But the game came to life as millions of people were using email for the first time. While just a few years earlier, chain letters and scams may have gained steam through email or similar tools like Usenet, executables were a new phenomenon for most. And there were already signs that sending executables through email was risky behavior.
Just six months earlier, millions of computers were seriously affected when a Microsoft Word “macro virus” called Melissa tore through the internet. In the ensuing years, email would be the key vector for some extremely damaging viruses, like ILOVEYOU, Sircam, and a virus named for tennis star Anna Kournikova. Their methods were different; their vector, across the board, was the same.
Security experts, understandably had concerns. A 1999 piece written by David Wilson of the Philadelphia Inquirer lays out the concerns like this: This random game which was just emailed you without your consent just so happens to use your internet connection. And it doesn’t tell you off the bat. Ergo: Downloading executables and immediately running them is a bad idea.
Wilson interviewed experts from places like the Electronic Privacy Information Center and Carnegie Mellon University to bolster his case against downloading random apps from any-which-where.
“Experts say the game is a good example of why Internet users should avoid opening unsolicited programs received via email,” Wilson wrote. “It illustrates how computer users often lack privacy protection.”
However, the piece somewhat overplayed what the internet connection actually allowed. Per another piece nearby in Allentown, Pennsylvania’s Morning Call that same week, the app simply contacted a server owned by a company to track where the game was being played, and whether the user clicked the link to the company’s website when they were done. The company also used the internet connection to allow users to share high scores, and discussed the potential of distributing updates via an internet connection.
“We were a small company without a budget to get our name out to corporations,” CEO Michael Bielinski said to Direct Marketing News. “We were trying to think of different ways other than putting up banner ads.”
On a base level, yes, the game tracked where a user was coming from, as a primitive form of analytics. But it’s a real stretch to call what they did “spyware.” If you’ve used a website on the internet in the past ten minutes, that page has likely done far worse. Google Analytics does far worse things than this by accident. It was nowhere near as bad as much of the crapware being made at the time, either.
The company denied it was doing anything nefarious other than releasing an offbeat elf bowling game into the wild. It wasn’t like they were the ones who started the email chains—they were distributing the games on their website, a safe and reputable source, after all.
“Absolutely no information is sent back to the company from the user’s computer,” NVision’s Bielinski emphasized to the Inquirer.
Somewhere along the line, though, the legitimate privacy concerns highlighted by the media got turned into something approaching a full-blown hoax. Email, the same medium that made Elf Bowling a hit, gave it an unfounded reputation as a piece of malware. The company spent weeks fighting the claims, which were further ratcheted up by the Inquirer story, which the company reportedly called “irresponsible and inaccurate”—considering it turned the story from a fake virus story into a spyware story, they probably have a case.
“Absolutely no information is collected from your computer and transmitted over the Internet by Elf Bowling or other games. At the beginning of each game, Elf Bowlingtests to see if the computer has a live Internet connection since registering scores online is one of the functions of the games,” the company wrote, according to a Geocities page from the era that collected the company’s correspondence from the time. “To determine if there is a live Internet connection, it sends an HTTP request command to nstorm.com, requesting nstorm.com to send it a blank HTML page. If it receives the blank HTML page, it sets a variable for Internet connectivity to TRUE.”
Symantec, to this day, has a page up on its website emphasizing that NVision’s game were never, at any point, laden with viruses. Sophos says the same thing, though it adds it might have been infected with one later.
To this day, if you look around hard enough on respected sites like TechTarget, Elf Bowling will get accused of being one of the first pieces of spyware. Based on my research, this widely repeated claim appears to be based on a brief mention in a Wikipedia article on spyware that dates to 2005 but was removed in 2006 because there was no source to support the claim that Elf Bowling spied on its users.
It was nothing more than a promotional game that just happened to become insanely popular. It was not spying on you.
Now, were there issues with Elf Bowling and its sibling Frogapult? Yes, there were—though neither were the fault of NVision, when you break it down, and both related to its unusual distribution mechanism.
The first problem is that it’s pretty easy to take an EXE file of a virus or trojan, rename it, and then send that to a user who thinks you’re sending them Elf Bowling—and that’s a concern that was raised by the University of Michigan’s Virus Busters program.
“One needs more than just a file name to identify a piece of software—additional information like the size and date help, and some sort of checksum is necessary before one can have any degree of certainty that what was being described and what is at hand have any correlation with each other,” the university’s Bruce P. Burrell wrote.
The other, more serious problem, was due to the size of the attachment. These days, we think nothing of sending a one-megabyte attachment. But back then, that was a significant size, especially as many offices were only just getting broadband at that point. A 2001 Network World article highlighted how the file created major strain issues on networks far and wide because numerous copies of the executable file were being created. (Apparently, nobody knew what a URL was in 1999.) This was a problem, and Elf Bowling was one of many causes.
It was a security risk and an infrastructure risk, but not because it was Elf Bowling. It was risky because it was an executable being shared like a chain letter on corporate email servers around the country.
But this game’s reputation was forever shattered by some jackass claiming it was a virus, and then by some legitimate reporting that overstated the nature of what the program actually did.
If you look at all the fake news we have going on these days—about topics far more culturally important than elves that get hit with bowling balls by Santa Claus—the parallels are clear. Small pieces of information have a tendency of getting twisted. The loudest claim wins out, even if it’s wrong. And things that are actually true can be twisted and misconstrued under the wrong set of eyes.
This all happened before we gained any of the social mediums we do today. If this is what can happen with just email and Windows, imagine what people might fall for today.
The public deserves to have this wildly popular, if not exactly innovative, game back in its life. And it deserves to have it without the stink of a couple of accusations it never deserved.