Cookies: How Ad Platforms Steal Your Mind (Part 1)


Technology Blows Episode 13 Cookies Part 1
===

[00:00:00]

Intro/physical cookies
---

Dan Slimmon: Welcome listeners, welcome. If you are interested in the infinite ways that technology fails to serve humanity, you've come to the right place.

Technology Blows is the name of this techno-pessimist podcast, and the name of me, your host, is Dan Slimmon, and today I am truly thrilled to welcome back to the show, beloved friend of the pod, software engineer CJ Horton. CJ, you're back for another two-parter. How you feeling about [00:01:00] that?

CJ: I'm glad. My jokes about Jira, resonated enough with listeners to justify a return engagement.

Dan Slimmon: I think a lot about, I think a lot about, uh, JIRA and the things that you said about it and, um, it's filled my heart with frustration with Jira, but love for you.

CJ: That's the kind of the optimal, uh, you know, um, results of, uh, making terrible jokes about your.

Dan Slimmon: Now, do you, CJ? Uh, so I, I have a serious problem with cookies. If there are cookies in my vicinity, I will eat them compulsively until all the cookies are gone. It doesn't really matter what kind, it doesn't really matter. You know, they could be chocolate chip, uh, is obviously the OG, but I'll fuck up a box of Milanos, uh, sugar cookies, peanut butter, oatmeal raisin.

Even. I just, I'm, I'm that much of a, of a, of a cookie freak. I can't stop myself. It's actually created a lot of problems for me in my marriage, [00:02:00] which I won't get into. But CJ, what's your relationship with these? With these delightful little butter and sugar bombs that we call cookies?

CJ: No, I'm actually not as much of a cookie fiend as I used to be. Um, uh, at some point in the my, my Sweet Tooth. Kind of died off. And, uh, I will, I will eat like maybe two or three cookies and then I'm like, you know, I just don't really want anymore, which is really a strange development in my life. Um,

Dan Slimmon: that's crazy. I can't imagine what that would feel like. congratulations.

sometimes I don't even like cookies that much. I just, I just have to put them in my face until there aren't any more cookies. It's almost like I hate them.

Right. I just like need to erase them from the world

CJ: home.

Dan Slimmon: Yeah. I love talking about cookies, but we can't just talk about cookies for this whole show as much as I'd like to because we've gotta talk about. Cookies. CJ, I checked, I checked earlier, right? Yeah, I checked earlier and my [00:03:00] browser is currently holding onto cookies from about 1100 domains, totaling 15 gigabytes of cookies.

And, and approximately 25% of these cookies are for domains, I think I've never, ever even navigated to.

CJ: So your browser is also a cookie fiend. Um,

Dan Slimmon: That's true.

CJ: from this.

Dan Slimmon: That's true. Uh, I mean, it's made by Google, so it loves cookies. It, it wants to just collect all the cookies and then it doesn't, it never destroys them. So they're just sitting there on my, on my hard disk. I have for this app that we're recording this podcast in, that that app is the one with the most gigabytes of cookies.

15 gigabytes of cookies.

CJ: Wow, that's. It seems excessive. Um, but, uh, you know,

Dan Slimmon: What?

CJ: do a

Dan Slimmon: What could they,

CJ: front end development these days, so I'm like,

Dan Slimmon: yeah.

CJ: trouble. Imagining [00:04:00] what, what could possibly even be in 15 gigabytes of cookies for a single Huh?

Dan Slimmon: I tried to figure out what exactly was in there, but, um, you, they're all stored in a, you can't, Chrome doesn't let you look at the cookies directly. You can find them in a SQLite database on your disk, but I couldn't find the SQLite database and, um, I lost interest. But, that's too many, that's too many cookies even for me.

CJ: Reaching the limits of your cookie fiendness.

Dan Slimmon: Yeah, yeah, yeah. No, thank you. but since we're talking about cookies today, we're also gonna be talking a lot about the ad industry, right? Uh, the, the, that's, that's the main thing that I think people associate with, with cookies is ad companies selling our data, uh, by using cookies to track us.

CJ: And also clicking so many of those little popup banners that are, uh, ask

Dan Slimmon: Jesus fucking Christ.

CJ: about the, the cookie,

Dan Slimmon: Yeah. How about, how about, no. [00:05:00] Right? How about, how about like, just don't fucking ever, but there's, that's not a button on it. Um,

I, I don't know. They can't, they can't build this stuff. We'll talk about why they can't build, build, build that button. but I, I think personally, I think modern marketing is one of the worst disasters ever to befall humanity.

It's, it's, it's a fous so pervasive that we no longer even really perceive it. Most of the time, just like someone in ancient Rome would no longer have perceived the miasma of human waste that hung over the city all summer, we, we don't, we don't notice. Advertising. That's, that's all over us all, all over, the, the world, all everywhere we go.

And, and I know this is not an original thought. I know I'm not the first person to be like, oh, I hate ads. You know, ads suck. Nobody likes them. But we just kind of accept them because what else can you do? Right?

CJ: Literally everything on the web is monetized. [00:06:00] Um, um, almost everything, unless you actually send money personally to a particular, uh, organization or person. Um, you.

Dan Slimmon: Right, like you donate to Wikipedia or what? Or archive.org or something? Sure.

CJ: Patreon or, yeah. Um, uh, but like most blogs and so on, if somebody's going to like actually, um, make a living from creating content on the internet, it is because of ads. Um,

Dan Slimmon: Yeah.

CJ: pretty

Dan Slimmon: Yeah, it's pretty, it's pretty bleak And we can't do anything about it. 'cause our lives are built around, our whole society is built around property relations and property owners can earn, you can't stop 'em from earning passive income by selling ad space, right? And, and if you don't like it, you know the subway station has ads plastered everywhere.

You can't just walk, walk into subway station with a bucket of black paint and splash paint everywhere you get arrested. Trust me.[00:07:00]

CJ: Sounds like, uh uh, something you know from experience.

Dan Slimmon: it does, doesn't it?

Time traveling to save the world
---

Dan Slimmon: So, so CJ, I, I don't know if you get this a lot, but people are always asking me if I would go back in time to 1889 and kill baby Hitler. It's, it's sort of like the sci-fi version of the trolley problem. Right. Uh, have you ever, have you ever grappled with this, this, this moral riddle?

Would you, would you time travel and kill Hitler when he was a baby?

CJ: Uh, you know, my, my answer is, is, um, I is, is, is kind of unsatisfying. It's just that it's, it's hard to come up with a definite answer to that problem because it's impossible to fully understand the consequences of doing that. It's, uh, while this podcast is suddenly, suddenly getting, um, uh, very, very deep,

Dan Slimmon: Well, it's admirable to be cautious. I mean, I, I appreciate, I appreciate that, that you, you know, you're right. They could, it would have, it could have implications that, that far, you know, that, that you could never have [00:08:00] foreseen.

CJ: baby

Dan Slimmon: me, I.

CJ: does that, um, uh, simply open up a space for another dictator who was worse?

Dan Slimmon: right. Double Hitler.

CJ: the old

Dan Slimmon: well,

CJ: as we say,

Dan Slimmon: you know, thank you for being a foil to me, because for me, the right answer to this question is yes, absolutely no, no, no questions asked. Put the, you know, gimme the rock. but you know, there's, there's lots of different perspectives on this, but, so, so say I say I do it right.

Okay, fine. So there I am standing by the crib. History's greatest monster, safely dead before he could even grow his first little mustache. What's my next move though? Right? Do I do I get back in my DeLorean and, and swoop right back to good old Hitler free 2025. See, I figure. I'm already in Austria-Hungary.

