Recently, a member of the Reddit Counter Strike: Global Offensive Subreddit (which I am a subscriber to) named ‘theonlybond’ created a thread by the name of VAC now reads all the domains you have visited and sends it back to their servers hashed. In this posting, he goes into detail about what kind of suspicious activity was discovered while playing Counter Strike: Global Offensive (CSGO) and exactly what he discovered was going on while playing CSGO on Valve’s Steam service in VAC enabled servers. He decompiled the code and was able to discover, in short, what was going on:
Goes through all your DNS Cache entries (ipconfig /displaydns)
Hashes each one with md5
Reports back to VAC Servers
Once this was discovered a lot of users started asking Valve to explain themselves and why they were watching users’ browsing behavior and if they really enjoyed seeing what gamers ‘fap’ to. Furthermore, it appeared to be a gross overstepping of the users’ privacy that they weren’t even aware of. And since Valve actually maintains a consistent presence on the CSGO Subreddit and is constantly working with CSGO players to improve the game, it came as no surprise that Gabe Newell himself started a new thread titled Valve, VAC and trust on Reddit’s Gaming Subreddit which is currently the #1 posting on the whole Reddit site.
In his posting, he basically explains that they are to a certain degree doing exactly what was discovered, but only as an anti-cheating precaution in order to detect certain hacks/cheats that use DRM. He explains that the developers of these cheats are in fact implementing their own DRM which enables them to verify that the cheat was legally purchased from them, but at the same time makes their own cheat vulnerable to detection. By searching for these cheats’ DRM lookups through the DNS cache they are able to discover which cheats are ‘phoning home’ much like game DRM does today. They only sent the MD5 hashed information only once the cheating servers DRM had been found as contacted in the DNS cache and then sent to Valve for a VAC ban.
Gabe also explained that with this method they were able to discover and ban 570 people, however, the developers of these cheats have already discovered Valve’s method and have found a way around it. As such, Valve has already ceased to employ this method and is already working on new methods in the cat and mouse game of cheating and anti-cheating.
He also wraps up by saying, "Our response is to make it clear what we were actually doing and why with enough transparency that people can make their own judgements as to whether or not we are trustworthy."
Additionally, he posted a fairly hilarious and short FAQ about the whole ordeal.
1) Do we send your browsing history to Valve? No.
2) Do we care what porn sites you visit? Oh, dear god, no. My brain just melted.
3) Is Valve using its market success to go evil? I don’t think so, but you have to make the call if we are trustworthy. We try really hard to earn and keep your trust.