←back to thread

Stripe records user movements on its customers' websites

(mtlynch.io)
1134 points mtlynch | 8 comments | 21 Apr 20 17:01 UTC | HN request time: 0s | source | bottom
Show context
pc ◴[21 Apr 20 17:42 UTC] No.22937303[source]
Stripe cofounder here. The question raised ("Is Stripe collecting this data for advertising?") can be readily answered in the negative. This data has never been, would never be, and will never be sold/rented/etc. to advertisers.

Stripe.js collects this data only for fraud prevention -- it helps us detect bots who try to defraud businesses that use Stripe. (CAPTCHAs use similar techniques but result in more UI friction.) Stripe.js is part of the ML stack that helps us stop literally millions of fraudulent payments per day and techniques like this help us block fraud more effectively than almost anything else on the market. Businesses that use Stripe would lose a lot more money if it didn't exist. We see this directly: some businesses don't use Stripe.js and they are often suddenly and unpleasantly surprised when attacked by sophisticated fraud rings.

If you don't want to use Stripe.js, you definitely don't have to (or you can include it only on a minimal checkout page) -- it just depends how much PCI burden and fraud risk you'd like to take on.

We will immediately clarify the ToS language that makes this ambiguous. We'll also put up a clearer page about Stripe.js's fraud prevention.

(Updated to add: further down in this thread, fillskills writes[1]: "As someone who saw this first hand, Stripe’s fraud detection really works. Fraudulent transactions went down from ~2% to under 0.5% on hundreds of thousands of transactions per month. And it very likely saved our business at a very critical phase." This is what we're aiming for (and up against) with Stripe Radar and Stripe.js, and why we work on these technologies.)

[1] https://news.ycombinator.com/item?id=22938141

replies(52): >>22937327 #>>22937331 #>>22937352 #>>22937362 #>>22937385 #>>22937475 #>>22937518 #>>22937526 #>>22937559 #>>22937599 #>>22937775 #>>22937815 #>>22937962 #>>22938015 #>>22938068 #>>22938208 #>>22938310 #>>22938383 #>>22938533 #>>22938646 #>>22938728 #>>22938777 #>>22938855 #>>22938884 #>>22939026 #>>22939035 #>>22939376 #>>22939803 #>>22939814 #>>22939916 #>>22939952 #>>22940051 #>>22940090 #>>22940177 #>>22940282 #>>22940315 #>>22940317 #>>22940352 #>>22940686 #>>22940751 #>>22941252 #>>22942502 #>>22942538 #>>22942710 #>>22942907 #>>22943100 #>>22943453 #>>22944163 #>>22944509 #>>22944652 #>>22945170 #>>22946136 #
beervirus ◴[21 Apr 20 18:23 UTC] No.22937775[source]
How long is this data retained, and what does it actually include?

> This data has never been, would never be, and will never be sold/rented/etc. to advertisers.

Unless Stripe goes bankrupt, in which case it'll be liquidated along with all the other assets.

replies(2): >>22937812 #>>22938882 #
1. pc ◴[21 Apr 20 18:26 UTC] No.22937812[source]
I'll ask our legal team if we can somehow contractually preclude ourselves from sharing this data in the case of liquidation or otherwise bind ourselves in a useful fashion...

To your question about what the data actually includes and what the retention policies are -- we'll put together a summary of this on the page I mentioned in GP.

replies(6): >>22938332 #>>22939013 #>>22940261 #>>22940388 #>>22941849 #>>22944933 #
2. pilingual ◴[21 Apr 20 19:13 UTC] No.22938332[source]
If you get clarity on liquidation, please consider open sourcing it à la YC's startup documents. It's something I've long wanted to include in my projects.
3. rkagerer ◴[21 Apr 20 20:29 UTC] No.22939013[source]
I hope the result has some teeth to it, and I'd like to see follow up once this item is complete.

If I were negotiating for a vendor to collect such an invasive level of personal data about me or my customers, I would insist on accordingly strong protections.

At a minimum there should be clause in your ToS making our consent expressly contingent on you upholding your protection commitments, particularly around what data is collected, who it's shared with, and when it is destroyed or 100% anonymized. It should insist you have contracts containing terms of equal strength in place with any of your vendors, subcontractors, partners, etc. who might conceivably gain access to the sensitive data.

The clause should be written such that the liability follows along to any assigns, heirs, successors, etc, and it should be excluded from any loopholes in other portions of the contract (particularly any blanket ones which allow you to change the ToS without gaining fresh, explicit consent) and preferably free from any limitations of liability.

I'm glad Stripe is taking a responsive approach to the matter and I hope you'll consider this feedback when you revisit your legal agreements.

4. lucb1e ◴[21 Apr 20 23:04 UTC] No.22940261[source]
Will you post the response from the legal team here or is there some other place we should watch like the blog?
5. nerdponx ◴[21 Apr 20 23:25 UTC] No.22940388[source]
And what happens if Stripe is hacked?
replies(1): >>22940615 #
6. taurath ◴[22 Apr 20 00:00 UTC] No.22940615[source]
Your credit card information is stolen.
7. beefee ◴[22 Apr 20 03:37 UTC] No.22941849[source]
Thanks for answering questions about this and being so open! In your top-voted comment, you claimed that this data will never be sold to advertisers. Are you now saying that you're unsure? If so, it would be helpful to update the comment, since it seems it's not accurate.

> This data has never been, would never be, and will never be sold/rented/etc. to advertisers

8. bill_mcgonigle ◴[22 Apr 20 12:47 UTC] No.22944933[source]
> I'll ask our legal team if we can somehow contractually preclude ourselves from sharing this data in the case of liquidation or otherwise bind ourselves in a useful fashion...

Attack real problems on all flanks, but I don't think you can get an affirmative from Legal.

Do you have cryptographers on staff? The "technology as a contract" approach is to implement a homomorphic encryption technique to do your cross-site correlation without being able to unmask the individual who is using multiple sites.

That way you don't have to trust your users, customers, sysadmins, big-data people, LEO, OR creditors. Keep it as secret sauce, or even better, drop an open-source library on github to advance the state of privacy. I would like to be able to ask vendors, "why AREN'T you protecting users' privacy this way?".