cross-posted from: https://lemmy.cafe/post/4800845

tl;dr: Watch what you put online and who you friend, especially on Steam. Once it’s on the internet, it’s there forever.

There’s a website similar to SpyPet for Discord, but for Steam. They compile all of our users’ profile pictures, name history, comments, URL history, “real name” history, our friend networks, forever, and they give us no option to opt out of it. Not even a private profile will stop it from scouring your friends’ lists, the forums, your avatars and name history. So what’s the purpose of it?

Stalking. I’m a victim of it.

And despite all of my efforts to not leave a trail leading to my new Steam account, SteamHistory enabled my stalkers to find me.

There are a number of unfortunate folks that have dedicated their time to follow me into whatever game servers I visit and spoil my day. I had deleted my old Steam account and repurchased all of my games on a new account that was privated from the start. I was very careful to not disclose any information that could lead to my identification, including using VPNs and prepaid methods to avoid leaking my real name to Steam. Despite that, my stalkers managed to attribute my new anonymous account to me, even though my profile is private and haven’t posted anything. But how? Well, they were “kind” enough to tell me how.

How did they find me? Enter SteamHistory.

The task itself would have been impossible without a massive database of Steam friend networks, but the website simplifies such an endeavor that it is basically trivial. Assume the role of a stalker for a second and that you know nothing about your victim’s new account. All you know is that they have a few friends with whom they sometimes play and their profiles are also private. What can you do? Initially, it seems like a lost cause, SteamHistory gives you a lead.

Go on their website and look up your victim’s friends. Despite that all involved profiles are private, it is unlikely that the victim’s friends would create new Steam accounts and repurchase their games. It’s more likely that they would simply private their profiles. With this knowledge, look at each friend’s friend history and find the friends that they all have in common, then eliminate all of those in this intersection that you are sure are not your victim. This process will always narrow the scope into only one last person: the target. Bingo. You’ve found your victim. And you didn’t even need any data from them. That’s how they found me.

What does SteamHistory store?

They store and put on an exhibit your embarrassing names, your immature profile pictures, for the whole world to see. Your deadname, your abusive ex’s comments, made forever available for any imaginable bad actor. They etch in stone the fact that you once were Steam friends with this guy that turned out to be a sexual predator.

So what can you do?

Nothing besides not using Steam. Or get Valve to implement better control of our privacy, but good luck with that. The owner of SteamHistory has been confronted on the matter, and what they said is that you can opt out of data collection by deleting your Steam account. They don’t care about the GDPR because they’re situated in the US.

So heads up.

  • @irreticent
    link
    English
    48 months ago

    GDPR is a specific new thing less than 10 years old and has no equivalent in US law.

    That’s not entirely true. California has a GDPR-like privacy law now:

    “The requirements aren’t insignificant, and the fines could add up”

    See also:

    “This bill would enact the California Consumer Privacy Act of 2018. Beginning January 1, 2020, the bill would grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared. The bill would require a business to make disclosures about the information and the purposes for which it is used. The bill would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified. The bill would grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed. The bill would require a business to provide this information in response to a verifiable consumer request. The bill would authorize a consumer to opt out of the sale of personal information by a business and would prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data. The bill would authorize businesses to offer financial incentives for collection of personal information. The bill would prohibit a business from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized, as specified, to be referred to as the right to opt in. The bill would prescribe requirements for receiving, processing, and satisfying these requests from consumers. The bill would prescribe various definitions for its purposes and would define “personal information” with reference to a broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information. The bill would prohibit the provisions described above from restricting the ability of the business to comply with federal, state, or local laws, among other things.”

    • @[email protected]
      link
      fedilink
      English
      2
      edit-2
      8 months ago

      Thanks! Feels a little like the exception that proves the rule though 😅

      If you see the chain here (sorry, lemmy has no good way to link to a comment - here is a lemmyverse.link link for redirecting to it in your instance), it seems US courts generally follow (but are not obliged to follow) court orders from other countries where there is a similar law in the US. So it’s likely now that California courts would uphold rulings in relation to GDPR, but other states probably wouldn’t.

      However, there’s a giant caveat in that fines and penalties are specifically excluded (see above chain) so for my original question about whether the site could ignore the fine - well as far as I can tell they can ignore it, because it won’t be enforced by US courts.

      That doesn’t rule out other action though. Perhaps a US court would uphold some sort of takedown order, since it’s only fines and penalties that are specifically excluded and the US would likely have other laws (some sort of anti-stalking?) that could be used for the takedown request?