PSA: A website called SteamHistory enables stalkers through Steam mass data harvesting. Here's how stalkers found me despite creating a new, private, anonymous account.

cross-posted from: lemmy.cafe/post/4800845

tl;dr: Watch what you put online and who you friend, especially on Steam. Once it’s on the internet, it’s there forever.

There’s a website similar to SpyPet for Discord, but for Steam. They compile all of our users’ profile pictures, name history, comments, URL history, “real name” history, our friend networks, forever, and they give us no option to opt out of it. Not even a private profile will stop it from scouring your friends’ lists, the forums, your avatars and name history. So what’s the purpose of it?

Stalking. I’m a victim of it.

And despite all of my efforts to not leave a trail leading to my new Steam account, SteamHistory enabled my stalkers to find me.

There are a number of unfortunate folks that have dedicated their time to follow me into whatever game servers I visit and spoil my day. I had deleted my old Steam account and repurchased all of my games on a new account that was privated from the start. I was very careful to not disclose any information that could lead to my identification, including using VPNs and prepaid methods to avoid leaking my real name to Steam. Despite that, my stalkers managed to attribute my new anonymous account to me, even though my profile is private and I haven’t posted anything. But how? Well, they were “kind” enough to tell me how.

How did they find me? Enter SteamHistory.

The task itself would have been impossible without a massive database of Steam friend networks, but the website simplifies such an endeavor so much that it is basically trivial. Assume the role of a stalker for a second and that you know nothing about your victim’s new account. All you know is that they have a few friends with whom they sometimes play and their profiles are also private. What can you do? Initially it seems like a lost cause, but SteamHistory gives you a lead.

Go on their website and look up your victim’s friends. Even though all involved profiles are private, it is unlikely that the victim’s friends would create new Steam accounts and repurchase their games. It’s more likely that they would simply private their profiles. With this knowledge, look at each friend’s friend history and find the friends that they all have in common, then eliminate all of those in this intersection that you are sure are not your victim. This process will always narrow the scope into only one last person: the target. Bingo. You’ve found your victim. And you didn’t even need any data from them. That’s how they found me.

What does SteamHistory store?

They store and put on exhibit your embarrassing names and your immature profile pictures, for the whole world to see. Your deadname, your abusive ex’s comments, made forever available for any imaginable bad actor. They etch in stone the fact that you once were Steam friends with this guy that turned out to be a sexual predator.

So what can you do?

Nothing besides not using Steam. Or get Valve to implement better control of our privacy, but good luck with that. The owner of SteamHistory has been confronted on the matter, and what they said is that you can opt out of data collection by deleting your Steam account. They don’t care about the GDPR because they’re situated in the US.

So heads up.

DarthYoshiBoy,

Just as an FYI, Steam has some granularity for privacy settings: your profile can be private while your friends list is not. Steam has defaulted profiles to private since 2018, and as I recall I had to go and open mine back up after they made that change in 2018 (I enjoy having SteamDB able to give me some analytics on my account, which it cannot do while things are private, so I took my stuff public). I believe that they made that change retroactive to some degree, else I could have continued using SteamDB without having had to change anything in my profile, which worked before the change.

I just sicced SteamHistory on a Steam account that I use for managing some dedicated servers I host. I've never futzed with the privacy settings on that account, but it does have a single friend that I set up so one of the server admins could find the account, and SteamHistory is completely unaware of that fact. It shows that the account has 0 friends, and I was able to confirm that this is not the case from the perspective of that account.

You (or your friends) can check your privacy settings for Steam at https://steamcommunity.com/my/edit/settings

That said, and you did touch on this OP, nothing on the Internet should be considered private, even in the best cases it's still data that you don't have 100% control over and you should assume that it COULD be public at any time because that scenario is always only one data breach away. If you're not comfortable with your data being known by others, you should not put it on the internet in any form under any circumstances; privacy settings will not save you.

TL;DR: It seems that whatever means SteamHistory is using, they are bound by the limitations of the Steam Privacy settings, so if your stalkers were able to figure out where your account moved via SteamHistory, it's probably because your friends do not have 100% of their stuff set private or because someone inside your circle of trust is giving the stalkers an inside scoop.

carpelbridgesyndrome,

This probably violates California privacy protection laws, which they will have to follow if they are in the US and have data on persons in California.

tal,

Nothing besides not using Steam

So if I understand the concern, it’s that someone can look at someone who is friends with you but doesn’t have a private profile and find your Steam username.

While I can see an argument that the default should be not to expose a friend list publicly (hell, I think that the default should be for profiles to be private entirely), you can also just not use the friend functionality in Steam. I don’t play multiplayer games, but are there any fundamental limitations on playing games multiplayer with people you haven’t friended in Steam?

ProdigalFrog,

A not insignificant portion of online games utilize the Steam friend system exclusively to enable inviting others to your party, and would not function otherwise. One example off the top of my head is Hunt: Showdown.

