Steam users have accused Valve of scanning their Internet history with their anti-cheat software. Valve CEO Gabe Newell denied this today and stated that they have no interest in tracking your porn habits.
The controversy stems from kernel-level cheats. These cheats cost money and have DRM to ensure that the cheaters are actually paying for them. They transmit to a DRM server to confirm that the player paid for the cheat. VAC was monitoring the communication between the cheater's machine and the DRM server.
"[Valve Anti-Cheat] checked for the presence of these cheats," Newell said on Reddit. "If they were detected VAC then checked to see which cheat DRM server was being contacted. This second check was done by looking for a partial match to those (non-web) cheat DRM servers in the DNS cache. If found, then hashes of the matching DNS entries were sent to the VAC servers. The match was double checked on our servers and then that client was marked for a future ban."
Newell added that this VAC test was limited in scope with less than a tenth of one percent of clients triggering the DNS check. There were 570 cheaters banned due to this test. The method was only used by Valve for 13 days because cheaters now manipulate the DNS cache of their customers' computers.
He characterized the anti-cheat process as a cat-and-mouse game. Hackers find new ways to exploit the system while Valve tries to stop them. Some cheat developers also resort to fear-mongering in order to make gamers distrust VAC. Reddit posts that claim Valve is reading every domain you visit is one example of this "social engineering."
These conspiracy theories about VAC can be an easy sell because, in Newell's words, it's "inherently a scary looking software." There's a degree of secrecy surrounding the software. The more information Valve releases about VAC, the easier it is for cheaters to bypass it.
As a result, Valve typically doesn't discuss details of VAC. However, they felt that this situation required an exception. The company wants gamers to know what they were doing to stop these cheaters and why so that they can make informed judgments about VAC.
"Do we send your browsing history to Valve? No. Do we care what porn sites you visit? Oh, dear god, no. My brain just melted. Is Valve using its market success to go evil? I don't think so, but you have to make the call if we are trustworthy. We try really hard to earn and keep your trust."
This won't end the debate over VAC. Cheats are always changing so Valve will have to think of new methods to combat them. Eventually another one of these methods will rub someone the wrong way and the cycle of outrage/debate/defense will start all over again. As far as this specific case goes, though, I'm pleased Valve decided to be transparent.