Stripe CEO Patrick Collison stresses that the collection of e-commerce client site interactions, mouse metrics, and company IDs is only intended to help fight fraud – though he admits that the payment platform's disclosure could be better.
The data transmitted goes beyond what is necessary for a transaction. According to Lynch, the library, when present on a page, reports the URL even if the page does not include a Stripe payment form, and includes mouse motion telemetry and unique identifiers that allow Stripe to compare visitors with data from other sites implementing Stripe.
Addressing Lynch's concerns in a post on Hacker News, Collison emphasized that Stripe does not use the data for advertising purposes or to investigate the habits of its users.
“Stripe.js only collects this data for fraud prevention purposes – this helps us detect robots that are trying to defraud companies that use Stripe,” he wrote. “(CAPTCHAs use similar techniques but cause more friction with the user interface.) Stripe.js is part of the [machine learning] stack that helps us stop literally millions of fraudulent payments a day and techniques like this help us block fraud more effectively than almost anything else on the market.”
“The companies that use Stripe would lose a lot more money if it did not exist. We see it directly: some companies do not use Stripe.js and they are often suddenly and unpleasantly surprised when they are attacked by networks of sophisticated fraud.”
Collison said merchants don't need to use the Stripe.js library at all, although they run a higher risk of chargeback fraud without it. Although Stripe recommends loading the code “on every page, not just the payment page” to spot abnormal behavior, it can be limited to where transactions occur and it can be unloaded if desired.
Collison added that Stripe intends to clarify that its library is optional and to elaborate in more detail on its anti-fraud page.
In a telephone interview with The Register, Lynch said better disclosure is needed. “Patrick's response gives me hope. But I would like to see them follow.”
The Register understands that Stripe is working to clarify its disclosures and intends to publish a blog post on the subject in the near future.
Bennett Cyphers, staff technologist at the Electronic Frontier Foundation, told The Register in a telephone interview, “Stripe needs to be much clearer with the sites that use it. They need to be clear with users that this type of tracking occurs, that they create a user profile to determine if they are fraudulent or not.”
And he expressed concern about collecting data on pages not designed for payment, noting that the digital advertising industry does a lot of data collection based on similar scripts to determine whether viewers are humans or robots.