An anonymous blog post is raising fresh concerns about user privacy on Steam, alleging that the client continues to transmit detailed activity data even when users set their status to “Invisible” or “Offline.”
According to the blog, published by an anonymous developer using the name Xmrcat, Steam’s privacy controls only affect what is shown in the user interface, not what is shared behind the scenes. The post claims that while users may appear offline to their friends, Steam’s backend systems continue to broadcast log-on and log-off events in real time.
The report alleges that Steam sends raw Unix timestamps to all connected friends whenever a user’s status changes. While the client categorises the user as “Offline” in friends lists, the underlying data reportedly still reveals when that user last connected or disconnected from the service.
“This is essentially a UI illusion,” the post states, arguing that the backend connection manager continues transmitting activity data regardless of profile visibility or private profile settings. If accurate, this would mean that privacy options do not fully prevent the sharing of behavioural metadata.
Potential for Abuse by Technical Users
The issue is described as largely invisible to the average user. However, individuals with programming experience could allegedly intercept and analyse this data. The blog claims that by monitoring the ClientPersonaState protobuf messages sent by Steam, it is possible to reconstruct patterns such as sleep cycles or gaming habits over extended periods.
Such tracking would not require account access, only a mutual friendship connection. While Steam restricts this data to friends, critics argue that many users accept friend requests from people they do not personally know, especially in multiplayer or trading communities.
Valve Response and Disclosure Outcome
The anonymous author states that the issue was formally reported to Valve through HackerOne, including proof demonstrating how long-term activity patterns could be reconstructed even when a profile remained invisible for weeks.
According to the blog, Valve closed the report as “Informative,” citing that data packets are shared only with users already added as friends and that this assumes a baseline level of trust between both parties.
That rationale, however, has drawn criticism from privacy advocates, who point out that Steam’s social ecosystem often encourages adding unfamiliar users for matchmaking, modding, or item trading purposes.
No Official Statement Yet
As of now, Valve has not publicly addressed the claims or clarified whether the reported behaviour is intentional or subject to change. The company has historically emphasised user privacy controls, but the allegations suggest a gap between what those controls imply and what data is actually transmitted.
If the claims are confirmed, the situation could prompt renewed scrutiny over how much metadata platforms are allowed to share under the guise of “friend-only” visibility—and whether offline modes truly mean offline.
