When Tim Berners-Lee proposed the idea for the World Wide Web back in 1989, he wrote about a “universal linked information system”. His exact words:
“a place to be found for any information or reference which one felt was important, and a way of finding it afterwards”
Three decades later, and you’ve possibly noticed that the web is a bit of a mess. What happened to that universal information system? What even is a cookie, and why do we need to accept them?
There are two reasons that the web is terrible right now: first, advertisers. And second, people.
Let’s talk about the advertisers. The first versions of the web were simple. Text and images and links to other text and images. You could use forms to send information, but the whole thing was ‘stateless’. This means neither the web browser nor the web server kept track of you from one page to the next: you just sent a request for a document, you got the document back, and that was it. If you submitted a form, that one response could be tailored, but after that, nope, the server’s forgotten about you because it can’t tell you apart from anyone else who’s using the same network.
This wasn't, long-term, a great plan. In theory, you could hack together something more complicated, send forms back and forth, and people did build things like that, but they’d break very, very easily. It was impossible to have something both reliable and personalized.
Then in 1994, a programmer called Lou Montulli, who was building a web browser at a company called Netscape, came up with “cookies”, adapting an old computer science technique called “magic cookies”. They were so useful that every other browser started to use them as well, and they got built into the web standards.
A cookie is “client-side storage”: your web browser sends the request to the server, as usual, but the server sends back two things: the page you asked for, and a little text file called a cookie that your browser then saves. After it’s saved, every time that browser makes a request to that same server, it sends the cookie along with it. So that cookie could contain your preferences: if you choose “dark mode”, then the browser would now send a “dark mode” preference, in that cookie, every single request. If the server asked for it, then that cookie would last even if you closed the browser, and restarted your computer. For years and years and years.
Or a cookie could be used for authentication: so after you’ve logged into a site, that site gives your browser a cookie that’s just a long, random string of characters. But because no-one except the server and that cookie have that long string of characters, it can act like a password: the browser sends it back along with every page request, and the server looks at it and goes “oh, yeah, I remember you”.
The designers of cookies looked at that, and they knew that they could be used to track people, so there was a very, very important rule for privacy: from the very start, only the site that set the cookie can read the cookie back. Except...
Because of the way the web is built, sites can include material from other servers. A web page can pull in an image from somewhere else, or some scripting code, or even an entire other website, included in a frame. And those other servers could all set and read their own cookies. “Third-party cookies”, they were called.
So when web pages included advertising, well, those adverts came from the advertising company’s servers, so those advertisers could set a cookie that tracked people across the entire web. If the same ad company partnered with loads of different websites, they could start building up some very detailed profiles. No, they might not know who you are at first. But they knew you visited that website about your hometown, then you visited that website about your college, and then you visited that website about a very specific medical condition. Oh, and then you bought something from an online shop, so they can work behind-the-scenes combine the details from that shop and their cookies, and add your name and address to the profile.
All those fancy “share with Facebook” buttons? Well, yeah, loads of them could report back to Facebook where you were going. "Hey, this person's looking at all these sites! So now you can tailor adverts for them!" Which is why you could be on a site that seems to be completely disconnected from Facebook, and still see adverts that were uncannily linked to things you’ve been thinking about.
It took a long while before regulators decided that, maybe, advertising companies having enormous databases on basically everything that people were thinking might be a bit of a privacy problem.
The European Union acted first. The “Cookie Law”, which was the euphemistic name for, um, this mess... meant that all the EU member countries had to put a law in place requiring consent to place cookies.
That wasn’t particularly well-thought-out, because “consent” requires clicking OK, and if there’s a confusing box in between the average person and the article they want to read, look, nearly everyone is just going to just click OK. And by this point, browser makers were starting to give users options to block third-party cookies anyway, so advertisers were adjusting, they were tracking people not through cookies, but through “fingerprinting”: looking at all the apparently-innocent individual quirks of how that exact computer was set up and how it rendered a web page. The fonts you had installed, the size of your monitor, the websites you've visited in the past, all things that individually appear innocent and safe but which together uniquely identify each person.
Browser makers and advertisers ended up in an odd war with each other about privacy: occasionally a civil war, given that one of the most popular browsers and also one of the major advertising companies were under the same corporate umbrella.
So later, the General Data Protection Regulation, GDPR, put even stronger requirements in place, at least for EU citizens. Not just “no cookies without consent”: no tracking without consent. At all times, the user must have full knowledge what they are signing up for, and must consent to it. Even if the company’s not in the EU. Even if they’re storing data on EU citizens "outside", it still applies to them. The potential maximum fine is 4% of the company’s global annual revenue. Not profit, revenue. Or €20 million, whichever is higher. And yeah, sure, maybe the EU couldn’t easily fine an all-American company, but they can definitely stop them doing business in Europe if they don't pay.
So all the advertisers had two options. Number one: stop tracking people! Or number two, add a big box on each page saying “hey, is it OK if we track you?” And legally, you should be able to easily say no and still access the site. Opting out should be a simple, one-click process. And anyone who’s been on the web lately knows that’s often not true.
So, yes, at least some of those popups and frustrations are because of advertisers. Certainly, they normalized the idea of intrusive popup boxes. But why can they put those boxes there in the first place?
The web is built around freedom of design. It’s one of the most fundamental principles: within the box that the web browser gives you, a designer can put almost anything.
For decade after decade after decade, programmers have pushed the limits of what’s possible: someone has even managed to emulate an entire Windows 95 computer in the web browser. I don’t mean just making a web page look like Windows 95, I mean an entire virtual machine that thinks it’s running on regular computer hardware but is actually just simulated in code, in a web browser.
And that's incredible! Give people power to create and some will make amazing things. But some will look at the ability to run almost any code and put almost anything on screen, at least within that box, and go “maybe I can get some more newsletter sign-ups if I interrupt the reader”. Or "maybe I can make people’s browsers mine cryptocurrency in the background "while they’re on my site!" So the war starts again.
Most web browsers now have a separate view that you can switch into, that shows just the text you want. It might be called “article view” or “reader mode”. The browser tries to figure out what the main content is, what the user actually wants to see, and puts just that text on screen. Stripping out the adverts, removing all the popup boxes, and, yes, losing all the creativity and design that the web allows. But that ‘reader view’ is a lot closer to Tim Berners-Lee’s original design: a place for information, and a way to find it afterwards.
Of course, there are already techniques to detect and defeat reader view, and make sure that the user has to see the adverts, or the newsletter popups, or whatever else. Every bit of freedom that a designer has for creativity and good is also freedom for abuse. That’s true not just on the web, but in every single aspect of the online world.