Spyware accidentally invented October 16, 1995

30 years ago today, on October 16, 1995, Roland Vossen accidentally invented spyware in a Usenet post. Well, not exactly. He didn’t invent spyware so much as he invented the term. His Usenet post contained the first recorded use of the word “spyware.”

The first recorded use of the term spyware was in this Usenet post by Roland Vossen in 1995.

For context, his post contained about 150 lines of pseudocode, making fun of Microsoft’s release cycles, marketing hype, and other aspects of its business model. One of the include statements in the code referenced a file called spyware.h. It was in close proximity to lines that referenced files called lies.h and nonsense.h.

If only Roland Vossen knew how prophetic his parody was. My blog post on defeating the spying mechanisms in Windows 11 is fairly popular. Every consumer operating system today is spyware to one degree or another.

Things got a lot worse before they got better. And I’m not quite sure that “better” would be the right word, because spyware never really went away. It just takes a different form now than it did in the ’90s.

Spyware in the ’90s

In the ’90s, a very popular business model was giving stuff away for free and then trying to figure out how to make money off it. Geocities‘ business model was giving away web hosting. Mark Cuban’s Broadcast.com gave away regional radio broadcasts. But my favorite extreme case is Cyberrebate. Cyberrebate gave away actual physical merchandise. I remember going into a guy’s office in late 1998 or early 1999, and he showed me this box of junk he’d just received for free. Well, it wasn’t exactly free. It was an online store that promised 100% rebates. So you had to fill out a bunch of paperwork, mail it in within a certain length of time, not make any mistakes, and wait months for the rebate check to arrive. But if you were willing to do all of that, you could get a bunch of trinkets for free.

This was more than 25 years ago but I remember it like it was yesterday. The absurdity of someone being so excited about getting a $6 laser pointer for free stuck with me.

A majority of people never send the rebate paperwork in, and some additional percentage mess it up. But this particular company grossly underestimated how many people would put in the effort to get it right, especially if they had ordered a large amount.

The business model of giving away software

Giving away actual physical merchandise was an extreme example, however. A much more common business model was giving away software. People would write a useful or just fun piece of software, and then monetize it by injecting a couple of DLLs into it. Sometimes these DLLs collected telemetry that was useful to marketers, sometimes it just displayed random ads, and some of it did both. Whoever provided them the DLLs paid them based on the results they delivered, so the more popular your program was, the more money you’d make from the spyware.

Some of it behaved really poorly too. The telltale sign of where the ads were coming from was when something called advert.dll would crash and Windows would give you a message that it had shut it down.

I knew when people were infected when I got help desk tickets complaining that users were seeing ads on internal websites.

After Napster got sued out of business, companies who decided they wanted to enter the file sharing business realized they needed to have a revenue stream just in case they got sued. So they included spyware along with their file sharing client.

The problem with this business model was too many people were doing it. A system would get loaded down with too much spyware, and the system would start failing to do seemingly unrelated tasks until it became essentially unusable.

The problem got so bad that an entire product category sprung up to fight it. You didn’t necessarily just need antivirus software. You needed anti-spyware software. Anti-spyware didn’t need to do realtime scanning like antivirus software at least. It was sufficient to just run a scan on a weekly or monthly basis or whenever your system was misbehaving. I even had a blog post telling people how to fix a system just enough so they could run antispyware tools.

When enough people started using anti-spyware software, companies started looking for other more sustainable sources of revenue.

The exception being the operating system vendors. All of the mainstream operating systems are spyware. No, Linux and FreeBSD are not mainstream operating systems, at least not on the desktop. Microsoft does it, but it’s not just Microsoft. Apple and Google do it too.

But outside of operating systems and web browsers, traditional spyware is fairly rare. Today. The operating system and browser vendors have figured out how to spy on you without making your system crash. Since almost nobody notices, almost nobody complains. So when I say things like Apple, Google, and Microsoft spy on you, I sound like the one who needs a head examination.

Social media spies on you too. We voluntarily give social media companies a tremendous amount of information by interacting with businesses on their sites, reacting to the posts that we see, and they can even tell things by how long you linger on a particular post. They use this information to keep you engaged, keep you addicted, and they sell the information.

So while it seems like the spyware problem has gone away, it’s a misnomer to say the problem doesn’t exist anymore. The spyware just got much better at not causing problems that blow its cover and not getting caught. It causes different problems that most people never relate back to the original source.

But I don’t blame Roland Vossen for any of this. He was just making a joke that, in October 1995, was genuinely funny. At least to people like me.