
1134 points mtlynch | 4 comments
1. WesolyKubeczek No.22938375
This is not the only thing that bothers me about Stripe.

For example, if you run a Stripe Connect platform, and you set up webhooks to receive some events asynchronously, Stripe will send you all events of the types you select about the accounts connected to your platform, no matter if the events are related to your platform or not.

There may be applications which might need to receive all the activity, but in a simple case of a marketplace which allows merchants to sell stuff and collect a small fee, this is a disturbing amount of information. If I were a bad actor, I could silently collect the information about my merchants' activity on the marketplaces of my competitors.

Moreover, if your platform has enough merchants, you could track their buyers. Stripe will readily hand over all this information to you. In a charge.succeeded webhook alone, you get quite enough information to fingerprint a customer, and if you use some deduction, you can identify them, too.

This sounds like putting a Ring of Power into Gollum's hand all of a sudden.

I'm wondering if the marketplaces should hang a big warning, for privacy reasons, that "this site uses Stripe for payments. Any payment information might be shared with an unknown number of third parties, and there's diddly we can do about this."

replies(2): >>22938464 #>>22939503 #
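The comment above describes the data-minimisation problem on the receiving side: a Connect platform's webhook endpoint is handed events for every connected account, including activity that has nothing to do with the platform. The following is an added example of how a defender would narrow that down at the endpoint; it is not code from the original post or from Stripe. It assumes the documented Stripe-Signature scheme (a `t=<timestamp>,v1=<hex>` header, HMAC-SHA256 over `"<timestamp>.<raw body>"` with the endpoint secret) and the `account` field that Connect events carry; the secret, account ids and the charge object are constructed sample values, and the allow-lists and kept-field list are this example's own choices.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values: not real Stripe secrets or identifiers.
ENDPOINT_SECRET = "whsec_example_not_real"
# Connected accounts this platform actually has a relationship with (assumed).
OUR_CONNECTED_ACCOUNTS = {"acct_ours_1", "acct_ours_2"}
# Event types the platform genuinely needs to act on (assumed).
WANTED_EVENT_TYPES = {"charge.succeeded", "charge.refunded"}
# Fields kept for bookkeeping; billing details, card fingerprint and anything
# else that identifies the buyer are dropped before the event is stored or logged.
KEPT_FIELDS = ("id", "amount", "currency", "status", "created")
TOLERANCE_SECONDS = 300  # reject replayed deliveries older than this


def sign_payload(payload: bytes, secret: str, timestamp: int) -> str:
    """v1 signature: HMAC-SHA256 over "<timestamp>.<raw body>" with the endpoint secret."""
    signed = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def verify_signature(payload: bytes, header: str, secret: str, now: Optional[int] = None) -> bool:
    """True only if the header's v1 signature matches and its timestamp is fresh."""
    now = int(time.time()) if now is None else now
    parts = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    try:
        ts = int(parts["t"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    expected = sign_payload(payload, secret, ts)
    return hmac.compare_digest(expected, parts.get("v1", ""))


def handle_webhook(payload: bytes, header: str, now: Optional[int] = None) -> Optional[dict]:
    """Return a minimised record for events we should act on, None for everything else."""
    if not verify_signature(payload, header, ENDPOINT_SECRET, now):
        return None
    event = json.loads(payload)
    if event.get("type") not in WANTED_EVENT_TYPES:
        return None
    # Connect events name the connected account in "account". An event for an
    # account we do not recognise is activity on somebody else's platform:
    # discard it instead of storing it.
    account = event.get("account")
    if account not in OUR_CONNECTED_ACCOUNTS:
        return None
    obj = event["data"]["object"]
    record = {k: obj[k] for k in KEPT_FIELDS if k in obj}
    record["account"] = account
    record["event_type"] = event["type"]
    return record


def make_event(account: str, etype: str, obj: dict, secret: str = ENDPOINT_SECRET,
               ts: int = 1_700_000_000):
    """Build a constructed (body, Stripe-Signature header) pair for local testing."""
    body = json.dumps({"id": "evt_constructed", "object": "event", "type": etype,
                       "account": account, "data": {"object": obj}}).encode()
    return body, f"t={ts},v1={sign_payload(body, secret, ts)}"


# Constructed charge object carrying the kind of buyer detail the comment describes.
SAMPLE_CHARGE = {
    "id": "ch_constructed", "object": "charge", "amount": 2500, "currency": "usd",
    "status": "succeeded", "created": 1_700_000_000,
    "billing_details": {"email": "buyer@example.com", "name": "Random Joe"},
    "payment_method_details": {"card": {"last4": "4242", "fingerprint": "fp_constructed"}},
}

if __name__ == "__main__":
    body, header = make_event("acct_ours_1", "charge.succeeded", SAMPLE_CHARGE)
    print(handle_webhook(body, header, now=1_700_000_000))
    body, header = make_event("acct_somebody_elses", "charge.succeeded", SAMPLE_CHARGE)
    print(handle_webhook(body, header, now=1_700_000_000))  # None: not our merchant
```

The ordering matters: the signature check runs before the body is parsed, so unsigned or replayed deliveries never reach the filtering logic, and the account allow-list runs before any field is copied, so data about other platforms' customers is never written anywhere it could later be queried.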
2. ryneandal No.22938464
Almost like a...services agreement (https://stripe.com/legal#section_d)?
replies(1): >>22945810 #
3. scrollaway No.22939503
Don't single out Stripe, this is how many parts of the world work. Like @ryneandal said, what you're allowed to do with the data is usually covered by legal contracts.

Mastercard and Visa see all the transactions processed for the cards and so does the institution that issued your card (your bank). Unlike Stripe, they do a lot of non-fraud-related analysis on that information.

But putting fintech aside, GCP and AWS have access to everything on their customers' platforms, unless it's E2EE. They could (very illegally, and very stupidly) access all that data. There is no concrete difference between this and what you're talking about.

No matter how much encryption you put on it, your ISP has access to a history of the IPs you directly connect to. To all the connections you make through them.

It's the nature of a middleman service provider to have access to these things. We can push to improve the status quo (more E2EE, decentralized designs and what not) but a better alternative has to exist before you can cry wolf about those that follow the norm.

4. WesolyKubeczek No.22945810
Look, I'm just a random Joe who wants to buy a handmade mug on a marketplace with handmade mugs. I don't even know at any point that this is powered by Stripe. When I buy the mug, lots and lots of PII flies, via the webhook, not only to the marketplace through which I bought the mug, but also to that other place to which my particular seller is connected, maybe they sell handmade Bilbos. And that place which is an aggregator of spaces-to-let. You name it. It's not Stripe per se, it's the unknown number of unknown third parties.

And at this point, a wild commenter appears and tells me, the random Joe, that Gotcha!, you should read all that legalese for Stripe! Dammit, should I also fire up the web inspector on each site I visit, just in case they use something I should be privy to the legal terms of?

Listen, bub, at no point do I (the buyer) and Stripe even enter a contract. I want to buy a fricking mug and I'd just be happy if that information stayed between me and whoever sold that to me.