Don't Shake the Valve

No, Valve is NOT Collecting your Browsing History

If you play games on Steam, you’ll likely have fired up a title at some point which uses VAC – Valve Anti-Cheat. From the rather comprehensive Valve support page:

“If a user connects to a VAC-Secured server from a computer with identifiable cheats installed, the VAC system will ban the user from playing on VAC-Secured servers in the future.”

Valve never explain how VAC works, for obvious reasons – cheaters will use said info in an effort to get around the system.

Bans are staggered so the cheaters won’t know exactly what they did, or when they did it, to earn their trip to Bansville; they just won’t be able to play that VAC-enabled game on VAC-enabled servers anymore.

Many PC games use similar systems in their efforts to keep hacks and cheats from polluting their gameworld.

VAC is absolutely zero tolerance when it comes to cheating, and if you get caught then it’s a case of “too bad, so sad and the salty tears bucket can be found over there in the corner”.

A post made to Reddit a few days back claimed that VAC was “reading all the domains you have visited”, and “sends it back [to Valve’s servers] in hashed form”.

As you can imagine, this caused a fair amount of consternation. One problem: none of it seemed to make much sense. For one thing, the original post was altered because it apparently linked to a “hacking site” which could be seen as a bit of a red flag:

“Original thread removed, reposted as self text (eNzyy: Hey, please could you present the information in a self post rather than linking to a hacking site. Thanks)”

Elsewhere, individuals examining the code in question couldn’t spot where any of this data was supposedly being beamed back to base.

The claims quickly spiralled out of control, with posts suggesting that Valve were going to VAC ban anyone for simply having hacking / gaming / cheats sites in their browser history – leading to panic that trolls could insert image files hosted on blacklisted sites into unrelated threads and thus cause VAC to think you’d been visiting dubious forums.

Gabe Newell, the CEO of Valve, actually ended up posting to Reddit himself on the controversy to dispel fears and set everyone straight. Given the typical wall of silence on VAC, this is really quite a surprising thing to see (with any form of Half-Life 3 announcement coming a close second).

Good news: Valve doesn’t care about your web browsing history and they aren’t collecting it.

“There are a number of kernel-level paid cheats that relate to this Reddit thread. Cheat developers have a problem in getting cheaters to actually pay them for all the obvious reasons, so they start creating DRM and anti-cheat code for their cheats. These cheats phone home to a DRM server that confirms that a cheater has actually paid to use the cheat.

VAC checked for the presence of these cheats. If they were detected VAC then checked to see which cheat DRM server was being contacted. This second check was done by looking for a partial match to those (non-web) cheat DRM servers in the DNS cache. If found, then hashes of the matching DNS entries were sent to the VAC servers. The match was double checked on our servers and then that client was marked for a future ban.”

He also adds that Social Engineering might be a more viable method of attack for cheats, instead of getting into a “code arms race” with a system that seems (for the most part) to have them beat. Is this a good time to link back to the tips on keeping your Steam account secure? It sure is.

Finally, the all important Q&A:

1) Do we send your browsing history to Valve? No.

2) Do we care what porn sites you visit? Oh, dear god, no. My brain just melted.

3) Is Valve using its market success to go evil? I don’t think so, but you have to make the call if we are trustworthy. We try really hard to earn and keep your trust.

Finally, he confirms that you will not get banned simply for looking at a cheat site.
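The gated check Newell describes above can be sketched as follows. This is an added example, not Valve's code and not part of the original post. It assumes SHA-256 as the hash and substring matching as the "partial match" (the post names neither), and every hostname in it is constructed.

```python
import hashlib

# Hypothetical watch list of cheat-DRM host fragments (constructed names).
DRM_FRAGMENTS = ["cheatdrm-auth.example", "lic.paidhack.example"]
# Full DRM hostnames known on the server side (constructed names).
KNOWN_DRM_HOSTS = {"eu1.cheatdrm-auth.example", "lic.paidhack.example"}

# Constructed DNS caches: ordinary browsing, and the same plus a DRM lookup.
BROWSING_CACHE = ["www.reddit.com", "forum.cheatsite.example",
                  "store.steampowered.com"]
CHEATER_CACHE = BROWSING_CACHE + ["eu1.cheatdrm-auth.example"]


def h(name):
    """Hash a normalised hostname (SHA-256 is an assumption)."""
    return hashlib.sha256(name.strip().lower().rstrip(".").encode()).hexdigest()


def client_report(cheat_detected, dns_cache):
    """Return the only values that would leave the machine.

    Gate: the DNS cache is not examined unless the cheat itself was found.
    Then only entries partially matching a DRM fragment are hashed.
    """
    if not cheat_detected:
        return []
    matches = [e for e in dns_cache
               if any(f in e.lower() for f in DRM_FRAGMENTS)]
    return sorted({h(e) for e in matches})


def server_confirm(reported):
    """Server-side double check: a report counts only if a hash equals the
    hash of a DRM hostname the server knows in full."""
    known = {h(x) for x in KNOWN_DRM_HOSTS}
    return any(r in known for r in reported)


if __name__ == "__main__":
    print(client_report(False, CHEATER_CACHE))   # gate closed: nothing sent
    print(client_report(True, BROWSING_CACHE))   # cheat forum visit: nothing sent
    print(server_confirm(client_report(True, CHEATER_CACHE)))
```

A cheat forum in the cache produces no report, and a lookalike host that only partially matches is hashed by the client but rejected by the server-side comparison.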

Anti-cheat technology has to be obscure and vaguely terrifying because there is little deterrent to cheats and scammers if they’re not going to be horribly inconvenienced when caught – Steam libraries can be very expensive things, and nobody wants to lose a large financial investment.

By the same token, there are endless examples of broken DRM and policies being rolled back due to furious gamer complaints. Keeping gamers happy can be a tough business, and companies need to walk a fine line between privacy, protecting their investment and making their games enjoyable for all.

On this occasion, at least, it’s a case of “Business as usual and leave the wallhacks at the door”.

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.