Facebook chief executive officer Mark Zuckerberg testified before the United States House of Representatives today and before the Senate yesterday about securing the personal data of the people who use his social network. In their questions, Congress made it clear that it wants Facebook to change its policies or face legal regulation. As this threat looms, Valve Software has announced this week that it is beefing up its security policies on its Steam PC gaming distribution service.
In a blog post yesterday, Valve announced that it is now hiding the contents of your game library by default. You can also hide details about your activity — like how many hours you’ve spent playing adult visual novels (live your truth!). This data had been public, and it was easily accessible by third parties using the official Steam API tool. That’s what powered services like the PC-game ownership-tracking website Steam Spy, which is shutting down due to this change, according to its owner.
By accessing publicly available library data from Steam users, Steam Spy provided a useful insights tool for developers trying to understand player behavior. The website was able to break down its information based on filters like country, and it enabled people to see statistics like how many people were playing a certain game each day. I’ve asked Valve if it will provide Steam Spy with a way to continue or if it has plans to introduce its own alternative to developers. I’ll update this post if Valve provides a response.
Steam Spy provided high-level insights into how people buy and play games on Valve’s service, but it’s possible that someone else could use that exact same information to build targeted advertising profiles for individuals. No one has done that yet, but little was stopping bad actors from doing this in the future. It was likely a matter of time and money before a Cambridge Analytica-like began scraping Steam for more personal data to fill out voter profiles. That’s what happened with Facebook and political research firm Cambridge Analytica, and Valve is now limiting its exposure to a similar risk more than it is worrying about new European regulations.
June 5th: The AI Audit in NYC
Join us next week in NYC to engage with top executive leaders, delving into strategies for auditing AI models to ensure fairness, optimal performance, and ethical compliance across diverse organizations. Secure your attendance for this exclusive invite-only event.
“For a moment, I was thinking that it was related to [the General Data Protection Regulation] laws going live in Europe in May,” Steam Spy founder Sergey Galyonkin said in an interview with Eurogamer. “But if they wanted to be compliant with those laws, they should have hidden all profile information. Right now they have sensitive information exposed by default and only the game libraries are hidden. It doesn’t really make sense.”
By default, your Steam profile will still show identifying info like your real name and your social media accounts to everyone. Instead of hiding that, Valve focused on the data that would prove most useful to big data firms. That may not seem useful to a company like Cambridge Analytica, but the games you own and play can provide context to data scraped from other sites.
Above: Mark Zuckerberg sitting on a thick pad to make him look taller.
“[Valve’s move] does seem like it could be in response to the changing data privacy tides,” corporate attorney Leonard J. French explained to GamesBeat. “And while I’m sorry to hear of Steam Spy shutting down, I’m of the mind that increased privacy options are a good thing, and this particular decision seems appropriate.”
French noted that the timing — with Zuckerberg on Capitol Hill — suggests something more than coincidence, but he also thinks that this was inevitable.
“The panel questioning him did seem to be determining the need for regulation,” said French. “Valve being able to say that it has taken steps will help. However, making an option for private profiles seems pretty obvious even if Zuck weren’t on the booster seat.”
Valve also has no financial reason to continue providing access to this information. It already provides tools for targeting specific subsets of people based on their activity — like what genres they like and how much time they spend in multiplayer online games as opposed to story campaigns. It doesn’t need to sell that data because it makes so much money from direct sales of games and content. It’s also not a publicly traded company. So, unlike Facebook, Valve can cut off everyone — including Steam Spy — without having to worry about losing out on revenues.
So what took so long?
If this move isn’t going to hurt Valve, then why didn’t it do it earlier? The answer to that is probably cultural. It introduced the Steamworks API back in 2008, and it did so to provide more transparency to developers. That expanded over time to reveal new details about how Steam worked, which was part of the company’s mission to give developers and publishers a feeling of ownership over the platform.
Valve built Steam, but it has never wanted to lock anyone out of its data because it was trying to build an “open” platform. The exact nature of that openness has changed, but it has served Valve well as a defense of Steam’s status as a near monopoly in the PC game-sales market.
The company owns Steam and its data, but if it acts like it doesn’t own it, then it doesn’t have take responsibility for protecting it. This is similar to how Valve approaches curation and moderation of what games are available on its store. The company typically lets everything through because anything it blocks has almost no chance of succeeding on PC. Valve doesn’t want to curate and risk drawing attention to its control of the market.
But by acting like it isn’t the keeper of its data, Valve has abdicated its responsibility to secure and protect that information. And as Facebook, Amazon, and Google have built some of the most lucrative businesses in the history of the world by mining “the new oil” of big data, Steam’s privacy policy didn’t make any sense.
At the heart of this issue is that people don’t want their data used against them in ways that they can’t imagine or don’t agree to in some explicit way. Most reasonable people expect that the Steam store will use library and play data to serve up relative ads and promotions. Valve can justify that. But people don’t expect companies to use their Facebook “likes” to build a psychological profile that third-parties can use to design fake news stories that may influence voting behavior.
Again — no evidence suggests anything like that has ever happened with Steam.
I’ve looked and asked around, and as far as I can tell, no third party used Steam data to build individual marketing profiles for consumers outside of Valve’s own tools. But the point is that we often can’t imagine how people will use data until it’s too late, and Valve knows that it is better off closing off access to its database where it can provide explicit allowances on a case-by-case basis. If it didn’t and its data ended up in a Cambridge Analytica-style voter profile, Valve chief executive Gabe Newell could end up testifying in front of Congress next time. And that’s awful because it would take him away from putting the finishing touches on Half-Life 3.
