Can a tiger change its Stripe-(s)?
Recently a web app developer Michael Lynch posted a blog article regarding his discovery of Stripe, a very popular e-payment processor logging all visitor page browsing and mouse activity from most e-commerce website choosing their platform. Everything from start to finish even if the visitor did not sign in or go to the payments page. More alarming was the discovery all this data is being uploaded to Stripe and a tracking cookie is placed on the visitors browser that uniquely identifies them when they visit other e-commerce sites using stripe.
To cut to the chase let me boil this down for the non tech e-commerce shopper
When a e-commerce website partners with Stripe as their payment processor Stripe provides a software package. The website integrates the Stripe payment software into their website.
Prior to Michael Lynch’s discovery and blog post the e-commerce website was not clearly informed of how this software functions and the data it collects.
The software or “code” starts to track each page and the mouse movement the website visitor performed at the very first page viewed and every page there after even if the customer did not log in or initiate the purchase process.
Upon viewing the very first page of the website also downloads a persistent and uniquely identifying tracking cookie into the visitors browser.
If the visitor does perform a credit card payment even more personal identifiable information is added to the data.
All this data is uploaded to the Stripe third party platform and the visitor is tracked and identified if and when they visit another site integrated with the Stripe software.
Visitors are tracked the moment they go to a site using Stripe and their code even if they do not go to the payment page or initiate the purchase process.
A unique identifier is placed in the visitors browser. (A unique person but we do not know who they are).
If a person makes a purchase specific username data is sent to Stripe ( A unique person and we know who they are). The visitor is tracked across other Stripe enabled websites creating a data graph of the visitors browsing and online shopping details.
This process begins the moment a visitor goes to a Stripe enabled website and is not informed of the data collection or have the option to opt in or out. Most e-commerce sites were not aware of this tactic thus not disclosing in their data disclosure statement.
As this story made its rounds in the data security and privacy circles it finally was posted on Hacker News and got the attention of the Stripe leadership team.
Their response clarified the design was intended for detecting fraud. None of the data collected is sold to third parties.
Stripe admitted their data tracking practice was not clear and a bit deceiving in the terms of service and promptly clarified.
How could this impact the privacy minded web surfer?
There is much information and discussion about the privacy implications for anyone visiting a Stripe enabled website. One angle is very much overlooked and not considered. What about the discovery process and how could the data graph be disclosed to profile a subject under investigation (criminal or civil)? Remember, Stripe knows you as a person if you made a purchase on the website. Imagine if an astute analyst discovers a stripe transaction on a bank statement acquired by subpoena. That transaction could then trigger another subpoena to stripe requesting all data associated to the identifiers stored relating to that single transaction. What if the inquiry provided a treasure trove of 250 printed pages of web surfing detail for that one individual?
Stripe is one of many platforms collecting your personal browsing data and attempting to associate the data to you as a person. Stripe makes the promise the data is not shared or sold to third parties. The edge that stripe has is if you make a purchase they know who you are. All the other data collected from your browsing is associated to you as a person BUT it can be used against you in a legal process.
Our data privacy may at first appear to be insignificant. After all “I am not doing anything illegal so I have no concern” is common rationale. This all changes very quickly when our online activity is taken out of context to build a narrative against us.