cross-posted from: https://lemmy.cafe/post/4800845
tl;dr: Watch what you put online and who you friend, especially on Steam. Once it’s on the internet, it’s there forever.
There’s a website similar to SpyPet for Discord, but for Steam. They compile all of our users’ profile pictures, name history, comments, URL history, “real name” history, our friend networks, forever, and they give us no option to opt out of it. Not even a private profile will stop it from scouring your friends’ lists, the forums, your avatars and name history. So what’s the purpose of it?
Stalking. I’m a victim of it.
And despite all of my efforts to not leave a trail leading to my new Steam account, SteamHistory enabled my stalkers to find me.
There are a number of unfortunate folks that have dedicated their time to follow me into whatever game servers I visit and spoil my day. I had deleted my old Steam account and repurchased all of my games on a new account that was privated from the start. I was very careful to not disclose any information that could lead to my identification, including using VPNs and prepaid methods to avoid leaking my real name to Steam. Despite that, my stalkers managed to attribute my new anonymous account to me, even though my profile is private and I haven’t posted anything. But how? Well, they were “kind” enough to tell me how.
How did they find me? Enter SteamHistory.
The task itself would have been impossible without a massive database of Steam friend networks, but the website simplifies such an endeavor so much that it is basically trivial. Assume the role of a stalker for a second and that you know nothing about your victim’s new account. All you know is that they have a few friends with whom they sometimes play and their profiles are also private. What can you do? Initially, it seems like a lost cause, but SteamHistory gives you a lead.
Go on their website and look up your victim’s friends. Although all involved profiles are private, it is unlikely that the victim’s friends would create new Steam accounts and repurchase their games. It’s more likely that they would simply private their profiles. With this knowledge, look at each friend’s friend history and find the friends that they all have in common, then eliminate all of those in this intersection that you are sure are not your victim. This process will always narrow the scope into only one last person: the target. Bingo. You’ve found your victim. And you didn’t even need any data from them. That’s how they found me.
What does SteamHistory store?
They store and put on exhibit your embarrassing names, your immature profile pictures, for the whole world to see. Your deadname, your abusive ex’s comments, made forever available for any imaginable bad actor. They etch in stone the fact that you once were Steam friends with this guy that turned out to be a sexual predator.
So what can you do?
Nothing besides not using Steam. Or get Valve to implement better control of our privacy, but good luck with that. The owner of SteamHistory has been confronted on the matter, and what they said is that you can opt out of data collection by deleting your Steam account. They don’t care about the GDPR because they’re situated in the US.
So heads up.
Just as an FYI, Steam has some granularity for privacy settings; your profile can be private while your friends list is not. Steam has defaulted profiles to private since 2018, and as I recall I had to go and open mine back up after they made that change in 2018 (I enjoy having SteamDB able to give me some analytics on my account, which it cannot do while things are private, so I took my stuff public). I believe that they made that change retroactive to some degree, else I could have continued using SteamDB without having had to change anything in my profile, which worked before the change.
I just sicced SteamHistory on a Steam account that I use for managing some dedicated servers I host. I’ve never futzed with the privacy settings on that account, but it does have a single friend that I set up so one of the server admins could find the account, and SteamHistory is completely unaware of that fact. It shows that the account has 0 friends, and I was able to confirm that this is not the case from the perspective of that account.
You (or your friends) can check your privacy settings for Steam at https://steamcommunity.com/my/edit/settings
That said, and you did touch on this OP, nothing on the Internet should be considered private; even in the best cases it’s still data that you don’t have 100% control over, and you should assume that it COULD be public at any time because that scenario is always only one data breach away. If you’re not comfortable with your data being known by others, you should not put it on the internet in any form under any circumstances; privacy settings will not save you.
TL;DR: It seems that whatever means SteamHistory is using, they are bound by the limitations of the Steam Privacy settings, so if your stalkers were able to figure out where your account moved via SteamHistory, it’s probably because your friends do not have 100% of their stuff set private or because someone inside your circle of trust is giving the stalkers an inside scoop.