Third-party cookies and the fight for personal data : Planet Money 30 years ago, Lou Montulli set out to solve a fundamental problem with the internet, and accidentally created an entirely different one. On today's show, how the cookie went from an obscure piece of code designed to protect anonymity, to an online advertiser's dream, to a privacy advocate's nightmare.

Subscribe to Planet Money+ in Apple Podcasts or at plus.npr.org/planetmoney

How the cookie became a monster

  • Download
  • <iframe src="https://www.npr.org/player/embed/1137657496/1137923902" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript

SYLVIE DOUGLIS, BYLINE: This is PLANET MONEY from NPR.

(SOUNDBITE OF COIN SPINNING)

ALEXI HOROWITZ-GHAZI, HOST:

Whenever Lou Montulli goes online, he, just like the rest of us, gets weirdly specific ads.

What's the strangest thing that you maybe casually looked up on the internet that seems to follow you everywhere as an ad, no matter what website you go to?

LOU MONTULLI: Gutter protection.

(LAUGHTER)

MONTULLI: You look that up one time, and you just get bombarded. And I actually did buy gutter protection. And they just kept advertising to me for seemingly forever.

HOROWITZ-GHAZI: Does any part of you think, like, I kind of did this to myself?

MONTULLI: Yeah, I do feel somewhat responsible for the state of the world.

SARAH GONZALEZ, HOST:

Lou Montulli is kind of responsible for the state of the world, at least the online world.

MONTULLI: I'm the inventor of the internet cookie.

HOROWITZ-GHAZI: The internet cookie.

GONZALEZ: So, you know when you go to a new site, you usually have to, like, accept the cookies or reject the cookies? Yeah, those are the cookies that Lou made.

MONTULLI: People go, oh, you're the reason I have to keep clicking cancel all the time, so...

(LAUGHTER)

HOROWITZ-GHAZI: You may have a vague sense that cookies play some nefarious role in online tracking. But cookies do a lot of things. Cookies allow you to sign in to a website. They're what allows you to comment on stuff online. And, yes, cookies are also the thing that lets advertisers follow you around the internet to serve you that same gutter protection ad everywhere you go. But the strange thing about the cookie is that when Lou first cooked it up in a internet-lifetime ago, he specifically designed it to protect people's anonymity as they surfed the early web. But that is not how things turned out for the cookie.

MONTULLI: No matter your best intentions, technology, once released into the wild, will be used however people choose to use it. You're going to build something, and then, it will evolve over time, and you will have no control over it. And a certain point, you just have to deal with it.

(SOUNDBITE OF GEORGE GEORGIA'S "FRUIT SALAD")

HOROWITZ-GHAZI: Hello, and welcome to PLANET MONEY. I'm Alexi Horowitz-Ghazi.

GONZALEZ: And I'm Sarah Gonzalez.

HOROWITZ-GHAZI: Nearly 30 years ago, Lou Montulli set out to solve a fundamental problem with the internet and accidentally created an entirely different one. His invention went from an obscure piece of code designed to protect anonymity to an online advertiser's dream to a privacy advocate's nightmare, unleashing a corporate arms race to extract as much of our digital data as possible.

GONZALEZ: Today on the show, how the cookie became a monster, why the world's biggest internet browsers have decided to finally let the cookie crumble - to make the cookie disappear from the internet - and what a World Wide Web without cookies might even look like.

(SOUNDBITE OF GEORGE GEORGIA'S "FRUIT SALAD")

HOROWITZ-GHAZI: The story of the cookie begins back in 1994. The World Wide Web was still pretty new. There weren't a ton of websites yet. And like a lot of people, Lou Montulli had the sense that the internet offered the chance to uplift humanity, but only if it was designed in the right way. Lou was 23 at the time, studying computer science.

MONTULLI: We were thinking, being naive, young college students, that information would set us all free.

HOROWITZ-GHAZI: OK, so the stakes were, like, the future of the free world?

MONTULLI: (Laughter) Yes, the future of the free world was at stake.

GONZALEZ: Lou dropped out of college to work at a new startup called Netscape. Now, Netscape was setting out to create a new web browser - so, like, you know, Chrome and Safari but before Chrome and Safari existed.

