cross-posted from: https://lemmy.cafe/post/4800845
tl;dr: Watch what you put online and who you friend, especially on Steam. Once it’s on the internet, it’s there forever.
There’s a website similar to SpyPet for Discord, but for Steam. They compile all of our users’ profile pictures, name history, comments, URL history, “real name” history, our friend networks, forever, and they give us no option to opt out of it. Not even a private profile will stop it from scouring your friends’ lists, the forums, your avatars and name history. So what’s the purpose of it?
Stalking. I’m a victim of it.
And despite all of my efforts to not leave a trail leading to my new Steam account, SteamHistory enabled my stalkers to find me.
There are a number of unfortunate folks that have dedicated their time to follow me into whatever game servers I visit and spoil my day. I had deleted my old Steam account and repurchased all of my games on a new account that was privated from the start. I was very careful to not disclose any information that could lead to my identification, including using VPNs and prepaid methods to avoid leaking my real name to Steam. Despite that, my stalkers managed to attribute my new anonymous account to me, even though my profile is private and haven’t posted anything. But how? Well, they were “kind” enough to tell me how.
How did they find me? Enter SteamHistory.
The task itself would have been impossible without a massive database of Steam friend networks, but the website simplifies such an endeavor that it is basically trivial. Assume the role of a stalker for a second and that you know nothing about your victim’s new account. All you know is that they have a few friends with whom they sometimes play and their profiles are also private. What can you do? Initially, it seems like a lost cause, SteamHistory gives you a lead.
Go on their website and look up your victim’s friends. Despite that all involved profiles are private, it is unlikely that the victim’s friends would create new Steam accounts and repurchase their games. It’s more likely that they would simply private their profiles. With this knowledge, look at each friend’s friend history and find the friends that they all have in common, then eliminate all of those in this intersection that you are sure are not your victim. This process will always narrow the scope into only one last person: the target. Bingo. You’ve found your victim. And you didn’t even need any data from them. That’s how they found me.
What does SteamHistory store?
They store and put on an exhibit your embarrassing names, your immature profile pictures, for the whole world to see. Your deadname, your abusive ex’s comments, made forever available for any imaginable bad actor. They etch in stone the fact that you once were Steam friends with this guy that turned out to be a sexual predator.
So what can you do?
Nothing besides not using Steam. Or get Valve to implement better control of our privacy, but good luck with that. The owner of SteamHistory has been confronted on the matter, and what they said is that you can opt out of data collection by deleting your Steam account. They don’t care about the GDPR because they’re situated in the US.
So heads up.
FWIW they don’t get the option to not care about GDPR, it doesn’t matter where they’re headquartered.
…well yeah…
If a US based company (via their websites) collects data on citizens in the EU, they have to comply. Otherwise the EU can issue fines. This is why some websites are geo-blocked.
- https://reutersinstitute.politics.ox.ac.uk/news/many-eu-visitors-shut-out-us-sites-response-gdpr-never-came-back
- https://www.eqs.com/compliance-blog/biggest-gdpr-fines/
If you are a website admin and know some of your traffic will come from the EU, you have to comply with the GDPR set for their residents, or block anyone from that region from accessing. You have complied by taking one of those actions.
But can’t the site owners just ignore the EU fines? What enforcement power does the EU have?
So theoretically they could collect data on Europeans from Steam, block those people from accessing the site, and they would be good?
In other words, it sounds like they found you because you re-friended the same people with your new account that you had on the old one?
What I’m confused (and concerned) about is, if all the accounts involved are private, how did SH still manage to get an up to date list of their friends?
I get that everything you put on there while the account is public is fair game and can be archived and offered for search even after you change it.
But if an account goes private and then acquires a new friend who’s also private, this information should not be available anywhere.
So, is Steam actually publishing information that’s supposed to be private?
tl;dr: Watch what you put online and who you friend, especially on Steam. Once it’s on the internet, it’s there forever.
That right here is very much what it boils down to. Whether it’s SteamHistory or The Internet Archive or whatever public or private data store… Any information you publish is out of your control as soon as you do.
There’s a website similar to SpyPet for Discord, but for Steam. They compile all of our users’ profile pictures, name history, comments, URL history, “real name” history, our friend networks,
How do they have “real name” data from the public (or even private) profiles? The only place to enter your real name into Steam is when giving the store your credit card info and none of that should be publicly available under any circumstances.
It’s the second field on the edit profile page. Can’t recommend putting it in, but victim blaming doesn’t help anyone that already did so.
The edit profile page has a statement that “providing your real name can help friends find you on the Steam Community” with no indication that doing so also puts you at the risk of capital-G Gamers. I can see quite a bunch of people thinking that that’s perfectly reasonable and not going to be abused.
Nothing besides not using Steam
So if I understand the concern, it’s that someone can look at someone who is friends with you but doesn’t have a private profile and find your Steam username.
While I can see an argument that the default should be not to expose a friend list publicly (hell, I think that the default should be for profiles to be private entirely), you can also just not use the friend functionality in Steam. I don’t play multiplayer games, but are there any fundamental limitations on playing games multiplayer with people you haven’t friended in Steam?
A not insignificant portion of online games utilize the steam friend system exclusively to enable inviting others to your party, and would not function otherwise. One example off the top of my head is Hunt: showdown.
Surely it should be possible to expose friends lists to games while also allowing friends lists to remain private on profiles.
