Planet Money - How the cookie became a monster
Episode Date: November 19, 202230 years ago, Lou Montulli set out to solve a fundamental problem with the internet, and accidentally created an entirely different one. On today's show, how the cookie went from an obscure piece of c...ode designed to protect anonymity, to an online advertiser's dream, to a privacy advocate's nightmare.Subscribe to Planet Money+ in Apple Podcasts or at plus.npr.org/planetmoneyLearn more about sponsor message choices: podcastchoices.com/adchoicesNPR Privacy Policy
Transcript
Discussion (0)
Support for NPR and the following message come from the Kauffman Foundation, providing
access to opportunities that help people achieve financial stability, upward mobility, and
economic prosperity, regardless of race, gender, or geography.
Kauffman.org.
This is Planet Money, from NPR.
Whenever Lou Montulli goes online, he, just like the rest of us, gets weirdly specific ads.
What's the strangest thing that you maybe casually looked up on the internet that
seems to follow you everywhere as an ad, no matter what website you go to?
Gutter protection. You look that up one time and you just get bombarded. And I actually did buy gutter protection and they just kept advertising to me for seemingly forever.
Does any part of you think like, I kind of did this to myself?
Yeah, I do feel somewhat responsible for the state of the world.
Lou Montulli is kind of responsible for the state of the world, at least the online world.
The internet cookie.
So, you know, when you go to a new site, you usually have to, like, accept the cookies or reject the cookies.
Yeah, those are the cookies that Lou made.
People go, oh, you're the reason I have to keep clicking cancel all the time.
You may have a vague sense that cookies play some nefarious role in online tracking,
but cookies do a lot of things.
Cookies allow you to sign into a website.
They're what allows you to comment on stuff online.
And yes, cookies are also the thing that lets advertisers follow you around the internet
to serve you that same gutter protection ad
everywhere you go. But the strange thing about the cookie is that when Lou first cooked it up
an internet lifetime ago, he specifically designed it to protect people's anonymity
as they surfed the early web. But that is not how things turned out for the cookie.
No matter your best intentions, technology once released
into the wild will be used however people choose to use it. You're going to build something and
then it will evolve over time and you will have no control over it. And at a certain point,
you just have to deal with it. Hello and welcome to Planet Money. I'm Alexi Horowitz-Ghazi.
And I'm Sarah Gonzalez.
Hello and welcome to Planet Money. I'm Alexi Horowitz-Ghazi.
And I'm Sarah Gonzalez.
Nearly 30 years ago, Lou Montulli set out to solve a fundamental problem with the internet and accidentally created an entirely different one.
His invention went from an obscure piece of code designed to protect anonymity
to an online advertiser's dream, to a privacy advocate's nightmare.
Unleashing a corporate arms race to extract as much of our digital data as possible.
Today on the show, how the cookie became a monster.
Why the world's biggest internet browsers have decided to finally let the cookie crumble
to make the cookie disappear from the internet.
And what a world wide web without cookies might even look like.
The story of the cookie begins back in 1994. The World Wide Web was still pretty new. There
weren't a ton of websites yet.
And like a lot of people, Lou Montulli had the sense that the internet offered the chance to uplift humanity, but only if it was designed in the right way. Lou was 23 at the time,
studying computer science. We were thinking, being naive young college students, that
information would set us all free. Okay, so the stakes were like the future of the free world?
Yes, the future of the free world was at stake.
Lou drops out of college to work at a new startup called Netscape.
Now, Netscape was setting out to create a new web browser.
So like, you know, Chrome and Safari, but before Chrome and Safari existed.
Back in the early 90s, the internet was still kind of an obscure network,
mostly used by academics and hobbyists. Regular people who wanted to casually hop on the internet
probably did it through a platform like AOL of You've Got Mail. It wasn't a browser,
but you could access parts of the internet through it. You could read the news, send emails, play games.
So if the Internet was like a giant open meadow, AOL had put these walls around its own private sections.
And if you were an AOL customer, that was your Internet world.
Netscape wanted the Internet to be the whole open meadow, a place where you could wander around freely and go to whatever website you wanted.
If AOL wanted to stay within its own little walls, they could do that.
