Hi privacy friends,

If you have not already seen a blurred image in your friends feed or on the community, then you will see it now:
https://steamcommunity.com/sharedfiles/filedetails/?id=1581742855 if not, then your community content settings are disabled.

This is the protection Valve released this year, to make the Steam community more friendly and with less nude and violent images. The technique behind it is an image recognition AI, one by Google the other by Amazon, which scanning all images the users upload to Steam as screenshot, artwork, workshop, guides and video thumbnail, no matter what content privacy settings are chosen.
Because this was not meant in the privacy policy and Valve has not announced this feature in any way, we have asked the Steam Support.

Originally posted by EXCONN:

8. Jan. at 20:18 Uhr
Good evening Steam Support,

through my own investigation i recognized that all artworks and screenshots which are uploaded on Steam as public, friends only or private are first scanned by Google Cloud Vision and Amazon Recognition.
This process and the reason for the data-processing is not meant in the Steam Privacy Policy.
The Steam Profile Privacy Setting are bypassed with this process and the training of AI Systems which also sold for military use is very questionable.
Can Valve/Steam please answer and inform the customers why this is done without a notice?

Thanks

Steam-Support 16. Jan. at 20:17 Uhr
Hey, thanks for voicing your concerns about these issues.

I have escalated them to our legal department. Their response is contained below.


The preprocessing of images for the protection of minors is outside the scope of GDPR. Personal Data in the sense of GDPR is data relating to an identified or identifiable data subject. For the automatic recognition of objectionable content we do not transfer any identifying elements to the service providers. We take the uploaded images, scale and convert them and upload this modified copy to the service providers. We then receive back a confidence score of whether the image contains objectionable content (in particular nudity). We do not provide them with any information about the source of the image that would make the uploader identifiable.

In the hypothetical case that an image contained an identifying element, e.g. a name burned into the image file, this use might constitute a processing of personal data; however, in this case it would be covered by sections 2.a), 2.b) and 3.9 of our Privacy Policy. We disagree with the user’s assessment that the fact that adult content can be purchased on Steam means that we can have any sort of hardcore and/or child pornography displayed on our web pages. The sheer volume of images that are being uploaded to Steam means we need to use technical measures to protect our users and comply with applicable laws.

Insofar as the user voiced concerns that the uploaded data can be used to train AI for military purposes we disagree as well. As we do not send the neural network information on what we believe is in the image, this is not data useful for training image recognition algorithms. Google already has access to an unlimited number of images on the web that have the advantage of coming pre-tagged for training purposes as they are accompanied by descriptor texts. Our data is not useful for this.

Steam Support

Originally posted by Privacy Policy:

1. Definitions
…
Valve may share anonymous data, aggregated or not, with third parties.

• The nudity content on Steam will still exist, it is only blurred out. Every child which disable the community content settings will see the real image.
  
  
• Games with gore, violence and sexual content can be bought by everyone on the Steam Store. This games generates the explicit content, that Valve tries to blur out.
  
  
• Content uploaded to the community is often labeled incorrectly. (See example image)
  
  
• Valve did not announced this feature and edited their Privacy Policy after the release.
  
  
• With their response, Valve declared that all content generated by an user is in the most cases “anonymous data” which can be transferred, shared and analyzed by third parties providing a service which Valve uses.
  
  
• The internet has enough free images and also there are special training databases for machine learning. With active use of the image recognition service, Valve supports and pays the most rich companies in the world, instead of using an alternative or programming their own one.
  
  
• The content you upload is also saved for a specific time on third party server.
  Google Cloud Vision Data Usage[cloud.google.com]
  Amazon Rekognition Data Privacy[aws.amazon.com]
  
  
• If the 16 million active users upload only 1 screenshot in a month, then over 192 million images will be scanned in a year only to label a small amount of targeted content.
  If you check out the Google[cloud.google.com] and Amazon[aws.amazon.com] pricing list, then Valve would pay in one month for G. circa 14.100$ and for A. 11.800$.
  This are 310.800$ per year.
  
  
• The missing transparency behind the process, makes it hard to prove what is really shared with third parties and if an identification is not possible.
  If you upload a screenshot to Steam, it will be already saved on Microsoft and Google storage “steamcloud-ugc.storage.googleapis.com”. The new thing is, that Google is now officially allowed to run their AI over a “modified version” of the images.