#Stripe is Silently Recording Your Movements On its Customers' Websites
@Gargron heh I find it interesting that I see this right after my teammate suggests we use stripe for a project and I said I didn't have the time/energy to look into whether I considered it ethical... not that I think they'll care.
@Gargron Isn't that the point of things like the Facebook/Twitter/Reddit/etc. buttons and reCaptcha?
> Does anyone know of *any* better alternatives
Yes, I do: don't use a payment service at all, ask people to do a bank transfer (German: #Überweisung).
I outlined this here some time ago:
@Gargron ah yeah, it is, just read. And the way provided is similar to what I've seen in Discord — library loaded only when proceeding to payment. Not sure about unloading in JS, though… it's held in memory after load, delete your script or don't.
But deferring the load then means you void their fraud detection mechanism and take responsibility for that…
Guess this is not *that* bad, has its purpose, but this behaviour should be well documented and togglable.
"I noticed that every page navigation generated a new HTTP POST request to a Stripe URL"
"This was strange because none of the pages I visited contained any calls to Stripe’s library."
oh my stars, these are directly contradictory. What business does this author have ANYWHERE near a website that handles money?
"Based on the name mouse-timings, it seems that Stripe is recording my users’ mouse movements."
luckily for us Stripe didn't name it dna-transcript, then it would be recording our DNA.
@Gargron PS. I spoke with Patrick (their CEO) and he’s put my mind at rest. Birdsite link (sorry): https://twitter.com/aral/status/1252685385626460160?s=20
@Gargron To be fair, they're pretty plain about this in the integration docs -- it's hard to miss:
> To best leverage Stripe’s advanced fraud functionality, include this script on every page, not just the checkout page. This allows Stripe to detect anomalous behavior that may be indicative of fraud as customers browse your website.
Workaround is to just not do that (as we do).
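What "just not doing that" looks like in practice, as an added example that is not code from the thread, from Stripe, or from any project mentioned here: the vendor script is fetched only when the visitor reaches a checkout route, and only once per page, so other pages never carry the library that makes those per-navigation POSTs. The route list, the placeholder script URL and the injected `doc` object (a real page would pass `document`) are all assumptions for illustration. Note the trade-off raised earlier in the thread: pages that never load the script contribute no browsing signals to the vendor's fraud detection, so that responsibility shifts to the site.

```javascript
// Added example (not from the thread or from Stripe): defer a third-party
// payment script until a checkout route, and inject it at most once.
// Assumptions for illustration: the route list, the placeholder URL, and a
// `doc` object passed in so the code also runs outside a browser.

const CHECKOUT_ROUTES = ['/checkout', '/pay'];

// Placeholder only; substitute the URL from the vendor's own documentation.
const PAYMENT_SCRIPT_SRC = 'https://example.invalid/payment-library.js';

// True only for routes where the payment library is actually needed. Query
// strings, fragments and trailing slashes are stripped before matching, and
// '/checkout-tips' does not match '/checkout'.
function shouldLoadPaymentScript(pathname) {
  const clean = pathname.split('?')[0].split('#')[0].replace(/\/+$/, '') || '/';
  return CHECKOUT_ROUTES.some((r) => clean === r || clean.startsWith(r + '/'));
}

// Per-document registry of in-flight or completed loads, so repeated calls
// (SPA route changes, double clicks) add a single <script> element. Once a
// script has executed, removing its element does not undo anything it did;
// the only reliable control point is whether it gets fetched at all.
const loads = new WeakMap();

function loadScriptOnce(doc, src) {
  let byDoc = loads.get(doc);
  if (!byDoc) {
    byDoc = new Map();
    loads.set(doc, byDoc);
  }
  if (byDoc.has(src)) return byDoc.get(src);

  const promise = new Promise((resolve, reject) => {
    const el = doc.createElement('script');
    el.src = src;
    el.async = true;
    el.onload = () => resolve(el);
    el.onerror = () => {
      byDoc.delete(src); // allow a retry after a failed fetch
      reject(new Error('failed to load ' + src));
    };
    doc.head.appendChild(el);
  });
  byDoc.set(src, promise);
  return promise;
}

// Call on every navigation. Returns null when nothing should be loaded, so a
// caller can tell "skipped" apart from "requested".
function onNavigate(doc, pathname) {
  if (!shouldLoadPaymentScript(pathname)) return null;
  return loadScriptOnce(doc, PAYMENT_SCRIPT_SRC);
}

// Constructed stand-in for `document` so the example runs in Node: it records
// appended elements instead of fetching anything.
function makeFakeDocument() {
  const head = {
    children: [],
    appendChild(el) {
      this.children.push(el);
    },
  };
  return { head, createElement: (tag) => ({ tagName: tag.toUpperCase() }) };
}

// Walks a constructed sequence of navigations and reports what happened.
function demo() {
  const doc = makeFakeDocument();
  const outcome = ['/', '/blog/post', '/checkout', '/checkout?step=2'].map(
    (path) => (onNavigate(doc, path) === null ? 'skipped' : 'requested')
  );
  return { outcome, scriptsInjected: doc.head.children.length };
}

console.log(demo());
// { outcome: ['skipped', 'skipped', 'requested', 'requested'], scriptsInjected: 1 }
```

Two checkout navigations, one `<script>` element: the second call reuses the first promise instead of injecting again. On a real page, swap `makeFakeDocument()` for `document` and hook `onNavigate` into whatever routing the site uses.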