Two days ago, a Reddit user posted lines of code from Valve Anti-Cheat (VAC), the software Steam uses to curb online cheating, accusing it of scanning users' internet browsing history and sending it back to Valve. Other users were quick to point out that the accusations were unfounded, but the discussion got serious enough for Gabe Newell to make an official statement.
"We don't usually talk about VAC (our counter-hacking hacks), because it creates more opportunities for cheaters to attack the system (through writing code or social engineering)," Newell writes. "This time is going to be an exception."
He goes on to explain that a number of paid cheats verify that cheaters have paid for them by "phoning home" and confirming the purchase with a DRM server. "VAC checked for the presence of these cheats," Newell says. "If they were detected VAC then checked to see which cheat DRM server was being contacted. This second check was done by looking for a partial match to those (non-web) cheat DRM servers in the DNS cache."
Less than a tenth of one percent of clients triggered the second check, and 570 cheaters were banned as a result, Newell explains. This particular anti-cheat protection method is also no longer active, as cheat providers have already found a way around it.
According to Newell, the very accusation that Valve is tracking users' browsing history is a type of social engineering that benefits cheat creators. "VAC is inherently a scary looking piece of software, because it is trying to be obscure, it is going after code that is trying to attack it, and it is sneaky," he says. "For most cheat developers, social engineering might be a cheaper way to attack the system than continuing the code arms race, which means that there will be more Reddit posts trying to cast VAC in a sinister light."
Newell ends his statement by clarifying that VAC does not in any way send your browsing history to Valve. "Do we care what porn sites you visit? Oh, dear god, no. My brain just melted."