Also:
`The Stripe library generates a new request like this every time a user views a new page in my app.`
In "your" app! How do you not know all the side effects your dependencies may have before adding them? What else is going on in that site, Michael?
> "Stripe is Silently" - can I just say how much I detest clickbait with "silently" in the title? It is purposefully negative, meant to make Stripe look bad. What did you want? A foghorn?
I struggled a lot with the title, as I didn't want to project intention onto Stripe.
That said, the behavior is pretty subtle. They don't disclose it in the npm package or the JS documentation. Other API calls initiated by your app show up in your Stripe dashboard, but these ones don't appear anywhere. You can only discover them by inspecting HTTP traffic.
> In "your" app! How do you not know all the side effects your dependencies may have before adding them? What else is going on in that site, Michael?
I'm having trouble understanding this. Assuming you're being sincere: I can't possibly know the side effects of every piece of code in my app. Assuming you're being sarcastic: I'm not sure what your point is. Since I don't 100% understand every dependency in my app, I have no grounds to be bothered when one of my dependencies does something that violates my expectations?
I fail to see how it's clickbait. "Silently" conveys to the readers that the recordings were done without the user's consent or knowledge.
> In "your" app! How do you not know all the side effects your dependencies may have before adding them? What else is going on in that site, Michael?
Way to victim blame.
I also took out "your". That's a standard moderation trick since second-person pronouns in titles tend also to be clickbait: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
We particularly edit titles that users have started complaining about: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que.... Experience has shown that to be the way to minimize off-topic title complaints (https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...).
The meaning of the title in this case hasn't changed. Websites don't make noises when they record things.
Edit: out of curiosity, I looked for some other cases where we took out the word 'silently'. Here are some:
https://news.ycombinator.com/item?id=22678471 (changed from "~30% of Android apps silently inspect other apps installed on your smartphone")
https://news.ycombinator.com/item?id=20453115 (changed from "Apple is silently updating Macs *again* to remove Zoom's insecure software")
https://news.ycombinator.com/item?id=16715835 (changed from "Giraffes Silently Slip onto the Endangered Species List")
People have made HN title trackers over the years. My favorite is https://hackernewstitles.netlify.app/ (via https://news.ycombinator.com/item?id=21617016). It's not perfect because it can't distinguish what submitters did from what moderators did, doesn't know what the software changed, etc. But it gives the basic picture.
Perhaps we all have a natural unconscious bias against being "edited" ("you're not in control of me [or the OP]!!"). But seeing the edits over time in the open really makes one appreciate the moderation work. Maybe it's worth making this more official somehow (e.g., adding a footnote in the submission page or to the FAQ) - because like you say, it must surely minimize off-topic discussions as well.
Anyway, thanks for your work!
https://news.ycombinator.com/item?id=20429573
https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...
1) Is it fair to include the word "silently" in this post's title? [I think so, especially since it's part of the original article and reflects the author's emphasis.]
2) Does the word "silently" make Stripe look sneaky and bad? [Yes.]
3) Is Stripe's level of tracking invasive? [Yes.]
4) Should Stripe have been more forthcoming about the level of tracking they practice? [Most definitely! In this age of data breaches, users-as-the-product, and sneaky, untrustworthy online companies, Stripe should DEFINITELY have been more open about this, and should let its payment-service customers know what they're signing up for, in clear terms. Fraud prevention is a desirable feature, but potential customers should also be able to weigh that against the cost of invasive tracking. Furthermore, as a payment-processing company which can make loads of money in a very straightforward way (through commissions), Stripe should be content to be just that, and should get rid of any ideas, visions, or TOS language involving payment-service-tracking-derived advertising. If Stripe wants to take the high road, they could consider adding a "no data sold to advertisers" canary in its TOS that can assure the privacy-conscious of Stripe's pure intentions--or warn them when an undesirable corporate change happens that may prompt them to look for a service more aligned with their own priorities. Personally, I'm tired of companies that want to take over the world and seek profit in every area at any cost. Sheesh!]
Do you? You've audited 100% of the code you use? At best you're careful when choosing your dependencies and you have a reasonable degree of trust.
The idea of marking every single edit, or publishing a complete moderation log, feels like asking for trouble. I fear that it would lead to more objections of the litigious, bureaucratic, meta type. Even though it's a tiny minority of users who make such objections, they have a lot of energy for it and there are many more of them than us. That kind of thing could quickly burn us out, like an unintended DoS attack. On the other hand, maybe it would just work fine; it's hard to know.
Also, I'm skeptical that it would create more confidence in the site, because the users who want to feel that way basically already do, and the ones who don't probably wouldn't be persuaded by more data. There's always going to be something that's not included, or the suspicion that there is.
Because of this, the way we address concerns is to answer people's individual questions, here and by email. We're happy to do that, and there basically isn't anything we aren't willing to explain. That's by design. We try never to do anything that isn't defensible to the community. Even when there are genuine secrets that can't be spelled out, like how the anti-abuse software works, we can say what they are at a high level and why a secret is needed. Those cases are rare.