Why not stick around, enjoy the lovely countryside, maybe take a yodeling class, and then take a nice leisurely train ride into Vienna. And I, I could probably live very well in Vienna in 1889 [00:09:00] because I could just steal Einstein's physics ideas. You know, just walk up to the head of the, the University of Vienna's Physics Department and be like.

Uh, Hey, what's up man? I'm from the future. Hey, have you ever noticed how if you shoot ultraviolet light at a cathode, it makes a current, but it doesn't work with infrared light? Weird, right. Anyway, if you gimme 50,000 florins, I'll tell you why that happens. Oh, also, radium atoms take twice as long to decay.

If you speed 'em up to about 86% of the speed of light, you know, chew on that one and then maybe send me a couple more florins. Right? So they, these guys, these guys will pay me. They've got plenty of money. So I could just chill for a while, spend my florins, maybe go to some operas, you know, no reason not to enjoy myself.

I got two years just to hang out. Vienna, but then come November of 1891, I would take a walk down to the home of the little newborn nephew of Sigmund Freud named Edward Bernays. Bernays would go on to essentially invent modern advertising, [00:10:00] marketing, and public relations before Bernays. Advertising was really just about telling you how how good a product is, so that you want the product because it's good, right?

Through the work of Bernays and many others. But largely Bernays advertising becomes about convincing you that a product will make you the kind of person you want to be, right? which is, if you ask me what turns it into this, this horrible disease that it's become, and I'm not saying, don't get me wrong, I'm not saying I kill baby Edward Bernays.

I, you know, I don't think I'm a natural at killing babies. I think probably having killed one baby would would've taken the wind outta my sails. Probably made me very sad. So I wouldn't, I wouldn't kill, I wouldn't kill him, but I would, I slow him down a little bit, right? Would I put a little peach schnapps in his peach baby food?

I think I, I think I could do that. Just get just a little bit of brain damage. Make 'em a little dumber, right? I mean. Self defense, his influence is gonna give the entire world low grade brain [00:11:00] damage, essentially. So, you know, why not,

CJ: Get to

Dan Slimmon: and I,

CJ: whether, whether or not this type of advertising is inevitable. Like if he doesn't invent it, will somebody else. Um, oh.

Dan Slimmon: I mean, well, sure. Maybe Albert Lasker, so that's a good point. So.

CJ: Um.

Dan Slimmon: Albert Lasker maybe had a deep, deeper impact on advertising proper. Um, and, and I know about Albert Lasker, but, but like, do the math. I should probably, I have to kill Hitler first. Right? That's, that's a given. And then I should probably lay low for, for at least a year before I travel internationally, since, you know, I've just attacked my second baby.

So that puts us at 1892. Albert Lasker was born in 1880, so by the time, by the time I get to Albert Lasker, he's 12 at the youngest. Right? Like this is a very different proposition from smothering an infant. Now I'm fighting a 12-year-old, a Texas 12-year-old. I'm not confident I could win that fight,

CJ: This is,

Dan Slimmon: so

CJ: feel like this is, this is maybe getting out of hand a little bit.

Dan Slimmon: right.

CJ: killing of children, [00:12:00] um, to solve all of the world's problems. Huh?

Dan Slimmon: I agree. It gets outta hand. It gets outta hand pretty fast, which is why I haven't done it yet. yeah. So, and I can,

CJ: of a time machine is also a small, um,

Dan Slimmon: lack of a time machine is also a major factor. Yeah. Um.

CJ: Um.

Dan Slimmon: Right, right. And I may also have ru ruined 2025, right? Like if I go back to 20, I just advanced physics by 15 years, right?

Maybe, maybe Austria-Hungary now has the atom bomb by World War I. You know, I could have fucked up history even way worse than, than, um, if I had just not messed with things. So, you know, who knows? but, but anyway, as you say, I don't have a time machine anyway, so for now, this is all moot. Our, our actual story about cookies begins in the 1990s.

Um, and to, and to really paint a picture of how unavoidable advertising is by the 1990s. Here's Philip J. Fry from the animated series Futurama. Upon [00:13:00] learning that in the year 3000 companies now have technology to beam advertisements directly into your dreams.

Didn't you have ads in the 20th century? Well, sure, but not in our dreams. Only on TV and radio, and in magazines and movies, and at ball games, and on buses and milk cartons and t-shirts and bananas, and written on the sky, but not in dreams. No sirree.

Dan Slimmon: So, so Fry's f Fry's list is pretty good. but. since that episode aired, I would add a, a few more things to the list. Uh, the of of places where you see advertisements all the time. That includes gas pumps, in space. If you count the Tesla Roadster that Elon Musk sent up there and played some Spotify song, this big ad for SpaceX.

The web before cookies
---

Dan Slimmon: And then of course websites. You use these things. You've been on a website.

CJ: I, I, I am familiar with the concept of, uh, of, of a

Dan Slimmon: Yeah.

CJ: um,

Dan Slimmon: Once, once you built enough of 'em, you said you sort of, you sort of like lose the taste for visiting 'em, right?[00:14:00]

CJ: right. Recreational, um, uh, web browsing.

Dan Slimmon: yeah. It just doesn't do it for you anymore. Anyway, so let's talk about websites. You're, you're about, I think you're about my age. You must remember the early internet. How old were you when you first got on the internet?

CJ: Oh man. Uh, I wanna say somewhere around middle school. well, middle school is the first time I remember actually like, um, uh. Browsing the internet, like just going on, kind of noodling around, um, like visiting websites.

Dan Slimmon: Right. Right. Yeah. It was about 1994, 1995 for me, which was around middle. I was like 10 or 11,

CJ: Um,

Dan Slimmon: when my family first got an internet, internet connection.

CJ: my family also had dial up during this period, so that kind of limited

Dan Slimmon: yeah. Oh yeah. I, I would spend, I remember there was a, there was a Hawaiian Punch ad that I saw on TV where it [00:15:00] was like, go to this website and you could download a whole, like essentially audio play about the Hawaiian Punch guy. And I was like, I have to, I have to have it. And uh, it took like three hours to download this, you know, two minute long audio file.

CJ: It worth it.

Dan Slimmon: Um. Worth it, worth it. And of course, everything was worth it. And it immediately came to dominate my life. The internet. I, I mean, I could, I could email my friends, I could learn about bands. I could look up video game cheat codes, and, you know, and, and don't get me started on porn. I mean, wow. What a, what a what a time.

What a time to be alive.

it, it was, it was wonderful. The worldwide web just felt like a wonderful free place where you could get information and learn from different people around the world. There weren't really any stores yet, or web forums or Wikipedia or fucking, you know, websites you have to log into to make an appointment for your haircut or whatever, That's because these kinds of things are extremely hard to build without what we call session state. So [00:16:00] what's, what's session state? Um, you know, what session state is, but, but I, I think we all intuitively know. Yeah. I think we all, I think we all intuitively know what state is we, we talk about the state of the world.

The state of the union. You know, my, my parents used to get on my case about the state of my bedroom. State, state is just the totality of how something is at a given moment. And, and that's the sense in which we mean state when we talk about the web. So in 1993 on the web, there were only two kinds of state.

so you had your client state. State, which is the state of your browser client, basically means browser. So this is things like what site you have open, what images you have, cached. Where all the shapes and texts on your webpages are being displayed. That's stuff that's all in your browser.

And then you have server state, the state of the web server that serves you up. Content that that state is usually stored in a big, it's in memory on the, on the server. And it's, it's in, [00:17:00] there's a big database usually, uh, of, of data that, that's persistent. And that was it. Was it, that was all the state.

Each time your browser made a web request for imdb.com, which surprisingly did exist in 1993. Uh, it was like you were an entirely new person to the server and, and so was everyone else, which meant that the server couldn't distinguish between people, uh, and had no idea who you were. You would just get, you would just get the same content everybody else got right.

