This article is more than 1 year old
Stripe is absolutely logging your mouse movements on websites' payment pages – for your own good, says CEO
Online transaction biz intends to clarify its analytics harvesting habit
Stripe CEO Patrick Collison insists his company's collection of e-commerce customers' site interactions, mouse metrics, and identifiers is solely for fighting fraud – though he allows that the payment platform's disclosure could be better.
On Tuesday, developer Michael Lynch questioned Stripe's data collection in a blog post, noting that the biz's JavaScript library, used by web merchants to implement client-side aspects of Stripe's payment system, records browsing activity and reports the data back to the company.
The data transmitted goes beyond what's necessary for a transaction. According to Lynch, the library when present on a page reports the URL even if the page does not include a Stripe payment form, and includes mouse movement telemetry and unique identifiers that let Stripe match visitors against data from other Stripe-implementing sites.
Responding to Lynch's concerns in a post on Hacker News, Collison insisted Stripe doesn't use the data for advertising or to investigate their users' habits.
"Stripe.js collects this data only for fraud prevention – it helps us detect bots who try to defraud businesses that use Stripe," he wrote. "(CAPTCHAs use similar techniques but result in more UI friction.) Stripe.js is part of the [machine learning] stack that helps us stop literally millions of fraudulent payments per day and techniques like this help us block fraud more effectively than almost anything else on the market."
"Businesses that use Stripe would lose a lot more money if it didn't exist. We see this directly: some businesses don't use Stripe.js and they are often suddenly and unpleasantly surprised when attacked by sophisticated fraud rings."
Collison said merchants don't need to use the Stripe.js library at all, though they bear more risk of fraud chargebacks without it. While Stripe recommends loading the code "on every page, not just the checkout page" for spotting anomalous behavior, it can be confined to just where transactions occur and it can be unloaded if desired.
Collison added that Stripe intends to clarify that its library is optional and to elaborate more fully on its anti-fraud page.
In a phone interview with The Register, Lynch said better disclosure is necessary. "The response from Patrick makes me hopeful. But I would like to see them follow through."
The Register understands that Stripe is working on clarifying its disclosures and intends to publish a blog post on the subject in the near future.
Lynch said it's ultimately up to website owners to understand what's going on when integrating a partner's code. "There does need to be a lot of trust when you install JavaScript from a third-party," he said.
Bennett Cyphers, staff technologist at the Electronic Frontier Foundation, told The Register in a phone interview, "Stripe has to be a lot more clear with the sites using it. They have to be clear with users that this kind of tracking is happening, that they're building a profile of users to determine whether they're fraudulent or not."
And he expressed concern about data collection on pages not designed for checkout, noting that the digital ad industry does a lot of similar script-based data collection to determine whether viewers are humans or bots.
"No amount of privacy policy language will make this okay," said Cyphers. "Stripe should not be profiling people's behavior on web pages where [the e-commerce form] isn't present." ®
Biting the hand that feeds IT
