tl;dr: Watch what you put online and who you friend, especially on Steam. Once it’s on the internet, it’s there forever.

There’s a website similar to SpyPet for Discord, but for Steam. They compile all of our users’ profile pictures, name history, comments, URL history, “real name” history, our friend networks, forever, and they give us no option to opt out of it. Not even a private profile will stop it from scouring your friends’ lists, the forums, your avatars and name history. So what’s the purpose of it?

Stalking. I’m a victim of it.

And despite all of my efforts to not leave a trail leading to my new Steam account, SteamHistory enabled my stalkers to find me.

There are a number of unfortunate folks that have dedicated their time to follow me into whatever game servers I visit and spoil my day. I had deleted my old Steam account and repurchased all of my games on a new account that was privated from the start. I was very careful to not disclose any information that could lead to my identification, including using VPNs and prepaid methods to avoid leaking my real name to Steam. Despite that, my stalkers managed to attribute my new anonymous account to me, even though my profile is private and haven’t posted anything. But how? Well, they were “kind” enough to tell me how.

How did they find me? Enter SteamHistory.

The task itself would have been impossible without a massive database of Steam friend networks, but the website simplifies such an endeavor that it is basically trivial. Assume the role of a stalker for a second and that you know nothing about your victim’s new account. All you know is that they have a few friends with whom they sometimes play and their profiles are also private. What can you do? Initially, it seems like a lost cause, SteamHistory gives you a lead.

Go on their website and look up your victim’s friends. Despite that all involved profiles are private, it is unlikely that the victim’s friends would create new Steam accounts and repurchase their games. It’s more likely that they would simply private their profiles. With this knowledge, look at each friend’s friend history and find the friends that they all have in common, then eliminate all of those in this intersection that you are sure are not your victim. This process will always narrow the scope into only one last person: the target. Bingo. You’ve found your victim. And you didn’t even need any data from them. That’s how they found me.

What does SteamHistory store?

They store and put on an exhibit your embarrassing names, your immature profile pictures, for the whole world to see. Your deadname, your abusive ex’s comments, made forever available for any imaginable bad actor. They etch in stone the fact that you once were Steam friends with this guy that turned out to be a sexual predator.

So what can you do?

Nothing besides not using Steam. Or get Valve to implement better control of our privacy, but good luck with that. The owner of SteamHistory has been confronted on the matter, and what they said is that you can opt out of data collection by deleting your Steam account. They don’t care about the GDPR because they’re situated in the US.

So heads up.

  • FractalsInfinite@sh.itjust.works
    link
    fedilink
    arrow-up
    50
    ·
    edit-2
    6 months ago

    very careful not to disclose any information to steam

    proceeds to associate with everyone they were previously friends with on public logs

    I just want to point out that if your friends accounts were public like you imply they wouldn’t have even needed to use the site. All the site does is automate the data collection process. The only way to fix it is to make private accounts the default.

  • ElectroLisa
    link
    fedilink
    arrow-up
    32
    ·
    6 months ago

    They have to comply with GDPR as their website is accessible from EU countries, as long as they have data to identify a specific EU citizen.

    So in theory, if you’re from EU you could put your name and surname on your Steam profile, have it archived and then file a GDPR request to have all of your data removed

    • Potatos_are_not_friends@lemmy.world
      link
      fedilink
      arrow-up
      11
      ·
      edit-2
      6 months ago

      They have to comply with GDPR as their website is accessible from EU countries, as long as they have data to identify a specific EU citizen.

      There’s currently American laws that if not followed, States have a right to pursue a lawsuit. Many American companies shrug and wait for the paperwork. Often, it takes a few months for that paperwork, and then years before it moves through the courts. Imagine a EU company getting that paperwork. Besides the initial “I’m in the EU, I don’t have to follow your American laws”, the court case would take YEARS to materialize.

      Now flip that for American companies following EU rules.

      A law is only as strong as those who enforce it. Look at Twitter. How many warnings will the EU give and still not do anything about it?

      I’m not saying this to wave my freedom around. This is just reality. Major American companies to this day still are lax around GDPR. So a small 1-person company is going to shrug and do whatever they want. Until they do something outrageous like terrorism or CP, they’ll at most get a strongly written letter.

      And by then, they’ll just bankrupt their company and start a new one.

      Again, not saying that to be a jerk. I’ve been on that side of arguing that our products should follow GDPR, watching some manager tell me fuck off, then literally nothing happening for years.

      So yeah, I’m pretty jaded.

      • lud@lemm.ee
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        6 months ago

        What warnings has the EU issued against Twitter? Usually when it comes to GDPR DPAs don’t issue warnings like that.

        Some that care enough should report it to their national DPA and see what happens.

