On Second Thought ■ Episode 04
In January 1996, two men in New York City founded a company called DoubleClick. Kevin O'Connor and Dwight Merriman. The product was called DART, an acronym one doubts was agonised over: Dynamic Advertising, Reporting, and Targeting. The premise was that advertisers should be able to follow a person across websites to serve them relevant ads. In 2007, Google acquired DoubleClick for $3.1 billion. By the time the FTC and the EU had finished arguing about market competition, the architecture of the web had quietly become a surveillance system.
Nobody voted on this. It happened.
The Axiom
The argument for the current arrangement is presented as a chain of inevitabilities, and chains of inevitabilities tend to discourage close inspection. Advertising funds the web. Tracking enables advertising. Therefore we track. The cookie banner is the modern receipt: you clicked "Accept", you consented, and the system, therefore, is fair. A tidy logic. One admires the shape, if not the premise.
The Origin
In 1996, banner advertisements existed. They were, in a word, random. DoubleClick's innovation was the third-party cookie: a small text file set by a server you never visited, allowed to follow you across every website that loaded its pixel. The technical mechanism was mundane. The architectural consequence was not.
By 1999, DoubleClick had acquired Abacus Direct, a consumer-purchasing data broker, and proposed merging the two databases. The US Federal Trade Commission investigated. DoubleClick, chastened, backed down. Google bought it in 2007 anyway. The investigation was ancient history. The infrastructure was not.
As a footnote to the founders' trajectories: Kevin O'Connor left DoubleClick in 2001 to run the venture capital firm ScOp Venture Capital, where he now funds the next generation of technology companies. Dwight Merriman, DoubleClick's CTO for ten years, went on to co-found MongoDB in 2007 with Eliot Horowitz, another DoubleClick alumnus. The same team that built the cross-site surveillance pipeline also built the document database that powers a substantial portion of the modern web. The DoubleClick alumni network is, one suspects, among the more consequential talent diasporas in contemporary technology.
The Pattern Predates DoubleClick
DoubleClick was not, in fact, the first to discover that user data, once collected for an operational purpose, becomes commercially interesting. Prodigy, the online service that operated from 1984 to 2001, pioneered an early version of the same logic: caching data on or near users' personal computers in order to minimise networking and server expenses. The justification was infrastructure cost. The side effect was an unprecedented quantity of behavioural data sitting in rather convenient places.
The pattern is older than the web. It is older than the third-party cookie. It is, in essence, the observation that any data path optimised for cost will eventually be re-purposed for value extraction. The architectural question, then, is not when this began, but why no protocol layer ever resisted it.
The Cost
The average website now loads seven third-party trackers per page, and that figure describes the top 10,000 sites, which is to say the better-behaved end of the internet. 41.1 per cent of all traffic on those sites carries trackers. Compliance, meanwhile, has become its own industry: 67 per cent of cookie banners are served by a Consent Management Platform, three firms controlling 37 per cent of that market between them. Only 15 per cent of websites are minimally GDPR-compliant. When the "Reject all" button is hidden behind multiple clicks, up to 90 per cent of users accept. This is not consent. It is exhaustion.
There is also a distinctly physical cost. Each additional tracker adds roughly 2.5 per cent to page load, and tracker-heavy sites run approximately ten times slower than the same pages with tracking blocked. Real-time bidding processes roughly 600 billion requests per day, in the region of 6.9 million per second. Every banner, every dialog, every shadow request: bandwidth, batteries, electricity. The invoice is paid by everybody, itemised to nobody.
The Proof
The two men were, in the end, not the problem. If DoubleClick had not existed, someone else would have built it. It was a logical response to a commercial pressure: ad networks wanted reach, publishers wanted revenue, and third-party cookies enabled both. One could not reasonably blame the men. One could, however, reasonably ask why the browser helped.
The deeper question is architectural. Browsers were designed to load content. They could just as easily have been designed to protect users from being stalked, and from the grey-zone fraud economy that grew up inside the same pipes.
Apple App Tracking Transparency, introduced in iOS 14.5 in April 2021, demonstrated exactly this. One OS-level prompt, asking users whether an app may track them across other apps and websites. Opt-in rates settled at 15 to 25 per cent. Meta's CFO David Wehner estimated the 2022 revenue loss at roughly $10 billion. The technology was always there. Default-on tracking was a choice browser vendors made.
The Question
What if browsers had treated personal data in the way operating systems now treat unsigned binaries: blocked unless explicitly permitted? What if the protocol itself had defended the user, rather than the advertiser? What if cross-site requests had always been accompanied by the same scepticism one applies to a stranger on the train offering a parcel for safekeeping?
Thirty years on, the question is still unanswered. The infrastructure persists because it was built, and persists because undoing it would be inconvenient for the organisations that built it. Apple's one prompt shifted $10 billion in a single year. What might a dozen prompts have shifted? What might a refusal to ship third-party cookies at all, in 1996, have shifted?
One does not know. One merely notes that nobody was asked.
January 1996: two men in New York founded DoubleClick. 2007: Google paid $3.1 billion for it. Today: 7 trackers per page, 41.1% of traffic, 90% accept when "Reject all" is hidden, 600 billion bid requests per day. Apple ATT 2021: one prompt, -$10B Meta revenue. The technology was always there. Nobody voted on this.