There were a few smaller browsers already, but Netscape wanted to make a browser that was so smooth and easy to use, it would open up the web to millions of people across the world.
easy to use, it would open up the web to millions of people across the world. And they wanted to do it before the giant tech company of the day, Microsoft, got into the game. We should also say
Microsoft is a sponsor of NPR. This isn't a kind analogy, but certainly at Netscape, we thought of
ourselves as the Rebel Alliance and Microsoft as the Empire. Did you see yourself as more of like a Luke Skywalker type or
were you a Han Solo sort of guy? God, I wish I could be a Han Solo type of guy.
I'm definitely a BB-8 kind of guy. I know that. I love that for you.
Lou and his fellow Netscape rebels, there are like a dozen of them at the beginning,
they are working like the future of the internet is literally at stake.
14-hour days, not practicing much of what we would now call self-care.
Oh, I had a terrible habit of like 10 Mountain Dews per day or something like that.
Oh my god.
I'm surprised I'm still here.
Me too. I'm glad you survived.
In order to create a utopian vision of the web, Lou wanted to figure out a way to grow the internet meadow
so that it was way bigger than any walled-off version,
so that there was, like, so many websites,
thousands of companies,
an internet too big to be controlled
by any one AOL or Microsoft tech giant.
And Liu knew there was one very effective way
to make things grow fast.
Capitalism. If they could figure out a way to unleash commerce on the internet,
the meadow would grow so fast and so wild that nobody would want to stay in their walled gardens
anymore. Sure, capitalism might not be what you would think the rebel alliance would gravitate to,
but they're sort of like, we know this is going to get the job done.
But at the time, you couldn't really do the most basic things
that would make the internet appealing to businesses.
You could barely shop.
And there was one big reason.
The web did not have a memory.
So essentially, the web server would completely forget
every one of its visitors every single time they connected.
The web server would forget its visitors.
So, like, no one could save anything.
You couldn't put stuff you wanted to buy in a shopping cart.
The shopping cart did not exist.
So online shopping was not really a thing.
You couldn't save anything in a way that allowed you to come back later.
So, like, grocery stores didn't have their products listed on websites back then. But if they did,
and you wanted to make a pie and you go to pattiespieparts.com or something like that,
you would have to pay for one item at a time. You would have to go to the eggs page,
check out, go to the unsalted butter page, check out, go to the peach page, check out again.
So inconvenient.
Lou says there was one obvious solution to the whole the website doesn't remember you problem.
Netscape could just give every web user a unique ID, kind of like a wristband attached to your browser.
And every time you went to any website, your browser would like show a wristband attached to your browser. And every time you went to any website,
your browser would like show your wristband and the website would know who you were.
It would be one wristband for the whole internet.
That way, when I popped from the unsalted butter page
to the peach page,
my web browser would tell Patty's Pie Parts,
it's that one guy making a peach pie.
He's been here before.
Every time I appeared.
And Patty's Pie Parts could have a shopping cart that would keep track of all the things I wanted.
Okay, but the problem with this wristband ID approach is that it would make it extremely easy to track everything everyone did on the internet.
And Lou, he's a free and open internet guy.
And to him, you cannot have a free and open internet
if everyone is being watched. So he thinks, I wonder if I can make a better anonymous wristband.
And he remembers this kind of coding tool from a computing class he took in college,
something he'd heard called a magic cookie. I think the cookie term comes from the fortune
cookie, where you essentially have a message wrapped in something that you can't see the message.
A cookie with a hidden message inside.
And Lou thinks we shouldn't have just one identifying wristband for everything you do on the Internet.
There should be a whole bunch of them, a different wristband for every site you go on.
So Patty's Pie Parts could give you a wristband
just for them. They could call you Paddy's Pie Customer 1234. Nobody else would see it. And that
way, an oppressive government or a nosy company couldn't follow your trail across the internet.
Lou says actually writing the program to do this was not that complicated.
It was maybe an hour's worth of coding.
That's like two or three Mountain Dews worth.
Exactly.
They do, of course, workshop the design for a couple weeks,
and Blue decides to drop the magic from the magic cookie's name.
And so I just started calling it cookies right away.
Nobody minded the name. It just stuck.