HOROWITZ-GHAZI: Back in the early '90s, the internet was still kind of an obscure network, mostly used by academics and hobbyists. Regular people who wanted to casually hop on the internet probably did it through a platform like AOL of "You've Got Mail." It wasn't a browser, but you could access parts of the internet through it. You could read the news, send emails, play games.

GONZALEZ: So if the internet was like a giant, open meadow, AOL had put these walls around its own private sections. And if you were an AOL customer, that was your internet world. Netscape - Netscape wanted the Internet to be the whole open meadow, a place where you could wander around freely and go to whatever website you wanted. If AOL wanted to stay within its own little walls, they could do that.

HOROWITZ-GHAZI: There were a few smaller browsers already. But Netscape wanted to make a browser that was so smooth and easy to use it would open up the web to millions of people across the world. And they wanted to do it before the giant tech company of the day, Microsoft, got into the game. We should also say Microsoft is a sponsor of NPR.

MONTULLI: This isn't a kind analogy, but certainly at Netscape, we thought of ourselves as the Rebel Alliance and Microsoft as the Empire.

HOROWITZ-GHAZI: Did you see yourself as more of, like, a Luke Skywalker type? Or were you a Han Solo sort of guy?

MONTULLI: (Laughter) God, I wish I could be a Han Solo type of guy.

GONZALEZ: I'm definitely a BB-8 kind of guy. I know that.

HOROWITZ-GHAZI: I love that for you.

GONZALEZ: Lou and his fellow Netscape Rebels, there are, like, a dozen of them at the beginning. They are working like the future of the internet is literally at stake - 14-hour days, not practicing much of what we would now call self-care.

MONTULLI: Oh, I had a terrible habit of like, ten, Mountain Dews per day or something like that.

HOROWITZ-GHAZI: Oh, my God.

MONTULLI: I'm surprised I'm still here (laughter).

HOROWITZ-GHAZI: Me, too. I'm glad you survived.

GONZALEZ: In order to create a utopian vision of the web, Lou wanted to figure out a way to grow the internet meadow so that it was way bigger than any walled-off version, so that there was, like, so many websites, thousands of companies, an internet too big to be controlled by any one AOL or Microsoft tech giant.

HOROWITZ-GHAZI: And Lou knew there was one very effective way to make things grow fast - capitalism. If they could figure out a way to unleash commerce on the internet, the meadow would grow so fast and so wild that nobody would want to stay in their walled gardens anymore.

GONZALEZ: Sure, capitalism might not be what you would think the Rebel Alliance would gravitate to. But they were sort of like, we know this is going to get the job done.

HOROWITZ-GHAZI: But at the time, you couldn't really do the most basic things that would make the internet appealing to businesses. You could barely shop. And there was one big reason - the web did not have a memory.

MONTULLI: So essentially, the web server would completely forget every one of its visitors every single time they connected.

GONZALEZ: The web server would forget its visitors. So, like, no one could save anything. You couldn't put stuff you wanted to buy in a shopping cart. The shopping cart did not exist, so online shopping was not really a thing.

MONTULLI: You couldn't save anything in a way that allowed you to come back later.

HOROWITZ-GHAZI: So, like, grocery stores didn't have their products listed on websites back then. But if they did and you wanted to make a pie and you go to pattispieparts.com (ph) or something like that, you would have to pay for one item at a time. You would have to go to the eggs page, check out, go to the unsalted butter page, check out, go to the peach page, check out again - so inconvenient.

GONZALEZ: Lou says there was one obvious solution to the whole the-website-doesn't-remember-you problem. Netscape could just give every web user a unique ID, kind of like a wristband attached to your browser. And every time you went to any website, your browser would, like, show your wristband, and the website would know who you were. It would be one wristband for the whole internet.

HOROWITZ-GHAZI: That way, when I popped from the unsalted butter page to the peach page, my web browser would tell Patti's Pie Parts (ph), it's that one guy making a peach pie, he's been here before, every time I appeared. And Patti's Pie Parts could have a shopping cart that would keep track of all the things I wanted.

