While it's good that he replied, his answer is unsatisfying: That's great! Yeah, except until it is. We see this from companies all the time. They say they don't do something, then they get bought...
While it's good that he replied, his answer is unsatisfying:
The question raised ("Is Stripe collecting this data for advertising?") can be readily answered in the negative.
That's great!
This data has never been, would never be, and will never be sold/rented/etc. to advertisers.
Yeah, except until it is. We see this from companies all the time. They say they don't do something, then they get bought by a larger company, and suddenly they're doing that thing they promised they'd never do.
We will immediately clarify the ToS language that makes this ambiguous. We'll also put up a clearer page about Stripe.js's fraud prevention.
This is the thing that gets me the most. Why didn't they do that in the first place? They're trying to prevent fraud, so they know full well that their customers are concerned about fraud. But because of the unclear language they used, it seemed like they were doing something skeevy. As evidenced in the article, lots of other people have run into this same issue and even contacted them about it, yet they've let it go on for years. That fact really makes me question the CEO's sincerity. (Well that and the way they've acted in the past.) Sorry, but I don't trust anything they're saying here.
Honestly, I'm willing to give the company a pass on this. It seems like another news cycle of manufactured Silicon Valley-patented outrage over mostly nothing. If you don't trust Stripe, don't...
Honestly, I'm willing to give the company a pass on this. It seems like another news cycle of manufactured Silicon Valley-patented outrage over mostly nothing. If you don't trust Stripe, don't load their code.
This data has never been, would never be, and will never be sold/rented/etc. to advertisers.
Yeah, except until it is. We see this from companies all the time.
Well, this is true for basically every website and organisation in existence—you can't ding just Stripe here. As Patrick has made clear, they need this data for anti-fraud purposes. So, of course they need to collect it. What more can you ask them to do in this situation? Pinky promise they won't sell it? Stating up-front it isn't sold is as best as you can do here, Patrick is being completely reasonable in his response.
This is the thing that gets me the most. Why didn't they do that in the first place?
Because Stripe is a company run by humans, and humans are only human? People make mistakes, lack of foresight is common, and hindsight is 20/20. This isn't maliciousness or corporate authoritarianism, this is literally someone forgot to update the docs, or a team meeting wasn't held to discuss this, or people were too busy doing other things. Companies consist of people and those people are usually dealing with dozens of things at once.
That fact really makes me question the CEO's sincerity. Well that and the way they've acted in the past.
I've never seen anything that has made me question Stripe's, or Patrick's, authenticity. Could you provide something that might make me reconsider?
I want to piggyback on this: I have nothing but goodwill for Stripe. They seem like a company that wants to do their genuine best for its customers and the world. They seem like such angels that...
I've never seen anything that has made me question Stripe's, or Patrick's, authenticity
I want to piggyback on this: I have nothing but goodwill for Stripe. They seem like a company that wants to do their genuine best for its customers and the world. They seem like such angels that if they do something wrong, I shudder to think about the worse things the others are doing.
They don't need it. It's valuable to their business, it's an important aspect of dealing with money, it's an active move against fraudsters – but they don't need it: they want it. They should...
So, of course they need to collect it. What more can you ask them to do in this situation?
They don't need it. It's valuable to their business, it's an important aspect of dealing with money, it's an active move against fraudsters – but they don't need it: they want it. They should allow users to opt in – encourage them, even – but not make spying a fucking default. Apparently we've just collectively accepted that this is the way of things: that services will spy on us.
As for what do: I'd prefer transparency. Something that makes clear how they deal with the information.
Of course, data going out from a single source of truth is not going to be immediately trustworthy – especially when it's in the source's potential interest to maintain a cover over its true operations.
Opening an API to request stats would only serve as an additional attack surface.
Open-sourcing it... without giving malicious actors access to the raw data and still being transparent... yeah, I'm not seeing it, either. Then again, I'm just talking out of my ass here. Maybe there's a way.
The HN thread has a comment from a Stripe customer who saw their fraud rate go from 2% to 0.5%: Opting out of mouse tracking and similarly invasive methods of fraud detection will make things more...