In 1994, the internet cookie goes out into the world
with the launch of the Netscape browser.
Baked right into the browser was the cookie.
The cookie let you sign into websites.
It let you make comments online.
And it solved the shopping cart problem.
Netscape's browser was like the first really polished browser out there.
And when it came out, it blew up.
It's fair to say that it took the world by storm. There were a few million people who were online,
and within about five months, I think, 90% of them had switched over to use the Netscape browser.
Netscape grows super fast. They go public within a year, start hiring hundreds of people.
And unsurprisingly, all this hoopla provokes a massive response from their main competitor, Microsoft,
which kicks into gear by releasing their own browser, Internet Explorer.
And within a few months, they decide to include cookies in their browser, too.
Because why wouldn't they? Cookies were a game changer. So basically overnight, cookies have gone from barely a twinkle in Lou's eye to this like fundamental part of how the Internet works.
And it's in the midst of this that Lou's cookies get used in a wildly different way from what Lou had imagined by people with a very different goal in mind.
So did you guys kind of weaponize the cookie?
When you say weaponize, I think we were falsely accused of weaponizing the cookie.
This is Kevin O'Connor, one of the founders of a company that came to be called DoubleClick.
And back in the spring of 1995, Kevin was living in Atlanta,
looking to get in on the online gold rush.
And his approach to the internet was a bit more practical than utopian.
And there was a lot of people who didn't want it to be commercialized.
They wanted to sort of remain pure.
But that's pretty tough in a free market.
So we were trying to figure out, you know, how people are going to make money.
Kevin and his co-founder, a programmer named Dwight Merriman,
eventually settle on advertising.
They realized there would be a lot of money to be made
if they can become the middlemen connecting advertisers with the growing number of new
websites. And they figure out that Lou Montulli's baby, the cookie, would be an essential ingredient
to unlocking the potential for advertising on the internet. They thought it could be way more
targeted than advertising on the radio or on TV.
Because, like, let's say you're a truck company.
You sell trucks.
I'm looking at, OK, who likes to buy my truck?
Say it's men 25 to 40 buy my trucks.
OK, well, where do these men 25 to 40 go on TV?
Well, they go to NFL football.
So you think, OK, I need to buy an expensive TV time slot ad during an NFL football game. But then you're basically like also paying to advertise to
people who are watching the game, but will never buy trucks because they hate trucks or because
they like miss the commercial. So you don't know if you actually reached your target audience.
With the cookie, you could. I mean, the cookie told us, okay, user one,
two, three, you saw this ad A, you know, two times, ad B, four times on these sites and,
you know, respond it. Here is what's happening behind the scenes. You know how websites had
cookies now, little wristbands to keep track of their customers? Well, Kevin and Dwight realize an ad
on one of those websites can have its own little wristband too. Every ad slot that his company
DoubleClick got on a website gave them the ability to place a specific DoubleClick cookie or wristband
on your browser. So in addition to the main site's wristband that says you are Patty's Pie Parts
customer 1234, you now have one that says you are also DoubleClick customer 567. That is what
let DoubleClick keep track of how many times you saw their particular ad. But DoubleClick had a
plan to do a lot more with that information because as DoubleClick had a plan to do a lot more with that information. Because as DoubleClick gets more and more websites to let them handle their ad banners at the top of the page,
DoubleClick will be able to learn a little bit more about what you're doing online.
So if you went to, I don't know, like Teen Vogue, and they maybe had a DoubleClick ad slot on their site,
and then you went to like Foreign policy and then to modern farmer.
And they also maybe had a double click ad slot. Now DoubleClick knew you were the type of vague,
anonymous DoubleClick customer, five, six, seven person who liked teen fashion and farmers and
foreign policy. DoubleClick would be able to use that detailed profile of your very specific
browsing behavior to charge more from advertisers looking for customers with very specific kinds of
tastes. This kind of super sophisticated targeting was still years away. But even in the mid-90s,
when DoubleClick was first getting started, their ad tracking was a huge success.
But for Lou Montulli, who'd created the original cookie for Netscape and cared about user privacy on the internet, DoubleClick's model caught him off guard.
When did you first hear that cookies were being know when a browser had visited multiple sites.
