Originally posted by K-czynski:

A quick fingerprinting test shows that my browser only leaves my resolution and Windows version, no device name anywhere. This is default Firefox with no fingerprinting protections or extensions.

You seem to think that all stored information is showed on every website, it's not.

The Steam website is a concrete example of a website that logs your device name. When you look at the stored device names in your account info, that's not just the device names of devices that you have used the client on. It lists all devices that are currently authorised to access Steam, either through the client or the website.

Originally posted by Crazy Tiger:

Originally posted by K-czynski:

A quick fingerprinting test shows that my browser only leaves my resolution and Windows version, no device name anywhere. This is default Firefox with no fingerprinting protections or extensions.

You seem to think that all stored information is showed on every website, it's not.

The Steam website is a concrete example of a website that logs your device name. When you look at the stored device names in your account info, that's not just the device names of devices that you have used the client on. It lists all devices that are currently authorised to access Steam, either through the client or the website.

I'm talking about device fingerprinting which every website does to an extent, yes. But your device name is not being disclosed there, only things such as your resolution, fonts and sometimes operating system. You can do the Panopticlick test for yourself and see exactly what info a website can extract from your browser.
What Steam does is different, iit has nothing to do witth the website. My device name history contains computer names that I logged in with months and months ago on the client itself, meaning the client is scraping that info and uploading it to Steam servers. Which is incredibly risky and spyware-y.

And yet if you never use the client, but only log in on the website through browsers, then too the device names are logged.

You can de-authorise all linked devices, so there isn't really an issue there.

Originally posted by Crazy Tiger:

And yet if you never use the client, but only log in on the website through browsers, then too the device names are logged.

You can de-authorise all linked devices, so there isn't really an issue there.

You type the ones on the website in yourself, hence why all of my website logins come from "123123123" (anonymous enough, no?) and my client logins come from Myname-PC. Deauthorizing does nothing, the device history still stays there.

My computer name doesn't actually use my real name (bad idea, folks - prime example right here), but that's besides the point.

Originally posted by Start_Running:

No one outside of VAlve would know their polic. Just like any other business. How long they archive records for is a matter of their own internal policy, policy that can be subject to change from time to time.

In otherwords. You'll never know, and they'll likely never say.

Then why bother with privacy policies at all? Or rather, with any privacy policy other than "Oh, and what we do with user data is a secret, and you don't get to know. Ever."

Because, you know if that policy was legal, I'll bet money literally every company would use it...so why do they bother with anything else?

Originally posted by K-czynski:

Originally posted by Kusa:

https://store.steampowered.com/privacy_agreement/

Read: 6. Your Rights and Control Mechanisms


Click the link: https://help.steampowered.com/en/

Select > My Account > Data Related to Your Steam Account

This is all so very vague it hurts to read. Is there some buried option that allows me to request erasure or erase this data myself or is this all basically telling you to e-mail Steam and hope for aan actual human to reply to you in 2 months time?

Yes you can delete your account and it delinks your name with your posts. The actual content of what you posted remains on steam as you don't own it, and forum posts unless they contain personal info you entered are not personally identifiable.

Originally posted by brian9824:

Originally posted by K-czynski:

This is all so very vague it hurts to read. Is there some buried option that allows me to request erasure or erase this data myself or is this all basically telling you to e-mail Steam and hope for aan actual human to reply to you in 2 months time?

Yes you can delete your account and it delinks your name with your posts. The actual content of what you posted remains on steam as you don't own it, and forum posts unless they contain personal info you entered are not personally identifiable.

Forum posts aren't an issue. You post something on a forum, you assume it stays there forever or until the administrator of the forum removes it. Chat sessions between two users are another thing. Why Steam doesn't have even basic end to end encryption for these is beyond me, even the most normalized of chat tools like WhatsApp have encryption. This indicates to me that Steam is using these chat logs for something, whether it's targeted advertisment or something more nefarious. The "it's to prevent scamming" argument doesn't really fly with me. They claim that they don't reverse trades and have plenty of failsafes in place to prevent scamming in the first place.

Originally posted by K-czynski:

This indicates to me that Steam is using these chat logs for something, whether it's targeted advertisment or something more nefarious. The "it's to prevent scamming" argument doesn't really fly with me. They claim that they don't reverse trades and have plenty of failsafes in place to prevent scamming in the first place.

And now I know your tinfoil hat is too tight and you need to ease it off a bit.

I'd like to know to begin with ,where's your source to say they don't encrypt chat 'to prevent scamming' because that's a new one for me. Your sources may be iffy to say the least.

As for why the chat isn't encrypted you can apply the Occam's Razor to it. Either they're still unencrypted because Steam is conspiring snooping through your chat logs because reasons or Valve is simply slow as hell adding functionalities to the client.

Originally posted by Tito Shivan:

Originally posted by K-czynski:

This indicates to me that Steam is using these chat logs for something, whether it's targeted advertisment or something more nefarious. The "it's to prevent scamming" argument doesn't really fly with me. They claim that they don't reverse trades and have plenty of failsafes in place to prevent scamming in the first place.

And now I know your tinfoil hat is too tight and you need to ease it off a bit.

I'd like to know to begin with ,where's your source to say they don't encrypt chat 'to prevent scamming' because that's a new one for me. Your sources may be iffy to say the least.