The HN thread has a comment from a Stripe customer who saw their fraud rate go from 2% to 0.5%:
Opting out of mouse tracking and similarly invasive methods of fraud detection will make things more expensive, and while you may be willing to pay more, most people won't.
It's not the only way to prevent fraud, but it's (apparently) an effective way. You get less fraud if you stop every kid with Selenium and Hola from being able to stuff your site full of stolen...
It's not the only way to prevent fraud, but it's (apparently) an effective way. You get less fraud if you stop every kid with Selenium and Hola from being able to stuff your site full of stolen credit card numbers until they find one that works. Convincing mouse movements take work to fake, and if you can do that work maybe you have something better to do with your time than credit card fraud.
How else do you propose Stripe implement anti-fraud detection then? Generally, that relies on sniffing various properties of an entity performing a transaction to ensure authenticity. They do need...
but they don't need it: they want it.
How else do you propose Stripe implement anti-fraud detection then? Generally, that relies on sniffing various properties of an entity performing a transaction to ensure authenticity. They do need this data to implement the suite of anti-fraud tools they operate.
but not make spying a fucking default.
Fraud detection via mouse movements isn't "spying". The goal isn't to spy on the user, it's to collect information which can lead to reduced credit card fraud. I don't consider that spying, and I think such flippant use of the word reduces its impact when genuine spying takes place.
They should allow users to opt in
I'm sure the people conducting internet credit card fraud will certainly opt-in.
The next time I have to remove a comment of yours, you will get a temporary ban for a week too. If you can't slow down and continue a discussion in good faith when someone is disagreeing with you,...
The next time I have to remove a comment of yours, you will get a temporary ban for a week too. If you can't slow down and continue a discussion in good faith when someone is disagreeing with you, just stop commenting in the thread.
Okay. The comment I held back on is that basic data collection isn't "spying". Using scary words to describe mundane activities is something I consider to be intellectually dishonest. It's FUD to...
Okay. The comment I held back on is that basic data collection isn't "spying". Using scary words to describe mundane activities is something I consider to be intellectually dishonest. It's FUD to tell people they're being "spied on", or using other emotionally-charged words when we're describing basic browser information that is collected transparently. The data and its use are described fully in their privacy policy.
The collected data is also useless except in the context of determining if someone is a bot, or at most understanding which devices they need to support. It's not being sold to advertisers, or insurance companies, or whoever the big bad is. Those things almost never actually happen, and in the rare case that they do, the companies involved won't be so open and honest about it as Stripe is being.
You can ask them to be bound by a real contract, one that they can't just unilaterally amend at any time and assume you accept like with standard terms of service. If I have a contract with Stripe...
What more can you ask them to do in this situation?
You can ask them to be bound by a real contract, one that they can't just unilaterally amend at any time and assume you accept like with standard terms of service.
If I have a contract with Stripe that prohibits them from selling my or my customers' data, or prohibits them from using it for advertising purposes, in consideration for my allowing them to collect, retain, and use the data for fraud prevention, then that contract binds them and anyone who buys them, and if they don't follow it I can sue for breach of contract.
If you don't have a real contract with Stripe that requires them to perform any particular tasks in any particular way, then what are you doing trusting them with your customer's data and your money?
Sure, that explains why they didn't document it the first time it came up. But as we saw from the post, there were a bunch of reports of this on the web, and it was causing some serious confusion...
Because Stripe is a company run by humans, and humans are only human?
Sure, that explains why they didn't document it the first time it came up. But as we saw from the post, there were a bunch of reports of this on the web, and it was causing some serious confusion to developers. Over the course of 3 years, it kept coming up, and they kept doing nothing about it until it hit HackerNews. I can give them a pass the first time, and of course they'd need time to fix the issue once they realized it existed. But 3 years? Come on!
I've never seen anything that has made me question Stripe's, or Patrick's, authenticity. Could you provide something that might make me reconsider?