And how did you feel when you first read that. I was a little shocked, honestly, because we had specifically designed this not
to be possible. This was a big violation of the spirit of cookies. So felt that we needed to do
something about it. A violation of the spirit of cookies. Lou goes to his bosses at Netscape like,
did you know that our cookie is being used like this? And the bosses are kind of like, okay, Lou, figure it out.
It was left to me entirely
because nobody else really wanted to deal with it.
And yeah, I wasn't entirely comfortable
with having all that power.
Lou, he is just 25 years old at this point.
And to be clear, he did have the power to kill the cookie. Netscape
had some 80% of the browser market. So if they decided to disable the cookie, they would basically
be pulling the plug on it for the whole internet. So in order to make his decision, he starts
digging into how DoubleClick is actually using the cookie. An important thing that we discovered in the
research was that ad tracking enabled significantly more revenue for a site using advertising as their
primary revenue source. And that if we completely disabled ad tracking, that we would likely
kill about 90% of the revenue going to the web at that time. It's hard to know exactly how much of the web's revenue this would have actually cut off.
But a huge amount of money flowing into the web did come from this ad tracking model.
It was basically funding the internet.
And scuttling the cookie would mean blowing up the whole system.
Turning it off would be a heavy, heavy hammer.
You won't really be able to come back from that.
So Lou was facing a kind of devil's bargain. If he didn't do something, he'd be betraying his
utopian vision of the internet. On the other hand, if he fully disabled the cookie, he would also
risk hobbling the internet just as it was starting to gather speed.
So Lou decided to split the difference. He decided from now on, users have to be told,
hey, we're attaching some cookies to you.
And users would also now have the option
to clear all the cookies off their browser
whenever they wanted.
But the whole cookie advertisers can track you thing,
that stays.
I was quite torn.
And I wasn't terribly confident that I'd made
the right decision until years later when I really came to the realization that if advertising is
going to exist and there's going to be ad tracking, that having a singular system that allows visibility
and user control was the best way to approach it. To see that there are cookies and to be able to say no to them.
That was the price Lou paid to keep the cookie alive.
But after the break, the cookie and to let advertisers
extract our data, that model went on to explode across the Internet. A bunch of companies copied DoubleClick's model.
Google acquired DoubleClick, and ad tracking became one of their fundamental profit engines.
And along the way, the level of targeting that all these companies were able to do got more and more sophisticated.
They figured out that if you click on an ad for, I don't know, maybe a denim onesie.
Really going out on a limb there, Lexi.
Yes, a total wildcard example.
But then you get distracted or decide not to buy it for whatever reason.
It would be a much more effective targeting strategy for them to now bombard you with ads for that onesie.
They found you'd be much more likely to buy it, that sales would go up, which meant their technology was worth even more to advertisers. I'm not going to lie. I really like that ads follow me around
the internet. I think it makes it very easy for me to shop. Obviously, for some people,
ad tracking can be this useful way of showing the thing you never knew you needed before.
But for others, it's meant something a
little more sinister. The cookie is kind of the root of all evil in terms of internet tracking.
Bennett Cyphers works with the Electronic Frontier Foundation, an organization focused
on digital civil liberties. He says this cookie overload has been building for years.
By the 2010s, when you went to open up a website,
there were cookies all over that thing. A single pixel, like a pixel in an image,
that can have a cookie. The weather widget on the top right, that can have a cookie. The Facebook
like button, the little Facebook thumb they used to have next to like a BuzzFeed listicle,
that thumb like button had a cookie that was sending information back to Facebook
even if you didn't click it.
And so then Facebook says like,
good to see you, Bennett.
I hope you enjoy the 10 cats
who look like Disney princesses.
Finally, in 2016, lawmakers in Europe
were like enough with all the creepy
hidden data harvesting.
They passed a new set of laws that pushed back against big tech.
The first and only really big milestone in privacy regulation around the world
has been GDPR, the General Data Privacy Regulation.
Gidper.
Gidper, as we say in the biz.
You know that thing that happens when you now open a new website and it's like, do you want to accept all the cookies on this page?
That's because of Gidper.
