Lou Montulli invented the HTTP cookie in June 1994 at Netscape. He was 23 years old. His goal: solve the shopping cart problem. Web pages had no memory—add something to your cart, click to another page, and the cart forgot you existed. The cookie fixed that. But within two years, advertisers discovered they could exploit it for cross-site surveillance. The Financial Times broke the privacy story on February 12, 1996 (Digital Content Next). The IETF tried to fix it in 1997 by recommending browsers block third-party cookies by default. Netscape and Internet Explorer ignored them.
The 1996 Hack That Changed Everything
The original cookie design was privacy-focused. Montulli explicitly rejected creating a permanent browser ID because that would enable exactly the kind of cross-site tracking that now dominates the internet. A cookie from yourstore.com could only be read by yourstore.com. That was the whole point.
“That’s the one gotcha we had,” Montulli said later (Quartz), referring to third-party cookies as the unintended consequence of his invention.
The gotcha: ad networks figured out a workaround. If doubleclick.com served ads on both Site A and Site B, they could set their own cookie on your browser from both sites. Suddenly, they knew you visited Site A, then Site B, then Site C. Cross-site tracking was born—not from the cookie technology itself, but from how advertisers exploited it.
What Montulli Actually Built
The HTTP cookie is a small text file stored on your device to maintain state between page loads. Before cookies, the web was stateless—each page request was independent, with no memory of what came before.
This created practical problems:
- Shopping carts couldn’t exist. No way to remember items between pages.
- Logins couldn’t persist. Every page required re-authentication.
- Preferences couldn’t stick. Language settings reset with every click.
Montulli, one of the founding engineers of Netscape Navigator (Hidden Heroes), invented cookies to solve these problems. The technology was elegant: a small piece of data the server could store on your browser and retrieve on subsequent visits. Cookie patent US 5774670 was granted in 1998.
You may be interested in: Your Shopping Cart Cookie Is Not the Enemy: Separating Essential Cookies From Tracking Cookies
The Timeline of Corruption
June 1994: Montulli invents the cookie at Netscape. First cookies ship in Netscape Navigator beta. Design explicitly prevents cross-site tracking—cookies are domain-specific.
1995-1996: Ad networks realize they can bypass the single-domain restriction. By serving ads from their own domain across multiple publisher sites, they can track users everywhere those ads appear.
February 12, 1996: The Financial Times breaks the cookie privacy story. The public learns cookies exist—and that advertisers are using them for surveillance. This is less than two years after the invention.
1997: The IETF working group recommends blocking third-party cookies by default (Digital Content Next). This would have stopped surveillance advertising before it started. But Netscape and Internet Explorer ignored the recommendation. The business model was already too valuable.
1998: Cookie patent granted. By now, the advertising industry has built its surveillance infrastructure on the third-party cookie exploit.
2024 and beyond: Browsers finally start doing what the IETF recommended in 1997. Safari blocks third-party cookies. Chrome announces deprecation. Thirty years too late.
First-Party vs. Third-Party: The Critical Distinction
Understanding the difference matters for every store owner dealing with privacy regulations:
First-party cookies are set by the domain you’re visiting. When yourstore.com sets a cookie, only yourstore.com can read it. This is Montulli’s original design. Your cart cookie, login session, and site preferences work this way. These face minimal regulatory restrictions because they serve legitimate single-site purposes.
Third-party cookies are set by domains other than the one you’re visiting. When an ad network serves ads across thousands of sites, they can track you across all of them. This is the 1996 advertising hack—not a feature of cookies, but an exploitation of how browsers implemented them.
The villain isn’t the cookie. The villain is the business model that corrupted it.
You may be interested in: People Don’t Hate Cookies—They Hate Being Followed
Why This History Matters Now
Understanding cookie history prevents bad decisions today:
Don’t disable all cookies. First-party cookies enable basic functionality. Your WooCommerce cart breaks without them. The problem was never first-party cookies—it was third-party surveillance.
Don’t conflate analytics with advertising. Tracking your own site’s visitors (first-party) is different from cross-site surveillance (third-party). The regulatory frameworks distinguish between them for good reason.
Recognize what’s actually changing. Browsers blocking third-party cookies are finally implementing what the IETF recommended in 1997. They’re not attacking cookies—they’re attacking the advertising hack that corrupted cookies.
The First-Party Future
As third-party cookies die, first-party data collection becomes essential. The technology Montulli invented—single-site, privacy-respecting, functional cookies—remains valid. What’s dying is the advertising industry’s exploitation of it.
First-party server-side tracking operates in this original spirit. Data flows through your domain, for your purposes, without enabling cross-site surveillance. Transmute Engine™ runs as a first-party Node.js server on your subdomain—data.yourstore.com collecting your analytics, not ad networks building profiles across the internet.
The technology was never the problem. The business model was. And the business model is finally being corrected.
Key Takeaways
- Lou Montulli invented cookies in June 1994 at age 23 to solve the shopping cart problem
- The original design was privacy-focused—explicitly rejected cross-site tracking
- Advertisers discovered the exploit by 1996—third-party cookies enabled surveillance
- The IETF recommended blocking third-party cookies in 1997—browsers ignored them
- First-party cookies remain legitimate—the villain was the advertising hack, not the technology
Lou Montulli invented the HTTP cookie in June 1994 at Netscape when he was 23. He created it to solve the shopping cart problem—web pages couldn’t remember what you’d added between page loads. The original design was privacy-focused and explicitly rejected permanent browser IDs.
Advertisers discovered the third-party cookie exploit in 1996, within two years of the cookie’s invention. By placing cookies from their ad-serving domains across multiple websites, they could track users across the internet—exactly what Montulli tried to prevent.
First-party cookies (set by the site you’re visiting) aren’t the problem. Third-party cookies (set by ad networks across multiple sites) enable cross-site surveillance. The cookie technology was fine—the advertising business model corrupted it.
Ready to collect data the first-party way? Learn how Transmute Engine works →
