The Steam Overlay: A Tool for Active User Tracking

Posted: 26.04.2022 Edited: 21.04.2025

Steam
The Steam Overlay serves as a tool for active user tracking. Users are vulnerable when using the overlay in Steam. Depending on the in-game mechanics, the system can be exploited for advertising campaigns and data collection. Additionally, the overlay may interfere with active keystroke encryption.



Index

  1. What is the Steam overlay?
  2. Tracking, Analytics, Cookies, and Unprotected Users
  3. Once clicked, you've lost
  4. Transmitted User-Agent and Involved Companies
  5. Conclusion
  6. How to protect yourself from tracking?

What is the Steam overlay?


The Steam Overlay is a feature of Valve Corporation's Steam distribution platform. It is activated in the background of every game, unless specifically disabled, and can be accessed by users with the default shortcut "Shift+TAB." The primary benefit of this feature is that it allows users to view various summaries of their game progress and access the chat function without leaving the game.

But that's about it for the advantages.

For this example the game This War of Mine was chosen, but the same mechanism can be used (or abused) by other developers, such as Paradox Interactive AB or Sega Games Co., Ltd.

The described behavior applies to any product and developer with similar mechanics.

[Image: Steam Overlay] Steam Overlay: supposed advantage or just an annoying mechanic?

The Steam-Overlay is a so-called "Quality-of-Life" function with several shortcuts and statistics.


Tracking, Analytics, Cookies, and Unprotected Users


Unfortunately, some developers exploit the Steam Overlay for their own benefit, using it for data collection and tracking campaigns.

In certain games, users may encounter buttons with advertisements or other links on the main menu or splash screen from time to time. These links might lead to Discord, a Facebook page, or the developer's website, but the destination is not always obvious to players, as the link could lead to anything, including potentially malicious content such as malware, trojans, or other risks. Furthermore, it is common for domains to be taken down, owners to change, or entire websites to be altered without Steam users noticing.

If such a link is clicked, the Steam Overlay opens with an internal browser function that loads the clicked link. In addition to the uncertainty of what will open or where users will be redirected, there is another drawback for users.

Once clicked, you've lost


[Image: Steam Overlay in This War of Mine] The hunt begins. Users are easy prey for third-party providers.

If users have clicked on a link in the game and the Steam overlay opens, they have lost.

The cookie consent dialog (in German) is a joke anyway: nobody adheres to it, and cookies are set without permission.


Once opened, various trackers and third-party services load in the background without users being protected or informed. Ad blockers, which are commonly included in modern web browsers, are absent in the Steam Overlay. For example, Microsoft Edge includes a built-in feature to block intrusive ads (which can also be downloaded from the host's site), Firefox comes with Google SafeSearch, and many security software solutions block tracking and ads by default.


[Image: This War of Mine, spyware and tracking] On this screen, users have already been sold to third parties.

In the example, as is so often the case, the page advertises with pictures of children, but services such as Google Analytics, Google DoubleClick and Hotjar are hidden behind it. Unique identifiers and Steam data are sent as well.

Everything passed through Steam


Transmitted User-Agent and Involved Companies


Users who click on a link in the game are first redirected to a landing page that collects various pieces of information. This includes the origin of the user, namely the Steam client, together with a Unix timestamp and the name and version of the Steam client. In addition, as usual, the user's IP address and, depending on the source of the click, the Steam account may also be transmitted, making it potentially identifiable.
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 10.0; en-US; Valve Steam GameOverlay/1646446125; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
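As an added example (not code from the original post), a small Python helper shows what a landing page can read off that User-Agent string: whether the request came from the in-game overlay browser at all, the embedded Unix timestamp decoded to a date, and the bundled Chromium major version. Site operators can use the same check to recognise overlay traffic in their own logs; the sample string is the one quoted above.

```python
import re
from datetime import datetime, timezone

# Sample input: the User-Agent string quoted in the article above.
OVERLAY_UA = (
    "Mozilla/5.0 (Windows; U; Windows NT 10.0; en-US; Valve Steam GameOverlay/1646446125; ) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36"
)

# The overlay token the Steam client embeds; the number after the slash is a Unix
# timestamp (the Steam client build, as the article describes).
_OVERLAY_RE = re.compile(r"Valve Steam GameOverlay/(\d{9,10})")
# Major version of the embedded Chromium, which tells a site how old the browser engine is.
_CHROME_RE = re.compile(r"Chrome/(\d+)\.")


def parse_overlay_ua(ua: str) -> dict:
    """Return what a landing page learns from a Steam Overlay User-Agent.

    is_overlay:   True when the request came from the in-game browser
    build_time:   the embedded Unix timestamp as an aware UTC datetime, or None
    chrome_major: the embedded Chromium major version, or None
    """
    match = _OVERLAY_RE.search(ua)
    if not match:
        return {"is_overlay": False, "build_time": None, "chrome_major": None}
    build_ts = int(match.group(1))
    chrome = _CHROME_RE.search(ua)
    return {
        "is_overlay": True,
        "build_time": datetime.fromtimestamp(build_ts, tz=timezone.utc),
        "chrome_major": int(chrome.group(1)) if chrome else None,
    }


if __name__ == "__main__":
    print(parse_overlay_ua(OVERLAY_UA))
```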

The third-party providers involved in the screenshot are listed once again below. All of this for a single click on a small in-game button.

Company: Google, LLC
Service: Google Analytics
Description: Real-time tracking, user acquisition and tracking, advertising, user flow, conversions, geotracking tied to AdWords, DoubleClick, AdExchange, affiliate tracking
Cookie/Tracking pixel: set
Requests:
  • https://www.google-analytics.com/analytics.js
  • https://www.google-analytics.com/collect?v=1&_v=j96&a=630033916&t=timing&_s=6&dl=https://pay.google.com/gp/p/ui/payframe&dr=https://js.stripe.com&ul=en-us&de=UTF-8&dt=&sd=32-bit&sr=2560x1440&vp=&je=0&utc=/buyflow/merchant_page/&utv=IS_READY_TO_PAY_CALLED&utt=2339&_u=aEBAAEABAAAAAC~&jid=&gjid=&cid=407914248.1650999420&tid=UA-116858069-1&_gid=1133825008.1650999420&z=974631179
  • https://www.google-analytics.com/j/collect?v=1&_v=j96&a=630033916&t=pageview&_s=1&dl=https://pay.google.com/gp/p/ui/payframe&dr=https://js.stripe.com&dp=/buyflow/merchant_page/pay_frame_requested&ul=en-us&de=UTF-8&dt=&sd=32-bit&sr=2560x1440&vp=&je=0&_u=aEBAAEABAAAAAC~&jid=1334110799&gjid=113994457&cid=407914248.1650999420&tid=UA-116858069-1&_gid=1133825008.1650999420&_r=1&_slc=1&z=716674256

Company: Google, LLC
Service: Google DoubleClick
Description: Cross-platform tracking pixel in interaction with Google Ads, AdWords and Google Analytics
Cookie/Tracking pixel: -
Requests:
  • https://stats.g.doubleclick.net/j/collect?t=dc&aip=1&_r=3&v=1&_v=j96&tid=UA-116858069-1&cid=407914248.1650999420&jid=1334110799&gjid=113994457&_gid=1133825008.1650999420&_u=aEBAAEAAAAAAAC~&z=624852441

Company: Google, LLC
Service: Google Pay
Description: -
Cookie/Tracking pixel: set
Requests:
  • https://pay.google.com/gp/p/js/pay.js
  • https://pay.google.com/gp/p/_/InstantbuyFrontendBuyflowPayframeUi/gen204/?tmambps=-1&rtembps=-1&rttms=-1&ct=undefined
  • https://www.google-analytics.com/collect?v=1&_v=j96&a=630033916&t=timing&_s=12&dl=https://pay.google.com/gp/p/ui/payframe&dr=https://js.stripe.com&ul=en-us&de=UTF-8&dt=&sd=32-bit&sr=2560x1440&vp=&je=0&utc=/buyflow/merchant_page/&utv=IS_READY_TO_PAY_API_true&utt=2361&_u=aEBAAEABAAAAAC~&jid=&gjid=&cid=407914248.1650999420&tid=UA-116858069-1&_gid=1133825008.1650999420&z=843623096
  • https://pay.google.com/gp/p/ui/payframe?origin=https://js.stripe.com&mid=

Company: Google, LLC
Service: Google Play
Description: Logging
Cookie/Tracking pixel: set
Requests:
  • https://play.google.com/log?format=json&hasfast=true&authuser=0
  • https://play.google.com/log?format=json&hasfast=true

Company: Hotjar / Content Square
Service: Hotjar
Description: Heatmaps, visualize clicks and taps, funnel analytics, popups
Cookie/Tracking pixel: -
Requests:
  • https://static.hotjar.com/c/hotjar-2392508.js?sv=6
  • https://script.hotjar.com/modules.0076bf93c385ddf0ff58.js
  • https://vars.hotjar.com/box-4924254a9ce4dc9b959b6e4a9b662d60.html
  • https://vc.hotjar.io/sessions/2392508?s=0.25&r=0.24732673982931774

Company: Stripe, Inc.
Service: Stripe
Description: Unique identifier, timestamps, referral and event tracking. Online payment service; delivers economic infrastructure for the internet.
Cookie/Tracking pixel: set
Requests:
  • https://js.stripe.com/v3/
  • https://js.stripe.com/v3/controller-b612a716aafed4e28815ea629e5881d3.html
  • https://js.stripe.com/v3/payment-request-inner-google-pay-6b6c419551739db168e5652dc565c7a3.html
  • https://js.stripe.com/v3/fingerprinted/js/controller-1521243df0a7b7c081f91f1c63dcc8bf.js
  • https://js.stripe.com/v3/fingerprinted/js/payment-request-inner-google-pay-fc381c64f8a4e017ee78b0a9e5a1f215.js
  • https://r.stripe.com/0
  • https://m.stripe.network/inner.html
  • https://m.stripe.network/out-4.5.42.js
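Added example, not part of the article: a Python script that classifies captured request URLs by the trackers in the table above, pulls out the identifiers they carry (the Analytics client id "cid", the "_gid" session id, the property id "tid" and the referrer "dr"), and then reports which values reached more than one service, which is what makes the cross-service linking possible. The sample requests are constructed, trimmed copies of URLs from the table plus one hypothetical first-party page.

```python
from urllib.parse import urlsplit, parse_qs

# Host suffix -> (company, service), taken from the table above.
TRACKER_HOSTS = {
    "google-analytics.com": ("Google, LLC", "Google Analytics"),
    "stats.g.doubleclick.net": ("Google, LLC", "Google DoubleClick"),
    "pay.google.com": ("Google, LLC", "Google Pay"),
    "play.google.com": ("Google, LLC", "Google Play"),
    "hotjar.com": ("Hotjar / Content Square", "Hotjar"),
    "hotjar.io": ("Hotjar / Content Square", "Hotjar"),
    "stripe.com": ("Stripe, Inc.", "Stripe"),
    "stripe.network": ("Stripe, Inc.", "Stripe"),
}
# Query parameters that identify the visitor (cid, _gid), the site (tid) or the referrer (dr).
ID_PARAMS = ("cid", "_gid", "tid", "dr")
# Constructed sample: trimmed copies of requests from the table, plus one non-tracker URL.
SAMPLE_REQUESTS = [
    "https://www.google-analytics.com/analytics.js",
    "https://www.google-analytics.com/j/collect?v=1&t=pageview&dr=https://js.stripe.com"
    "&cid=407914248.1650999420&tid=UA-116858069-1&_gid=1133825008.1650999420",
    "https://stats.g.doubleclick.net/j/collect?t=dc&aip=1&tid=UA-116858069-1&cid=407914248.1650999420",
    "https://vc.hotjar.io/sessions/2392508?s=0.25&r=0.247",
    "https://m.stripe.network/inner.html",
    "https://game-landing.invalid/promo",  # hypothetical first-party page, not a tracker
]

def classify(url):
    """Map a request URL to (company, service), or None if the host is not a known tracker."""
    host = urlsplit(url).hostname or ""
    for suffix, who in TRACKER_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return who
    return None

def summarize(urls):
    """Count requests per tracker and collect the identifier values each one received."""
    report = {}
    for url in urls:
        who = classify(url)
        if who is None:
            continue
        entry = report.setdefault(who, {"requests": 0, "identifiers": {}})
        entry["requests"] += 1
        query = parse_qs(urlsplit(url).query)
        for param in ID_PARAMS:
            if param in query:
                entry["identifiers"].setdefault(param, set()).add(query[param][0])
    return report

def shared_identifiers(report):
    """Identifier values that reached more than one tracker: the links between the services."""
    seen = {}
    for who, entry in report.items():
        for param, values in entry["identifiers"].items():
            for value in values:
                seen.setdefault((param, value), set()).add(who)
    return {key: owners for key, owners in seen.items() if len(owners) > 1}
```

Running `summarize(SAMPLE_REQUESTS)` on a real capture (for example a HAR export of the overlay session) shows the same client id arriving at Analytics and DoubleClick, which is the cross-platform pixel the table describes.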

Conclusion


When following a link from a game, whether out of curiosity or by accident, users can never be certain about what will be reloaded or where they will be redirected. Ad-blockers and other protective mechanisms are absent in Valve's Steam browser, and many developers exploit the system for data mining, linking their games to advertising campaigns, affiliate programs, and other commercial activities.

Users are often enticed with offers (such as in-game items or participation incentives) and then redirected to external websites via the Steam Overlay, where they become vulnerable to tracking and advertising mechanisms.

In the worst case, malware awaits you at the end...

This procedure has been criticized multiple times on Steam, but Valve Corporation has ignored the criticism, sabotaged my threads, closed tickets without providing responses, and ultimately banned me for raising these concerns.

Lastly, a note on keystroke encryption: There are several security programs that offer such features. It is advisable to use them, even if this means they may not be compatible with the Steam Overlay.

How to protect yourself from tracking?


It's easy. Just don't use it.
  1. Open Steam
  2. Menubar top left click "Steam" > "Settings" > "Ingame"
  3. Deactivate "Enable the Steam Overlay while in-game"
[Image: Steam settings, disable Steam Overlay] More security with just a few clicks.

To protect yourself, your data and your privacy, it is recommended to disable the Steam Overlay.