LinyosT,

Surely it should be possible to expose friends lists to games while also allowing friends lists to remain private on profiles.

ProdigalFrog,

Absolutely, I’m surprised they haven’t addressed that privacy concern.

Onii-Chan,

I checked my account through the site and they don't seem to have shit other than my current display name. When did they start collecting this data?

grue,

In other words, it sounds like they found you because you re-friended the same people with your new account that you had on the old one?

lemmyvore,

What I’m confused (and concerned) about is, if all the accounts involved are private, how did SH still manage to get an up to date list of their friends?

I get that everything you put on there while the account is public is fair game and can be archived and offered for search even after you change it.

But if an account goes private and then acquires a new friend who’s also private, this information should not be available anywhere.

So, is Steam actually publishing information that’s supposed to be private?

stom,

Yeah, this doesn’t add up. If the friends added you after setting their profiles to private then SH can’t see that you’re friends.


NeryK,

tl;dr: Watch what you put online and who you friend, especially on Steam. Once it’s on the internet, it’s there forever.

That right here is very much what it boils down to. Whether it’s SteamHistory or The Internet Archive or whatever public or private data store… Any information you publish is out of your control as soon as you do.

Kolanaki,

There’s a website similar to SpyPet for Discord, but for Steam. They compile all of our users’ profile pictures, name history, comments, URL history, “real name” history, our friend networks,

How do they have “real name” data from the public (or even private) profiles? The only place to enter your real name into Steam is when giving the store your credit card info and none of that should be publicly available under any circumstances.

LinyosT,

There’s a “Real Name” section on your profile as well. Though there isn’t a hard requirement to have your real name there.

chameleon,

It's the second field on the edit profile page. Can't recommend putting it in, but victim blaming doesn't help anyone that already did so.

The edit profile page has a statement that "providing your real name can help friends find you on the Steam Community" with no indication that doing so also puts you at the risk of capital-G Gamers. I can see quite a bunch of people thinking that that's perfectly reasonable and not going to be abused.

Kolanaki,

Oh shit, you’re right. When the hell did that happen?

Lesrid,

It’s been around since they first had profiles. I’m pretty sure that was while Steam was still green.

HubertManne,

Ha ha. I'm immune.

sugar_in_your_tea,

No friends either? Glad I’m not alone in being alone.

HubertManne,

lol. yes.

9point6,

FWIW they don’t get the option to not care about GDPR, it doesn’t matter where they’re headquartered.

NoIWontPickAName,

What’re they going to do? Force EU laws on the US?

icedterminal,

…well yeah…

If a US based company (via their websites) collects data on citizens in the EU, they have to comply. Otherwise the EU can issue fines. This is why some websites are geo-blocked.

If you are a website admin and know some of your traffic will come from the EU, you have to comply with the GDPR set for their residents, or block anyone from that region from accessing. You have complied by taking one of those actions.

xionzui,

So theoretically they could collect data on Europeans from Steam, block those people from accessing the site, and they would be good?

OsaErisXero,

No, they would have to collect from some Europeans and then geoblock all of Europe, and they might be good.

xionzui,

Yes, blocking all of Europe is what I meant. The point is they are collecting the data from Steam, which already has the data legitimately, not from the users directly. One of the two conditions for complying with GDPR according to the comment above was simply blocking Europeans with no other conditions. It sounds like as long as they do that, they can collect and distribute all the data about Europeans they want.

Cyberspark,

No, the purpose of restricting the site is to ensure you don’t collect European citizens’ data. If they don’t use any part of the site that collects data, their data isn’t in your set.

What you’re saying would break GDPR and hide that fact from Europeans.

xionzui,

The comment above claimed one of two options to comply with GDPR was to block Europeans with no other conditions. Is there additional language in there to mandate that sites that block Europeans cannot collect data about them from other sources as well? If so, the previous comment isn’t accurate.

Cyberspark,

They explicitly state they’re talking about considerations of being a website admin.

For instance, you can be an EU Spotify account holder and request your portfolio from Spotify, and they have to dig up all your data and give it to you. You can also ask them to forget about you and make them delete all that data. You can make this request to anyone that holds your information without reason.

If you collect information about European citizens, whether as a primary aggregate, or simply to manipulate and present it, you must comply. It is not an option. The other implicit option is don’t collect data belonging to European citizens. For a website admin this is done by preventing Europeans from accessing your site.

Osa above says they might be good because it only matters if Europeans know you have their data and you’re not obligated to announce it without a GDPR request. Which is hard to do if you block them.

NoIWontPickAName,

Well isn’t that some bullshit.

Dave,

But can’t the site owners just ignore the EU fines? What enforcement power does the EU have?

Potatos_are_not_friends,

A lot of people really believe that if you shout “Hey that’s illegal” to a criminal, they’ll stop.

