If You Use Steam, Valve Might Be Tracking Every Website You Visit

Here's a fun fact: If you use Steam for your games—let's face it, you do—there's a chance Valve's Anti-Cheat System has been taking a look at all the websites you visit and sending a list back to home base. Why? No one knows for sure.

The discovery comes by way of SHG_Nackt who claims to have found a suspicious little piece of code that appears to mine your DNS cache for a list of domains, hash them, and send them back to Valve for perusal.

You don't have to visit the site; any query to the site (an image, a redirect link, a file on the server) will be added to the DNS cache. And only the domain will be in your cache, no full URLs. Entries in the cache remain until they expire or at most 1 day (might not be 100% accurate), but they don't last forever.

Presumably, the idea would be to collect a list of hashed domains from users, and check them against a list of domains that are widely known for supporting cheating or hacking on VAC-protected Steam games. The issue is that this is going on in the background, fairly secretly, and that the list of domains is necessarily attached to your SteamID; it's identifiable. What's more, the way Valve appears to be hashing isn't good enough to keep anything effectively secret. You might not care if Valve knows what your favorite sites are, but if the US government comes knocking, that information isn't staying private.

Valve hasn't made any comment on the situation yet (we've reached out for an explanation) but there are counterpoints—this collection might not be related to Valve at all, it may not involve any phoning home, and only happens when you connect to a VAC-protected server—so maybe this isn't quite as bad as it seems.

As Redditor Drakia puts it:

As someone who reverse engineers things for fun, and can read the C "pseudocode" generated via decompilation pretty easily, I am going to have to disagree with the assumptions made in this post. First, there's no proof this is from Steam, I've poked around a few of the DLLs since I saw this and am unable to find anything even remotely close to what this does. Second, this method does NOT send anything to Valve. This method grabs the DNS cache, yes. And it MD5s the entries, then it stores it. This method itself does nothing more with the hashes. For all we know VAC could be doing a LOCAL scan of the list, and comparing it to an internal list of "known" cheat subscription servers. Until someone posts details of exactly where in Steam this is (What DLL is all that's required to verify), and the calling method that supposedly sends this information to Valve, I would take this with a very massive grain of salt.
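To make the two points above concrete (the local hash comparison Drakia describes, and the earlier remark that the hashing keeps little secret), here is an added example that is not code from the article, the Reddit posts or Steam. It assumes plain unsalted MD5 over a lowercased domain name; the normalisation, function names and sample domains are all constructed for illustration.

```python
import hashlib


def md5_domain(domain: str) -> str:
    """Unsalted MD5 of a domain name, hex-encoded (normalisation is an assumption)."""
    name = domain.strip().lower().rstrip(".")
    return hashlib.md5(name.encode("utf-8")).hexdigest()


def hash_cache(entries):
    """Hash every cached domain, mirroring the 'MD5 the entries, then store' step."""
    return [md5_domain(d) for d in entries]


def local_match(cache_hashes, known_hashes):
    """Local comparison against a shipped list of hashes; nothing leaves the machine."""
    return sorted(set(cache_hashes) & set(known_hashes))


def recover_domains(cache_hashes, candidate_domains):
    """Dictionary lookup: whoever holds a candidate list can name every matching hash."""
    table = {md5_domain(d): d for d in candidate_domains}
    return {h: table.get(h) for h in cache_hashes}


# Constructed sample data using reserved example domains, not real cache contents.
SAMPLE_CACHE = ["store.example.com", "Cheats.Example.net.", "mail.example.org"]
KNOWN_BAD = [md5_domain("cheats.example.net")]
CANDIDATES = ["store.example.com", "mail.example.org",
              "cheats.example.net", "news.example.com"]

if __name__ == "__main__":
    hashes = hash_cache(SAMPLE_CACHE)
    print("flagged locally:", local_match(hashes, KNOWN_BAD))
    for digest, name in recover_domains(hashes, CANDIDATES).items():
        print(digest, "->", name)
```

Because domain names are drawn from a small, guessable set, an unsalted hash identifies a domain to anyone who can hash the same candidates, which is why the privacy question turns on whether the hashes are ever transmitted rather than on the hashing itself.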

But if this is accurate, and does make you think twice about using Steam (or SteamOS), you're going to be in a tough situation. There's not really anywhere else as comprehensive to go for your games (or sales). Hopefully Valve can clear this up in a way that's halfway satisfying. Or else you're going to have to dig up your EA Origin password. [SHG_Nackt via Reddit]

Update: Valve CEO Gabe Newell has come out to totally refute these claims, offering a rare look inside the specifics of Valve's Anti-Cheating System. But in short:

1) Do we send your browsing history to Valve? No.

2) Do we care what porn sites you visit? Oh, dear god, no. My brain just melted.

3) Is Valve using its market success to go evil? I don't think so, but you have to make the call if we are trustworthy. We try really hard to earn and keep your trust.