
Whether willingly, begrudgingly or unknowingly, however, most Web users have already traded a slice of their privacy for the convenience that cookies bring to the Web. Most people accumulate cookies unknowingly; a search on the average Internet user's machine will turn up dozens, or even hundreds, of the small files.

Thanks to cookies, a customer shopping at a site who walks away from the shopping cart before buying can come back later to have the site ask if he wants to complete the order. Cookies also allow sites to show advertisements tied directly to the parts of the site a visitor has seen, so that someone visiting a health-oriented site who reads information about diabetes drugs might see an advertisement for a newly approved medication for the condition.

All these functions can be performed without knowing the name of the visitor because the anonymous, unique identifier included in the cookie is enough. But if a Web site owner can combine that identifier with personal information, say from having visitors register with the site, then the cookie becomes a powerful mechanism for personal tracking.

"Before cookies, the Web was essentially private," said Lawrence Lessig, a professor at Stanford Law School who studies the ways that software code and public policy collide. "After cookies, the Web becomes a space capable of extraordinary monitoring."

Most business Web sites now use cookies (including the sites of The New York Times Company) and most use them responsibly, privacy experts say. But many in business fear that privacy concerns could put a further drag on the hobbled high-technology economy. "The danger to the digital economy's longevity is not from the bursting of the dot-com bubble," said Richard H. Brown, chief executive of the technology giant EDS, in a recent speech.

He cited examples like Toysmart, a company that offered to sell its customer records as part of its bankruptcy settlement — potentially including children's names and addresses. "Those effects are minuscule compared with those inflicted by breaches of trust," Mr. Brown added.

Still, cookies are not going away, said Koen Holtman, a Dutch computer scientist and privacy advocate who has fought to limit the expanding abilities of cookies.

Web users "can't really live with cookies because of user-tracking issues," he said, "but also can't live without them because that would lose them some important functionality or reliability."

Mr. Montulli's first description of cookies can still be found on Netscape's Web site. The document describes how a relatively few bits of text can perform tasks like identifying a visitor, tracking the items he is preparing to buy and setting a date for the cookie to be destroyed. In a whimsical example drawn from Saturday morning cartoons, Mr. Montulli displayed a cookie that might be set on a customer's computer by the fictional Acme Corporation:

Cookie: CUSTOMER=WILEE COYOTE; PARTNUMBER=ROCKETLAUNCHER0001

The document was technically thorough. But one word appears nowhere within it: privacy.

Microsoft Takes Notice

The engineers did build in a few privacy precautions, however. Cookies did not identify the user by name. Instead, each site issues a unique ID number to each visitor's computer. Mr. Montulli said that he also considered and rejected an idea for creating a single ID number that a person's browser would use in all Web explorations; while convenient, it would be, he knew, a privacy nightmare. "We didn't want cookies to be used as a general tracking mechanism," he recalled.

But, Mr. Montulli said, he had also planned for cookies to be a flexible tool — like all Netscape creations. "We were designing the next-generation communications system," he said, and the designers of revolutions don't think small.

"We wanted people to be able to use it for other uses" besides shopping carts, Mr. Montulli said, including "things we hadn't thought about."

By 1995, as Netscape's browser introduced millions of people to the wonders of the Web, another company had taken notice of its success and wanted in on the game. Microsoft aimed at the market for Internet browsers and servers and began a concerted effort that became the focus of the federal antitrust suit against Microsoft.

But when it came to keeping track of online shopping carts, Microsoft decided not to reinvent the wheel, said Michael Wallent, the head of the company's browser efforts. The company's entry in the browser wars, Internet Explorer, largely incorporated Netscape's cookie system as a "no brainer," Mr. Wallent said.

"I don't think anyone ever thought that cookies were anything that could be excluded in the browser and have that browser become a success in the marketplace," he said.

Like Netscape, Microsoft kept its cookies under the table: cookies were designed to be exchanged silently, without alerting the user. With other Web browser functions, like encrypted communication, an icon appears on the computer screen when the technology is in use. Mr. Wallent explained that privacy was not, at the time, a central consideration because the Web "was a very different place."

"While privacy was an issue, it was much less of an issue than you see today," he said.