Posted by Harlan Messinger on 09/13/06 14:23

Eric B. Bednarz wrote:
> Harlan Messinger <hmessinger.removethis@comcast.net> writes:
>
>> Jukka K. Korpela wrote:
>
>>> then someone else can quite innocently follow a link and arrive at a
>>> page without seeing any reference to any contract, as I wrote.
>> And the company's web logs will show the the EULA was never requested
>> by the user.
>
> Oh. How?

How do you tell from a web log whether a request for a particular page
by a particular person at a particular time did or not occur? By looking
at it, no?

>
>> (It seems to me a hack is easily prevented, by inserting
>> a random string into a hidden INPUT tag [ObHTML] and expecting to
>> receive that same string from the same IP
>
> If the form is available with different protocols, I would settle for
> one particular. :)
>
>> to which it was sent and/or
>> from within the same user session.)
>
> ISPs can assign a different address to every request of one particular
> user.

Theoretically, but they don't, do they? Even if it happens every so
often, how does that affect the usual case where the IP *hasn't* changed
from one request to the next?

I don't think a judge is going attribute much likelihood to a scenario
where the DNS operator at an ISP is eavesdropping on users' sessions and
swapping IPs when they reach EULA pages and agreeing to the EULAs in
their stead so that they can later get in trouble for using software
without a license. Courts don't ordinarily base their rulings on the
remotest of possibilities.

> Or the other way round. But I agree that this sort of prevention
> is easy to implement, just like identifying the browser with the
> user-agent field.

[Back to original message]