Re: Disavowing Legal Liability [OT]

on 9/20/01 1:00 PM, Andreas Färber at andreas.faerber@web.de wrote:

> But what you're saying basically means to
> me that your service has been dependent on a small number of browsers,
> namely Microsoft Internet Explorer 3+, Netscape Navigator 3+, Opera and
> some others. Additionally you seem to require your or others' users to
> accept one or more Cookies in order for your service to work (otherwise you
> would not have any problem with IE6 blocking Cookies based on P3P). Using
> Cookies to save user preferences is clearly not unethical or something, I do
> the same thing on one of my sites. But you already have two factors of
> uncertainty there.

Well, again, I think you're approaching this from a philosophical
perspective.

The "two factors of uncertainty" really aren't. We successfully deliver a
web-based product specifically designed to be used in browsers. IE3+, NN3+,
Opera and the rest are something that I can pretty much bank on. My logs and
industry logs show that.

We, of course, tell our users from the outset that cookies must be there to
begin with, and error them out if they're not enabled.

We have 220,000 (and growing daily) users making it past these "two factors
of uncertainty" perfectly fine.

All I'm saying is in reality... today... now... a use of cookies (an old and
well-adopted standard) is now broken by a new standard's implementation and
that it is necessary (or forced) that I get this working to ensure our users
have *the same functionality they've always had*. We're not talking some
obscure JavaScript that takes advantage of a proprietary DOM here... we're
talking simple cookies.

I've worked hard to try to implement P3P correctly. Lorrie Cranor has been
kind enough to help me and has found errors I've made. I've read tons of
stuff both at the MS site and the W3C site. I seem basically compliant
here...

<http://validator.w3.org/p3p/20001215/p3p.pl?uri=frame.my-cast.com%2Fstd%2Flogin.jsp>

...and though there are things I'm *sure* that need fixing, the CP has none
of the things that IE6 is supposed to reject.

It's a very plain reality to me that this does force additional work. Being
in support of privacy concepts in general, and wanting our product to work
as always for our customers, I'm fine with that and have spent many hours
trying to get it working.

I've been web programming for years and am quite familiar that the ground is
constantly shifting. I would like to use CSS-2, but can't due to lack of
support. I would like to not use structural tables, but can't avoid it in
some cases. But IE6+P3P(CP) doesn't let me decide. I must comply (which
isn't exactly clear how to), or have whatever percentage of 220,000 users
manually set the privacy, or redesign and reprogram a complex interdependent
backend, or fail. No other options.

Add in the fact that sometimes the HTTP response is handled by the server
and sometimes by the backend (Java in our case) and implementation becomes
tougher still.

This might seem very easy and 'cut and dry' to those 'in the know', but
IE6+P3P is brand new news with not the greatest tools and test capabilities
for implementation.

> ...if you want to have your system functioning in these different
> situations, you need a system that does not *depend* on Cookies...

When we started this huge project, there was no risk that anyone had heard
of that simple cookies going back to the minimal domain that wrote them was
going to be an issue. The W3C obviously understands this kind of issue as
(for example) the HTML spec has always taken pains to be backward
compatible.

Also, there would be *a lot* of work to get session tracking to work in our
JSP environment since we are load balanced.

Besides, a key desire in our product is to just hit the page and already be
logged in. Cookies are really what we and our customers want.

We are a legitimate company trying to use a good and time-tested technology
(cookies) in a way that is meant only to serve the customer. Though we
offend none of the stated unsatisfactory IE6 compact tokens (in reality and
in the actual CP), our product is broken in IE6.

Now, you could say IE6+P3P is not forcing anything. Of course... I could
become a farmer and IE6 would not affect me. But since I simply want to
continue to deliver web content the way I always have, well yes... I'm
forced.

> If you are "supportive of P3P" then you clearly see that the approach Mr.
> Wright is trying to take is not the right one and does not solve the problem
> of Cookies not being sent to the server.

I've obviously moved this to a different discussion, but though I am quite
supportive of a structured, standardized way to deal with privacy, if there
is the possibility that *a P3P policy can be used legally against someone*
then I think it may need to accommodate the unfortunate subtleties of law that
corporations require. I.e. if it can be used legally, it should address
legal concerns. I otherwise have no comment or opinion to those ends.

Ken Martin

Received on Thursday, 20 September 2001 15:10:00 UTC