Note: This is the first article in a two-part series.

Almost a year ago, Google announced that Chrome would sunset support for third-party cookies by the end of 2021. These days, the discussion of the replacement technologies for “life after cookies” dominates the digital media industry press. The IAB’s Project Rearc, Google via its Privacy Sandbox, and multiple companies (including BritePool) have all developed or pledged to create technologies that will power advertising in the cookieless future.

To develop a perspective on third-party cookies and what should replace them, this is a deep dive into the cookie’s history.

Cookies came from a virtual shopping cart

The cookie was created in June 1994 by Lou Montulli. He was a programmer working at what would become Netscape Communications Corp., best known for its once-dominant web browser. Montulli was working on an e-commerce app for Netscape client MCI, which had effectively asked for a virtual shopping cart (a novel idea at the time).

Montulli and his team devised a way for the Netscape browser to place small files on a website visitors’ computer that tracked what each visitor did on that site. This allowed the telecom giant to avoid placing the data on its servers.

Grand ambitions with inherent problems

In a 2001 interview with The New York Times, Montulli said that he designed cookies to be a flexible tool, with the potential to be “a next-generation communications system.” He said, ”We wanted people to be able to use it for other uses” besides shopping carts. That included ”things we hadn’t thought about.”

In April 1995, a working group was established to propose a set of standards for cookie usage. David M. Kristol, a scientist at Bell Laboratories, led the group. But the longer the group collaborated, the greater its concerns about how cookies might invade consumer privacy.

Original restrictions to protect consumer privacy

According to the Times, the engineers developing cookies sought to avoid “a privacy nightmare” by deciding “not [to] identify web users by name” and rejecting “an idea for creating a single ID number that a person’s browser would use in all Web explorations.” Montulli said, “We didn’t want cookies to be used as a general tracking mechanism.” Instead, protocols required that sites assign a unique ID number to a visitor’s computer, one that could only be read by the issuing site or a sister web property.

At the time, the ability for companies to circumvent this restriction was foreseeable. A Dutch member of the 1995 working group, scientist Koen Holtman, warned that companies could, by agreement, place cookies across a network of related sites. Those cookies would be able to track user activities at multiple sites across the web.

Advertising co-opted the cookie

Holtman proved prescient as companies began working to do what he predicted. Soon DoubleClick, Engage, and others were serving banner ads across thousands of websites, using a shared cookie that allowed the issuing company to recognize a visitor wherever he or she went on the web. This innovation allowed these companies to control users’ ads as they moved from one site to another.

In 1996, to potentially provide privacy protection, Netscape and Microsoft both altered their browsers to distinguish “cookies coming directly from the site being viewed from third-party cookies.” This initiative proved meaningless, as consumer browsers automatically accepted third-party cookies by default.

In 1997, in a last-ditch effort to protect consumer privacy, Kristol’s working group tried to thwart the use of cookies for advertising tracking, recommending that browsers automatically block third-party cookies. This effort failed as Netscape and Microsoft’s Internet Explorer embraced these so-called third-party cookies despite Montulli’s protests.

Montulli described the advent and ascendance of third-party cookies, for advertising tracking, as a surprise. ”That’s the one ‘gotcha’ we had,” he told The New York Times.

Similarly, Lawrence Lessig, a Standard Law School professor and leading expert on the Internet and public policy, made this observation: “Before cookies, the web was essentially private. After cookies, the web becomes a space capable of extraordinary monitoring.”

Lessons for today

This brief history suggests two takeaways for managing the next quarter-century of web advertising:

First, while most of the critical technologies for web operations reflect several generations of development, the cookie, a 1990’s technology, has remained the fulcrum for Web advertising delivery. In essence, outdated technology is now central to managing over $300 billion in global annual spending on digital advertising.

Second, the initial development of cookies raised privacy concerns, which led developers to deploy safeguards. Subsequently, ad management firms circumvented these restrictions. Hence, it was inevitable that the unchecked and unregulated expansion of web advertising would invade consumer privacy.

---

Next (Part II): Privacy Ascendant and Life After Cookies

About the author

Bruce Judson is Vice President of Communications at BritePool. His 1996 book, NetMarketing (Random House/Wolff), was a sleeper bestseller which accurately anticipated the rise of the web as a powerful vehicle for the direct sale and marketing of products and services.