CJ: Like from the perspective of 2025, kind of beautiful, like, man, just every, every request is like this brand new open, white, open space of

Dan Slimmon: It's very beautiful.

CJ: uh, request possibly, possibly be coming from? Oh.

Dan Slimmon: that was, that was kind of nice. Like, like you say, like you get information trivially, um, and, and you don't have to worry about logging into anything or whatever.

but that also meant that [00:18:00] you couldn't save any of your IMDB preferences, right. You couldn't, you know, get. All those personalized recommendations that, that we all get from IMDB notifications when movies on your watch list open in theaters, vote you couldn't vote in IMDB polls, you know all these, all these modern IMDB features that are so essential to everyone's modern life, right?

CJ: As you're saying this, I'm realizing that I have never done anything on IMDB other than look up a specific movie and see if I, um, uh, if, if the particular cast member I'm thinking of, was in it or not.

Dan Slimmon: Yeah, same. Yeah, same. Uh, IMDB was maybe a bet.

CJ: into IMDB

Dan Slimmon: Yeah. I didn't, I didn't either. You, you can, I mean, the, the app is always asking me for my credentials and I'm always telling it, like, I don't, I just want to know if Tom Cruise was in this stupid fucking movie. So, you know, all you could do on it was, was just get information about movies and then, then leave.

right. And, and [00:19:00] so during, during this early era. With the, with only client state and server state, a lot of web applications that we would take for granted even a handful of years later were impossible to build, or at least extremely hard to build. you know, think about, think about the shopping cart experience, right?

You, you find an item you want, you click add to cart, and it gets stored in your cart. While you keep poking around the store and going to different pages, you know how, how, how could you build that with only client, state and server state

CJ: you would have to, uh, purchase each product in a completely separate transaction, which

Dan Slimmon: Yeah.

CJ: as I say that

Dan Slimmon: Again.

CJ: might not be the worst thing in the world, but

Dan Slimmon: You know, um, yeah. Now we're, now we're cooking with gas.

CJ: Right. We're just gonna fix the whole, whole web right here. Uh.

Dan Slimmon: Yeah, so we just, so we just didn't have shopping carts on websites. We just didn't have 'em. And, and it was widely known among web enthusiasts and software engineers that it would be very useful to have some kind of [00:20:00] consistency across multiple web requests between a user and a website. It was, it was, everybody was talking about it.

but every solution people came up with was rejected. Mostly they were rejected because of privacy considerations. So for example. One of the things people talked about was, Hey, what if a browser has a unique identifier that never changes? Then, then websites can keep track of, you know, browser seventeens, shopping cart and browser 94, shopping cart, and so on.

We think about that.

CJ: um, uh, that's, that's another sort of like quaint early internet. Like, um, remember when people were worried about privacy, um,

Dan Slimmon: Right?

CJ: not being identifiable, um, across websites, huh?

Dan Slimmon: Yeah, I mean, we've always been, um, we've, we've always been worried about that. Way back from the beginning. We've, there've been people who've been worried about privacy and a lot of this story about cookies is, is how, how the advertising industry,

CJ: How we lost

Dan Slimmon: uh, made an end [00:21:00] run around those people. Uh, right.

CJ: though, um, to, to, to be able to kind of imagine a world where, like you, you could, um, uh. You know, and, and this information would not be used for nefarious purposes.

Dan Slimmon: right. Uh,

CJ: might

Dan Slimmon: yeah.

CJ: ID that, uh, um, identifies you to websites and you won't have to log into each one separately.

But, um, then you poke at

Dan Slimmon: Don't worry.

CJ: bit more and it turns into a nightmare.

Dan Slimmon: The people making these websites all are all just care about knowledge and bringing knowledge to people.

CJ: Exactly. They would never, you know, correlate your activity across websites to uh

Dan Slimmon: Gimme a break. You're being paranoid.

CJ: oh.

Dan Slimmon: yeah. So I'm glad we didn't do that one. That's a privacy nightmare. instead we searched around for some kind of compromise and

Lou Montulli invents the cookie
---

Dan Slimmon: in 1994. The person who finally cut the Gordian knot and gave us the compromise that stuck for session State was a 20-year-old college dropout named Lou Montulli.

[00:22:00] Lou was a recent college dropout working for Netscape on their browser. Netscape Navigator. He was employee number nine at Netscape. And Netscape was a, was a thrilling place for, for a young software engineer to work. It had a bold vision of a decentralized worldwide web where everyone could own their own little slice, slice of the, their own little island of the internet.

And the, the islands would be connected by, by ships, you know, could sail from one island to the other, right? Not permanent bridges. you know, you could, go to somebody else's island and check out what's on their islands, kind of like, um. Animal crossing the, the early vision of the internet,

CJ: It's exactly what I was

Dan Slimmon: um, that Netscape had.

It was not everyone's vision. Yeah. Yeah. Um, I've never played, um, animal crossing, but my wife played probably 400 hours of it. So I've, I've seen, I know, know a little bit about know animal crossing.

so Netscape, so, what distinguished, so this, like this, this, vision. This decentralized vision distinguished Netscape from say America Online. AOL's attitude was like. [00:23:00] We are the web. The web is us. You'd, you'd open AOL and search for keywords and you'd land on AOL's content or some closely affiliated site.

It would try to keep you like inside AOL's small ring of trusted content providers. Right.

CJ: honestly, the

Dan Slimmon: pro.

CJ: the only piece of AOL software I remember is AOL Messenger, which is kind of its own little.

Dan Slimmon: I, I'll definitely do an episode on AOL Instant Messenger sometime. Um, I, I loved it. Uh, but there's, there's a, there's a, there's a, see there's a very seedy story there.

CJ: A

Dan Slimmon: net. So Netscape,

CJ: Oh.

Dan Slimmon: yeah. Dif different different episode. Different episode. Um. Right. So, so net, so Netscape envisioned the web in instead of being centralized, as being distributed over many independent sites connected to one another, only through like hyperlinks and shared protocols that were established among, among people, which, which is great, I think like that's a much better vision for what the internet should be like.

However, this decentralized model makes [00:24:00] the state problem even harder for Netscape than it is for AOL. Because, 'cause like if a, if as a user you're interacting with many different websites and you don't have prior trust relationships with any of them, then how can you establish sessions in order to, for example, buy things from them or use their discussion forum or, or whatever you wanna do without giving them personal data that they can use to track your, your private information?

CJ: A tricky problem.

Dan Slimmon: Exactly.

and so Lou Montulli is the guy who comes up with the solution to this problem. And that solution, which is quite elegant, is called the Cookie. And it works like this. You make a, you make a request. So let's say you're shopping on kazoos.com. Let's say you're shopping on fancy kazoos.com and you make a web request to add a new, you know.

elephant ivory kazoo to your shopping cart. The, the website sends a response to the request that you made, tags on a new header, uh, called Set-Cookie, a he a header, header's like a little bit of metadata that [00:25:00] tags along with web requests and, and responses and tells, tells you things other than the main content of, of what you're the, the, the, the transaction.

So, so the main part of a request says like. I want the webpage specified by this address, but the request also includes some number of headers that, that, that specify how you want the page returned, what kind of browser you're using and stuff like that. Right. Do you have a favorite HTTP header?

CJ: You know, um, I, I, I, um, I, I am fond of Set-Cookie as a, as a header.

Dan Slimmon: It's really good.

CJ: it's, it's pretty solid. There's, there's

Dan Slimmon: It's, it's one of the best.

CJ: um,

Dan Slimmon: Authorization kicks ass. Um,

CJ: Great

Dan Slimmon: here, let's see.