One of the big principles behind this is that web users should be even more clearly informed that they are being tracked and should have to theoretically make clear decisions about what they will allow.
Not going to lie, I actually just mash that accept all cookies a lot of the time just
to get to the website.
Yeah, I used to.
Now I'm like a strictly necessary cookies only kind of person.
Anyway, in addition to making cookies more cumbersome to use, these regulations also
brought a lot of negative attention to how much tracking is being done using cookies.
And eventually, even some of the big tech companies
themselves were like, oh yeah, we hate tracking too. Super sketchy. In 2017, Apple said its Safari
browser would start limiting how advertisers could use cookies to track people. Apple, by the way,
is an NPR sponsor. Then in 2020, Apple went even further. Safari made a big splash when it became the first major browser that by default would block access
to third-party cookies in most contexts. So that was a really big deal.
You may have seen Apple's recent video ad campaign about data privacy,
saying basically, we hate tracking, we're on your side. It's the kind of
funny one where an iPhone user stumbles across a secret auction where a bunch of companies are
bidding for her data. The next sale is a digital treasure trove charming Ellie's private data.
It's not creepy. It's commerce. Do I hear 600? 620? 640? 660? So. And it wasn't just Apple's Safari that did this.
Firefox, the third largest web browser by users, did the same thing.
And in early 2020, the big dog, Google Chrome.
Two-thirds of everyone who uses browsers uses Google Chrome.
And they announced that they, too, would be largely discontinuing the cookie.
Not the ones that allow you to comment
and fill your shopping cart,
just the ad tracking cookies.
But just because those cookies may be going away,
that does not mean ad tracking will be going with them.
Apple still collects customer data with consent
through its app store and uses that for targeted ads.
And Google has said that it won't discontinue
the cookie until it's come up with basically a replacement for it. One of their main proposals
has focused on the idea of putting people into buckets based on their behavior instead of
profiling them as individual users. So now you might be one of several thousand vegan kite surfers who enjoy slasher flicks instead of double click user 456.
And Bennett says some of these proposed cookie replacements might actually be worse in terms of data privacy.
Google originally planned to get rid of the cookie in 2022.
But after getting a bunch of pushback on their proposals from activists, regulators and other advertisers, Google announced they would be moving back the cookie's execution date to sometime in 2024.
So for the moment, the cookie lives to track another day.
With your consent, of course.
And whether or not the cookie does ultimately die, its creator, Lou Montulli, says what's clear is that the model that grew up around it is here to stay. It's very difficult to see a world where there is no ad
tracking at all. And if they're not using cookies, they will find other means to do tracking. So it's
just like a shell game where the ball moved to a different spot. In this cookie-less world, instead of accepting or rejecting tracking
every time you go to a new website, you may be agreeing to hand over your data just by logging
into Google Chrome or using your email to sign into a website. And Lou thinks those forms of
tracking may not be as transparent. So just on that question of legacy, like nowadays, like,
do you think of yourself as the person who allowed the internet to flourish and kind of pay for itself? Or, you know, the
reason a million ads and every website I go to won't let me forget about the time I googled like
knee-high sheepskin boots? Well, see, that's the thing is you can forget it anytime. Just go up to your cookie settings and tell it to forget, and it will forget.
That, folks, is news you can use.
Should we do this, Sarah?
All right, let's do this.
We're clearing our cookies.
Chrome.
Going up Chrome.
Clear browsing data.
Clear browsing data.
All right.
On three, two, one.
Wait, no, I don't.
I'm not.
No.
I don't want to clear my cookies.
Cancel.
I like my cookies.
I already did it.
Keeping my cookies.
Sarah.
If you have any weird internet histories you want to learn more about, tell us.
You can find us at planetmoney at npr.org and on all social media at Planet Money. Today's episode was produced by
Willa Rubin with help from Dave Blanchard. It was edited by Keith Romer and engineered by Alex
Drewenskas. Special thanks today to Marty Kahn. Jess Jang is Planet Money's acting executive
producer. I'm Alexi Horowitz-Ghazi. I'm Sarah Gonzalez. This is NPR. Thanks for listening.
And a special thanks to our funder, the Alfred P. Sloan Foundation,
for helping to support this podcast.