Claims of anonymity of the Steam Hardware Survey
I was asked to complete the Steam Hardware Survey about 5 months ago. The images in this article were found online as I managed to misplace my own screenshots. The text in the images seems to be identical to the text that was presented to me.
From time to time the users of Steam, a video game distribution platform created by Valve, are asked to complete a so called "Steam Hardware Survey". The goal of the survey is to collect technical information about the user's device and upload them to Valve's servers. While the survey is supposedly performed on a monthly basis the selection process for the survey seems to be in some sense arbitrary and not all users will be asked to complete it every month. The survey itself is automatic and does not involve filling it out manually. When a user is prompted to complete the survey they are presented with the following pop-up:
The text displayed to the user makes two claims:
- The data that is collected is anonymous.
- The data that is collected won't be associated with your account.
While the second claim can not be confirmed since Steam is a proprietary service we can try to look into the first claim. As the part of the process the user is helpfully presented with the data which was automatically gathered about their system before it will be uploaded to Steam's servers. The data can be reviewed in another popup which is presented to the user after the collection process completes:
Due to the large volume of this data when presented with it I opened it in a text editor and searched for the name of my local user account. I was immediately presented with many lines such as those:
"pinned_libs_32" : {
"list" : [
" 6553789 4 drwxr-xr-x 2 filip filip 4096 Dec 22 15:18 pinned_libs_32",
" 6553915 0 lrwxrwxrwx 1 filip filip 12 Dec 22 15:18 pinned_libs_32/libcurl.so.3 -> libcurl.so.4",
" 6553913 0 -rw-r--r-- 1 filip filip 0 Dec 22 15:18 pinned_libs_32/has_pins",
" 6553832 4 lrwxrwxrwx 1 filip filip 96 Dec 22 15:18 pinned_libs_32/libcurl.so.4 -> /home/filip/.local/share/Steam/ubuntu12_32/steam-runtime/usr/lib/i386-linux-gnu/libcurl.so.4.2.0",
" 6553833 4 -rw-r--r-- 1 filip filip 52 Dec 22 15:18 pinned_libs_32/system_libcurl.so.4"
]
},
As you can see the data that is uploaded to Valve's servers contains the name of the local user's account. For some users, especially on workplace provided machines, this will be their full name including the first name and the last name. The data appears to be the result of executing the ls
command so it appears to deliberately include the local username on top of including it indirectly by collecting absolute paths. This makes the claims of the data being anonymous seem to be outright false.
If you want to see what data is collected by Steam on your machine then similar information can be found by selecting Help and then System Information in Steam's main window at any time. This data appears to be identical to the data sent during Steam Hardware Survey. Some of the results of the survey are available online.
I decided to finally write this short summary after hearing about Audacity, free software used for editing audio, attempting to start uploading various telemetry data to third parties.