CJ: Oh,

Dan Slimmon: I'm not a huge fan of the Date header. I think that's a little unnecessary. Here, let's see. I'm gonna load example.com and see what headers I I get. I'll, maybe they'll remind me of all my favorite HTTP headers. I, uh, [00:26:00] Last-Modified, Last-Modified rules.

CJ: it's a great one. Love Last-Modified.

Dan Slimmon: They're great. I love HTTP headers. Great invention. So there's this new, there's this new cookie now that Lou Montulli is saying everybody should start setting called set cookie. And all this header does is in the response, you get a set cookie header and it says. Maybe like, maybe you requested youtube.com.

And youtube.com sends you a header in your response. That's, uh, says set cookie and then some text. And that that text can be any text that the server wants to send you in the set cookie header, essentially. Um, there's a little bit of, there's a little bit of formatting to it. Um, there's, there's like a couple pieces of even sub metadata inside the header, header field.

but. The, the, the like nut of the, of the Set-Cookie header is just an arbitrary block of text, and your browser is now supposed to hold onto that piece of text, save [00:27:00] it in memory, or save it on disk for later. And then when you, later, when you click, you know, click something else on the page or you load another page, part of the page. For example, you go to the add to cart page for that elephant ivory kazoo you were looking at. And uh, by the way, CJ, you should really look into the environmental impact of all these endangered-species kazoos you keep ordering, uh, I'll send you a New Yorker article about it, it's really irresponsible.

So, so you click add to cart, and the server says, okay, you know, I've added that to the cart, and also includes the header that says Set cookie, um, set dash cookie. No spaces with the value like shopping cart contains one ivory kazoo and your browser.

Saves that locally in the client state so that when you make your next request to forbidden kazoos.com or whatever it was, your, your browser sends another new request header with its request and that header just says [00:28:00] cookie, and it echoes back the contents of the cookie that was set by the set cookie header earlier.

CJ: So I feel like in this scenario, um, uh, the, the cookies are rapidly becoming a liability for me, um, purchasing these

Dan Slimmon: Hmm.

CJ: kazoos made of illegal materials. Um,

Dan Slimmon: Yeah.

CJ: I don't know, if this is, uh, you know, session, session state is a good thing for me in this scenario. Um.

Dan Slimmon: Yeah. Uh, the, if, if the FBI finds your, finds your cookies and it says you are ordering 20 plutonium kazoos, they're gonna have a lot of questions. Yeah. But, but, but also it allows you to build lots of incredible things, right? Like it's pretty, it's pretty ingenious. And also it's, it's a little bit of a privacy boon compared to the other ideas that they had. 'Cause like, you don't have to send, you're not sending the server anything about yourself. You're not telling it anything about yourself. It's coming up with a, with a, a string that it wants you to repeat back to it. Right.[00:29:00]

CJ: Um, so the, the, the protocol can, can remain stateless, but um, still, you're not stuck with, uh, this, this, uh. You know, as fun as it is for the, for the, to, to imagine the server, just sort of like having no idea who anybody is on, on any particular request.

Dan Slimmon: Right.

CJ: of a nice, it's, it's, it's, it's really pretty elegant techno, little, little bit of technology.

um,

Dan Slimmon: It is.

CJ: having the client echo, echo back these little bits of state to, to the server.

Dan Slimmon: It is, it's, it's, I'm, I'm not mad at it as an invention. I think it's pretty great. so like, you don't, you don't have to give the server any information about yourself in order to be, to be logged in or tracked. But, um, you might decide to give the website other information like your, your name or your credit card number or your, your mother's maiden name.

And then of course they can input in their database, they can associate that information you gave them with your cookie. Uh, by the way, CJ, what's your [00:30:00] mother's maiden name? Never mind, never mind. Don't answer that.

CJ: You're just,

Dan Slimmon: Um.

CJ: know, I see this podcast as a whole front, uh, social engineering front, so

Dan Slimmon: It was, dammit. I fucked up. I fucked up at the last, I fumbled the bag at the last minute.

CJ: it was a long setup, but, uh, you know,

Dan Slimmon: Well, listeners, uh, everybody just write in, tell me your mother's maiden names. Um, you know, maybe that'll, maybe that'll work.

CJ: up on,

um.

Dan Slimmon: Yes. You grew up on a street? Yes. Uh, so actually I think cookies are pretty good and they're pretty good for, um, privacy.

Origin of the name "cookie"
---

Dan Slimmon: Now why, why is it called a cookie though? What, what does any of this have to do with those sugary biscuits that we eat for dessert sometimes?

Well, uh, Lou Montulli. Got the name for something he read in a text in a software textbook, but he's not sure which one and he can't find it anymore. Uh, some cursory searching on Google Books turns up The Joy of X by Niall Mansfield, published in [00:31:00] 1993, which, which may be it, I, I'm not sure. This is the book, but it, it does mention a technique called magic cookie.

And this is where the server gives the client an arbitrary string of data, and then when the client connects, it's supposed to pass that data back to the server unaltered. And that's how the server knows that the client is allowed to connect to it because it has the secret data from earlier. that's still though, but go ahead.

CJ: Oh, I was just gonna say, I, I, that doesn't actually explain why it's called a cookie specifically.

Dan Slimmon: it really fucking doesn't. Does it? Yeah. Why would you call that a cookie?

CJ: I was so ready for the, for the reveal. I

Dan Slimmon: Right?

CJ: unsatisfied. Oh.

Dan Slimmon: This, this is the explanation you find everywhere. It's like, uh oh, they're called cookies because he found it in a book and it was a thing called a cookie in the book, and it's like, okay. But, but why though? Uh, well, here's, here's Lou Montulli in a 2023 interview explaining it

This concept was called a cookie or a magic cookie, [00:32:00] and it's, uh, it's really akin to a fortune cookie in which you have a message written, uh, into a cookie, uh, or a fortune cookie, and then that is held by somebody and then the cookie returned back to that person. And the, you know, the message is read, uh, at that point.

CJ: Still

Dan Slimmon: Okay.

CJ: explanation of the name, but take it.

Dan Slimmon: that's not how fortune cookies fucking work. I've never gone to a Chinese restaurant and gotten a fortune cookie, and then when the waiter comes back later, I have to give the fortune cookie back to her unopened so she can verify that the fortune inside was the same fortune she gave me earlier.

CJ: this will be kind of a fun ritual I have to say.

Dan Slimmon: Yeah, sure,

CJ: Here's a fortune cookie. Remember to give this back to me before I leave. What? Or before you leave. Oh.

Dan Slimmon: sure, sure. But it would be called something else.

CJ: yes. Um, I can, I [00:33:00] can see, I can see the, like the fortune cookie analogy where there's like, um, there is some secret information. Hidden inside this thing, and you have to break it open

Dan Slimmon: guess

CJ: to, see it.

But yeah, the, the, the cookie exchange part is pretty hilarious.

Dan Slimmon: you're, uh, you're more, you're more charitable than I am to metaphors. Yeah, I, and that's as far as like that's, I mean, he's the, this is the guy and that's, this is the most he says about why it's called that. So I don't fucking know.

CJ: I love how many things like that there are in, in computing history where it's like, why is it called this? Or why does it work that way? And it's like, ah, I just, you know, I had to call it something and.

Dan Slimmon: Right.

CJ: was thinking about fortune cookies. So, um, now

Dan Slimmon: was, yeah, I was hungry. I'd just gone. I, I wanted to go out for noodles. Yeah, I was, it's like, uh, we're using Bugzilla and so we're gonna call it our tool. Go Jira, go, go Zilla. And now it's called Go Jira. And now it's called Jira. Uh, right. Doesn't, doesn't make, it, doesn't have to make sense. That's how, that's how names are, I guess.

anyway, so [00:34:00] e even though it has a, an inappropriate name, this cookie mechanism that Lou Montulli invents is wildly useful. You can use it to build so many kinds of web applications that couldn't exist before. Now that the server can keep track of data about the user across sequence of requests. We can build shopping carts, reading apps that bookmark your place.

