July 25, 2021

Stripe makes a change to its privacy policy after being accused by a developer of recording, among other things, mouse movements on its customers’ sites

Despite the current pandemic, Stripe has managed to raise $ 600 million, a fundraiser that has brought his valuation to nearly $ 36 billion. A situation that is not a brake for this player in the internet ecosystem, but rather an opportunity: while the total economic impact of COVID-19 remains an unknown, several years of offline-to-inline migration occur in the interval of several weeks. The current disruption underscores the need for a reliable and easy-to-use infrastructure for Internet businesses. In this context, Stripe’s mission – to grow the Internet’s GDP – means to provide a gateway to the digital economy for businesses around the world. The rate of new business start-ups on Stripe has accelerated since the start of the year.

If the payment platform is gaining popularity, a developer pointed out a few days ago that Stripe records activity on its customers’ websites:

When I needed a paid subscription feature for my new web app, Stripe seemed like the natural choice. After integration, however, I found that Stripe’s official JavaScript library logs all browsing activity on my site and reports them to Stripe. These data include:

  • every URL the user visits on my site, including pages that never display Stripe payment forms;
  • tlmetry on how the user moves the mouse cursor when browsing my site;
  • unique identifiers that allow Stripe to correlate visitors to my site with other sites that accept payments through Stripe.

In a blog post, he tried to give more details about his discovery. After a little research, he noted that the problem had been raised by other developers in the past.

Faced with the controversy aroused by his post, Patrick Collison, co-founder of Stripe, quickly reacted on social media:

The question asked (“Does Stripe collect this data for advertising purposes?”) Can be easily resolved in the negative. This data has never been, is not and will never be sold / rented / etc. to advertisers.

Stripe.js collects this data only for fraud prevention purposes – it helps us detect bots that attempt to defraud businesses that use Stripe. (CAPTCHAs use similar techniques, but cause more friction with the user interface.) Stripe.js is part of the ML stack that helps us stop literally millions of fraudulent payments per day and techniques like this help us block fraud more effectively than almost anything else on the market. Businesses using Stripe would lose a lot more money if this feature didn’t exist. We see it firsthand: some companies do not use Stripe.js and they are often suddenly and unpleasantly surprised when attacked by sophisticated fraud networks.

If you don’t want to use Stripe.js, you certainly don’t have to (or you can only include it on a minimum payment page) – it just depends on the PCI load and the risk of fraud you want to take.

We will immediately clarify language in the terms of use that makes this ambiguous. We will also display a clearer page on Stripe.js fraud prevention.

Changes made by Stripe

As promised, Stripe has made some changes. Among them, on the documentation intended for developers, Stripe now specifies the tracking behavior of their JavaScript library. Before these changes, the only clues were these two sentences:

To get the most out of Stripe’s advance fraud feature, make sure Stripe.js loads on every page, not just your checkout page. This allows Stripe to detect abnormal behavior that could be indicative of fraud when customers browse your website.

Sentences that omitted critical information and did not indicate what information the library collected and how it shared that data with Stripe’s servers.

In Stripe’s current documentation, the library includes a section titled Disabling Advanced Fraud Detection Signals, which returns a web page that explicitly defines the types of information Stripe collects to prevent fraud.

Stripe customers have the option to turn off tracking

Stripe has updated its JavaScript library to give customers the option to opt out of deep data collection. They can now load the beacon