I have on occasion received receipts that belonged to another person. When I contacted Stripe, they said it was no big deal and they'd remove my email address from being associated with that card. I'm sorry, but if you're randomly sending the wrong people other people's receipts, which contain pretty personal information, it's not "no big deal." Now I don't know whether other people have been receiving my receipts or what might have been in them if they did. The fact that they act like this was just a casual mistake really turned me off.
I'm sorry but if your module(s) load a library and the library docs say they check traffic and their support says they check traffic then this is not stealth tracking. You loaded their code, their...
I'm sorry but if your module(s) load a library and the library docs say they check traffic and their support says they check traffic then this is not stealth tracking. You loaded their code, their code tracks users.
They're not doing anything particularly malicious, you are loading their code. If you don't trust stripe, don't load their code. If you only want it on certain parts of your site, then only load it on certain parts of your site.
Currently, the only page that includes any third-party assets at all is the one that redirects to a Stripe Checkout page when making a donation. This may be required again for some other donation methods or other very specialized uses, but in general there shouldn't be any third-party scripts or assets used on the site.
This means that when people are using Tildes, their device is communicating only with Tildes servers, not other companies that are tracking and collecting their data.
Tbf Stripe is more prevalent than you think. In fact, I bet a lot of people don't even know who they are, despite being the most highly valued unicorn right now. They're really gated about their...
Tbf Stripe is more prevalent than you think. In fact, I bet a lot of people don't even know who they are, despite being the most highly valued unicorn right now.
They're really gated about their numbers, but apparently half of all US online purchases were made through Stripe in 2019. I'm guessing a large chunk of that was just Amazon, but still.
The CEO responded on Hacker News.
While it's good that he replied, his answer is unsatisfying:
That's great!
Yeah, except until it is. We see this from companies all the time. They say they don't do something, then they get bought by a larger company, and suddenly they're doing that thing they promised they'd never do.
This is the thing that gets me the most. Why didn't they do that in the first place? They're trying to prevent fraud, so they know full well that their customers are concerned about fraud. But because of the unclear language they used, it seemed like they were doing something skeevy. As evidenced in the article, lots of other people have run into this same issue and even contacted them about it, yet they've let it go on for years. That fact really makes me question the CEO's sincerity. (Well that and the way they've acted in the past.) Sorry, but I don't trust anything they're saying here.
Honestly, I'm willing to give the company a pass on this. It seems like another news cycle of manufactured Silicon Valley-patented outrage over mostly nothing. If you don't trust Stripe, don't load their code.
Well, this is true for basically every website and organisation in existence—you can't ding just Stripe here. As Patrick has made clear, they need this data for anti-fraud purposes. So, of course they need to collect it. What more can you ask them to do in this situation? Pinky promise they won't sell it? Stating up-front it isn't sold is as best as you can do here, Patrick is being completely reasonable in his response.
Because Stripe is a company run by humans, and humans are only human? People make mistakes, lack of foresight is common, and hindsight is 20/20. This isn't maliciousness or corporate authoritarianism, this is literally someone forgot to update the docs, or a team meeting wasn't held to discuss this, or people were too busy doing other things. Companies consist of people and those people are usually dealing with dozens of things at once.
I've never seen anything that has made me question Stripe's, or Patrick's, authenticity. Could you provide something that might make me reconsider?
I want to piggyback on this: I have nothing but goodwill for Stripe. They seem like a company that wants to do their genuine best for its customers and the world. They seem like such angels that if they do something wrong, I shudder to think about the worse things the others are doing.
They don't need it. It's valuable to their business, it's an important aspect of dealing with money, it's an active move against fraudsters – but they don't need it: they want it. They should allow users to opt in – encourage them, even – but not make spying a fucking default. Apparently we've just collectively accepted that this is the way of things: that services will spy on us.
As for what do: I'd prefer transparency. Something that makes clear how they deal with the information.
Of course, data going out from a single source of truth is not going to be immediately trustworthy – especially when it's in the source's potential interest to maintain a cover over its true operations.
Opening an API to request stats would only serve as an additional attack surface.
Open-sourcing it... without giving malicious actors access to the raw data and still being transparent... yeah, I'm not seeing it, either. Then again, I'm just talking out of my ass here. Maybe there's a way.