Paid subscriptions, web games that take longer than one sitting to play chat rooms, forums, email, clients, you name it. All be on the web now because of this extremely important invention. The cookie.

1999's Sexiest Internet Mogul of the Year Award
---

Dan Slimmon: Um, by the way, did you notice that sexy music earlier?

Uh,

uh, let's, let's, let's hear it again just to make sure we, we, we know.

Remember how sexy it was? Yeah. Music like that really makes you wonder: did the editor of this interview wanna fuck Lou Montulli? Well, if they did wanna fuck Lou Montulli, they're not alone.

Uh, because in 1999, Lou Montulli was one of the runners up for People magazine's Sexiest Man Alive award. He was named the [00:35:00] Sexiest Internet Mogul.

CJ: now I gotta know who else was, was competing for that category.

Dan Slimmon: I don't know who else was in the Internet Mogul category. It was 1999. I can't, I can't imagine they would put Bill Gates on the list. Uh,

CJ: Surely not.

Dan Slimmon: surely not Bill Gates. I don't know. I don't, they're not sexy to me.

CJ: accounting for taste, but uh.

Dan Slimmon: Um, the winner, the winner was, uh, the winner for that year was Richard Gere. So, you know, no shame to Lou Montulli. You can't, can't be Richard Gere for sexy. Um. Also the Rock was one of the runners up, now known as Dwayne Johnson.

CJ: What a strange

Dan Slimmon: yeah. What a strange time. It was. Like who?

CJ: there was, an entire, uh, I'm, I'm still stuck on the fact that there was an entire subcategory of internet

Dan Slimmon: Yeah.

CJ: um, in the sexiest man alive

Dan Slimmon: Yeah. Peter Thiel.

CJ: field.

Dan Slimmon: Thiel was around then. Maybe it could have been Peter Thiel instead, but it was, it was, [00:36:00] um, Lou Montulli

Cookies get a standard
---

Dan Slimmon: anyway, so he comes up with this cookie idea and initially he just circulates his proposal internally at Netscape and his coworkers love it. It goes out in October of 1994 as part of Netscape Navigator, and websites start using cookies right away because of all the awesome shit I just listed that they can build now. Um, so, so Lou's cookie invention was hugely popular and it attracts the attention of the IETF, uh, which is the Internet Engineering Task Force. So the IETF is a volunteer organization of mostly software engineers and researchers who collaborate mostly by email to develop standards for the web.

And the IETF wants to write some standards around what cookies are and how they work, right? Because at this point, the only source of truth about what cookies are and how they work is Navigator. You know, there are other browsers. There's Mosaic, uh, which was developed by a sentient hyper libertarian egg named Marc [00:37:00] Andreessen.

Microsoft is working on a browser. Then there's, there's all this web server software like Apache that is gonna be responsible for sending the, the Set-Cookie headers. All this stuff has to agree on how to behave and how to communicate for cookies to, to work consistently, right? Uh, so the IETF wants to write a well thought out, well specified standard for how session state is gonna work on the web so that all the clients and servers will, will, you know, agree on exactly how to do things.

Otherwise, it would just be chaos.

CJ: At this point, is this a kind of a, a new idea in, um, had, had, had we gotten to the point of like any kind of browser standardization at all before this? Um, um, or was, was, uh, or, or cookies, the, the. Primary thing that just kind of, uh,

Dan Slimmon: so there, they're all, it's not a new idea.

CJ: drove

Dan Slimmon: It's not a new idea. Um, because the IETF has been working on, I mean, they've been, they've been around for a long time. Coming up. First they had to come up [00:38:00] with like the layer two protocols, and then they had to come up with the layer three protocols. And, uh, you know, by this time they've gotten to HTTP.

Right. And they've, they've written a lot of, they've, they've written a lot on what HTTP is and how HTTP works. There's, there's other headers that the IETF has defined in there. Right. Um, but cookies became one of the hardest ones for them to, to write a standard on. There are already, by this point, by, by December of 1995, when the IETF gets to, to writing this document, there are already hundreds of websites using cookies.

Hundreds. Can, can, can you believe that? Cj? Hundreds of websites. That's so many websites.

CJ: Literally hundreds. There are dozens of them.

Dan Slimmon: Yeah. Yeah. Uh,

CJ: Oh.

Dan Slimmon: it's, it's, uh, it's very funny to read these emails 'cause you can still go back and read all the emails. The IETF publishes all of their emails, uh, in their working groups and they archive them online. So I, I, I went back and I read [00:39:00] a bunch of the emails from this, from the beginning of this RFC process, and you get to see the whole conversation among all the people.

Um, which is a fascinating resource.

CJ: It did. It is interesting to know. I didn't, I didn't, I didn't realize that this, um, uh, creating the spec for cookies was kind of like a thing that happened after they were starting to be

Dan Slimmon: Yeah, yeah, yeah. Yeah.

CJ: which is, you know, not an uncommon thing to happen in general as like somebody comes up with this cool idea for, um, you know, a new technique and then, uh, start using it.

And then after the fact it's like, oh wait, we need to actually this and sort of agree and, um,

Dan Slimmon: Right.

CJ: how it's going to be used.

Dan Slimmon: Yeah. Wait, hold up.

CJ: upfront, um, design. Uh,

Dan Slimmon: Uh, exactly.

CJ: um.

Dan Slimmon: Yeah. And so the IETF is kind of playing catch up here, um, as they, as they often are, and so Lou Montulli starts working with David Kristol of Bell Labs under the auspices of the IETF on an, on an [00:40:00] RFC for session state management. RFC stands for Request for Comments, and an RFC is a document usually like 10 to 20 pages long that specifies how a given protocol on the web will work.

Cj, are you familiar with RFCs?

CJ: uh, again, like websites, I am generally familiar with the idea. I've seen, seen one or two in my time,

Dan Slimmon: I am, I am kidding. Of course, because,

CJ: a handful.

Dan Slimmon: CJ and I have both written and read lots and lots of RFCs during our time working together, and we are fucking sick of RFCs.

CJ: They're, they're, they're, they're a great invention and also a terrible

Dan Slimmon: That's right. Much like cookies.

CJ: oh yes, exactly. Oh,

Dan Slimmon: Uh, but they're, yeah, they're right. They're very use, they're very useful. You need 'em.

CJ: uh, I'm sure this RFC is extremely tedious. Like our, all, all of the best

Dan Slimmon: Yeah.

CJ: um,

Dan Slimmon: If it's not tedious, what's the point?

CJ: exactly.

Dan Slimmon: [00:41:00] Uh, yeah. It's, it's incredibly grueling to write this RFC. Writing an RFC, any RFC, involves a ton of back and forth discussion and edits and more discussion, more edits. And that goes double for cookies because everybody has an opinion about this, and, and the idea is super, super controversial. Most people recognize the need for some protocol to serve this function of, of session state, but the question of what exactly it should be and how exactly it should work becomes the subject of many long, long, long email threads.

Um, you know, it's a, it's a democratic process. A democracy is hard.

CJ: Governing by consensus is always its own

Dan Slimmon: Exactly,

CJ: Oh,

Dan Slimmon: that's part of the thing. You have to, you have to come up with gr we have to reach a gr um, um, a rough consensus. And that a lot of the discussions in the, that, in the threads are about like, what does rough consensus really mean though is would this count as a consensus? So it's just shut the fuck up and make the protocol guys.