        • Potatos_are_not_friends@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          6 months ago

          Twitter confirmed that the breach occurred on November 4, 2014. Yet, the company remained unable to determine who was affected by the issue before September 5, 2017. Between September 5, 2017, and January 11, 2019, Twitter’s breach also impacted users from the European Union and the European Economic Area (EEA).

          https://www.hipaaexams.com/blog/twitter-violating-gdpr-data-breach-provisions-the-full-story-you-need-to-know

          Tldr: it took five years and they were hit with a “astonishing” $500k fine.

          • Carighan Maconar@lemmy.world
            link
            fedilink
            arrow-up
            3
            ·
            6 months ago

            Which to be fair, is a more than enough law for 98%++ of the population and all companies, too. Just not for the biggest companies who really ought to always be upgraded one “unit”. That is, instead of 500 Kiloeuros, they get to pay 500 Megaeuros.

          • lud@lemm.ee
            link
            fedilink
            arrow-up
            1
            ·
            6 months ago

            Yeah that’s not great but not too surprising when it comes to the Irish DPA.

            They are seemingly very corrupt. They pretty much refuse to fine any of the large US corporations like Facebook.

            And while they have actually fined Facebook multiple times that’s because the rest of the EU (EDPB) forced them too. It wasn’t a willing decision on their part. They have also cried to the Irish government (or parliament) to get a new law that makes it possible to get the reporting party (I.E. normal EU citizens and NGOs) to pretty much sign a NDA regarding everything in the case.

            Why are they like this? Why do they interpret the GDPR differently than the rest of the EU and coincidentally they interpret the law in Facebook’s favour?

            I have no evidence but to me it seems extremely likely that they are directly bribed or more likely IMO is that Ireland wants to keep all the tax avoiding US companies in Ireland and they do this to keep them happy and when they get fined anyways they can blame the EU for the fines.

            Oh and Ireland is still the one that’s actually issuing the fine, so they get to keep the money even when they were forced to do it.

            On another note, I suspect that DPAs are more eager to fine when it’s something that’s done explicitly bad. Like refusing to delete data.

  • tfw_no_toiletpaper@lemmy.world
    link
    fedilink
    arrow-up
    18
    ·
    edit-2
    6 months ago

    It’s just a profile scraper, no? I tried my own and a few of my friends profiles. They were not indexed yet and because they all have private settings you cannot see anything else besides current Display Name and current Profile Picture.

    So you should tell your friends to set profile/edit/settings/privacy settings: Friend’s List -> Friend’s only. After that you create a new account and the scraper won’t be able to access their new friend list anymore.

    Edit: Also why is this post written that way, I was unsure if AI generated or some attempt at a novel, or am I going crazy??

  • forgotmylastusername@lemmy.ml
    link
    fedilink
    arrow-up
    13
    ·
    6 months ago

    Isn’t this generally how the big tech firms generate dark profiles on people? Of the people who don’t explicitly exist on their database. Take the intersection of data from family events. The people not in their database of known profiles are also likely family. Do the same for friend events. Take the intersection of those peoples interests. You’ll be knowing a lot about someone who never told you anything about themselves.

    You can run but you can’t hide. Crazy times we live in.

  • Carighan Maconar@lemmy.world
    link
    fedilink
    arrow-up
    11
    ·
    6 months ago

    I mean, this sucks, but I also wonder how this could be fixed. If you read up what absolutely benign stuff like your physical screen resolution coupled with how quickly you move your mouse coupled with your possible languages ad companies can use to uniquely identify you among the whole world visiting their page, it’s not a long throw at all to uniquely identify someone based on their steam friends.

  • experbia@lemmy.world
    link
    fedilink
    arrow-up
    7
    ·
    6 months ago

    interesting, only the most basic info is included about my 19 year old account. I’ve always been very conservative with the info I share online though.

    back in the day, everyone was regularly reminded that the internet is a wild west and only by safeguarding your personal information and using pseudonyms and avoiding identifying info can you have a chance to be safe and have a good time. but now that PII is profitable, all the big internet companies tell you the opposite so they can make a buck. I think this is the inevitable outcome of it.

    sorry to hear a baddie is clinging to you, that’s always quite troublesome. it can be hard to do anything about it. shitty as it is, your best bet is usually to become an undesirable target: boring. they’re school yard bullies. they do it for the reaction, that’s it. the more you react, the harder they try. fucking assholes.

  • hayalci@fstab.sh
    link
    fedilink
    English
    arrow-up
    1
    ·
    6 months ago

    Fun fact, the GDPR applies to entities outside the EU, if they sell to EU, or they handle EU citizen data.

    • hayalci@fstab.sh
      link
      fedilink
      English
      arrow-up
      3
      ·
      6 months ago

      So gist of this is, of they are not some random people hiding, but there’s a real company to -presumably- reap in some ad money or subscription money for their StalkerPlus product.or something, it takes a single determined EU citizen to fuck them up.