GONZALEZ: OK. But the problem with this wristband-idea approach is that it would make it extremely easy to track everything everyone did on the internet. And Lou, he's a free-and-open internet guy. And to him, you cannot have a free-and-open internet if everyone is being watched. So he thinks, I wonder if I can make a better anonymous wristband. And he remembers this kind of coding tool from a computing class he took in college, something he'd heard called a magic cookie.

MONTULLI: I think the cookie term comes from the fortune cookie, where you essentially have a message wrapped in something, that you can't see the message.

HOROWITZ-GHAZI: A cookie with a hidden message inside. And Lou thinks we shouldn't have just one identifying wristband for everything you do on the internet; there should be a whole bunch of them, a different wristband for every site you go on. So Patti's Pie Parts could give you a wristband just for them. They could call you Patti's Pie Customer 1234. Nobody else would see it. And that way, an oppressive government or a nosy company couldn't follow your trail across the internet. Lou says actually writing the program to do this was not that complicated.

MONTULLI: It was maybe an hour's worth of coding.

HOROWITZ-GHAZI: That's, like, two or three Mountain Dews' worth.

MONTULLI: (Laughter) Exactly.

HOROWITZ-GHAZI: They do, of course, workshop the design for a couple weeks. And Lou decides to drop the magic from the magic cookie's name.

MONTULLI: And so I just started calling it cookies right away. Nobody minded the name. It just stuck.

GONZALEZ: In 1994, the internet cookie goes out into the world with the launch of the Netscape browser. Baked right into the browser was the cookie. The cookie let you sign in to websites. It let you make comments online. And it solved the shopping cart problem. Netscape's browser was, like, the first really polished browser out there. And when it came out, it blew up.

MONTULLI: It's fair to say that it took the world by storm. There were a few million people who were online. And within about five months, I think, 90% of them had switched over to use the Netscape browser.

HOROWITZ-GHAZI: Netscape grows superfast. They go public within a year, start hiring hundreds of people. And unsurprisingly, all this hoopla provokes a massive response from their main competitor, Microsoft, which kicks into gear by releasing their own browser, Internet Explorer. And within a few months, they decide to include cookies in their browser, too. Because why wouldn't they? Cookies were a game changer.

GONZALEZ: So basically overnight, cookies have gone from barely a twinkle in Lou's eye to this, like, fundamental part of how the internet works. And it's in the midst of this that Lou's cookies get used in a wildly different way from what Lou had imagined by people with a very different goal in mind.

HOROWITZ-GHAZI: So did you guys kind of weaponize the cookie?

KEVIN O'CONNOR: We say weaponized. I think we were accused, falsely accused, of weaponizing the cookie.

HOROWITZ-GHAZI: This is Kevin O'Connor, one of the founders of a company that came to be called DoubleClick. And back in the spring of 1995, Kevin was living in Atlanta, looking to get in on the online gold rush. And his approach to the internet was a bit more practical than utopian.

O'CONNOR: And there was a lot of people who didn't want it to be commercialized and wanted it to sort of remain pure. But that's pretty, pretty tough in a free market. So we were trying to figure out, you know, how are people going to make money?

HOROWITZ-GHAZI: Kevin and his co-founder, a programmer named Dwight Merriman, eventually settle on advertising. They realized there would be a lot of money to be made if they can become the middlemen connecting advertisers with the growing number of new websites. And they figure out that Lou Montulli's baby, the cookie, would be an essential ingredient to unlocking the potential for advertising on the internet.

GONZALEZ: They thought it could be way more targeted than advertising on the radio or on TV 'cause - like, let's say you're a truck company. You sell trucks.

O'CONNOR: So I'm looking at, OK, who likes to buy my truck? Let's say it's men, 25 to 40, buy my trucks. OK. Well, where do these men, 25 to 40, go on TV? Well, they go to NFL football.

GONZALEZ: So you think, OK, I need to buy an expensive TV time slot ad during an NFL football game. But then, you're basically, like, also paying to advertise to people who are watching the game but will never buy trucks 'cause they hate trucks or because they, like, missed the commercial. So you don't know if you actually reached your target audience. With the cookie, you could.

