. 4

      I think a lot of people are outraged about the privacy implications, but my personal outrage would be that every vendor doing this exact thing means that my browsing halts to a crawl on all of these integration-heavy websites.

      Why is noone thinking about the environment? How many processing cycles are wasted for all this tracking that hardly adds any value to user experience? What is all this tracking even for? I don’t think anyone can really explain it with a straight face. They’re just doing the tracking merely because it’s technologically possible, and might be useful for something in the remote future.

    6. 4

      It’s worth reading this reply by one of the cofounders of Stripe