Dex Pokorny is not a real person. He is, however, a plausible one — a composite drawn from documented accounts of Netscape's engineering team in 1994, built to carry a true story in a voice that belongs to no one in particular and could belong to several people who were actually there. The technical history is real. The opinions are invented. The bewilderment is probably accurate.
We spoke over video call. Pokorny, 56, was in what appeared to be a home office in Bend, Oregon. Behind him: a bookshelf, a framed photo of a trout, and a coffee mug that read "I SURVIVED THE BROWSER WARS." He wore a flannel shirt and seemed amused that anyone wanted to talk to him.
You were at Netscape in the summer of 1994, when HTTP cookies were first implemented. What was the actual problem you were trying to solve?
Dex: Shopping carts. That's the whole thing. HTTP is stateless, by design. Tim Berners-Lee wanted it that way. Every request is a stranger walking into a store for the first time. Which is elegant if you're serving physics papers at CERN, but MCI wanted to sell stuff online, and their constraint was they didn't want to hold session state on their servers.[1] So the question was: can you make the browser remember something between page loads?
That's it. That's the whole question.
That sounds almost trivially simple.
Dex: It was! Lou had the idea to take the old Unix magic cookie concept and adapt it for HTTP.[2] A website hands your browser a little piece of text. Your browser hands it back next time. Server recognizes you. Shopping cart persists. Done. We wrote the spec in, I don't know, a few days? Four pages.[3]
There were fourteen people at the company.
Dex: Something like that.[4] We were shipping a browser. We were not convening a standards body.
Here's what I find striking about the documented history. The team explicitly considered and rejected a simpler solution: just giving every browser a unique ID.
Dex: Right. That was the obvious approach. Permanent identifier, baked into the browser, websites read it, done. And we looked at that and said absolutely not. Because if every site can read the same ID, they can compare notes. You've just built a tracking system. Lou was very clear on this. That was a privacy nightmare.[5]
So the cookie was the careful version. Domain-restricted. Your bank sets a cookie, only your bank reads it. The store can't see your bank. The bank can't see your store. That was the entire point.
So the thing that became synonymous with online surveillance was originally the privacy-preserving alternative.
Dex: [laughs, then stops laughing] Yeah. We sat in a room and said "the easy solution is dangerous because it enables tracking." And then we built the thing that actually enabled tracking, just through a mechanism we hadn't imagined yet.
I sometimes think the easy solution might have been more honest. At least everyone would've known what it was.
I'm not sure I believe that, actually. I think we were right to reject the universal ID. But the irony is... considerable.
When did you realize something had shifted?
Dex: '96. Ad networks figured out that if they served ads from their domain across a bunch of different publisher sites, they could track you everywhere those ads appeared.[6] And the domain restriction worked exactly as designed. A cookie from site A couldn't be read by site B. But if DoubleClick is serving ads on both sites, then DoubleClick's cookie follows you across both.
We hadn't thought about that because in 1994 there were no ad networks. There was barely advertising on the web at all.
Koen Holtman apparently warned the IETF working group about something like this as early as 1995.[7]
Dex: He did, and he was right. But here's the thing people don't appreciate about 1994. There was no JavaScript. No SSL. No XML.[8] The web was documents. The idea that a third-party advertising server would embed itself on thousands of sites and use your cookie mechanism to build behavioral profiles? You might as well have warned us about drone warfare. The conceptual vocabulary didn't exist yet.
The IETF did try to fix it. RFC 2109, published February 1997, recommended blocking third-party cookies by default.[9]
Dex: Yep.
And Netscape — your employer — ignored it.
Dex: [long pause] Yep.
Can you say more about that?
Dex: I can say that by 1997 we were in a war with Microsoft that we were losing badly. Lou has talked about this publicly. He was fighting to get the third-party recommendation implemented, and it just... didn't happen.[10] The browser was the product. The product needed market share. Advertisers were a constituency. Users who understood cookie mechanics were not.
I don't want to make it sound like there was a villainous meeting where someone said "let's enable surveillance capitalism." It was more that the people who understood the problem couldn't make it matter enough to the people making shipping decisions. And Microsoft wasn't going to block third-party cookies either, so doing it unilaterally looked like handing them market share for free.
You're describing a situation where the people who feel the consequences aren't the people who can act.
Dex: Worse than that. The people who were going to feel the consequences didn't even know yet. In 1997, "online privacy" was a niche concern. The Financial Times had broken the cookie story in '96,[11] there was some noise, but the average person using Netscape Navigator had no idea what a cookie was. Let alone that ad networks were building profiles. You can't advocate for a problem you don't know you have.
Your four-page spec became the foundation of an industry worth hundreds of billions of dollars.
Dex: Surreal. I solved a shopping cart problem. I did not build an advertising platform. But the mechanism, the plumbing, turned out to be load-bearing for an economy nobody was planning.
Lawrence Lessig put it well: before cookies the web was essentially private; after cookies it became a space capable of extraordinary monitoring.[12] He's right. But that monitoring wasn't in the spec. It was in what other people figured out you could do with the spec.
Do you feel responsible?
Dex: For the cookie? No. For the third-party loophole? I feel like we should have seen it. But I also think if it hadn't been cookies, it would have been something else. The money was going to find a way. We just made it easy by accident.
The thing that haunts me isn't that we built it. It's that we tried to fix it, and it didn't matter. RFC 2109 was a real attempt. Documented, published, specific. Ignored. That's the part I still don't have a good answer for.
The cookie is finally dying now. Google's been trying to deprecate third-party cookies for years.
Dex: [laughs] "Trying" is doing a lot of work in that sentence.
But yeah. Thirty years. That's how long it took to undo a decision that fourteen people made in a few days, that an IETF working group tried to reverse within three years, and that the entire industry decided to keep anyway.
Four pages. Thirty years. Maybe don't write specs in a hurry. Or maybe it wouldn't have mattered if we'd taken a year. The shopping cart worked. Everything else was someone else's idea.
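As an added illustration of the domain scoping Pokorny describes and the third-party loophole it left open (example code written for this page, not Netscape's or anyone else's; hostnames and cookie values are constructed), here is a toy browser cookie jar that applies the Netscape domain-match rule, with an optional RFC 2109-style switch that refuses cookies set or sent in a third-party context:

```python
"""Toy model of Netscape-style cookie scoping and the RFC 2109 third-party rule.
Added example, not code from the page; all hostnames and values are constructed."""
from dataclasses import dataclass, field


def domain_matches(host: str, cookie_domain: str) -> bool:
    """Netscape/RFC 2109 domain-match: the host is the cookie domain or a subdomain of it."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


@dataclass
class Browser:
    # RFC 2109 recommended True by default; Navigator shipped with the equivalent of False.
    block_third_party: bool = False
    jar: dict = field(default_factory=dict)  # cookie domain -> {name: value}

    def set_cookie(self, top_level: str, responder: str, name: str, value: str) -> bool:
        """responder sent Set-Cookie while the user was viewing the page at top_level.
        Returns False when the cookie is refused as third-party."""
        third_party = not domain_matches(top_level, responder)
        if third_party and self.block_third_party:
            return False
        self.jar.setdefault(responder, {})[name] = value
        return True

    def cookies_for(self, top_level: str, request_host: str) -> dict:
        """Cookies attached to a request to request_host made from the page at top_level."""
        if self.block_third_party and not domain_matches(top_level, request_host):
            return {}
        sent = {}
        for cookie_domain, cookies in self.jar.items():
            if domain_matches(request_host, cookie_domain):  # domain restriction, as designed
                sent.update(cookies)
        return sent


def simulate(block_third_party: bool) -> dict:
    """Bank and store each set a first-party cookie; both pages embed the same ad host."""
    b = Browser(block_third_party)
    b.set_cookie("bank.example", "bank.example", "session", "s-1")
    b.set_cookie("store.example", "store.example", "cart", "c-9")
    accepted = b.set_cookie("store.example", "ads.adnet.example", "uid", "u-42")
    return {
        "adnet_cookie_accepted": accepted,
        "bank_sees_store": "cart" in b.cookies_for("bank.example", "bank.example"),
        "store_sees_bank": "session" in b.cookies_for("store.example", "store.example"),
        "adnet_on_store": b.cookies_for("store.example", "ads.adnet.example"),
        "adnet_on_bank": b.cookies_for("bank.example", "ads.adnet.example"),
    }
```

With the switch off, the ad host receives the same `uid` cookie from both publisher pages even though the bank and the store never see each other's cookies; with it on, the third-party cookie is never stored and the cross-site correlation disappears.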
Footnotes

1. Wikipedia, "HTTP cookie" — MCI's constraint and the shopping cart origin: https://en.wikipedia.org/wiki/HTTP_cookie
2. Lou Montulli, "The reasoning behind Web Cookies" (2013): http://montulli.blogspot.com/2013/05/the-reasoning-behind-web-cookies.html
3. lcamtuf, "HTTP cookies, or how not to design protocols" (2010): https://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html
4. Montulli, commenting on lcamtuf's blog, on team size in summer 1994
5. Montulli's blog (2013) and Quartz interview (2021): https://qz.com/2000350/the-inventor-of-the-digital-cookie-has-some-regrets
6. Digital Content Next, "To understand where the cookie is headed" (2020): https://digitalcontentnext.org/blog/2020/11/16/to-understand-where-the-cookie-is-headed-lets-look-at-its-history/
7. Digital Content Next, referencing Koen Holtman's 1995 warning to the IETF working group
8. Montulli, commenting on lcamtuf's blog: "JavaScript or any web browser scripting language did not exist, nor did SSL or XML"
9. Wikipedia, "HTTP cookie" — RFC 2109 publication and third-party cookie recommendation
10. Montulli, Quartz interview (2021), on fighting the third-party cookie battle while losing the browser war to Microsoft
11. Governing with Code case study, "Cookies" (academic): http://governingwithcode.org/case_studies/pdf/Cookies.pdf
12. Lawrence Lessig, quoted in Governing with Code case study
