←back to thread

Stripe records user movements on its customers' websites

(mtlynch.io)
1134 points mtlynch | 3 comments | 21 Apr 20 17:01 UTC | HN request time: 2.25s | source
Show context
pc ◴[21 Apr 20 17:42 UTC] No.22937303[source]
Stripe cofounder here. The question raised ("Is Stripe collecting this data for advertising?") can be readily answered in the negative. This data has never been, would never be, and will never be sold/rented/etc. to advertisers.

Stripe.js collects this data only for fraud prevention -- it helps us detect bots who try to defraud businesses that use Stripe. (CAPTCHAs use similar techniques but result in more UI friction.) Stripe.js is part of the ML stack that helps us stop literally millions of fraudulent payments per day and techniques like this help us block fraud more effectively than almost anything else on the market. Businesses that use Stripe would lose a lot more money if it didn't exist. We see this directly: some businesses don't use Stripe.js and they are often suddenly and unpleasantly surprised when attacked by sophisticated fraud rings.

If you don't want to use Stripe.js, you definitely don't have to (or you can include it only on a minimal checkout page) -- it just depends how much PCI burden and fraud risk you'd like to take on.

We will immediately clarify the ToS language that makes this ambiguous. We'll also put up a clearer page about Stripe.js's fraud prevention.

(Updated to add: further down in this thread, fillskills writes[1]: "As someone who saw this first hand, Stripe’s fraud detection really works. Fraudulent transactions went down from ~2% to under 0.5% on hundreds of thousands of transactions per month. And it very likely saved our business at a very critical phase." This is what we're aiming for (and up against) with Stripe Radar and Stripe.js, and why we work on these technologies.)

[1] https://news.ycombinator.com/item?id=22938141

replies(52): >>22937327 #>>22937331 #>>22937352 #>>22937362 #>>22937385 #>>22937475 #>>22937518 #>>22937526 #>>22937559 #>>22937599 #>>22937775 #>>22937815 #>>22937962 #>>22938015 #>>22938068 #>>22938208 #>>22938310 #>>22938383 #>>22938533 #>>22938646 #>>22938728 #>>22938777 #>>22938855 #>>22938884 #>>22939026 #>>22939035 #>>22939376 #>>22939803 #>>22939814 #>>22939916 #>>22939952 #>>22940051 #>>22940090 #>>22940177 #>>22940282 #>>22940315 #>>22940317 #>>22940352 #>>22940686 #>>22940751 #>>22941252 #>>22942502 #>>22942538 #>>22942710 #>>22942907 #>>22943100 #>>22943453 #>>22944163 #>>22944509 #>>22944652 #>>22945170 #>>22946136 #
carapace ◴[21 Apr 20 18:43 UTC] No.22938015[source]
FWIW, reading this I thought "Isn't that for fraud detection?" and then I got to the part where your agent says "it's for fraud detection"...

I'm normally against this sort of thing (even though everybody does it, it seems like) but in this case, it's clear that this really is "works as intended" at least to me, FWIW.

replies(1): >>22938248 #
skoskie ◴[21 Apr 20 19:07 UTC] No.22938248[source]
My thoughts exactly as I was reading. Analytics gathering that’s not related to UI improvements wouldn’t bother to collect information on pointer movements.

But it turns out to be a pretty good tool for bot detection. That’s why you can now just check a box to verify you’re human (Something about that sentence feels quite dystopian).

I just don’t see the issue with Stripe’s practice here. They have a clear business model, and selling user data could severely undermine that model.

replies(2): >>22938869 #>>22938902 #
1. amenod ◴[21 Apr 20 20:17 UTC] No.22938902[source]
Sure, but business models change.

The main issue here is that this behavior is enabled by default and hidden. If API would be used like this, I would see no problem:

``` import { ensureUsersAreTrackedForFraudPrevention, loadStripe, } from '@stripe/stripe-js';

ensureUsersAreTrackedForFraudPrevention() ```

Of course, they will never do that, because then many developers would opt-out, and they need the masses to make fraud prevention work.

replies(2): >>22943002 #>>22943526 #
2. djur ◴[22 Apr 20 07:06 UTC] No.22943002[source]
If the API was used like that it could be disabled trivially by someone committing fraud.
3. hjnilsson ◴[22 Apr 20 08:51 UTC] No.22943526[source]
Likely many developers would opt-in when business sees the 5% surcharge for extra fraud.

And regardless, stripe explicitly says in their documentation that you should include stripe.js on every page of your app, so they can do tracking of pointers movements for fraud detection. This has not been hidden in any way from devs.