If I’m running a site to sell harvested data, I’ll wait for the lawsuit, which can be multiple years.

OsaErisXero,

Depends on where the site is hosted and/or monetized, but if it's the US then a US court will simply execute the fine as written, generally, as part of our reciprocity agreements with the EU regarding enforcement of court orders.

Dave,

Wow, really?

Like I get Apple or Netflix or whatever. They ignore a fine they will just not be allowed to operate in the EU.

But you’re saying the US has laws that say US companies have to follow EU rules?

lemmyvore,

Sure. How do you think import and export works?

Dave,

I’m almost certain that import and export has specific laws written for that case, considering how crucial it is to the country. GDPR is a specific new thing less than 10 years old and has no equivalent in US law.

Sorry, I may have given the impression that I was questioning whether there are any laws that control how interactions with other countries work. In fact my question was whether there are generic laws that say “when Europe introduces some new law, the US has to follow it”.

irreticent,

GDPR is a specific new thing less than 10 years old and has no equivalent in US law.

That’s not entirely true. California has a GDPR-like privacy law now:

“The requirements aren’t insignificant, and the fines could add up”

See also:

“This bill would enact the California Consumer Privacy Act of 2018. Beginning January 1, 2020, the bill would grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared. The bill would require a business to make disclosures about the information and the purposes for which it is used. The bill would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified. The bill would grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed. The bill would require a business to provide this information in response to a verifiable consumer request. The bill would authorize a consumer to opt out of the sale of personal information by a business and would prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data. The bill would authorize businesses to offer financial incentives for collection of personal information. The bill would prohibit a business from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized, as specified, to be referred to as the right to opt in. 
The bill would prescribe requirements for receiving, processing, and satisfying these requests from consumers. The bill would prescribe various definitions for its purposes and would define “personal information” with reference to a broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information. The bill would prohibit the provisions described above from restricting the ability of the business to comply with federal, state, or local laws, among other things.”

Dave,

Thanks! Feels a little like the exception that proves the rule though 😅

If you see the chain here (sorry, lemmy has no good way to link to a comment - here is a lemmyverse.link link for redirecting to it in your instance), it seems US courts generally follow (but are not obliged to follow) court orders from other countries where there is a similar law in the US. So it’s likely now that California courts would uphold rulings in relation to GDPR, but other states probably wouldn’t.

However, there’s a giant caveat in that fines and penalties are specifically excluded (see above chain) so for my original question about whether the site could ignore the fine - well as far as I can tell they can ignore it, because it won’t be enforced by US courts.

That doesn’t rule out other action though. Perhaps a US court would uphold some sort of takedown order, since it’s only fines and penalties that are specifically excluded and the US would likely have other laws (some sort of anti-stalking?) that could be used for the takedown request?

TachyonTele,

Trade agreements. Every country that trades with another one has laws in place for both sides.

Dave,

Yeah, I guess I’d just like to see some case law or something to back up the idea. Or to know the specific law that says that US companies have to follow EU rules or they can be prosecuted in a US court.

TachyonTele,

Well then, look into it.

Dave,

I did. The best I’ve found is that US companies have to follow GDPR because it says its reach is international, and this has never been tested in court. Any specific cases are always related to big tech, which EU courts can hurt; as far as I can tell there has never been any test of the reach for a site like in the OP.

lemmyvore,

redgravellp.com/sedona-conference-commentary-enfo…

Links to further materials are in the linked page.

Dave,

Thanks for providing this, I wasn’t able to find it through my own searches. I’m reading the linked documents, and can’t find anything to back up that the US courts will enforce the foreign fine. In fact, this is specifically addressed in the document and it seems to support that they will not support it.

C. The rule against recognition of foreign fines and penal judgments

The general rule in favor of recognizing foreign country judgments that meet the foundational requirements above is subject to a key exception: under both the Recognition Acts and the common law, U.S. courts generally do not recognize or enforce foreign judgments for the collection of taxes, fines, or penalties.

Given my original question was why can’t they ignore the fine, it seems the answer is that they can?

Dave, (edited)

Sorry but I went off on a thread with someone else and now I really need to know what this is based on. As far as I can tell, GDPR’s international reach has never been tested, there is no specific legislation I can find, and any companies big enough for the EU to care also operate in the EU so can be hurt by EU courts (as in, pay the fine or no more Facebook in Europe).

I’m being down voted to hell for asking a question but I still want some confirmation of the answer backed up by something.

bilb,

I think you’re right, since a website like SteamHistory is definitely not going to bother establishing a representative in an EU state the only recourse would be to try to go through the US legal system and it’s far from clear to me how that would go. GDPR seems like it was written with actual businesses in mind, but SteamHistory isn’t exactly that. I think a business would want to comply or lose access to a valuable market, but there’s less leverage on a (seemingly) privately run web site.
