Stripe CEO Patrick Collison insists his company's collection of e-commerce customers' site interactions, mouse metrics, and identifiers is solely for fighting fraud – though he allows that the payment platform's disclosure could be better.
The data transmitted goes beyond what a transaction requires. According to Lynch, when the library is present on a page it reports that page's URL even if the page contains no Stripe payment form, and it sends mouse-movement telemetry and unique identifiers that let Stripe match a visitor against data gathered from other sites that implement Stripe.
Responding to Lynch's concerns in a post on Hacker News, Collison insisted Stripe doesn't use the data for advertising or to investigate its users' habits.
"Stripe.js collects this data only for fraud prevention – it helps us detect bots who try to defraud businesses that use Stripe," he wrote. "(CAPTCHAs use similar techniques but result in more UI friction.) Stripe.js is part of the [machine learning] stack that helps us stop literally millions of fraudulent payments per day and techniques like this help us block fraud more effectively than almost anything else on the market."
"Businesses that use Stripe would lose a lot more money if it didn't exist. We see this directly: some businesses don't use Stripe.js and they are often suddenly and unpleasantly surprised when attacked by sophisticated fraud rings."
Collison said merchants don't need to use the Stripe.js library at all, though without it they bear more risk of fraud chargebacks. While Stripe recommends loading the code "on every page, not just the checkout page" so it can spot anomalous behavior, it can be confined to the pages where transactions occur and unloaded if desired.
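For a merchant who wants to take Collison up on that and confine the library to checkout, the route-gating logic looks something like the following. This is an added example, not code from the article, from Stripe, or from Stripe's documentation; the loader URL, the checkout path prefixes and the function names are illustrative assumptions.

```javascript
// Added example (not Stripe's code): decide, per page, whether the
// Stripe.js loader should be present, and inject or remove it accordingly.
// Assumptions, not from the article: the loader URL below and the
// checkout path prefixes are placeholders for a real site's values.

const STRIPE_JS_URL = "https://js.stripe.com/v3/"; // assumed loader URL
const CHECKOUT_PATHS = ["/checkout", "/cart/pay"];  // assumed checkout routes

// True only for an exact checkout path or a sub-path of one, so "/checkouts"
// or "/checkout-faq" do not match. Query string and fragment are ignored.
function isCheckoutPath(pathname, prefixes = CHECKOUT_PATHS) {
  const clean = pathname.split(/[?#]/)[0].replace(/\/+$/, "") || "/";
  return prefixes.some((p) => clean === p || clean.startsWith(p + "/"));
}

// Pure decision step, kept separate from DOM work so it can be unit-tested:
// returns "load", "unload" or "noop" given the current path and whether the
// loader <script> is currently in the document.
function planStripeJs(pathname, currentlyLoaded, prefixes = CHECKOUT_PATHS) {
  const wanted = isCheckoutPath(pathname, prefixes);
  if (wanted && !currentlyLoaded) return "load";
  if (!wanted && currentlyLoaded) return "unload";
  return "noop";
}

// Inject the loader tag once. `doc` is passed in (normally `document`).
function loadStripeJs(doc, url = STRIPE_JS_URL) {
  const existing = doc.querySelector(`script[src="${url}"]`);
  if (existing) return existing;
  const tag = doc.createElement("script");
  tag.src = url;
  tag.async = true;
  doc.head.appendChild(tag);
  return tag;
}

// Remove the loader tag(s) and the global it installs. Returns the count removed.
// Note: this does not unregister listeners the library already attached
// (see usage note); it only stops the script from being present afterwards.
function unloadStripeJs(doc, win, url = STRIPE_JS_URL) {
  let removed = 0;
  for (const tag of doc.querySelectorAll(`script[src="${url}"]`)) {
    tag.remove();
    removed += 1;
  }
  if (win && "Stripe" in win) delete win.Stripe;
  return removed;
}

// Wire-up for a single-page app: call on initial load and on every route change.
function syncStripeJs(doc, win, pathname) {
  const loaded = doc.querySelector(`script[src="${STRIPE_JS_URL}"]`) !== null;
  const action = planStripeJs(pathname, loaded);
  if (action === "load") loadStripeJs(doc);
  else if (action === "unload") unloadStripeJs(doc, win);
  return action;
}

if (typeof module !== "undefined") {
  module.exports = { isCheckoutPath, planStripeJs, loadStripeJs, unloadStripeJs, syncStripeJs };
}
```

Two caveats a practitioner would check before relying on this. First, removing a `<script>` element does not undo anything the script already did: event listeners it registered (mouse movement, for instance) and any timers stay active until a full page navigation, so "unloaded" on a client-rendered route change means "not loaded on the next page", not "stopped now". Second, on a server-rendered site the simpler equivalent is to emit the loader tag only in the checkout template and verify with the browser's network panel that no request to the loader host occurs on other pages.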
Collison added that Stripe intends to clarify that its library is optional and to elaborate more fully on its anti-fraud page.
In a phone interview with The Register, Lynch said better disclosure is necessary. "The response from Patrick makes me hopeful. But I would like to see them follow through."
The Register understands that Stripe is working on clarifying its disclosures and intends to publish a blog post on the subject in the near future.
Bennett Cyphers, staff technologist at the Electronic Frontier Foundation, told The Register in a phone interview, "Stripe has to be a lot more clear with the sites using it. They have to be clear with users that this kind of tracking is happening, that they're building a profile of users to determine whether they're fraudulent or not."
And he expressed concern about data collection on pages not designed for checkout, noting that the digital ad industry does a lot of similar script-based data collection to determine whether viewers are humans or bots.