It's ridiculous to suggest that this was somehow all nefariously intended by Google et al. How do you then explain that's what Firefox has done all the way up until now?
No -- it's just how cookies were meant to work from the start, the most obvious implementation before the privacy/security/tracking implications got worked out, which has taken many years.
And Google's working to make similar improvements to Chrome:
https://blog.chromium.org/2020/01/building-more-private-web-...
So not "insane" at all. To the contrary, it was entirely reasonable at the beginning, and now we see browsers reasonably addressing the problems that have arisen.
> How do you then explain that's what Firefox has done all the way up until now?
The fact that for a long, long time the vast majority of Firefox's income has come from search engine partnerships, a category Google dominates?
Also: Firefox has been rather poor about user privacy. Integrating third party stuff that's difficult to remove, like Pocket, for example.
There was the whole "Looking Glass" debacle where they dropped in a Mr. Robot promotional plugin into Firefox completely silently.
When someone posted in bugzilla about it, the project manager for the plugin made the thread employee-only. It was then changed back to public briefly, before disappearing for good, reportedly being locked so even employees can't see it:
Ask yourself: "why is a bug filed about a promotional plugin so secretive that not even employees can view it?"
BTW: Guess where that project manager used to work before she worked at Mozilla? Answer: an online advertising and analytics firm (according to her LinkedIn profile at the time.)
2) This is completely irrelevant to user privacy, because Pocket doesn't exfiltrate any data. The source code for the integration is open source, you can go look this up yourself.
Couldn't a smart person have figured out exactly how that cookie model could be abused like, within days of it existing? Was it really something that only got figured out with time?
In the early days, the internet was seen as a massively playfield-leveling and decentralizing force ("the net interprets censorship as damage and routes around it"), not a massively centralizing one (Facebook is the world's only newspaper).
In a model where everything is decentralized and leveled, no player is big enough to worry about.
A smart person could have figured it out, but it was extremely unlikely.
The economics sub-discipline of economic geography was being developed at about the same time as Eternal September.
The key insight (one of the key insights) from that research is that as the absolute cost of transport goes down, previously insignificant differences in cost become important. This leads to the development of "hubs" - centralization.
(Here we're talking about information transport, and the cost being time per bit.)
But as you say, at the time the tech world could never have believed that centralization was the default expectation, nor designed things to compensate.
The classic text is Fujita, Krugman and Venables, MIT Press 1999, The Spatial Economy.
The internet observation is an adaptation of the original work on goods trade to other transport forms. I forget where I first read it--sorry! Maybe someone like Clay Shirky, but not the man himself.
Someone could, and people did. DoubleClick was founded in 1995 and was using cookies for tracking user interest across sites by 1997 (or earlier; hard to pin down). There was lots of discussion of this at the time:
Any web site that knows your identity and has cookie for you could set up procedures to exchange their data with the companies that buy advertising space from them, synchronizing the cookies they both have on your computer. This possibility means that once your identity becomes known to a single company listed in your cookies file, any of the others might know who you are every time you visit their sites. The result is that a web site about gardening that you never told your name could sell not only your name to mail-order companies, but also the fact that you spent a lot of time one Saturday night last June reading about how to fertilize roses. More disturbing scenarios along the same lines could be imagined. There are of course many convenient and legitimate uses for cookies, as Netscape explains. But because of the possibilities of misuse we recommend disabling cookies unless you really need them.
https://web.archive.org/web/19970713104838/http://www.junkbu...
(Disclosure: I work in a part of Google that's descended in part from DoubleClick. Speaking only for myself.)
Thanks, that’s what I was thinking, that advertisers figured it out early on, and they aren’t smarter or dumber than the rest of the professional population, so this shouldn’t be some surprise that took years to work out.
(I personally remember thinking exactly that, that cookies allow universal tracking, as soon as I learned of the concept, but I don’t want to put too much stock into that belief because of the possibility of hindsight bias and misremembering.)
The entire internet was built on the assumption of good actors and until recently non-secure protocols & models were the default.
Only in the past decade has there been serious consideration for encryption and security on the internet.
Before Let's Encrypt was launched in 2014, HTTPS was the exception, rather than the norm. It was only in 2016 that greater than 50% of internet traffic was encrypted.
Secure DNS is still very much a work in progress.
BGP was built with the assumption of good actors, and doesn't include any security mechanisms.
Email still doesn't have any good options for E2E encryption.
The first cookie RFC, rfc2109 (1997), was even more conservative:
An origin server could create a Set-Cookie header to track the path of a user through the server. Users may object to this behavior as an intrusive accumulation of information, even if their identity is not evident. (Identity might become evident if a user subsequently fills out a form that contains identifying information.) This state management specification therefore requires that a user agent give the user control over such a possible intrusion... -- https://datatracker.ietf.org/doc/html/rfc2109#section-7.1
Early versions of Internet Explorer used to follow this and prompt about cookie storage all the time, to everybody’s great annoyance. Eventually it defaulted to always allow.
Now with GDPR prompts we’ve come full circle, but instead get the UI of the web site instead of the user agent, allowing all kinds of dark patterns to be exploited and requiring re-prompts all the time for those of us who don’t allow the page to keep cookies in the agent.
> How do you then explain that's what Firefox has done all the way up until now?
Google is historically the largest financial contributor to Mozilla (paying for the spot as default search engine) and thus has always had leverage on what they do with FF.
There were a few years there where Moz flexed on Google by making Yahoo the default, but then switched back to Google last year. My guess is they had to show Google they were willing to go elsewhere in order to regain some of their autonomy, which is why it's only in the last couple of years that FF has been willing to add default customer privacy features despite directly hurting FB/Google's ability to track users.
Advertising targets trust Google. There is no reason for them not to trust this company. Google has the privacy of its advertising targets as its highest priority.
Mozilla gets 90+% of its operating budget via a deal with Google, but Firefox development is not influenced at all by Chrome. Totally independent.
Big Tech exists for users, not advertisers. Privacy must come first and money must come second. That's why we have more privacy than ever and Google does not make much money. Government regulation is totally unnecessary. All incentives are aligned toward greater privacy.
Google will "build a more private web" for its advertising targets. Sorry advertisers. :(
Mozilla was doing this literally before Google existed. The origins of how cookies work predate Google as a company let alone as an advertiser platform. At the time Netscape was not beholden to an advertising company at all.
The previous poster is correct on their historical analysis. Your comment does not change the accuracy at all.