When Tim Berners-Lee pr… When Tim Berners-Lee prop… When T… When Tim Bern… oh come on! When Tim Berners-Lee proposed the idea
for the World Wide Web back in 1989, he wrote about a “universal linked
information system”. His exact words: “a place to be found for any
information or reference which one felt was important, and a
way of finding it afterwards”. Three decades later, and you’ve possibly
noticed that the web is a bit of a mess. What happened to that
universal information system? What even is a cookie, and
why do we need to accept them? There are two reasons that
the web is terrible right now: first, advertisers. And second, people. ...I actually just realised that I just
implied that advertisers are not people, and there’s some really interesting stuff
about corporate personhood and, employees acting as a
hive-mind there, and-- Anyway! Let’s talk
about the advertisers. The first versions of the web
were simple. Text and images and links to other text and images.
You could use forms to send information, but the whole thing was ‘stateless’.
This means neither the web browser nor the web server kept track of you
from one page to the next: you just sent a request for a document,
you got the document back, and that was it. If you submitted a form, that one response could be
tailored, but after that, nope, the server’s forgotten about you
because it can’t tell you apart from anyone else who’s using the same network. Now this wasn't, long-term, a great plan. In theory you could hack together
something more complicated, send forms back and forth, and people
did build things like that, but they’d break very, very easily. It was impossible to have something
both reliable and personalised. Then in 1994, a programmer called
Lou Montulli, who was building a web browser at a company called
Netscape, came up with “cookies”, adapting an old computer science
technique called “magic cookies”. They were so useful that every other
browser started to use them as well, and they got built
into the web standards. A cookie is “client-side storage”:
your web browser sends the request to the server, as usual, but the server sends back
two things: the page you asked for, and a little text file called a cookie
that your browser then saves. After it’s saved, every time that browser
makes a request to that same server, it sends the cookie along with it.
So that cookie could contain your preferences: if you choose “dark mode”,
then the browser would now send a “dark mode” preference, in that cookie,
every single request. If the server asked for it,
then that cookie would last even if you closed the browser,
and restarted your computer. For years and years and years. Or a cookie could be used for
authentication: so after you’ve logged into a site, that site gives your
browser a cookie that’s just a long, random string of characters. But because no-one except the server and that cookie
have that long string of characters, it can act like a password: the browser sends it
back along with every page request, and the server looks at it and
goes “oh, yeah, I remember you”. The designers of cookies looked at that,
and they knew that they could be used to track people, so there was a
very, very important rule for privacy: from the very start, only the site that set the
cookie can read the cookie back. Except. Because of the way the web
is built, sites can include material from other servers. A web page can
pull in an image from somewhere else, or some scripting code, or even an
entire other web site, included in a frame. And those other servers could
all set and read their own cookies. “Third-party cookies”, they were called. So when web pages included advertising,
well, those adverts came from the advertising company’s servers, so those advertisers
could set a cookie that tracked people across the entire web. If the same
ad company partnered with loads of different web sites, they could start
building up some very detailed profiles. No, they might not know who you
are at first. But they knew you visited that web site about your hometown, then
you visited that web site about your college, and then you visited that web site about
a very specific medical condition. Oh, and then you bought something
from an online shop, so they can work behind-the-scenes combine the details from that shop
and their cookies, and add your name and address
to the profile. All those fancy “share with Facebook”
buttons? Well, yeah, loads of them could report back to Facebook where
you were going. "Hey, this person's looking at all these sites!
So now you can tailor adverts for them!" Which is why you could be on a site that seems
to be completely disconnected from Facebook, and still see adverts that were uncannily linked to
things you’ve been thinking about. It took a long while before
regulators decided that, maybe, advertising companies having
enormous databases on basically everything that people were thinking
might be a bit of a privacy problem. The European Union acted
first. The “Cookie Law”, which was the euphemistic name for, um,
this mess... meant that all the EU member
countries had to put a law in place requiring consent to place cookies. That wasn’t particularly well-thought-out, because “consent” requires clicking OK, and if there’s a confusing box
in between the average person and the article they want to read, look, nearly everyone is
just going to just click OK. And by this point, browser makers
were starting to give users options to block third-party cookies anyway,
so advertisers were adjusting, they were tracking people not through cookies,
but through “fingerprinting”: looking at all the apparently-innocent
individual quirks of how that exact computer was set up
and how it rendered a web page. The fonts you had installed, the size of your monitor,
the web sites you've visited in the past, all things that individually appear
innocent and safe but which together uniquely identify each person. Browser makers and advertisers ended up in
an odd war with each other about privacy: occasionally a civil war, given that one of the
most popular browsers and also one of the major advertising companies were under the same corporate umbrella. So later, the General Data
Protection Regulation, GDPR, put even stronger requirements in
place, at least for EU citizens. Not just “no cookies without consent”:
no tracking without consent. At all times, the user must have full knowledge
what they are signing up for, and must consent to it.
Even if the company’s not in the EU. Even if they’re storing data
on EU citizens "outside", it still applies to them. The potential maximum fine is 4% of the
company’s global annual revenue. Not profit, revenue. Or €20 million, whichever is higher. And yeah, sure, maybe the EU couldn’t
easily fine an all-American company, but they can definitely stop them
doing business in Europe if they don't pay. So all the advertisers had two options. Number one: stop tracking people! Or number two, add a big box on each page
saying “hey, is it OK if we track you?” And legally, you should
be able to easily say no and still access the site. Opting out should
be a simple, one-click process. And anyone who’s been on the web
lately knows that’s often not true. So, yes, at least some of those popups
and frustrations are because of advertisers. Certainly, they normalised
the idea of intrusive popup boxes. But why can they put those
boxes there in the first place? The web is built around freedom
of design. It’s one of the most fundamental principles: within the
box that the web browser gives you, a designer can put almost anything. For decade after decade after decade, programmers have pushed the limits
of what’s possible: someone has even managed to emulate an
entire Windows 95 computer in the web browser. I don’t mean just making a web page
look like Windows 95, I mean an entire virtual machine that thinks
it’s running on regular computer hardware but is actually just simulated
in code, in a web browser. And that's incredible! Give people power to create and
some will make amazing things. But some will look at the ability
to run almost any code and put almost anything on screen,
at least within that box, and go “maybe I can get some more newsletter signups
if I interrupt the reader”. Or "maybe I can make people’s browsers
mine cryptocurrency in the background "while they’re on my site!" So the war starts again. Most web browsers now have a separate view
that you can switch into, that shows just
the text you want. It might be called “article view” or “reader mode”. The browser tries to figure out what the main content is,
what the user actually wants to see, and puts just that text on screen. Stripping out the adverts,
removing all the popup boxes, and, yes, losing all the creativity
and design that the web allows. But that ‘reader view’ is a lot closer
to Tim Berners-Lee’s original design: a place for information, and
a way to find it afterwards. Of course, there are already techniques
to detect and defeat reader view, and make sure that the user has to see the
adverts, or the newsletter popups, or whatever else. Every bit of freedom that a
designer has for creativity and good is also freedom for abuse.
That’s true not just on the web, but in every single aspect
of the online world.