cross-posted from: https://lemmy.cafe/post/4800845

tl;dr: Watch what you put online and who you friend, especially on Steam. Once it’s on the internet, it’s there forever.

There’s a website similar to SpyPet for Discord, but for Steam. They compile all of our users’ profile pictures, name history, comments, URL history, “real name” history, our friend networks, forever, and they give us no option to opt out of it. Not even a private profile will stop it from scouring your friends’ lists, the forums, your avatars and name history. So what’s the purpose of it?

Stalking. I’m a victim of it.

And despite all of my efforts to not leave a trail leading to my new Steam account, SteamHistory enabled my stalkers to find me.

There are a number of unfortunate folks that have dedicated their time to follow me into whatever game servers I visit and spoil my day. I had deleted my old Steam account and repurchased all of my games on a new account that was privated from the start. I was very careful to not disclose any information that could lead to my identification, including using VPNs and prepaid methods to avoid leaking my real name to Steam. Despite that, my stalkers managed to attribute my new anonymous account to me, even though my profile is private and I haven’t posted anything. But how? Well, they were “kind” enough to tell me how.

How did they find me? Enter SteamHistory.

The task itself would have been impossible without a massive database of Steam friend networks, but the website simplifies such an endeavor so much that it is basically trivial. Assume the role of a stalker for a second and that you know nothing about your victim’s new account. All you know is that they have a few friends with whom they sometimes play and their profiles are also private. What can you do? Initially it seems like a lost cause, but SteamHistory gives you a lead.

Go on their website and look up your victim’s friends. Even though all involved profiles are private, it is unlikely that the victim’s friends would create new Steam accounts and repurchase their games. It’s more likely that they would simply private their profiles. With this knowledge, look at each friend’s friend history and find the friends that they all have in common, then eliminate all of those in this intersection that you are sure are not your victim. This process will always narrow the scope into only one last person: the target. Bingo. You’ve found your victim. And you didn’t even need any data from them. That’s how they found me.

What does SteamHistory store?

They store and put on exhibit your embarrassing names, your immature profile pictures, for the whole world to see. Your deadname, your abusive ex’s comments, made forever available for any imaginable bad actor. They etch in stone the fact that you once were Steam friends with this guy that turned out to be a sexual predator.

So what can you do?

Nothing besides not using Steam. Or get Valve to implement better control of our privacy, but good luck with that. The owner of SteamHistory has been confronted on the matter, and what they said is that you can opt out of data collection by deleting your Steam account. They don’t care about the GDPR because they’re situated in the US.

So heads up.

    • icedterminal@lemmy.world · 54 up / 1 down · 6 months ago

      …well yeah…

      If a US based company (via their websites) collects data on citizens in the EU, they have to comply. Otherwise the EU can issue fines. This is why some websites are geo-blocked.

      If you are a website admin and know some of your traffic will come from the EU, you have to comply with the GDPR set for their residents, or block anyone from that region from accessing. You have complied by taking one of those actions.

      • Dave@lemmy.nz · 14 up / 7 down · 6 months ago

        But can’t the site owners just ignore the EU fines? What enforcement power does the EU have?

        • OsaErisXero@kbin.run · 19 up / 2 down · 6 months ago

          Depends on where the site is hosted and/or monetized, but if it’s the US then a US court will simply execute the fine as written, generally, as part of our reciprocity agreements with the EU regarding enforcement of court orders.

          • Dave@lemmy.nz · 14 up / 1 down · 6 months ago (edited)

            Sorry but I went off on a thread with someone else and now I really need to know what this is based on. As far as I can tell, GDPR’s international reach has never been tested, there is no specific legislation I can find, and any companies big enough for the EU to care also operate in the EU so can be hurt by EU courts (as in, pay the fine or no more Facebook in Europe).

            I’m being down voted to hell for asking a question but I still want some confirmation of the answer backed up by something.

            • Bilb!@lem.monster · 9 up · 6 months ago (edited)

              I think you’re right, since a website like SteamHistory is definitely not going to bother establishing a representative in an EU state the only recourse would be to try to go through the US legal system and it’s far from clear to me how that would go. GDPR seems like it was written with actual businesses in mind, but SteamHistory isn’t exactly that. I think a business would want to comply or lose access to a valuable market, but there’s less leverage on a (seemingly) privately run web site.

          • Dave@lemmy.nz · 5 up / 8 down · 6 months ago

            Wow, really?

            Like I get Apple or Netflix or whatever. They ignore a fine they will just not be allowed to operate in the EU.

            But you’re saying the US has laws that say US companies have to follow EU rules?

            • TachyonTele@lemm.ee · 7 up / 3 down · 6 months ago

              Trade agreements. Every country that trades with another one has laws in place for both sides.

              • Dave@lemmy.nz · 8 up / 4 down · 6 months ago

                Yeah, I guess I’d just like to see some case law or something to back up the idea. Or to know the specific law that says that US companies have to follow EU rules or they can be prosecuted in a US court.

                  • Dave@lemmy.nz · 5 up · 6 months ago

                    I did. The best I’ve found is that US companies have to follow GDPR because it says its reach is international, and this has never been tested in court. Any specific cases are always related to big tech which EU courts can hurt; as far as I can tell there has never been any test of the reach for a site like in the OP.

        • Potatos_are_not_friends@lemmy.world · 8 up / 3 down · 6 months ago

          A lot of people really believe that if you shout “Hey that’s illegal” to a criminal, they’ll stop.

          If I’m running a site to sell harvested data, I’ll wait for the lawsuit, which can be multiple years.

      • xionzui@sh.itjust.works · 1 up · 6 months ago (edited)

        So theoretically they could collect data on Europeans from Steam, block those people from accessing the site, and they would be good?

        • OsaErisXero@kbin.run · 8 up · 6 months ago

          No, they would have to collect from some Europeans and then geoblock all of Europe, and they might be good.

          • xionzui@sh.itjust.works · 1 up · 6 months ago

            Yes, blocking all of Europe is what I meant. The point is they are collecting the data from Steam, which already has the data legitimately, not from the users directly. One of the two conditions for complying with GDPR according to the comment above was simply blocking Europeans with no other conditions. It sounds like as long as they do that, they can collect and distribute all the data about Europeans they want.

        • Cyberspark@sh.itjust.works · 3 up · 6 months ago

          No, the purpose of restricting the site is to ensure you don’t collect European citizens’ data. They don’t use any part of the site that collects data, so their data isn’t in your set.

          What you’re saying would break GDPR and hide that fact from Europeans.

          • xionzui@sh.itjust.works · 1 up · 6 months ago

            The comment above claimed one of two options to comply with GDPR was to block Europeans with no other conditions. Is there additional language in there to mandate that sites that block Europeans cannot collect data about them from other sources as well? If so, the previous comment isn’t accurate.

            • Cyberspark@sh.itjust.works · 1 up · 6 months ago (edited)

              They explicitly state they’re talking about considerations of being a website admin.

              For instance, you can be an EU Spotify account holder and request your portfolio from Spotify, and they have to dig up all your data and give it to you. You can also ask them to forget about you and make them delete all that data. You can make this request to anyone that holds your information without reason.

              If you collect information about European citizens, whether as a primary aggregate, or simply to manipulate and present it, you must comply. It is not an option. The other implicit option is don’t collect data belonging to European citizens. For a website admin this is done by preventing Europeans from accessing your site.

              Osa above says they might be good because it only matters if Europeans know you have their data and you’re not obligated to announce it without a GDPR request. Which is hard to do if you block them.