We made some big architectural mistakes in how the web works, and I want to talk about two of them. Not the dramatic, catastrophic kind — the kind that individually seem fine and collectively make everything worse.
Cookies Went to the Wrong Layer
Cookies should have been a user concern, not a software concern. In a saner world, you’d configure your cookie preferences once — at the browser or OS level — and every site would respect that. Instead, we pushed the decision down to each individual application, which is better for advertisers and worse for everyone else.
The result: you get asked about cookies a thousand times a day. Every site, every visit, a modal you don’t read blocking content you came to see. The EU meant well with GDPR. The implementation landed in the worst possible place.
Auth Left the Building
In the desktop era, the operating system knew who you were. You logged in once. Applications ran in your session. Identity was solved at the right layer.
The web broke that. Your browser knows you’re you, but the software runs somewhere else. So every application has to independently verify your identity, and they do — constantly. “Excuse me, who are you?” Over and over.
Excuse me, who are you?
How much engineering productivity does Okta alone steal from companies? Not through malice — through architecture. The session expired. The token rotated. The SSO redirect loop ate three minutes you’ll never get back. Multiply that across every engineer, every day, every tool. It adds up to something real.
The Local Optima Trap
This is the heart of enshittification. None of these interruptions are individually unreasonable. A cookie consent banner? Fine, legally required. An auth prompt? Sure, security matters. A survey? Feedback is valuable. A subscription nudge? The business needs revenue.
But nobody is holistically responsible for the user’s experience of being a user. Everyone is responsible for the user’s experience of their specific app. So each team independently decides to ask for just one tiny piece of your attention, and the aggregate experience is death by a thousand prompts.
Auth prompts. Cookie prompts. Survey prompts. Subscription prompts. Feedback prompts. Notification permission prompts. Newsletter popups. App store review dialogs. “Rate your experience” overlays. And this is before we even get to the advertisification of every square inch of the observable universe.
There Is No Solution Here
I don’t have a fix. The older I get, the more I think algorithms that curate content should be illegal. Algorithms that optimize for engagement — not satisfaction, not value, engagement — should be illegal.
Marketing can be good. Creative, powerful, genuinely useful. But it’s cheaper and easier for it to be shitty and lame. The incentive gradient points downhill. It’s very Pareto — a small amount of marketing is excellent and the vast majority is extraction wearing a smile.
The attention economy is optimized to create bad experiences for users. Not because anyone set out to do that, but because a thousand teams each optimizing for their own tiny slice of your attention produces exactly this outcome. Every time.
Nobody planned this. That’s what makes it so hard to fix.