by swanson 2246 days ago
Bots that use stolen cards to make purchases (or use legitimate SaaS apps as a vector to test if a card number is valid)

Stripe "tracks" user data that they run through some fancy ML thing to try to detect if the person is a bot or a real human -- based on, presumably, patterns in user mouse movement, delay in moving between inputs, interval between keystrokes, etc.


But we have other ways of testing for bots. See for example Google's Recaptcha (again, example, and not my main point). I don't see why we need to give away our personal information to yet another big company, especially if the information comes from web surfing behavior that has nothing to do with payment.

And in case this is all still necessary, can't this be handled by some trusted party instead of the company that already knows about all our online payment transactions? Compartmentalization is a very important concept in user privacy.

https://en.wikipedia.org/wiki/Compartmentalization_(informat...

How do you think ReCaptcha (at least ReCaptchaV3) works? It gathers the same kind of "personal" data (mouse movements, etc.) to feed an ML model to determine whether the client is a robot.

Yes, but only from the page the captcha is visible on.

In contrast, Stripe also collects data from webpages that are not payment pages.

And it adds much more user friction, essentially requires having a logged-in Google account, and may not be as accurate. Never mind that it is outsourcing that protection to Google, who will definitely use your personal data to sell targeted ads. I don't think Stripe's fraud detection behavior is unreasonable here, and if you're willing to accept fraud liability, you're given the option to disable it (and run your own recaptcha, if you like).

> In contrast, Stripe also collects data from webpages that are not payment pages.

Like recaptcha, whether the Stripe code is included on a given page is solely up to the author of that page.

While I may tend to agree with OP's requests for increased transparency, that desire does not lend its support to other claims about how Stripe's code works. Putting it on every page is not required. Unless I am mistaken, putting it on every page is not even suggested by Stripe. Why anyone would put Stripe or any other third-party code on every page indiscriminately, without considering whether it was necessary, is beyond me.

> Unless I am mistaken, putting it on every page is not even suggested by Stripe.

https://stripe.com/docs/js/including

> Include the Stripe.js script on each page of your site—it should always be loaded directly from https://js.stripe.com, rather than included in a bundle or hosted yourself.

> To best leverage Stripe’s advanced fraud functionality, include this script on every page, not just the checkout page. This allows Stripe to detect suspicious behavior that may be indicative of fraud as customers browse your website.

Oh wow. I stand corrected. They should really nix that; well intended, I'm sure, but fairly egregious.

You realize for recaptcha to work best you are supposed to use it on all forms and actions and background of pages?

"reCAPTCHA works best when it has the most context about interactions with your site, which comes from seeing both legitimate and abusive behavior. For this reason, we recommend including reCAPTCHA verification on forms or actions as well as in the background of pages for analytics."

When you say reCaptcha doesn't capture user data, are you lying? Have you actually implemented any of this and tried to fight fraud? I ask because you and the original author are making a lot of big claims and ill-intent assumptions that literally ANYONE dealing with large-scale fraud attempts would see through immediately.

Seriously, everyone else is sticking all sorts of beacons on websites for this - that's currently how it is being done.

I'm not sure Google's Recaptcha is a good example. They use the same methods and their business model is using your personal data to target ads to you.