Most active commenters
  • dahart(3)

←back to thread

Stripe records user movements on its customers' websites

(mtlynch.io)
1134 points mtlynch | 15 comments | 21 Apr 20 17:01 UTC | HN request time: 0.81s | source | bottom
Show context
pc ◴[21 Apr 20 17:42 UTC] No.22937303[source]
Stripe cofounder here. The question raised ("Is Stripe collecting this data for advertising?") can be readily answered in the negative. This data has never been, would never be, and will never be sold/rented/etc. to advertisers.

Stripe.js collects this data only for fraud prevention -- it helps us detect bots who try to defraud businesses that use Stripe. (CAPTCHAs use similar techniques but result in more UI friction.) Stripe.js is part of the ML stack that helps us stop literally millions of fraudulent payments per day and techniques like this help us block fraud more effectively than almost anything else on the market. Businesses that use Stripe would lose a lot more money if it didn't exist. We see this directly: some businesses don't use Stripe.js and they are often suddenly and unpleasantly surprised when attacked by sophisticated fraud rings.

If you don't want to use Stripe.js, you definitely don't have to (or you can include it only on a minimal checkout page) -- it just depends how much PCI burden and fraud risk you'd like to take on.

We will immediately clarify the ToS language that makes this ambiguous. We'll also put up a clearer page about Stripe.js's fraud prevention.

(Updated to add: further down in this thread, fillskills writes[1]: "As someone who saw this first hand, Stripe’s fraud detection really works. Fraudulent transactions went down from ~2% to under 0.5% on hundreds of thousands of transactions per month. And it very likely saved our business at a very critical phase." This is what we're aiming for (and up against) with Stripe Radar and Stripe.js, and why we work on these technologies.)

[1] https://news.ycombinator.com/item?id=22938141

replies(52): >>22937327 #>>22937331 #>>22937352 #>>22937362 #>>22937385 #>>22937475 #>>22937518 #>>22937526 #>>22937559 #>>22937599 #>>22937775 #>>22937815 #>>22937962 #>>22938015 #>>22938068 #>>22938208 #>>22938310 #>>22938383 #>>22938533 #>>22938646 #>>22938728 #>>22938777 #>>22938855 #>>22938884 #>>22939026 #>>22939035 #>>22939376 #>>22939803 #>>22939814 #>>22939916 #>>22939952 #>>22940051 #>>22940090 #>>22940177 #>>22940282 #>>22940315 #>>22940317 #>>22940352 #>>22940686 #>>22940751 #>>22941252 #>>22942502 #>>22942538 #>>22942710 #>>22942907 #>>22943100 #>>22943453 #>>22944163 #>>22944509 #>>22944652 #>>22945170 #>>22946136 #
1. beervirus ◴[21 Apr 20 18:23 UTC] No.22937775[source]
How long is this data retained, and what does it actually include?

> This data has never been, would never be, and will never be sold/rented/etc. to advertisers.

Unless Stripe goes bankrupt, in which case it'll be liquidated along with all the other assets.

replies(2): >>22937812 #>>22938882 #
2. pc ◴[21 Apr 20 18:26 UTC] No.22937812[source]
I'll ask our legal team if we can somehow contractually preclude ourselves from sharing this data in the case of liquidation or otherwise bind ourselves in a useful fashion...

To your question about what the data actually includes and what the retention policies are -- we'll put together a summary of this on the page I mentioned in GP.

replies(6): >>22938332 #>>22939013 #>>22940261 #>>22940388 #>>22941849 #>>22944933 #
3. pilingual ◴[21 Apr 20 19:13 UTC] No.22938332[source]
If you get clarity on liquidation, please consider open sourcing it à la YC's startup documents. It's something I've long wanted to include in my projects.
4. dahart ◴[21 Apr 20 20:15 UTC] No.22938882[source]
> Unless Stripe goes bankrupt

Yep. Also: sale, acquisition, merger, as well as government requests for data, and third party access. Speaking from experience selling a company, it’s difficult to plan for unknown eventualities, and even more difficult to keep any promises about what happens to data you have. The only effective way I know of to guarantee data you have doesn’t get shared is to delete it.

replies(3): >>22938918 #>>22941263 #>>22945687 #
5. amenod ◴[21 Apr 20 20:18 UTC] No.22938918[source]
FTFY: ...is to not have it.
6. rkagerer ◴[21 Apr 20 20:29 UTC] No.22939013[source]
I hope the result has some teeth to it, and I'd like to see follow up once this item is complete.

If I were negotiating for a vendor to collect such an invasive level of personal data about me or my customers, I would insist on accordingly strong protections.

