Claims of anonymity of the Steam Hardware Survey

I was asked to complete the Steam Hardware Survey about 5 months ago. The images in this article were found online as I managed to misplace my own screenshots. The text in the images seems to be identical to the text that was presented to me.

From time to time the users of Steam, a video game distribution platform created by Valve, are asked to complete a so called "Steam Hardware Survey". The goal of the survey is to collect technical information about the user's device and upload them to Valve's servers. While the survey is supposedly performed on a monthly basis the selection process for the survey seems to be in some sense arbitrary and not all users will be asked to complete it every month. The survey itself is automatic and does not involve filling it out manually. When a user is prompted to complete the survey they are presented with the following pop-up:

The image depicts the popup asking the user to complete the Steam Hardware Survey. The popup contains the following text: "Please take a moment to complete the following short survey. Each month, Steam collects data about what kinds of computer hardware and software our customers are using. The survey data is incredibly helpful to us in that it ensures that we're making good decisions about what kinds of technology investments to make and products to offer.". Below the text there are two radio boxes: "Yes, I would like to participate in the survey." and "No, thanks". Below them a link allowing the user to view the "Valve Privacy Policy" is visible.

The text displayed to the user makes two claims:

  1. The data that is collected is anonymous.
  2. The data that is collected won't be associated with your account.

While the second claim can not be confirmed since Steam is a proprietary service we can try to look into the first claim. As the part of the process the user is helpfully presented with the data which was automatically gathered about their system before it will be uploaded to Steam's servers. The data can be reviewed in another popup which is presented to the user after the collection process completes:

The image depicts a popup presenting the information gathered as the result of the Steam Hardware Survey to the user. The text states: "This survey has gathered some diagnostic information about your computer, which you can see below.". Slightly below, in paranthesis, additional sentence can be seen: "When you click the 'Next' button, this information will be transmitted to Valve.". Below this text a scrollable textbox containing the collected data in the text format can be seen.

Due to the large volume of this data when presented with it I opened it in a text editor and searched for the name of my local user account. I was immediately presented with many lines such as those:

"pinned_libs_32" : {
  "list" : [
    "  6553789      4 drwxr-xr-x   2 filip    filip        4096 Dec 22 15:18 pinned_libs_32",
    "  6553915      0 lrwxrwxrwx   1 filip    filip          12 Dec 22 15:18 pinned_libs_32/libcurl.so.3 -> libcurl.so.4",
    "  6553913      0 -rw-r--r--   1 filip    filip           0 Dec 22 15:18 pinned_libs_32/has_pins",
    "  6553832      4 lrwxrwxrwx   1 filip    filip          96 Dec 22 15:18 pinned_libs_32/libcurl.so.4 -> /home/filip/.local/share/Steam/ubuntu12_32/steam-runtime/usr/lib/i386-linux-gnu/libcurl.so.4.2.0",
    "  6553833      4 -rw-r--r--   1 filip    filip          52 Dec 22 15:18 pinned_libs_32/system_libcurl.so.4"
  ]
},

As you can see the data that is uploaded to Valve's servers contains the name of the local user's account. For some users, especially on workplace provided machines, this will be their full name including the first name and the last name. The data appears to be the result of executing the ls command so it appears to deliberately include the local username on top of including it indirectly by collecting absolute paths. This makes the claims of the data being anonymous seem to be outright false.

If you want to see what data is collected by Steam on your machine then similar information can be found by selecting Help and then System Information in Steam's main window at any time. This data appears to be identical to the data sent during Steam Hardware Survey. Some of the results of the survey are available online.

I decided to finally write this short summary after hearing about Audacity, free software used for editing audio, attempting to start uploading various telemetry data to third parties.

2021-05-08