Echoes
A 1994 session-state hack became the foundation of internet advertising. Google spent five years trying to remove it, then stopped trying.
Echoes
A 1994 session-state hack became the foundation of internet advertising. Google spent five years trying to remove it, then stopped trying.
The Cookie That Couldn't Be Killed
In 1994, a Netscape engineer needed websites to remember shopping carts. He made three small design choices: cookies would set silently, persist across sessions, and be readable across sites. Practical, almost obvious. Those same three properties turned out to be the exact foundation that behavioral advertising would later require at scale. By the time anyone tried to undo them, the cookie was load-bearing for an industry worth hundreds of billions of dollars. Google spent five years trying. The story of what happened is also the story of why it couldn't.
The Cookie That Couldn't Be Killed
In 1994, a Netscape engineer needed websites to remember shopping carts. He made three small design choices: cookies would set silently, persist across sessions, and be readable across sites. Practical, almost obvious. Those same three properties turned out to be the exact foundation that behavioral advertising would later require at scale. By the time anyone tried to undo them, the cookie was load-bearing for an industry worth hundreds of billions of dollars. Google spent five years trying. The story of what happened is also the story of why it couldn't.
The Replacement Nobody Wanted
Google spent six years engineering a replacement for third-party cookies. The Privacy Sandbox moved ad targeting onto the device through Topics API, Protected Audience, and Attribution Reporting. Technically functional. Also, by every independent measure, significantly less capable than what it replaced.
Criteo's testing showed publisher revenue dropping 60%. Index Exchange measured CPMs falling by a third. Latency doubled. And the whole time, third-party cookies kept working fine in Chrome's 70% of the browser market.
By October 2025, Google began retiring the major APIs. The only survivors, CHIPS and FedCM, solved problems without asking anyone to sacrifice performance. Everything that required the ad industry to trade revenue for privacy died waiting for volunteers who never showed up.
We Solved a Shopping Cart Problem — A Fictional Interview About the Birth of the Cookie
CONTINUE READINGCompounding Consequences
The Consent Layer That Can't Keep Up
A session-state mechanism from 1994 sits beneath a $900 million compliance industry. Cookie consent banners interrupt every site visit in Europe, powered by platforms that largely fail at what they promise. Each regulatory layer was built to manage the consequences of the one before it. The regulation meant to finally clean up the whole structure was recently withdrawn. What remains is a stack of workarounds, still compounding.
The Split Web
The same mechanism also fractured the web along a seam most people never notice. Safari and Firefox block third-party cookies by default. Chrome does not. Which privacy architecture governs your browsing depends on which browser icon you tap. Advertisers now maintain parallel infrastructure for both regimes. The split exists because the original cookie was never replaced. Half the web removed it. The other half kept going.
Further Threads
Past Articles
IPv6 launched in 1994 to solve address exhaustion. Thirty years later, adoption hovers around 45%. HTTP/2 launched in 20...
Teams writing browser automation tests today assume certain infrastructure just works. Write a script monitoring ai...
India processes 2.5 billion authentication transactions monthly through a system that verifies identity locally. When a ...
HTTPS worked perfectly in 1995. Banks used it, e-commerce used it, everyone else ignored it for twenty years. This Octob...