CJ: I [00:42:00] don't actually know how the IETF, is there, is there a, like a formal definition of consensus or,

Dan Slimmon: Not really.

CJ: oh.

Dan Slimmon: Yeah. It, it's kind of just what it, what it feels like.

CJ: of people arguing with each other until somebody stops. Uh, somebody, somebody gets too

Dan Slimmon: Like,

CJ: to

Dan Slimmon: like all democratic processes, right? It's, it's all just stuff we made up and we, and a lot of latitude is left to the people in the process to convince each other that things are acceptable, right?

CJ: Oh.

Working group discussions foreshadow trouble
---

Dan Slimmon: So, yeah, so I read one of these, it's one of these threads from December of 1995, so right at the very beginning of the cookie RFC project, which has the subject "Making progress on state info," which is a very funny subject for this process that would end up taking like two and a half years.

Uh, and in the, in the first email in this thread, David Kristol says, quote, "Whether or not there's a rough consensus, there's another important issue: will the browser vendors actually implement it? Absent their acceptance, this whole exercise is academic." Hmm. [00:43:00] Yes.

CJ: point. it's only coming up, um, well into

Dan Slimmon: Right.

CJ: discussion.

Dan Slimmon: Great point, Dave Kristol, let's put a pin in that. Also in this email thread is a Dutch engineer named Koen Holtman, and near the end of this email thread, uh, I like this guy. He seems like kind of a pain in the ass. I like him. Um, and near the end of this email thread, Holtman posts a long response containing the incredibly prophetic warning:

"If less ethical service providers implement a large scale user tracking scheme using persistent cookies, the discovery of that scheme and subsequent media coverage may cause a crisis in user trust that will impact on the acceptance of all web applications." That

CJ: Oh man.

Dan Slimmon: bad, right?

CJ: talk about the gift of prophecy. Wow. Um,

Dan Slimmon: Yeah.

CJ: well, partial prophecy, I guess. Um.

Dan Slimmon: Spot fucking on in [00:44:00] December, 1995. Um, too bad. Too bad, and he couldn't, couldn't do anything about it.

RFC 2109 and unverifiable transactions
---

Dan Slimmon: eventually in February of 1997, the IETF publishes this RFC, which is RFC 2109, and contrary to the modern reputation of cookies, it has a lot of very good and reasonable privacy protections in it.

Any given cookie is supposed to be allowed only to be set for a specific domain. So when a server sets a cookie for you, that cookie domain has to be the same domain that your browser made a request to in the first place. So, for example, say you make a request to your favorite website, www.clownpenis.fart, and the website tries to give you a cookie with a domain of, you know, virus.hacker.

RFC 2109 says your browser must reject that cookie because the domain doesn't match. Great idea, right? We don't want clownpenis.fart giving us cookies for virus.hacker. Yeah. Smart. Um, another, another protection, and this is, this [00:45:00] to me is the most interesting thing in the document, is that by default, browsers should reject any cookie they receive during what's called an unverifiable transaction.

So what does that mean? Right?

CJ: Yeah. What does that mean?

Dan Slimmon: Transaction just means an exchange between the client and the server where the client sends a request and the server sends a response to that request. That's a transaction. The RFC says, quote, "A transaction is verifiable if the user has the option to review the request-URI prior to its use in the transaction. A transaction is unverifiable if the user does not have that option."

CJ: Interesting. I'm not sure I know what that means. That actually means in practice, um

Dan Slimmon: So say I'm, say I'm browsing clownpenis.fart again. You just can't, can't keep me off that website. And on clownpenis.fart, there's an image that's hosted by a different domain, EdwardBernays.com. So my browser says, oh, let me go fetch that image from EdwardBernays.com. That image fetch, [00:46:00] when it go, when it goes to request that image.

Uh, that would be an unverifiable transaction because I, the user, didn't get a chance to read that image's URL before my browser went and fetched it.

CJ: Gotcha. Okay. well that's, uh, that says pretty, pretty, pretty broadly applicable.

Dan Slimmon: Seems like a great idea, right?

CJ: Yeah. Yeah. Uh, it seems like a fantastic, fantastic addition to the, to the cookie protocols. Uh

Dan Slimmon: Very smart. Very smart.

CJ: Can't send, send cookies to, to random other websites. Uh.

Dan Slimmon: Um, unfortunately, what he's describing here is the exact way that, in the modern, on the modern web, advertisers track you with third party cookies. That's exactly, this is exactly how they do it. They put a little tiny image in the page. I mean, they do it a bunch of ways, but one of the main ways is they put a little tiny image in the page that's loaded from their domain and then you, um, request it and they give you a cookie when you request it.

Right.

CJ: The infamous Facebook.

Dan Slimmon: The Facebook pixel. Perfect. That's [00:47:00] exactly right. That's exactly right. The Facebook pixel. man, Facebook, I have an episode, I'm writing an episode on the Metaverse coming up, and God, I didn't, I knew Facebook had many crimes to answer for, but, uh, the, you know, it's just crimes all the way down

CJ: Oh man. Oh.

Dan Slimmon: anyway. Um,

CJ: Uh, this is off topic for the

Dan Slimmon: yeah.

CJ: but did you read, um, uh, that, blanking on the name right now, but the, the book that the Insider, um, book about, about Facebook that came out relatively recently by the, the person who was, is, was at least nominally in charge of, Facebook's, um. Interactions, like international relations, um, like, um, it is wild. Um,

Dan Slimmon: I'll find the name, find the name of it for me. Send me that. I, uh, I will read that.

CJ: Is, yeah, it's wild and very good, but also yeah, full of, full of, full of crimes and

Dan Slimmon: incredible.

CJ: like Mark Zuckerberg wants to meet this foreign president, [00:48:00] um,

Dan Slimmon: Oh boy. I. I can't wait. I, I can't wait to, to, I, mark Zuckerberg is one of my very favorite people to talk shit about, so I'm very excited about the Metaverse episode. Uh.

Web growth explodes, standards can't keep up
---

Dan Slimmon: Okay, so, so they had this, they had this unverifiable transactions thing written into the RFC, which is very, very reasonable and would would've prevented, uh, ad networks from, from tracking us with third party cookies across the web.

but like I said, it was a real slog to get this RFC out. It took a long, long, long, long time. Uh, the, the first Netscape Navigator release supporting cookies came out in October of 1994, and it wasn't until February of 1997, so 28 months later, that RFC 2109 was published. And meanwhile, in those 28 months from October 94 to February 97, the following things happened.

Amazon.com made its first $10 million in sales, a [00:49:00] website called AuctionWeb, later, later known as eBay, hosted more than 200,000 auctions, GeoCities registered hundreds of thousands of amateur web "homesteaders," they called them, to make personal websites on their platform, and software behemoth Microsoft launched their own web browser, Internet Explorer, which had its own implementation of cookies and had grown to about 20% of the browser market share. That, that all happened within those 28 months. That is a shitload of growth in the World Wide Web over a very, very short period of time. And it's all dependent on cookies.

CJ: I assume at this point the IETF is getting more and more stressed out because they haven't finished this

Dan Slimmon: They're, they're, they're shitting themselves in frustration as they watch all this happen. I mean, my God,

CJ: would, would we have ever gotten that RFC at all? If, if it hadn't happened though? If they hadn't, if, would they have just argued themselves in circles for infinity?

Dan Slimmon: pop, pop, pop, pop possibly. I mean, they do, they do publish things eventually. [00:50:00] Um, it's just, you know, it's herding cats. Engineers are the worst kind of cats to herd.

CJ: Of course. Yeah. Um, getting, getting, you know, what is, what is, what is the joke? If you have three engineers a room in a, in a room, you have four different opinions. Um.

