Steam Hardware Survey leaks your local user name

I was asked to complete the Steam Hardware Survey about 5 months ago. The images in this article were found online as I managed to misplace my own screenshots. The text in the images seems to be identical to the text that was presented to me.

From time to time the users of Steam are asked to complete a "Steam Hardware Survey". The goal is to collect technical information about the user's device and upload them to Valve's servers. While the survey is reportedly performed on a monthly basis the only a certain sample of users is asked to complete the survey. The survey itself is automatic and does not involve filling anything out manually. When a user is prompted to complete the survey they are presented with the following pop-up:

The image depicts the popup asking the user to complete the Steam Hardware Survey. The popup contains the following text: "Please take a moment to complete the following short survey. Each month, Steam collects data about what kinds of computer hardware and software our customers are using. The survey data is incredibly helpful to us in that it ensures that we're making good decisions about what kinds of technology investments to make and products to offer.". Below the text there are two radio boxes: "Yes, I would like to participate in the survey." and "No, thanks". Below them a link allowing the user to view the "Valve Privacy Policy" is visible.

The text displayed to the user makes two claims:

  1. The data that is collected is anonymous.
  2. The data that is collected won't be associated with your account.

While the second claim can not be confirmed we can try to look into the first claim. As the part of the process the user is presented with the data which was automatically gathered about their system before it will be uploaded to Steam's servers. The data can be reviewed in another popup which is presented to the user after the collection process completes:

The image depicts a popup presenting the information gathered as the result of the Steam Hardware Survey to the user. The text states: "This survey has gathered some diagnostic information about your computer, which you can see below.". Slightly below, in paranthesis, additional sentence can be seen: "When you click the 'Next' button, this information will be transmitted to Valve.". Below this text a scrollable textbox containing the collected data in the text format can be seen.

I opened the data in a text editor and out of curiosity searched for the name of my local user account. I was immediately presented with many lines such as those:

"pinned_libs_32" : {
  "list" : [
    "  6553789      4 drwxr-xr-x   2 filip    filip        4096 Dec 22 15:18 pinned_libs_32",
    "  6553915      0 lrwxrwxrwx   1 filip    filip          12 Dec 22 15:18 pinned_libs_32/libcurl.so.3 -> libcurl.so.4",
    "  6553913      0 -rw-r--r--   1 filip    filip           0 Dec 22 15:18 pinned_libs_32/has_pins",
    "  6553832      4 lrwxrwxrwx   1 filip    filip          96 Dec 22 15:18 pinned_libs_32/libcurl.so.4 -> /home/filip/.local/share/Steam/ubuntu12_32/steam-runtime/usr/lib/i386-linux-gnu/libcurl.so.4.2.0",
    "  6553833      4 -rw-r--r--   1 filip    filip          52 Dec 22 15:18 pinned_libs_32/system_libcurl.so.4"
  ]
},

As you can see the data that is uploaded to Valve's servers contains the name of the local user's account. For some users this could be their full name including the first name and the last name. The data appears to be the result of executing the ls command so it appears to deliberately include the local username on top of including it indirectly by collecting absolute paths.

If you want to see what data is collected by Steam on your machine then similar information can be found by selecting Help and then System Information in Steam's main window at any time. This data appears to be identical to the data sent during Steam Hardware Survey. Some of the results of the survey (not the raw data I believe, don't worry) are available online if someone is curious.

2021-05-08