O'CONNOR: I mean, the cookie told us, OK, User 123 saw this Ad A, you know, two times, Ad B four times, on these sites and, you know, responded.

HOROWITZ-GHAZI: Here is what's happening behind the scenes. You know how websites had cookies now, little wristbands to keep track of their customers? Well, Kevin and Dwight realize an ad on one of those websites can have its own little wristband, too. Every ad slot that his company, DoubleClick, got on a website gave them the ability to place a specific DoubleClick cookie, or wristband, on your browser.

GONZALEZ: So in addition to the main site's wristband that says you are Patti's Pie Parts Customer 1234, you now have one that says you are also DoubleClick Customer 567. That is what let DoubleClick keep track of how many times you saw their particular ad.

HOROWITZ-GHAZI: But DoubleClick had a plan to do a lot more with that information. Because as DoubleClick gets more and more websites to let them handle their ad banners at the top of the page, DoubleClick will be able to learn a little bit more about what you're doing online.

GONZALEZ: So if you went to, I don't know, like, Teen Vogue and they maybe had a DoubleClick ad slot on their site and then you went to, like, Foreign Policy and then to Modern Farmer...

HOROWITZ-GHAZI: Oh, yeah.

GONZALEZ: ...And they also maybe had a DoubleClick ad slot, now, DoubleClick knew you were the type of vague, anonymous DoubleClick Customer 567 person who liked teen fashion and farmers and foreign policy. DoubleClick would be able to use that detailed profile of your very specific browsing behavior to charge more from advertisers looking for customers with very specific kinds of tastes.

HOROWITZ-GHAZI: This kind of supersophisticated targeting was still years away. But even in the mid-'90s when DoubleClick was first getting started, their ad tracking was a huge success. But for Lou, who'd created the original cookie for Netscape and cared about user privacy on the internet, DoubleClick's model caught him off guard.

When did you first hear that cookies were being used in a way that you hadn't originally intended?

MONTULLI: I got word of it, I think, through a CNET article. And they found that the advertising network was using cookies to track ads across multiple websites. And that could imply that that ad network could know when a browser had visited multiple sites.

HOROWITZ-GHAZI: And how did you feel when you first read that?

MONTULLI: I was a little shocked, honestly, 'cause, you know, we had specifically designed this not to be possible. This was a big violation of the spirit of cookies so - felt that we needed to do something about it.

GONZALEZ: A violation of the spirit of cookies. Lou goes to his bosses at Netscape. Like, did you know that our cookie is being used like this? And the bosses are kind of like, OK, Lou, figure it out.

MONTULLI: It was left to me entirely because nobody else really wanted to deal with it. And, yeah, I wasn't entirely comfortable with having all that power.

HOROWITZ-GHAZI: Lou, he is just 25 years old at this point. And to be clear, he did have the power to kill the cookie. Netscape had some 80% of the browser market. So if they decided to disable the cookie, they would basically be pulling the plug on it for the whole internet. So in order to make his decision, he starts digging into how DoubleClick is actually using the cookie.

MONTULLI: An important thing that we discovered in the research was that ad tracking enabled significantly more revenue for a site using advertising as their primary revenue source and that if we completely disabled ad tracking that, we would likely kill about 90% of the revenue going to the web at that time.

GONZALEZ: It's hard to know exactly how much of the web's revenue this would have actually cut off. But a huge amount of money flowing into the web did come from this ad-tracking model. It was basically funding the internet. And scuttling the cookie would mean blowing up the whole system.

MONTULLI: Turning it off would be - you know, would be a heavy, heavy hammer. You won't really be able to come back from that.

HOROWITZ-GHAZI: So Lou was facing a kind of devil's bargain. If he didn't do something, he'd be betraying his utopian vision of the internet. On the other hand, if he fully disabled the cookie, he would also risk hobbling the internet just as it was starting to gather speed.

GONZALEZ: So Lou decided to split the difference. He decided, from now on, users have to be told, hey, we're attaching some cookies to you. And users would also now have the option to clear all the cookies off their browser whenever they wanted. But the whole, like, cookie-advertisers-can-track-you thing - that stays.

