You have hindsight.

In the early days, the internet was seen as a massively playfield-leveling and decentralizing force ("the net interprets censorship as damage and routes around it"), not a massively centralizing one (Facebook is the world's only newspaper).

In a model where everything is decentralized and leveled , no player is big enough to worry about.

A smart person could have figured it out, but it was extremely unlikely.

The economics sub-discipline of economic geography was being developed at about the same time as Eternal September.

The key insight (one of the key insights) from that research is that as the absolute cost of transport goes down, previously insignificant differences in cost become important. This leads to to the development of "hubs" - centralization.

(Here we're talking about information transport, and the cost being time per bit.)

But as you say, at the time the tech world could never have believed that centralization was the default expectation, nor designed things to compensate.

Can you provide further reading on the insight that shows the formation of hubs/centralization? It seems interesting.

The classic text is Fujita, Krugman and Venables, MIT Press 1999, The Spatial Economy.

The internet observation is an adaptation of the original work on goods trade to other transport forms. I forget where I first read it--sorry! Maybe someone like Clay Shirky, but not the man himself.

>A smart person could have figured it out, but it was extremely unlikely.

Additionally, would they have been listened to?

Sure, the realization might taken a decade but the change took two decades at least. So it seems a little late.

Someone could, and people did. DoubleClick was founded in 1995 and was using cookies for tracking user interest across sites by 1997 (or earlier; hard to pin down). There was lots of discussion of this at the time:

Any web site that knows your identity and has cookie for you could set up procedures to exchange their data with the companies that buy advertising space from them, synchronizing the cookies they both have on your computer. This possibility means that once your identity becomes known to a single company listed in your cookies file, any of the others might know who you are every time you visit their sites. The result is that a web site about gardening that you never told your name could sell not only your name to mail-order companies, but also the fact that you spent a lot of time one Saturday night last June reading about how to fertilize roses. More disturbing scenarios along the same lines could be imagined. There are of course many convenient and legitimate uses for cookies, as Netscape explains. But because of the possibilities of misuse we recommend disabling cookies unless you really need them. https://web.archive.org/web/19970713104838/http://www.junkbu...

(Disclosure: I work in a part of Google that's descended in part from DoubleClick. Speaking only for myself.)

Thanks, that’s what I was thinking, that advertisers figured it out early on, and they aren’t smarter or dumber than the rest of the professional population, so this shouldn’t be some surprise that took years to work out.

(I personally remember thinking exactly that, that cookies allow universal tracking, as soon as I learned of the concept, but I don’t want to put too much stock into that belief because of the possibility of hindsight bias and misremembering.)

The entire internet was built on the assumption of good actors and until recently non-secure protocols & models were the default.

Only in the past decade has there been serious consideration for encryption and security on the internet.

Before Let's Encrypt was launched in 2014, HTTPS was the exception, rather than the norm. It was only in 2016 that greater than 50% of internet traffic was encrypted.

Secure DNS is still very much a work in progress.

BGP was built with the assumption of good actors, and doesn't include any security mechanisms.

Email still doesn't have any good options for E2E encryption.

> Couldn't a smart person have figured out exactly how that cookie model could be abused like, within days of it existing?

They almost certainly did, and considered it acceptable at the time.

The first cookie RFC, rfc2109 (1997), was even more conservative:

An origin server could create a Set-Cookie header to track the path of a user through the server. Users may object to this behavior as an intrusive accumulation of information, even if their identity is not evident. (Identity might become evident if a user subsequently fills out a form that contains identifying information.) This state management specification therefore requires that a user agent give the user control over such a possible intrusion... --https://datatracker.ietf.org/doc/html/rfc2109#section-7.1

Early versions of Internet Explorer used to follow this and prompt about cookie storage all the time, to everybody’s great annoyance. Eventually it defaulted to always allow.

Now with GDPR prompts we’ve come full circle, but instead get the UI of the web site instead of the user agent, allowing all kinds of dark patterns to be exploited and requiring re-prompts all the time for those of us who don’t allow the page to keep cookies in the agent.