Valve Says Its Anti-cheat System Doesn't Spy on Users

Valve Software bossman Gabe Newell recently jumped on Reddit to dispel rumors that the company is spying on Steam users through its anti-cheat system (VAC). A Counter-Strike: Global Offensive thread claims that Valve recently changed the way VAC works, allowing it to read all domains that the player visits and then send that information back to Valve's servers.

"We don't usually talk about VAC (our counter-hacking hacks), because it creates more opportunities for cheaters to attack the system (through writing code or social engineering)," Newell writes. "This time is going to be an exception."

Newell explains that cheat developers create DRM and anti-cheat code for their kernel-level cheats because they have a hard time getting money from players. These DRM-laced cheats "phone home" to a DRM server that confirms whether the player has indeed purchased the cheat. VAC checks for the presence of these cheats.

"If they were detected VAC then checked to see which cheat DRM server was being contacted," Newell writes. "This second check was done by looking for a partial match to those (non-web) cheat DRM servers in the DNS cache. If found, then hashes of the matching DNS entries were sent to the VAC servers. The match was double checked on our servers and then that client was marked for a future ban. Less than a tenth of one percent of clients triggered the second check. 570 cheaters are being banned as a result."
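The second check Newell describes can be sketched as follows. This is an added example, not Valve's code: the SHA-256 hash, the substring matching rule, and every hostname are assumptions constructed for illustration. It shows that only hashes of matching entries leave the client, and why the server-side double check is needed to discard partial-match false positives.

```python
import hashlib

# Constructed watchlist fragments; the article does not name the real cheat DRM servers.
WATCHLIST_FRAGMENTS = ("cheat-drm.example",)

# Constructed DNS cache contents for one client.
SAMPLE_CACHE = [
    "www.reddit.com",
    "store.steampowered.com",
    "auth.cheat-drm.example",     # exact cheat DRM host (hypothetical)
    "notcheat-drm.example.org",   # unrelated host that happens to partially match
]

# Constructed server-side list of exact hostnames known to be cheat DRM servers.
KNOWN_DRM_HOSTS = ["auth.cheat-drm.example"]


def normalize(hostname: str) -> str:
    """Lower-case the name and drop surrounding whitespace and the trailing root dot."""
    return hostname.strip().rstrip(".").lower()


def entry_hash(hostname: str) -> str:
    """Hash one DNS entry. SHA-256 is an assumption; the article only says 'hashes'."""
    return hashlib.sha256(normalize(hostname).encode("utf-8")).hexdigest()


def client_second_check(dns_cache, fragments=WATCHLIST_FRAGMENTS):
    """Client side: report hashes of entries that partially match the watchlist.

    Entries that do not match are neither hashed nor reported.
    """
    return [
        entry_hash(host)
        for host in dns_cache
        if any(fragment in normalize(host) for fragment in fragments)
    ]


def server_double_check(report, known_hosts=KNOWN_DRM_HOSTS):
    """Server side: keep only reported hashes that equal the hash of a known host."""
    known = {entry_hash(host) for host in known_hosts}
    return [digest for digest in report if digest in known]


if __name__ == "__main__":
    report = client_second_check(SAMPLE_CACHE)
    print("hashes sent to server:", len(report))
    print("confirmed after double check:", len(server_double_check(report)))
```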

He says that the whole cheat vs trust scenario is much like a cat and mouse game. The specific cheat and anti-cheat solution that brought on the recent spying rumor was effective for 13 days. VAC's solution is no longer active because the cheat providers have found a way around it: manipulating the DNS cache on the customers' client machines.

"Kernel-level cheats are expensive to create, and they are expensive to detect. Our goal is to make them more expensive for cheaters and cheat creators than the economic benefits they can reasonably expect to gain," Newell writes.

He says that VAC is "a scary-looking piece of software" because it is trying to be obscure and sneaky, and it goes after code that is trying to attack it. Thus, one way for cheat makers to get around this scary software and generate revenue is to jump on social sites and create a cloud of distrust. That means Reddit users will likely see more comments about the VAC system.

Newell goes on to state that Valve does not collect a user's browser history, Valve does not care about what porn sites the user visits, and Valve is not using the success of Steam to go evil. "You have to make the call if we are trustworthy. We try really hard to earn and keep your trust," Newell concludes.