Skip to navigationSkip to content
QZ&A

The inventor of the digital cookie has some regrets

Cookie inventor Lou Montulli poses for a photo in what appears to be an elementary school classroom.
Courtesy of Lou Montulli
Lou Montulli invented cookies in 1994.
  • Nicolás Rivero
By Nicolás Rivero

Tech Reporter

You’re reading a Quartz member-exclusive story, available to all readers for a limited time. To unlock access to all of Quartz become a member.

When Lou Montulli invented the cookie in 1994, he was a 23-year-old engineer at Netscape, the company that built one of the internet’s first widely used browsers. He was trying to solve a pressing problem on the early web: Websites had lousy memories. Every time a user loaded a new page, a website would treat them like a stranger it had never seen before. That made it impossible to build basic web features we take for granted today, like the shopping carts that follow us from page to page across e-commerce sites.

Montulli considered a range of potential solutions before settling on the cookie, as he later explained in a blog post. A simpler solution might have been to just give every user a unique, permanent ID number that their browser would reveal to every website they visited. But Montulli and the Netscape team rejected that option for fear that it would allow third parties to track people’s browsing activity. Instead, they settled on the cookie—a small text file passed back and forth between a person’s computer and a single website—as a way to help websites remember visitors without allowing people to be tracked.

Within two years, advertisers learned ways to essentially hack cookies to do exactly what Montulli had tried to avoid: follow people around the internet. Eventually, they created the system of cookie-based ad targeting we have today. Twenty-seven years later, Montulli has some misgivings about how his invention has been used—but he has doubts about whether the alternatives will be any better.

This conversation has been edited for length and clarity.

QZ: What was your goal when you were creating the cookie?

We designed cookies to exchange information only between users and the website they visited. The founders of Netscape and many of the other denizens of the internet in that age were really privacy-focused. This was something that we cared about, and it was pervasive in the design of the internet protocols we built. So we wanted to build a mechanism where you could be remembered by the websites that you wanted to remember you, and you could be anonymous when you wanted to be anonymous.

How did you feel when you started seeing advertisers exploit cookies to track people?

Courtesy of Lou Montulli
Montulli circa 1992

That wasn’t something that we had really anticipated sites doing—although I guess one could have followed the money and could have imagined this happening. We became aware of this in 1996, and it was certainly very surprising and alarming to us. We were simultaneously fighting a knock-down, drag-out battle with Microsoft [for dominance of the browser market] and basically getting our clock cleaned. So there were a lot of other problems going on within Netscape besides just cookies. So it just fell to me to figure out what to do about cookies. People were like, “Well I don’t have time to deal with this. Can you deal with this?” And, you know, I’m just a lowly engineer. I don’t really have any experience dealing with policy.

But we were really faced with three choices: One would be to do nothing, to go “oops!” and throw up your hands and allow advertisers to use third-party cookies however they wanted. Another would be to completely block third-party cookies. And the third option was to try to create a more nuanced solution in which we try to give control of the cookie back to the user—especially control over the way advertisers used cookies to track them. That was the approach that we tried to take. And to do that we built out a bunch of functionality within the browser to let users see what cookies are on their device and allow them to control how they’re being used. So you could turn off third-party cookies entirely, or you could turn them off for a certain site.

So you had a chance to kill third-party cookies back in 1996—why didn’t you take it?

Advertising at that time was really the sole revenue stream of websites, because e-commerce was not as strong. Pretty much the entire web relied on advertising and by turning off advertising cookies, it would severely diminish the ability for revenue to be made on the web. So I can’t say that the decision was entirely financially neutral. We as a company believed very strongly in the future of the open web. We felt like having a revenue model for the web was pretty important, and we wanted the web to be successful. So we made the choice to try to give cookie options to the user, but not disable them.

Now, 25 years later, do you feel like you made the right choice?

I look at it from two different perspectives. If you agree that advertising is a reasonable social good, where we get free access to content in exchange for some amount of advertising, and if that advertising is reliant on some form of tracking, I would say the use of the cookie for tracking is a good thing for two reasons. First, it’s a known place where tracking is happening. And second, it’s a technology that is in large part under the user’s control. You can disable cookies in your browser or use an ad blocker plugin to block cookies. So the user has a fair amount of control over the advertising technology right now, and that’s only because it works through this particular technology. The alternative would be, if every ad network were to use a completely different technology, and that technology was not under the control of the user, we would no longer have a singular mechanism with which to personally disable that tracking network.

There’s another view, though, which I’ve only come around to recently. I now think the web’s reliance on advertising as a major revenue source has been very detrimental to society. Advertising perverts the user experience. Instead of incentivizing quality, it incentivizes getting as much interaction as possible. And I think that we’ve seen that those business models that seek to generate as much interaction as possible have caused people to behave very irrationally and not in the public good. So we may need to cut back on the advertising model to get some sort of sanity back in our online experience. I had a hand in building the web this way, but in my old age I’m looking back and thinking the world might have been a better place if we had spent more time working on micropayments or subscription-based content that would have allowed us to value quality over quantity.

Given that we know third-party cookies are dying, what do you think of the alternatives the ad industry is proposing to replace them?

On FLoC: This is an alternate form of expressing preferences for advertising without the traditional means of tracking you all over the web. And I think those forms are really interesting. But I also think that the public is likely to find them a little creepy at first because they won’t really understand it.

On Unified ID 2.0: That’s basically just another cookie. I don’t think it will get traction, because almost everyone will want to turn it off. And if you turn it off, it does advertisers no good.

On first-party data: It’s fine for really large, top 100 websites, but it really cannot be a useful technology for smaller sites. If you don’t have much traffic, collecting your own data has very little relevance to the larger ad-serving, ad-tracking world.

How optimistic are you that new technologies can fix the misgivings consumers have about ad tracking?

It’s my guess that as the third-party cookie gets phased out, ad tracking networks will try to migrate to cookie replacements that do almost the same thing as cookies but don’t have the same user control or supervision, like fingerprinting. I think these new technologies will just set off an arms race between advertisers, who are trying to figure out how to track users, and the browsers and privacy advocates who will come up with technological methods to fight back.

Ultimately, it comes down to: Do we want to fight a technological tit-for-tat war between the advertising companies and the browsers, or do we create public policy around what is and isn’t permissible? It’s very difficult to create a singular technology that is able to solve this problem. And as soon as you do, you have billions of dollars trying to work around it, which to me means if we care about it as a public policy initiative then we ought to put some restrictions around it. And that’s a little hard for me to say as a technologist, because oftentimes legislation has the best intentions, but it doesn’t really hit the mark very well. But sometimes you just can’t come up with a pure technological solution to a problem and you have to figure it out on a policy level.