Dan Slimmon: This is, uh, I'm sure you know this, this is a familiar feeling to, to you and me, uh, CJ and to anybody who's written RFCs in their job you're still writing, you're still coming up with the best way to do it, and you're watching it.

Just get overtaken by events and real time as somebody, as, as people do a completely different thing and you realize like, even if I finish this, nobody's, it's gonna be irrelevant by the time it's finished.

CJ: and you're kind of stuck in this position where you're like trying to, we are weirdly trying to get people to slow down on actually doing things so that you can finish writing about

Dan Slimmon: Yeah,

CJ: the thing. Um, honestly, like I am, I'm, I'm kind of like making fun of the IETF here, but I am deeply sympathetic with

Dan Slimmon: absolutely.

CJ: They're like, we wanna really think this through and like make sure that we're doing, we're handling this technology in a responsible way. [00:51:00] Um, and meanwhile

Dan Slimmon: Meanwhile, Microsoft's just like cookies for everyone.

CJ: chaos.

Dan Slimmon: Um, yeah. It's very, very frustrating and it gives me nightmares.

Targeted advertising becomes possible
---

Dan Slimmon: Uh, now content publishers and browser vendors weren't the only ones keeping busy during this heady era of the mid to late nineties. As soon as Netscape Navigator introduced cookies in 94 immediately, and I mean immediately ad networks look at this and realize how much fucking money this is gonna make them.

As long as they can make sure that this unverifiable transactions rule never gets implemented, they can start collecting browser histories for everyone on the web who loads their ads. So like, you know, Alice goes to www.ferrets.com. Her browser loads an ad for ferret pajamas. That ad is hosted by a different domain, ad.doubleclick.net.

She gets assigned a unique cookie for ad.doubleclick.net. And then the next day Alice goes to, you know, e [00:52:00] everyone's favorite website, fancykazoos.biz, and loads another ad that's also from ad.doubleclick.net, which is the domain she has a cookie from, from earlier. And so now DoubleClick can be like, ah, this is the person from earlier who likes ferrets.

So, so the next time Alice loads the page, they can send her a targeted ad, which is a new concept for like a kazoo shaped like a ferret or maybe a kazoo that a ferret can play. I don't know. Um, point is.

CJ: Somehow there's crossover between these two, um, two

Dan Slimmon: Well, it's just Alice, but they can, but they, now they know there's one person out there and they can sell her this, you know, the yield for this, for this ad, these targeted ads will be immense, like 10 times higher than the, than the yield for a, um, a regular non-targeted ad. So if they can make this work, you know, the, the model is gonna become unbelievably lucrative for, for online ad platforms, who, remember, are absolute shameless bottom feeders that shouldn't be allowed to exist.

CJ: This [00:53:00] is, um, again, again, one of those stories of much like Jira of, uh. Of a a, a, tale of like with something, something with, with such good intentions, like, oh, we'll we will, we will have a, have a way for, for clients and browsers to, to share state this, um, uh, relatively privacy protecting way. Um, that, uh, just kind of took a, took a wrong turn somewhere.

Dan Slimmon: It is very sad. It took a wrong turn in 1892 when Edward Bernays was born. Now, so the ad platforms aren't doing targeted ads right off the bat. It takes a while. You, you need some infrastructure to build, to, to make that happen, um, which we'll talk about in part two, but, but one of the things they do right away is they get together with each other, and they start sharing cookies with each other in order to build more sophisticated models of, of consumers. Um, man, if only somebody could have predicted that, [00:54:00] that, that they might do that. Maybe, maybe somebody Dutch. Oh, well,

CJ: Yeah. What, what was, what was the name of that guy? Um, uh, I've already

Dan Slimmon: Koen Holtman.

CJ: Uh, before his time, I wonder if, I wonder if he, he ever looks back on, um, that email and,

Dan Slimmon: I,

CJ: um, it's just like, wow. Um.

Dan Slimmon: if I, if I were him, I would post it on the door to my office, just so everybody knows how right. I was. Um,

CJ: never let anybody forget again, um, how

Dan Slimmon: yes,

CJ: Uh,

Dan Slimmon: would be so fucking smug and nobody could talk to me. So anyway, by 1998, the ad networks are already building sophisticated user profiles based on shared data, which of course has been collected invisibly and without consent.

Um, and I, I, you know, I just. Not to belabor the point, I just find this so repugnant. I mean, here we are users of the web and we're trying to [00:55:00] go to websites. We're just trying to go learn about things that interest us on the web, you know, satisfy our curiosity by learning, which is a beautiful thing. Maybe look at a little porn, but mostly we're reading Wikipedia or we're reading like encyclopedias or whatever.

We're, we're, we're learning, we're, we're learning about our bands, our favorite bands and stuff. The, the content publishers, the people making the websites. Don't even know this is happening either. They're, they're just trying to make a little money from advertisements while they, while they, while we, you know, download their content.

And then these, these parasites, these absolute fucks show up and turn the whole thing into a way to spy on us so they can more effectively sell us Labubus.

CJ: in some ways I feel like it's almost inevitable that, um, something like that would have come up, but man, such a, such a, such a, sad story of, of good intentions gone wrong,

Dan Slimmon: Sure. Yeah. I, I can't, I'm not like, there's nobody who's come up in this story yet, because we haven't talked, been talking about the ad people, who I would [00:56:00] say like, you, you ruined it. All right. They were all, everybody was making reasonable decisions. Um, and it all got, it all got corrupted because of the way we organize our society.

CJ: I mean, in some ways I can't totally like, The, the, the vision of targeted advertising, at least to some extent, is like, we will show you advertising for stuff that you're actually interested in.

Dan Slimmon: yeah. Right.

CJ: we'll, uh, you know, uh, help you, help you discover new things that you might not other otherwise have come across because of your interests.

Dan Slimmon: Yeah, that's how they want you to believe that it, they're thinking about it, right? But, but like,

CJ: I know that's

Dan Slimmon: it just makes it harder to ignore. If it's, if it's a targeted ad, then I can't, then it's harder to ignore, which is the point. But then that's the only thing I ever wanna do to ads, is ignore them, preferably not be shown them in the first place.

CJ: if there must be ads, at least let them be targeted as pretty, pretty grim

Dan Slimmon: yeah. right.

CJ: itself.

Dan Slimmon: Just make them,

CJ: there [00:57:00] be

Dan Slimmon: make them all be ads for cigarettes, you know? Then, then, then I can get,

CJ: Everybody loves

Dan Slimmon: I can get like very good at not looking at the, any picture of a cigarette that I see. So like, you, you may be wondering, wait, what ha, what about all that verifiable transaction stuff that was in the RFC?

How, how is DoubleClick assigning all these third party cookies? Aren't these unverifiable transactions? And, and they are. Uh, according to RFC 2109, if you didn't explicitly type ads.doubleclick.net into your browser address bar, then your browser should not accept cookies from ads.doubleclick.net.

Sorry. Not, not just "should not": "MUST NOT," in all caps. Right. That's how we do things in RFCs, is if, if we really want something to never happen, we write MUST NOT in all caps,

CJ: was it bolded though? Huh?

Dan Slimmon: uh. I don't, I think they don't, I think they only had ASCII back then. So,

CJ: Oh, this is all.

Dan Slimmon: however, first of all, [00:58:00] RFC 2109 isn't even out yet. They're, they're doing this, they're doing all the, they're sharing the cookies before the RFC's even out. David Kristol's still trying to herd these goddamn cats, right?