MONTULLI: I was quite torn. And I wasn't terribly confident that I'd made the right decision until years later, when I really came to the realization that if advertising is going to exist and there's going to be ad tracking, that having a singular system that allows visibility and user control was the best way to approach it.

HOROWITZ-GHAZI: To see that there are cookies and to be able to say no to them - that was the price Lou paid to keep the cookie alive.

(SOUNDBITE OF JONATHAN THOMAS MILLER'S "THE STRIPPER AND THE FROG")

HOROWITZ-GHAZI: But after the break, the cookie might finally meet its baker.

(SOUNDBITE OF JONATHAN THOMAS MILLER'S "THE STRIPPER AND THE FROG")

GONZALEZ: In the years since Lou Montulli made the decision not to kill the cookie and to let advertisers extract our data, that model went on to explode across the internet. A bunch of companies copied DoubleClick's model. Google acquired DoubleClick, and ad tracking became one of their fundamental profit engines. And along the way, the level of targeting that all these companies were able to do got more and more sophisticated.

HOROWITZ-GHAZI: They figured out that if you click on an ad for, I don't know, maybe a denim onesie...

GONZALEZ: Really going out on a limb there, Alexi.

HOROWITZ-GHAZI: ...Yes, a total wild card-example - but then you get distracted or decide not to buy it for whatever reason, it would be a much more effective targeting strategy for them to now bombard you with ads for that onesie. They found you'd be much more likely to buy it, that sales would go up, which meant their technology was worth even more to advertisers.

GONZALEZ: I'm not going to lie. I really like that ads follow me around the internet. I think it makes it very easy for me to shop.

HOROWITZ-GHAZI: Obviously, for some people, ad tracking can be this useful way of showing the thing you never knew you needed before. But for others, it's meant something a little more sinister.

BENNETT CYPHERS: The cookie is kind of the root of all evil in terms of internet tracking.

HOROWITZ-GHAZI: Bennett Cyphers works with the Electronic Frontier Foundation, an organization focused on digital civil liberties. He says this cookie overload has been building for years.

GONZALEZ: By the 2010s, when you went to open up a website, there were cookies all over that thing. A single pixel, like a pixel in an image - that can have a cookie. The weather widget on the top right - that can have a cookie. The Facebook like button, the little Facebook thumb they used to have next to, like, a BuzzFeed listicle - that thumb like button had a cookie that was sending information back to Facebook even if you didn't click it.

CYPHERS: And so then Facebook says, like, good to see you, Bennett. I hope you enjoy the 10 cats who look like Disney princesses.

HOROWITZ-GHAZI: Finally, in 2016, lawmakers in Europe were like, enough with all the creepy hidden data harvesting. They passed a new set of laws that pushed back against Big Tech.

CYPHERS: The first and only really big milestone in privacy regulation around the world has been GDPR, the General Data Privacy Regulation.

HOROWITZ-GHAZI: Gidper (ph).

CYPHERS: Gidper, as we say in the biz.

GONZALEZ: You know that thing that happens when you now open a new website and it's like, do you want to accept all the cookies on this page? That's because of Gidper. One of the big principles behind this is that web users should be even more clearly informed that they are being tracked and should have to theoretically make clear decisions about what they will allow.

HOROWITZ-GHAZI: Not going to lie. I actually just mash that accept all cookies a lot of the time just to get to the website.

GONZALEZ: Yeah, I used to. Now I'm, like, a strictly-necessary-cookies-only...

HOROWITZ-GHAZI: Ooh, good for you.

GONZALEZ: ...Kind of person.

HOROWITZ-GHAZI: Anyway, in addition to making cookies more cumbersome to use, these regulations also brought a lot of negative attention to how much tracking is being done using cookies. And eventually, even some of the big tech companies themselves were like, oh, yeah, we hate tracking too, super sketchy.

GONZALEZ: In 2017, Apple said its Safari browser would start limiting how advertisers could use cookies to track people. Apple, by the way, is an NPR sponsor. Then in 2020, Apple went even further.

CYPHERS: Safari made a big splash when it became the first major browser that by default would block access to third-party cookies in most contexts. So that was a really big deal.

