
[Privacy] Restrict when/where Stripe API is loaded

Open sau226 opened this issue 3 years ago • 3 comments

I recently ran a privacy check called Blacklight on the Codidact meta site. It uses Chromium via Puppeteer to visit sites and then uses a custom, open source module from its devs to analyze the activity it connects. You can read its exact methodology here.

The check picked up a canvas fingerprint attempt from the Stripe JS we have embedded on the meta site.

Can we please get a better disclosure of the Stripe JS usage in our privacy policy and/or limit it to run only on donation-specific pages?

I've attached a copy of the scan results below - you can see their result explanation README to understand what exactly the result files contain and how you might analyze them further: blacklight-inspection-meta.codidact.com.zip

sau226 avatar Sep 11 '22 19:09 sau226

Let's do both: load the Stripe JS only on the donations pages (that is, only for the "make a donation" path), and let's disclose that in our privacy policy.

cellio avatar Sep 11 '22 20:09 cellio

Gonna have to decline this. The Stripe docs say explicitly that while it can't be technically required, loading the API JS only on one page is inadvisable. The Stripe JS does fingerprint users and does other (unspecified) analysis of user behaviour and traffic patterns, which is all used for fraud detection and prevention.

While we're not moving huge amounts of money, I'm very loath to turn off fraud detection capabilities - they protect the organisation, the money we receive, our regulatory compliance, and our ability to respond to disputes. The on/off toggle that Taeir added in a recent PR covers cases for setups that won't be accepting donations at all.

Adding some details of what Stripe does to the privacy policy is a relatively easy job that we should do.

ArtOfCode- avatar Sep 12 '22 06:09 ArtOfCode-

#870 addresses not loading Stripe if donations aren't going to be accepted.

ArtOfCode- avatar Sep 23 '22 19:09 ArtOfCode-

After discussing this with the board, we've decided that we should in the end restrict where stripe.js is loaded, and only load it on donation-related pages, as opposed to what Art said above. In addition, we'll be adding disclosure to the privacy policy about Stripe fingerprinting on those pages.

superplane39 avatar Jan 09 '23 09:01 superplane39
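The decision described in the thread (never load Stripe when donations are off, as in #870; otherwise load it only on the donation pages) can be modelled as one per-request predicate that the layout consults before emitting the script tag. The Ruby below is an added example written for this thread, not QPixel's own helper or settings; the setting names (`donations_enabled`, `restrict_stripe`), the `DONATION_ACTIONS` list and the controller/action names are assumptions standing in for whatever the real donation routes are. It also includes a small audit function that lists which routes would still load Stripe under a given configuration, which is the list a privacy policy disclosure would need to name.

```ruby
# Added example (not QPixel's own code): decide, per request, whether the
# Stripe.js client library should be embedded in the page.
# Two assumed site settings drive the decision:
#   donations_enabled - whether the site accepts donations at all
#                       (false => never load Stripe, the #870 case)
#   restrict_stripe   - whether to load Stripe only on donation pages
#                       (the board's decision above) instead of globally
# Controller/action names below are hypothetical stand-ins for the real
# donation routes.

STRIPE_JS_SRC = "https://js.stripe.com/v3/".freeze

# Hypothetical controller#action pairs that make up the donation flow.
DONATION_ACTIONS = %w[donations#new donations#create donations#show].freeze

Settings = Struct.new(:donations_enabled, :restrict_stripe, keyword_init: true)

# Returns true when stripe.js should be emitted for this request.
def load_stripe_js?(settings, controller:, action:)
  return false unless settings.donations_enabled   # donations off: never load
  return true unless settings.restrict_stripe      # unrestricted: load everywhere
  DONATION_ACTIONS.include?("#{controller}##{action}")
end

# Builds the <script> tag for the layout, or an empty string. Emitting the tag
# only through this helper (rather than unconditionally in a global layout
# partial) is what confines Stripe's fingerprinting to the donation pages.
def stripe_script_tag(settings, controller:, action:)
  return "" unless load_stripe_js?(settings, controller: controller, action: action)
  %(<script src="#{STRIPE_JS_SRC}"></script>)
end

# Audit helper: given a list of routes, report which ones would still load
# Stripe under the given settings, so the privacy policy can name them.
def pages_loading_stripe(settings, routes)
  routes
    .select { |r| load_stripe_js?(settings, controller: r[:controller], action: r[:action]) }
    .map { |r| "#{r[:controller]}##{r[:action]}" }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample route table for the demonstration.
  routes = [
    { controller: "posts",     action: "show" },
    { controller: "donations", action: "new" },
    { controller: "users",     action: "edit" },
  ]
  restricted = Settings.new(donations_enabled: true, restrict_stripe: true)
  puts pages_loading_stripe(restricted, routes).inspect
end
```

Running the audit helper against the application's full route table, once with `restrict_stripe` on and once off, gives a concrete before/after list that a scanner such as Blacklight can be pointed at to confirm the fingerprinting script no longer appears outside the donation flow.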

This is done, right? I see a setting for whether to restrict where Stripe is loaded. Do we need to do any more work here @ArtOfCode- ?

cellio avatar Feb 19 '24 20:02 cellio

Looks done to me.

ArtOfCode- avatar Feb 19 '24 20:02 ArtOfCode-