
Most of us encounter cookies in the same way we encounter any quiet technology. They are there before we notice them. A site remembers our language. A cart stays full when we return. A login persists for days. Behind those conveniences sits a simple mechanism: a website asks the browser to store a small record and return it on later requests. That record is a cookie. It holds a name and value, an expiration time, and rules about where and when it should be sent. With something so small, the web becomes a place that can remember.

The web did not begin with memory. Early sites responded to each page as if it came from a stranger. In 1994, Netscape engineer Lou Montulli adapted an older computing idea called a magic cookie to solve this. In operating systems and network software, a magic cookie was a small token that one program gave another in order to recognise a later request. The web version worked the same way. A server handed the browser a token. The browser returned it on the next visit. The name “cookie” stuck because the concept already had currency among programmers and because the metaphor of a small packet with a hidden message was easy to remember.

From that modest start, cookies became the basic tool for continuity online. Session cookies keep you logged in as you move from page to page. Preference cookies can hold a cart or a multi-step form in place long enough for you to finish a task. These are practical uses. They make the web function in ways people expect.

The same mechanism also supports practices that are far less visible to the user. When a page includes content from other companies, such as advertising tags, analytics scripts, or social widgets, those outside companies can set and read their own cookies. As you move across sites that reuse the same outside services, those companies can link your visits and assemble a picture of your habits. They learn which pages you read, which products you consider, which devices you use, and where you are roughly located. Over time, even simple identifiers can support detailed profiles. The purpose is usually targeted advertising and measurement. The effect is that browsing becomes traceable beyond the site you intended to visit.

Security concerns sit alongside these privacy questions. An authentication system often relies on a session cookie that proves you are logged in. If someone else obtains that cookie, they can act as you without needing your password. Attackers can attempt to steal cookies through unencrypted connections or malicious scripts that read cookies not marked HttpOnly, and poorly scoped rules let them misuse a cookie through cross-site request forgery, where another site triggers requests that carry it. Sensible settings help. Sites should use HTTPS, mark sensitive cookies as Secure and HttpOnly, set SameSite attributes to limit cross-site use, shorten lifetimes for session tokens, and rotate identifiers after login. These steps do not eliminate all risk, but they significantly increase the difficulty of turning a small token into a key that opens the wrong door.
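The settings listed above can be checked directly on the `Set-Cookie` headers a site sends. The following is an added example, not part of the original essay: the sample headers are constructed, the eight-hour lifetime limit is an assumed policy, and only `Max-Age` (not `Expires`) is checked for lifetime.

```python
# Audit Set-Cookie headers for Secure, HttpOnly, SameSite and lifetime.
MAX_SESSION_AGE = 8 * 3600  # assumed policy: session tokens live at most 8 hours

# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; Max-Age=31536000",
    "sid2=def456; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600",
    "track=xyz; Domain=.ads.example; Secure; SameSite=None; Max-Age=63072000",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes with lowercase keys)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def audit_cookie(header, max_age=MAX_SESSION_AGE):
    """Return (cookie name, list of findings) for one Set-Cookie value."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie can travel over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: page scripts can read it")
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        findings.append("SameSite=None: sent on cross-site requests")
    elif samesite not in ("lax", "strict"):
        findings.append("SameSite not set: behaviour depends on browser default")
    age = attrs.get("max-age", "")
    if age.isdigit() and int(age) > max_age:
        findings.append(f"lifetime {int(age)}s exceeds {max_age}s limit")
    return name, findings

def audit_all(headers):
    """Map each cookie name to its findings."""
    return dict(audit_cookie(h) for h in headers)

if __name__ == "__main__":
    for cookie, issues in audit_all(SAMPLE_HEADERS).items():
        print(cookie, "->", issues or "ok")
```
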

Another problem is simple opacity. A single visit can create dozens of cookies with different names, values, domains, and expiration dates. Some last minutes, others last years. Most users never see what is stored or understand which company placed each record. Consent dialogs attempt to surface the choice, but they often steer people towards accepting everything. Privacy policies describe sharing with trusted partners, a phrase that is both broad and vague. The result is that people cannot form a clear picture of what they have agreed to or how long the agreement will last.

My project is a small response to this gap between function and knowledge. I am making physical fortune cookies with fortunes that state, in blatant language, what digital cookies and trackers can reveal. The object is familiar and ordinary. The message inside is not meant to shock, but to be specific and honest, though what is revealed could be shocking.

The installation uses a plain white cookie jar. I will ask visitors, “Do you want a cookie?” and I will not explain anything further at that moment. The setup mirrors the way consent often works online. People are often prompted to accept something before they have context or a clear sense of scope. The jar is intentional. It is neutral, familiar, and ordinary. The interaction feels harmless. That is the point.

Each cookie contains a two-sided slip. The first side reads: “You agreed to cookies. Open your fortune to reveal your fate. Good luck.”

The visitor then turns over the fortune. The reverse side presents one fact about common data practices, such as: “A third-party pixel followed this visit to your next site.” Or: “Your browser sent a unique ID that links today’s pages to last week’s.” Each sentence names a practice that is common, routine, and usually invisible.

Beneath the fortune is a short instruction, different on each card: “To avoid this, next time accept only necessary cookies. Your fate is only up to you.” or “To avoid this, next time don’t agree to something you know nothing about. Your fate is only up to you.”

After the viewer opens their fortune cookie, I will then explain to them what I just described to you. Hopefully, visitors will leave understanding that necessary cookies keep a site working, and non-essential cookies can be refused.

My intention is not to lecture or shame the viewer. Most of us appreciate sites that remember what is useful, from logins to items in our cart. The real question or task is to decide where that memory should end and to make those boundaries explicit, so people can see them and choose accordingly.