And second of all, even once 2109 does come out, the browser companies are gonna have basically zero interest in implementing it. I mean, cer certainly, certainly not Microsoft. They, they've, Microsoft has entered the advertising business themselves with MSN, which launched in 1995. And, and Netscape, I mean, Netscape is moving fast and breaking things.

They're, they're widely criticized for inventing their own de facto standards like they did with cookies, and then just ignoring what the IETF thinks.

CJ: As old as

Dan Slimmon: right,

CJ: Oh,

Dan Slimmon: right. Um, surely, surely we would never do that anymore. So.

CJ: we in the modern and uh, in the modern world would never go ahead and ship something that hadn't been thoroughly examined by

Dan Slimmon: Certainly not. Certainly not.

The ad industry responds to RFC 2109
---

Dan Slimmon: so basically RFC 2109 comes out and everyone [00:59:00] just ignores it. Actually, that's not true. Not everyone ignores it. The advertising industry goes fucking ape shit over it. Dave, Dave Kristol later wrote that the advertising networks felt that the language in RFC 2109 was "a dagger aimed at the heart of their business."

And they were kind of right. Uh, that is, that is where the dagger was aimed, and that is exactly where the dagger should have gone because fuck these companies and for a while. It looked like the dagger might actually be driven home. And so the ad platforms banded together in November of 1999 to form a trade group called the Network Advertising Initiative.

The very, the very first version of the NAI's website promised forthcoming information on: disclosure of data; notice and choice about personally identifiable information; ad delivery data, like who got what ad; ad management and reporting data; and third party compliance audits, presumably like checking [01:00:00] if they're handling privacy appropriately.

That's what they wanted, that's what they wanted the, the regulatory scheme for, for online ads to be like, and I find it breathtaking how well these bullet points from 1999 describe the state of the web advertising accountability landscape in 2026. I mean, this is the regime that came to be. We got privacy policies, we got reporting, um, we got opt-out instead of opt-in.

The only part that didn't really come true was the audits, because at least in the US we never ended up passing any significant laws to regulate these dipshits. Anyway, so you know, some dagger.

CJ: Yeah, some dagger that's, not to to, to belabor the analogy, but was turned aside by the armor of money.

Dan Slimmon: Many such cases.

RFCs 2964 and 2965
---

Dan Slimmon: now the IETF didn't just give up. Once it becomes clear that RFC 2109 is dead in the water, Kristol and Montulli write another RFC on cookies, RFC 2965, [01:01:00] which supplants the earlier one in October of, of 2000, and this new RFC is accompanied by a companion RFC.

They released two of them together as a, as a twofer. Um, the companion is called "Use of HTTP State Management," by Keith Moore and Ned Freed, and that's, that's less of a technical specification and more of like a, a set of recommendations about how companies and people should use cookies and how they should not use them.

Um, so the technical one, RFC 2965, defines a new header to replace Set-Cookie, which is called Set-Cookie2. And it has somewhat different behavior. And as you've, as a software engineer, I'm sure you've seen many examples of, of a new thing replacing the old thing being called the old thing two, and you know about how well that generally works.

CJ: Either that I, I feel like there's two possible outcomes of, of that naming scheme. And one is that there's a lot of questions in, uh, in a few [01:02:00] years about why, what happened to, to, to version one of this thing. Why do we call this thing two? or we, they, they, uh, thing two never, never gets adopted at all.

Dan Slimmon: Mm-hmm. Mm-hmm. Um, well, have you ever heard of Set-Cookie2?

CJ: never heard of Set-Cookie2, I feel like that's uh

Dan Slimmon: Yeah, everybody was like, we already have cookies. They're working fine. Fuck off. The other one is very interesting. It, it, it's a very interesting read. It makes statements like "HTTP state management MUST NOT," again, all caps MUST NOT, "MUST NOT be used to leak information about the user or the user's browsing habits to other parties beside the user or service without the user's explicit consent."

It also says it is generally inappropriate to use the HTTP state management protocol as an authentication mechanism. So basically, don't let cookies leak user data to third parties, [01:03:00] and don't use cookies for authentication.

CJ: We know how well...

Dan Slimmon: We know now, uh, how well that worked. These are the two most common things that cookies are used for on the modern web. This is what you use cookies for.

CJ: I'm trying to imagine other use cases...

Dan Slimmon: right? Right.

CJ: I'm sure there are some, but...

Dan Slimmon: Yeah. You'd have to search pretty long to find other uses that are current for these things. That's what we use them for. Um,

CJ: Uh,

Dan Slimmon: It is very funny that this is still the IETF's official stance on how they should be used. Yes.

CJ: So we've all just politely ignored the...

Dan Slimmon: Right. It reminds me of how Q-tips were never supposed to be inserted into your ear canal, but that's how literally everyone used them, and most people probably still do. So now [01:04:00] they have this completely ineffectual warning on the box, that nobody reads, about how you should never stick a Q-tip in your ear.

CJ: Which everybody promptly ignores.

Dan Slimmon: Just completely ignores.

CJ: It feels great to stick a Q-tip in your...

Dan Slimmon: It's awesome. And it feels great. It feels great to send somebody an authentication cookie.

CJ: Similarly...

Dan Slimmon: Yeah.

CJ: Um, for the server, I'm sure.

Dan Slimmon: Yeah.

CJ: Oh.

Dan Slimmon: So, but if you ever hear the noises that servers make in the data center when they're sending people cookies, it's pretty obscene. Uh.

So long for now
---

Dan Slimmon: So now we've witnessed the half-decade-long slow-motion train wreck in which cookies go from being a perfectly reasonable solution to a privacy challenge to being the keystone of the absolute privacy nightmare that is the modern web.

Um, you know, we got to watch the piece of shit that is the advertising industry hit the fan of browser non-compliance, and now we know why everything's covered in shit. So, uh, next week, [01:05:00] we'll talk about some of the efforts that we've undertaken as a society to get all this shit off ourselves. So look forward to that.

How you doing, CJ?

CJ: I feel like I've really, um, expanded my understanding of cookies today. I kind of love that the origin story for cookies is this, uh, you know, back and forth between a bunch of engineers trying to stay ahead of, you know, trying to, like, stay ahead of the avalanche, so to speak, of...

Dan Slimmon: It's...

CJ: ...of, uh, people trying to make money off...

Dan Slimmon: It's so easy to imagine myself in their shoes, right? And how awful it would be.

CJ: Um, I can also imagine myself in the shoes of, like, um, somebody working in one of these browser companies...

Dan Slimmon: Yeah.

CJ: ...being like, well, we can't wait for the committee to sign off on everything we do.

Dan Slimmon: Right, right. Uh, and...

CJ: ...trying to let people bid on, uh, [01:06:00] auctions or whatever.

Dan Slimmon: Right. Microsoft is bundling their browser with their operating system. Can they do that? That's crazy.

CJ: Yeah.

Dan Slimmon: Eating our whole entire market share. We don't have time to change the way cookies work. Are you fucking joking?

CJ: ...participate in this, you know, however-many-message-long email thread about...

Dan Slimmon: Right. Um,

CJ: c.

Dan Slimmon: Well, this is one of the few Technology Blows episodes where I think the first part is more depressing than the second part, but I'll let you be the judge of that. Um, anyway, thank you for being here. Um, get some rest. You know, I know... We thank you for being here when you're sick.

I know that's not easy. Uh, I really, really appreciate you.

CJ: It was a lot of fun. Um, hopefully I didn't cough too loudly, um, in a way that you can...

Dan Slimmon: You coughed at the perfect volume. And thank you, listeners, for being here. If [01:07:00] you like this show, uh, please follow our social media: we're Tech Blows on Bluesky and TikTok, Technology Blows on YouTube and LinkedIn, and we love you.

Until next week, I'm Dan Slim and this is Technology Blows.

See you around.
