
Stripe is Silently Recording Your Movements On its Customers' Websites

mtlynch.io/stripe-recording-it

@Gargron heh I find it interesting that I see this right after my teammate suggests we use stripe for a project and I said I didn't have the time/energy to look into whether I considered it ethical... not that I think they'll care.

@Gargron

> #Stripe is Silently Recording Your Movements On its Customers' Websites

It's not the only one. This sort of client-side tracking (aka "real user monitoring") is…well, "pervasive" is probably putting it too strongly. But way more common than I'd like.

@Gargron stripe has always been a bit of a suspicious company. ô.o

@Gargron Isn't that the point of things like the Facebook/Twitter/Reddit/etc. buttons and reCaptcha?

@aral
Agreed. The trouble is, as screwed up as this is, the "alternatives" that I can think of are even worse (eg. PayPal, Google Wallet, Facebook payments etc). Don't even get me started on MasterCard and Visa...

Does anyone know of *any* better alternatives?
@gargron

@Blort

> Does anyone know of *any* better alternatives

Yes, I do: don't use a payment service at all, ask people to do a bank transfer (? German: ").

I don't know about other regions of the world, but for the -Area (which is quite big: ~ all of Europe), publish and and you're ready.

I outlined this here some time ago:

mastodon.social/@el_joa/103478

cc @laura @aral @Gargron

@el_joa

I like that this option minimizes the number of parties who know the details of your transaction (and yourself); however, in the country I live in, the banks charge you around $10-12 USD "handling charge" for every wire transfer you receive. :/

@laura @aral @gargron

@Gargron ah yeah, it is, just read. And the way provided is similar to what I've seen in Discord — library loaded only when proceeding to payment. Not sure about unloading in JS, though… it's held in memory after load, whether you delete your script or not.

But deferring the load then means you void their fraud detection mechanism and take responsibility for that…

Guess this is not *that* bad, has its purpose, but this behaviour should be well documented and togglable.

@Gargron

"I noticed that every page navigation generated a new HTTP POST request to a Stripe URL"

"This was strange because none of the pages I visited contained any calls to Stripe’s library."

oh my stars these are directly contradictory what business does this author have ANYWHERE near a website that handles money

@Gargron

"Based on the name mouse-timings, it seems that Stripe is recording my users’ mouse movements."

luckily for us Stripe didn't name it dna-transcript, then it would be recording our DNA.

@Gargron Worse, some websites don't load at all until js.stripe.com is allowed. I never dared to check in the #JavaScript code how that happens because it's too infuriating.

@Gargron PS. I spoke with Patrick (their CEO) and he’s put my mind at rest. Birdsite link (sorry): twitter.com/aral/status/125268

@Gargron To be fair, they're pretty plain about this in the integration docs -- it's hard to miss:

> To best leverage Stripe’s advanced fraud functionality, include this script on every page, not just the checkout page. This allows Stripe to detect anomalous behavior that may be indicative of fraud as customers browse your website.
- stripe.com/docs/js

Workaround is to just not do that (as we do).
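One way to check that a site actually follows this workaround, as an added example that is not part of the thread or of Stripe's own tooling: scan each page's HTML for script tags served from js.stripe.com and report any page outside the checkout path that loads it. The sample pages and paths are constructed for the example.

```javascript
// Added example (not from the thread): audit which pages load Stripe.js so
// it can be confined to the checkout page instead of "every page".
// All page contents and paths below are constructed sample data.

const STRIPE_JS_HOST = "js.stripe.com";

// Return true when the HTML loads any script from js.stripe.com.
// Protocol-relative sources ("//js.stripe.com/...") resolve against the base URL.
function loadsStripeJs(html) {
  const scriptSrc = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = scriptSrc.exec(html)) !== null) {
    try {
      if (new URL(m[1], "https://example.invalid/").hostname === STRIPE_JS_HOST) {
        return true;
      }
    } catch (_) {
      // Malformed src attribute: cannot be a Stripe.js include, keep scanning.
    }
  }
  return false;
}

// pages: { "/path": "<html>..." }; checkoutPaths: paths where Stripe.js belongs.
// Returns the sorted list of paths that load Stripe.js but are not checkout pages.
function findUnexpectedStripePages(pages, checkoutPaths) {
  const allowed = new Set(checkoutPaths);
  return Object.entries(pages)
    .filter(([path, html]) => !allowed.has(path) && loadsStripeJs(html))
    .map(([path]) => path)
    .sort();
}

// Constructed sample site: Stripe.js is meant to be present only on /checkout.
const SAMPLE_PAGES = {
  "/": "<html><head><title>Home</title></head><body>Welcome</body></html>",
  "/about": '<html><head><script src="https://js.stripe.com/v3/"></script></head></html>',
  "/blog": '<html><head><script type="module" src="/static/app.js"></script></head></html>',
  "/checkout": '<html><head><script src="https://js.stripe.com/v3/"></script></head></html>',
  "/faq": "<html><head><script src='//js.stripe.com/v3/'></script></head></html>",
};

if (typeof require !== "undefined" && require.main === module) {
  // Prints the pages that load Stripe.js outside the checkout flow.
  console.log(findUnexpectedStripePages(SAMPLE_PAGES, ["/checkout"]));
}
```

In practice the `pages` map would be filled from a crawl of the site's rendered HTML; the check is deliberately limited to script tags, so Stripe.js injected later by another script would need a runtime check as well.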

@Gargron * if people put the Stripe JS bundle on every page, instead of just payment pages. Which they shouldn't do for lots of reasons anyway

Thanks for boosting awareness of this!

@vfrmedia

@Gargron looks like @stripe wants to follow in the steps of #Google and #FaceBook #amazon. They have been publicly evil. It's not the first time by a technology giant in #BayArea.