At a minimum there should be clause in your ToS making our consent expressly contingent on you upholding your protection commitments, particularly around what data is collected, who it's shared with, and when it is destroyed or 100% anonymized. It should insist you have contracts containing terms of equal strength in place with any of your vendors, subcontractors, partners, etc. who might conceivably gain access to the sensitive data.

The clause should be written such that the liability follows along to any assigns, heirs, successors, etc, and it should be excluded from any loopholes in other portions of the contract (particularly any blanket ones which allow you to change the ToS without gaining fresh, explicit consent) and preferably free from any limitations of liability.

I'm glad Stripe is taking a responsive approach to the matter and I hope you'll consider this feedback when you revisit your legal agreements.

7. lucb1e ◴[21 Apr 20 23:04 UTC] No.22940261[source]
Will you post the response from the legal team here or is there some other place we should watch like the blog?
8. nerdponx ◴[21 Apr 20 23:25 UTC] No.22940388[source]
And what happens if Stripe is hacked?
replies(1): >>22940615 #
9. taurath ◴[22 Apr 20 00:00 UTC] No.22940615{3}[source]
Your credit card information is stolen.
10. techntoke ◴[22 Apr 20 01:58 UTC] No.22941263[source]
If a company as big as Stripe hasn't already considered this and have to ask their legal team then they are playing dumb.
replies(1): >>22942407 #
11. beefee ◴[22 Apr 20 03:37 UTC] No.22941849[source]
Thanks for answering questions about this and being so open! In your top-voted comment, you claimed that this data will never be sold to advertisers. Are you now saying that you're unsure? If so, it would be helpful to update the comment, since it seems it's not accurate.

> This data has never been, would never be, and will never be sold/rented/etc. to advertisers

12. dahart ◴[22 Apr 20 05:07 UTC] No.22942407{3}[source]
I honestly don't think it's that simple, and in fact I suspect it gets harder the bigger the company. They could have every intention, even a plan and an working implementation today to keep any data they collect out of the hands of a buyer or the government, and still have a very hard time ensuring it when the time comes. It does sound like @pc is actively committed to it though.

I don't think anyone's playing dumb. I am completely speculating, yet absolutely certain, that they have actually considered future scenarios for collected data, and I believe that there are legitimate reasons to still need to discuss this and other scenarios that come up with a legal team every time. If it's not clear why this can happen, it will become clear if/when you run a company.

It's true that not collecting any data is a foolproof way to guarantee it doesn't get into the wrong hands, but that's tying both arms behind your back in the online world, and it would mean in this case choosing to not train any fraud detecting neural networks. There could be an even bigger mob if Stripe knew how to prevent certain kinds of fraud and chose not to for ambiguous privacy reasons.

13. bill_mcgonigle ◴[22 Apr 20 12:47 UTC] No.22944933[source]
> I'll ask our legal team if we can somehow contractually preclude ourselves from sharing this data in the case of liquidation or otherwise bind ourselves in a useful fashion...

Attack real problems on all flanks, but I don't think you can get an affirmative from Legal.

Do you have cryptographers on staff? The "technology as a contract" approach is to implement a homomorphic encryption technique to do your cross-site correlation without being able to unmask the individual who is using multiple sites.

That way you don't have to trust your users, customers, sysadmins, big-data people, LEO, OR creditors. Keep it as secret sauce, or even better, drop an open-source library on github to advance the state of privacy. I would like to be able to ask vendors, "why AREN'T you protecting users' privacy this way?".

14. thw0rted ◴[22 Apr 20 14:07 UTC] No.22945687[source]
IANAL and I don't claim to understand any of this well, but I would naively assume that if Company A collected data under a binding legal agreement that they can only use it for X, then they go bankrupt, that shouldn't give Company B the ability to buy the data as a "liquidation asset" then do anything they feel like with it. Shouldn't the binding restrictions "move" with the data?
replies(1): >>22949952 #
15. dahart ◴[22 Apr 20 20:40 UTC] No.22949952{3}[source]
This depends on how the company is liquidated/sold. In the cases I mentioned of sale or acquisition, often the corporate entity remains in existence through the transition, so the effect is that nothing changes wrt the binding legal agreement, but a large group of new people gain access to the data. Also while legal agreements are binding, they can usually be changed, it takes some careful planning to prevent a contract from being changeable by the new owner of the contract. Think about the question of who owns the collected data in the first place. If the company owns it, and the investors own the company, the company might have a tough time getting investors to agree to waive their right to sell what they consider to be a valuable asset in the case of bankruptcy. If the company doesn't ask the investors, or can't get them to agree, then whatever they do has grounds for future legal challenge. It's all around better to delete any such data before anything changes hands.