Posted on Apr 19
• Originally published at vivianvoss.net
In January 1996, two men in New York City founded a company called DoubleClick. Kevin O’Connor and Dwight Merriman had a product they called DART: Dynamic Advertising, Reporting, and Targeting. The premise was that advertisers should be able to follow a person across websites in order to serve them relevant ads. DoubleClick went public on NASDAQ in 1998. In 1999, it acquired Abacus Direct, a consumer-purchasing data broker, and merged the offline and online identity databases. The FTC opened an investigation. DoubleClick was forced to back down. In April 2007, Google announced its acquisition for $3.1 billion. By March 2008, the EU had approved it. By the time the regulators were finished arguing about competition, the architecture of the web had quietly become a surveillance system.
Advertising funds the web. Tracking enables advertising. Therefore we track. The argument is presented as a chain of inevitabilities, each link cited in defence of the next. The cookie banner is the modern receipt: you clicked “Accept”, you consented, the system is fair.
The receipt does not record that “Reject all” was hidden behind three dropdowns and a confirmation. The receipt does not record that the website would not load until you clicked something. The receipt does not record that the alternative to consent is exit.
In 1996, banner ads existed but were random. DoubleClick’s innovation was the third-party cookie: a small file set by a server you never visited, allowed to follow you across every other website that loaded its pixel. The cookie was originally designed by Lou Montulli at Netscape in 1994 as a way for a single site to remember its own users. The third-party cookie was a creative reinterpretation. It was technically permitted by the design. It was never socially negotiated.
By 1999, DoubleClick had bought Abacus Direct and was openly planning to merge offline purchasing histories with online browsing behaviour, identifying users by name. The FTC investigated. Public outcry forced DoubleClick to delay the merger indefinitely. The investigation was closed in 2001, after the Bush administration changed the priorities of the agency.
In April 2007, Google announced it would acquire DoubleClick for $3.1 billion. The FTC and the EU spent the next year reviewing the deal under competition law. They focused on the advertising market. They did not meaningfully focus on what merging Google’s search history with DoubleClick’s cross-site cookie tracking would mean for any user. The acquisition closed in March 2008. The architecture was complete.

The average website now loads seven third-party trackers. That figure is from the top 10,000 sites measured by WhoTracks.me, which is the better-behaved end of the internet. 41.1% of all top-site traffic carries trackers.
Compliance has become an industry of its own. Research presented at CHI 2025, examining over 254,000 websites across 31 countries, found that 67% of cookie banners are provided by Consent Management Platforms, of which three companies hold 37% of the market. Only 15% of the websites surveyed were minimally GDPR-compliant. When “Reject all” is hidden behind multiple clicks, up to 90% of users accept. This is not consent. It is exhaustion industrialised.
There is also a physical cost. The Ghostery/CliqZ “Tracker Tax” study showed that each additional tracker adds about 2.5% to page load time. Sites with the most trackers ran roughly ten times slower than the same sites with trackers blocked. Globally, real-time bidding now processes around 600 billion bid requests per day, roughly 6.9 million per second. Programmatic captured 91.3% of display ad spend in 2024. Every banner, every dialog, every shadow request: bandwidth, batteries, electricity. Tracking is not weightless.
And it is not even clean. Juniper Research estimates global ad fraud at around $84 billion in 2023, projected to reach $172 billion by 2028. Roughly 20-25% of programmatic impressions are at risk of fraud without verification. The same pipeline that carries the surveillance carries an industry of fake clicks, bot traffic, and laundered inventory. The grey economy was always part of the design.
The two men were not the problem. If DoubleClick had not existed, someone else would have built it. It was a logical response to the incentive: ad networks wanted reach, publishers wanted revenue, third-party cookies enabled both.
The deeper question is architectural. Browsers were designed to load content. They could just as easily have been designed to protect users from being stalked, and from the grey-zone fraud economy that grew up inside the same pipes. The technology was always there.
Apple App Tracking Transparency (iOS 14.5, April 2021) demonstrated this in one of the most remarkable corporate experiments of the decade. A single OS-level prompt: may this app track you across other companies’ apps and websites? Between 15 and 25% of users said yes. Meta lost roughly $10 billion in revenue in 2022 alone, as confirmed in CFO Dave Wehner’s earnings call. Lotame estimated industry-wide losses at around $16 billion. Apple proved, in one quarterly earnings call, that the surveillance was never necessary. It was simply the default.
Safari Intelligent Tracking Prevention, Firefox Enhanced Tracking Protection, Brave’s default blocking: each of these shows the same thing. Default-on tracking was a choice browser vendors made. Default-off was always available.
What if browsers had treated personal data the way they now treat unsigned binaries: blocked unless explicitly permitted? What if the protocol itself had defended the user, not the advertiser? What if the cookie had been scoped to the issuing site, with cross-site tracking requiring an explicit opt-in dialog from day one?
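The difference between the two defaults fits in a toy cookie jar. The sketch below is an added example, not code from the original article or from any browser: the `Browser` class, its `shared` and `scoped` modes and the `.example` hostnames are constructed for illustration, and the model ignores everything about cookies except which jar a request reads from.

```javascript
// Toy browser cookie jar (added example; all names and hostnames are constructed).
// mode "shared": one jar per cookie domain, the historical third-party cookie behaviour.
// mode "scoped": jar keyed by (top-level site, cookie domain); cross-site use needs opt-in.
class Browser {
  constructor(mode, optIns = []) {
    this.mode = mode;
    this.optIns = new Set(optIns); // top-level sites where the user allowed cross-site cookies
    this.jar = new Map();
    this.nextId = 1;
  }
  jarKey(topSite, resourceHost) {
    const firstParty = topSite === resourceHost;
    if (this.mode === "shared" || firstParty || this.optIns.has(topSite)) return resourceHost;
    return `${topSite}|${resourceHost}`; // partitioned: a separate cookie per visited site
  }
  // Load a resource (e.g. a pixel) from resourceHost while visiting topSite.
  // Returns the cookie id the resource's server sees on this request.
  load(topSite, resourceHost) {
    const key = this.jarKey(topSite, resourceHost);
    if (!this.jar.has(key)) this.jar.set(key, `uid-${this.nextId++}`); // stands in for Set-Cookie
    return this.jar.get(key);
  }
}

// Server-side view: the tracker groups the pages it saw by the cookie id it received.
function trackerProfiles(browser, visits, trackerHost) {
  const profiles = new Map();
  for (const site of visits) {
    const id = browser.load(site, trackerHost);
    if (!profiles.has(id)) profiles.set(id, []);
    profiles.get(id).push(site);
  }
  return [...profiles.values()];
}

const visits = ["news.example", "shop.example", "health.example"]; // constructed browsing session
const tracker = "ads.example"; // constructed third-party host embedded on every site

function demo() {
  return {
    shared: trackerProfiles(new Browser("shared"), visits, tracker),
    scoped: trackerProfiles(new Browser("scoped"), visits, tracker),
    optIn: trackerProfiles(new Browser("scoped", ["news.example", "shop.example"]), visits, tracker),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

In `shared` mode the tracker ends up with one profile covering all three sites; in `scoped` mode it sees three unrelated visitors, and only the sites the user opted in on can be linked.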
DoubleClick was founded thirty years ago this month. The infrastructure of the modern web was largely built in the decade that followed. The architectural decisions that produced the current state were not inevitable. They were defaults set by a small number of vendors at a small number of moments. Every default could have been the other way.
By Vivian Voss — System Architect & Software Developer. Follow me on LinkedIn for daily technical writing.
