(Page 2 of 7)

Mr. Montulli's first description of cookies can still be found on Netscape's Web site. The document describes how a relatively few bits of text can perform tasks like identifying a visitor, tracking the items he is preparing to buy and setting a date for the cookie to be destroyed. In a whimsical example drawn from Saturday morning cartoons, Mr. Montulli displayed a cookie that might be set on a customer's computer by the fictional Acme Corporation:

Cookie: CUSTOMER=WILEE COYOTE; PARTNUMBER= ROCKETLAUNCHER0001

The document was technically thorough. But one word appears nowhere within it: privacy.

Microsoft Takes Notice

The engineers did build in a few privacy precautions, however. Cookies did not identify the user by name. Instead, each site issues a unique ID number to each visitor's computer. Mr. Montulli said that he also considered and rejected an idea for creating a single ID number that a person's browser would use in all Web explorations; while convenient, it would be, he knew, a privacy nightmare. "We didn't want cookies to be used as a general tracking mechanism," he recalled.

But, Mr. Montulli said, he had also planned for cookies to be a flexible tool — like all Netscape creations. "We were designing the next-generation communications system," he said, and the designers of revolutions don't think small.

"We wanted people to be able to use it for other uses" besides shopping carts, Mr. Montulli said, including "things we hadn't thought about."

By 1995, as Netscape's browser introduced millions of people to the wonders of the Web, another company had taken notice of its success and wanted in on the game. Microsoft aimed at the market for Internet browsers and servers and began a concerted effort that became the focus of the federal antitrust suit against Microsoft.

But when it came to keeping track of online shopping carts, Microsoft decided not to reinvent the wheel, said Michael Wallent, the head of the company's browser efforts. The company's entry in the browser wars, Internet Explorer, largely incorporated Netscape's cookie system as a "no brainer," Mr. Wallent said.

"I don't think anyone ever thought that cookies were anything that could be excluded in the browser and have that browser become a success in the marketplace," he said.

Like Netscape, Microsoft kept its cookies under the table: cookies were designed to be exchanged silently, without alerting the user. With other Web browser functions, like encrypted communication, an icon appears on the computer screen when the technology is in use. Mr. Wallent explained that privacy was not, at the time, a central consideration because the Web "was a very different place."

"While privacy was an issue, it was much less of an issue than you see today," he said.

Although they were not obvious to the average computer user, cookies were quickly noticed within the technology community. Members of the Internet Engineering Task Force, a group that evolved from the time of the Internet's predecessor, the Arpanet, to become the standards-setting body for the ever-evolving worldwide computer network, started in April 1995 to discuss cookies.

Despite Mr. Montulli's prowess, the technology was less than robust. Simon St. Laurent, the author of "Cookies," a technical work, said of Mr. Montulli's original version: "It kind of works, but it's definitely concocted overnight." Discussions began among Internet experts about the kinds of things that Internet engineers fret over, like ways to make the system more secure and reliable. Within the discussion, some were pressing for consideration of privacy issues.

And so, in 1995, a group was formed to come up with proposed standards for cookies and their uses; it was led by David M. Kristol, a scientist at Bell Laboratories whose outside interests included the intricate interplay of chamber music. He estimated that the job would take a few months.

He worked on it for nearly six years.

Like all such groups, the work was public and carried out largely through online postings and e-mail. Mr. Montulli was an active participant — at least at the beginning. "I remember saying that it was very important that if we made any changes at all to the way things work, that it needed to be a more forward-compatible kind of thing: the old stuff should still work, and people's general idea of cookies will stay the same."

The members of the working group agreed: although they wanted to improve on cookies technology, they realized that whatever recommendations they came up with should work a lot like the current cookies, or the effort would be wasted.

Increasingly, the group became concerned about the ways that cookies might be used to violate consumer privacy. Mr. Holtman, the Dutch computer scientist, issued a warning to the group in December 1995 that would turn out to be prophetic.

Although cookies can only be read by the site that created them or a related site — another of Mr. Montulli's early privacy measures — Mr. Holtman realized that companies could, by agreement, place cookies across a network of related sites, and that those cookies could be used to track users.

"Someone is bound to try this trick," he wrote, "and it will, when discovered, generate a lot of bad publicity for the whole Web."