In 1994, Lou Montulli needed HTTP to remember things. The protocol that made the web work was stateless by design. Every request arrived as if from a stranger. Good for simplicity. Useless for shopping carts.

Montulli, a 22-year-old engineer at Netscape, adapted a concept from Unix programming called a "magic cookie." A small text file. The server sends it to the browser; the browser sends it back on subsequent requests. HTTP now had memory. The cart worked.

The fix was modest. Montulli was solving one specific problem: bolting state onto a protocol that had deliberately avoided it, with the lightest possible mechanism. The kind of engineering decision that gets made on a Tuesday and ships on a Thursday.

The advertising industry found the second use. A cookie set by an ad network could follow a user across every site hosting that network's ads. Third-party cookies turned Montulli's stateless-protocol patch into the substrate for a surveillance infrastructure worth hundreds of billions annually. The small text file that gave HTTP memory gave the ad industry something more consequential: continuity of identity across the open web.

By the time the privacy implications became politically unavoidable, the dependency was structural. Safari blocked third-party cookies by default in 2020. Firefox had been blocking known trackers since 2019. But Chrome held roughly 65% of the browser market, and Chrome was made by the company whose advertising business depended most on the infrastructure Montulli's patch had enabled.

In January 2020, Google announced the Privacy Sandbox: a suite of new APIs to phase out third-party cookies in Chrome "within two years." What followed was six years of incremental proposals and mounting paralysis. Advertisers feared the replacement would hand Google an even larger advantage, since Google had first-party data from Search, Gmail, YouTube, and Android that competitors lacked. The cookie had become a competitive equalizer, and the companies that relied on it understood that better than the company trying to remove it. The UK's Competition and Markets Authority scrutinized whether the new APIs would be anticompetitive. Google delayed the timeline repeatedly. By July 2024, the company had reversed its deprecation plan entirely. Third-party cookies would stay.

Meanwhile, the attempt at removal had generated its own weight. Ad-tech companies built for both futures simultaneously. Publishers maintained dual infrastructure. Thousands of organizations hedged against a transition that never arrived, absorbing costs that were individually manageable and collectively enormous. The announcement of a transition had created its own constituency. Companies that had invested in Privacy Sandbox APIs now had reasons to advocate for their continuation. Companies that had built workarounds now had parallel systems to maintain regardless of outcome. The longer the transition took, the more expensive it became to complete.

Then, in October 2025, Google confirmed that most Privacy Sandbox APIs were being retired, citing low adoption. The initiative designed to replace the workaround was itself abandoned. Six years, and the thirty-year-old text file outlasted the project meant to succeed it.

A trillion-dollar company spent half a decade trying to remove a small engineering patch and couldn't. The text file itself was trivial to replace. The economic and political dependencies layered on top of it had become something else entirely, something no single actor could unwind after decades of ad spend, competitive dynamics, and regulatory scrutiny had made them load-bearing.

The protocol is still stateless. The workaround is still doing the remembering.