HOROWITZ-GHAZI: You may have seen Apple's recent video ad campaign about data privacy, saying basically, we hate tracking; we're on your side. It's a kind of funny one where an iPhone user stumbles across a secret auction where a bunch of companies are bidding for her data.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED ACTOR: (As character) The next sale is a digital treasure trove - charming Ellie's private data. It's not creepy. It's commerce. Do I hear 600? - 620, 640, 660.

(SOUNDBITE OF GAVEL)

UNIDENTIFIED ACTOR: (As character) Sold.

GONZALEZ: And it wasn't just Apple's Safari that did this. Firefox, the third-largest web browser by users, did the same thing. And in early 2020, the big dog, Google Chrome - two-thirds of everyone who uses browsers uses Google Chrome, and they announced that they too would be largely discontinuing the cookie - not the ones that allow you to comment and fill your shopping cart, just the ad-tracking cookies.

HOROWITZ-GHAZI: But just because those cookies may be going away, that does not mean ad tracking will be going with them. Apple still collects customer data with consent through its app store and uses that for targeted ads. And Google has said that it won't discontinue the cookie until it's come up with basically a replacement for it. One of their main proposals has focused on the idea of putting people into buckets based on their behavior instead of profiling them as individual users. So now you might be one of several thousand vegan kite surfers who enjoy slasher flicks instead of DoubleClick User 456.

GONZALEZ: And Bennett says some of these proposed cookie replacements might actually be worse in terms of data privacy. Google originally planned to get rid of the cookie in 2022, but after getting a bunch of pushback on their proposals from activists, regulators and other advertisers, Google announced they would be moving back the cookies' execution date to sometime in 2024.

HOROWITZ-GHAZI: So for the moment, the cookie lives to track another day, with your consent, of course. And whether or not the cookie does ultimately die, its creator, Lou Montulli, says what's clear is that the model that grew up around it is here to stay.

MONTULLI: It's very difficult to see a world where there is no ad tracking at all. And if they're not using cookies, they will find other means to do tracking. So it's just like a shell game, where the ball moved to a different spot.

HOROWITZ-GHAZI: In this cookieless world, instead of accepting or rejecting tracking every time you go to a new website, you may be agreeing to hand over your data just by logging in to Google Chrome or using your email to sign in to a website. And Lou thinks those forms of tracking may not be as transparent.

So just on the question of legacy, like, nowadays, like, do you think of yourself as the person who allowed the internet to flourish and kind of pay for itself or, you know, the reason a million ads on every website I go to won't let me forget about the time I Googled, like, knee-high sheepskin boots?

MONTULLI: Well, see, that's the thing, is you can forget it any time. Just go up to your cookie settings and tell it to forget, and it will forget. So...

HOROWITZ-GHAZI: That, folks, is news you can use.

Should we do this, Sarah?

GONZALEZ: All right, let's do this. We're clearin' our cookies - Chrome.

HOROWITZ-GHAZI: Going up - Chrome.

GONZALEZ: Clear browsing data.

HOROWITZ-GHAZI: Clear browsing data. All right, on three, two, one.

GONZALEZ: Wait. No, I don't - I'm not - no.

HOROWITZ-GHAZI: What?

GONZALEZ: I don't want to clear my cookies. Cancel. I like my cookies.

HOROWITZ-GHAZI: I already did it.

GONZALEZ: Keeping my cookies.

HOROWITZ-GHAZI: Sarah.

(SOUNDBITE OF GEORGE GEORGIA'S "BLUE AND GREEN")

GONZALEZ: If you have any weird internet histories you want to learn more about, tell us. You can find us at planetmoney@npr.org and on our social media - @planetmoney.

HOROWITZ-GHAZI: Today's episode was produced by Willa Rubin, with help from Dave Blanchard. It was edited by Keith Romer and engineered by Alex Drewenskus. Special thanks today to Marty Kihn. Jess Jiang is PLANET MONEY's acting executive producer. I'm Alexi Horowitz-Ghazi.

GONZALEZ: I'm Sarah Gonzalez. This is NPR. Thanks for listening.

(SOUNDBITE OF GEORGE GEORGIA'S "BLUE AND GREEN")

Copyright © 2022 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.