The HN thread has a comment from a Stripe customer who saw their fraud rate go from 2% to 0.5%:
Opting out of mouse tracking and similarly invasive methods of fraud detection will make things more expensive, and while you may be willing to pay more, most people won't.
This argument rests on the notion that tracking mouse movements and other such invasive methods is the only way to prevent fraud.
It's not the only way to prevent fraud, but it's (apparently) an effective way. You get less fraud if you stop every kid with Selenium and Hola from being able to stuff your site full of stolen credit card numbers until they find one that works. Convincing mouse movements take work to fake, and if you can do that work maybe you have something better to do with your time than credit card fraud.
How else do you propose Stripe implement anti-fraud detection then? Generally, that relies on sniffing various properties of an entity performing a transaction to ensure authenticity. They do need this data to implement the suite of anti-fraud tools they operate.
Fraud detection via mouse movements isn't "spying". The goal isn't to spy on the user, it's to collect information which can lead to reduced credit card fraud. I don't consider that spying, and I think such flippant use of the word reduces its impact when genuine spying takes place.
I'm sure the people conducting internet credit card fraud will certainly opt-in.
The next time I have to remove a comment of yours, you will get a temporary ban for a week too. If you can't slow down and continue a discussion in good faith when someone is disagreeing with you, just stop commenting in the thread.
I'm not sure that 99.9% of customers being unscreenable for fraud prevention would really improve things.
Okay. The comment I held back on is that basic data collection isn't "spying". Using scary words to describe mundane activities is something I consider to be intellectually dishonest. It's FUD to tell people they're being "spied on", or using other emotionally-charged words when we're describing basic browser information that is collected transparently. The data and its use are described fully in their privacy policy.
The collected data is also useless except in the context of determining if someone is a bot, or at most understanding which devices they need to support. It's not being sold to advertisers, or insurance companies, or whoever the big bad is. Those things almost never actually happen, and in the rare case that they do, the companies involved won't be so open and honest about it as Stripe is being.
You can ask them to be bound by a real contract, one that they can't just unilaterally amend at any time and assume you accept like with standard terms of service.
If I have a contract with Stripe that prohibits them from selling my or my customers' data, or prohibits them from using it for advertising purposes, in consideration for my allowing them to collect, retain, and use the data for fraud prevention, then that contract binds them and anyone who buys them, and if they don't follow it I can sue for breach of contract.
If you don't have a real contract with Stripe that requires them to perform any particular tasks in any particular way, then what are you doing trusting them with your customer's data and your money?
Sure, that explains why they didn't document it the first time it came up. But as we saw from the post, there were a bunch of reports of this on the web, and it was causing some serious confusion to developers. Over the course of 3 years, it kept coming up, and they kept doing nothing about it until it hit HackerNews. I can give them a pass the first time, and of course they'd need time to fix the issue once they realized it existed. But 3 years? Come on!
I have on occasion received receipts that belonged to another person. When I contacted Stripe, they said it was no big deal and they'd remove my email address from being associated with that card. I'm sorry, but if you're randomly sending the wrong people other people's receipts, which contain pretty personal information, it's not "no big deal." Now I don't know whether other people have been receiving my receipts or what might have been in them if they did. The fact that they act like this was just a casual mistake really turned me off.
I'm sorry but if your module(s) load a library and the library docs say they check traffic and their support says they check traffic then this is not stealth tracking. You loaded their code, their code tracks users.
They're not doing anything particularly malicious, you are loading their code. If you don't trust stripe, don't load their code. If you only want it on certain parts of your site, then only load it on certain parts of your site.
That's exactly what Tildes does:
https://docs.tildes.net/philosophy/site-implementation#zero-third-party-scriptsassets-during-normal-use
Yup. It's not like there isn't a wide selection of payment providers to pick and choose from these days.
Tbf Stripe is more prevalent than you think. In fact, I bet a lot of people don't even know who they are, despite being the most highly valued unicorn right now.
They're really gated about their numbers, but apparently half of all US online purchases were made through Stripe in 2019. I'm guessing a large chunk of that was just Amazon, but still.
Apparently even Tildes uses it.