On August 11, 1994, a 21-year-old named Phil Brandenberger used his credit card to buy Sting’s “Ten Summoner’s Tales” for $12.48 plus shipping through a website called NetMarket. The CD was mailed to Philadelphia, and the transaction used PGP encryption to protect the card number as it crossed the open internet. That single purchase, arranged by NetMarket founder Dan Kohn, became the first documented secure retail sale conducted over the World Wide Web, a moment that forced the tech world to reckon with a simple question: if encryption could make one CD sale safe, what else could the web sell?
How a $12.48 CD purchase rewired expectations for web commerce
The sale did not happen in a vacuum. Months earlier, the National Science Foundation had funded development of the Mosaic browser at the University of Illinois, giving millions of people their first graphical window onto the web. Mosaic made browsing easy, but it did not make buying safe. Credit card numbers sent through a standard browser traveled in plain text, visible to anyone with the right tools. The missing piece was encryption, and two separate efforts converged to fill that gap in 1994.
In May of that year, MIT released PGP version 2.6, distributing strong public-key cryptography software that anyone in the United States could legally download. PGP had existed before, but MIT’s release resolved lingering patent disputes and put a clean, freely available copy into wide circulation. Within weeks, developers at NCSA folded PGP support into XMosaic, the research version of the browser. That integration gave NetMarket the technical path it needed: a browser that could encrypt a credit card number before sending it, paired with a server that could decrypt it on the other end.
The hypothesis that the NetMarket sale, rather than Mosaic’s own feature set, drove broader adoption of browser-based encryption holds up under scrutiny. Mosaic made the web usable, but the August 1994 transaction made encrypted commerce visible. The New York Times ran a headline reading “Attention Shoppers…The Internet Is Open,” treating the sale as proof that ordinary consumers could trust the web with their money. That coverage reached an audience far larger than any technical mailing list, and it framed encryption not as an abstract security feature but as the thing that made online shopping possible. The demonstration effect, a real person buying a real product with a real credit card, carried persuasive weight that a spec sheet could not.
NetMarket’s PGP claim and the primary evidence trail
The strongest near-contemporaneous record of the sale comes not from a corporate press release but from a mailing-list post in the Internet Marketing archives dated days after the transaction. In that post, NetMarket stated it was “first to support automatic public-key encryption of credit card information,” while clarifying that the PGP code itself had been added to XMosaic by NCSA, not by NetMarket’s own engineers. The distinction matters: NetMarket built the storefront and the checkout flow, but the encryption engine came from a federally funded research center. Dan Kohn described the sale in later interviews, recounting how he set up the transaction partly to prove that secure web commerce was technically feasible and partly to attract press attention.
Phil Brandenberger, the buyer, was identified by name in coverage that followed. The item, Sting’s “Ten Summoner’s Tales,” cost $12.48 plus shipping and was mailed to his address in Philadelphia. No primary transaction log, server record, or payment-processor receipt from NetMarket has surfaced publicly to independently confirm the date and dollar amount. The factual record rests on Kohn’s account, Brandenberger’s identification in press reports, and the mailing-list post that appeared shortly after. Institutional files from NSF and NCSA, including archival holdings at the University of Illinois, contain materials related to Mosaic’s development but no direct references to the NetMarket sale or its use of encryption for commerce.
Gaps in the record 25 years after the Sting CD sale
Three specific gaps limit what can be stated with full confidence about the August 11, 1994 transaction. First, no independent digital or paper receipt has been made public. The date and price are consistent across multiple accounts, but they all trace back to the same small circle of participants. Second, MIT’s 1994 PGP announcement addressed privacy and email encryption broadly; it did not discuss web-browser integration or commercial applications. The link between MIT’s PGP release and the NetMarket checkout depends on the mailing-list claim that NCSA built PGP into XMosaic, a claim that has not been contradicted but also has not been confirmed by NCSA’s own institutional records. Third, the NSF’s account of Mosaic’s development focuses on the browser’s role in expanding web access, not on how third parties used it for encrypted transactions.
*This article was researched with the help of AI, with human editors creating the final content.