As for why the chat isn't encrypted you can apply the Occam's Razor to it. Either they're still unencrypted because Steam is conspiring snooping through your chat logs because reasons or Valve is simply slow as hell adding functionalities to the client.

Ah yes, the "tinfoil hat" retort. What's next, "if you don't have anything to hide you have nothing to fear"? I'm pretty sure a certain fella made people like you look like utter fools in 2013.
There are existing open source E2EE protocols (OTR, SCIMP, Signal) out there that would take a single coder a few hours to implement. Steam either does not want this, or as you said, are just incredibly slow (and negligent - something like this should take priority over pretty stickers and fancy emoticons) in their development.

Edit: I just realized that i'm arguing internet security with a representative of a company that let the source code for all their games leak a few days ago and let server admins freely upload files to players PC's since 2000. Gotta peace out before one of these lads decides they should just community ban me instead of forming an argument that isn't "LOL TINFOIL BRO XD".

Originally posted by K-czynski:

Edit: I just realized that i'm arguing internet security with a representative of a company that let the source code for all their games leak a few days ago and let server admins freely upload files to players PC's since 2000. Gotta peace out before one of these lads decides they should just community ban me instead of forming an argument that isn't "LOL TINFOIL BRO XD".

Except I'm not a 'representative' of the company at all. Just another user who ocassionally gets to clean the forums of spammers and people trying to steal other's accounts.

And you're not getting community banned because of discussing stuff, just for breaking the discussion rules. Don't put the bandage before the wound.

Do I think Steam chat should be secured? Hell yeah.
Do I know it's relatively easy to do so? Sure.

I've also been around long enough to know how Valve love to drag their feet to add many functionalities to the client. So it doesn't suprise me the slightest for the Steam chat to be unencrypted when they haven't even added functionality that's been part of every media player out there to the Steam music player which has been out for years. Or how come we still don't have a WYSIWYG editor for formatting our forums posts.

So when someone comes with the theory of 'they're doing it for EVIL purposes' I know how much it frontally clashes with how the company has been operating so far. Goes around with the '2FA is just a scheme to have our phones and sell their data' which up-to-date no one found evidence of. But conspirancy theories are cool and that.

Originally posted by K-czynski:

Ah yes, the "tinfoil hat" retort. What's next, "if you don't have anything to hide you have nothing to fear"?

Go ahead and look for that exact sentence in my post history. I actually argument about its fallacious nature whenever it's brought up in the forums.

You may have jumped too quickly into assumptions. (Stream does things for nefarious reasons, 'imma get banned for speaking the truth' and so on...) Which seems to be the case for this whole thread. Which was the point of my reply and the mention to the tinfoil hat all around.

i might be a bit simple... but i thought we lost all our privacy with the war on terrorism...
and it was thought that game sites were a hot bed of terrorist activity as it was easy to
get together and chat about stuff under the radar...

sure all the terrorist might have gone to amazon... but i thought security centers were
still monitoring everything to keep us all safe and stuff.....

Originally posted by K-czynski:

Originally posted by brian9824:

Yes you can delete your account and it delinks your name with your posts. The actual content of what you posted remains on steam as you don't own it, and forum posts unless they contain personal info you entered are not personally identifiable.

Forum posts aren't an issue. You post something on a forum, you assume it stays there forever or until the administrator of the forum removes it. Chat sessions between two users are another thing. Why Steam doesn't have even basic end to end encryption for these is beyond me, even the most normalized of chat tools like WhatsApp have encryption. This indicates to me that Steam is using these chat logs for something, whether it's targeted advertisment or something more nefarious. The "it's to prevent scamming" argument doesn't really fly with me. They claim that they don't reverse trades and have plenty of failsafes in place to prevent scamming in the first place.

You know the most basic google search shows that steam chat is encrypted
https://steamcommunity.com/groups/SteamClientBeta/discussions/3/1760230157501663712/

Chat messages are encrypted when sent to/from our servers. Voice used to be an exception due to being P2P, so it's new that it's encrypted and that's why it's specifically called out.

Text chat has been encrypted over the wire for a long time as your Steam clients connection to Steam servers is always encrypted.

Originally posted by jmccaskey:

Chat messages are encrypted when sent to/from our servers. Voice used to be an exception due to being P2P, so it's new that it's encrypted and that's why it's specifically called out.

Text chat has been encrypted over the wire for a long time as your Steam clients connection to Steam servers is always encrypted.

transmission is encrypted and that is the only thing jmc says
and that is only encrypted because it uses https, which can be nuked with a root certificate.

your chat message log is not stored encrypted on Steams servers

Originally posted by wuddih:

Originally posted by jmccaskey:

Chat messages are encrypted when sent to/from our servers. Voice used to be an exception due to being P2P, so it's new that it's encrypted and that's why it's specifically called out.

Text chat has been encrypted over the wire for a long time as your Steam clients connection to Steam servers is always encrypted.

transmission is encrypted and that is the only thing jmc says
and that is only encrypted because it uses https, which can be nuked with a root certificate.

your chat message log is not stored encrypted on Steams servers

Yeah but the question was on end to end encryption which does occur. As for whether they are encrypted on the actual database end no idea.

http://store.steampowered.com/privacy_agreement/

You can read their privacy policy here