Seems like a reasonable report to me. Offline mode intentionally hides you from friends in the UI, so you would assume it would keep you hidden.
I have a number of friends who, for various social reasons, keep their Steam status as "Offline" so their friends don't know they're still logging in. If "Offline" can be bypassed, it ruins the point.
> Setting yourself to "Offline" is basically a UI illusion.
I always assume this is such in every case. Every "I'm offline" or "hide me" or "don't save this" or "delete this forever!" UI element is a facade until proven otherwise. "Temporary" chats with LLMs are also permanent and are likely eventually public via massive data leak in future year 20XX.
People should always consider the "abusive friend" scenario with regards to privacy.
Even marriages can be extremely abusive...
The assumption that people on your friends lists, Steam or anywhere (even just people in the same household) should be able to see your personal information, such as computer use, is a bananas assumption. It is an assumption that I'm pleased to say has failed privacy reviews at at least one company larger than Steam.
I think it's a quite small demographic that have abusive friends on Steam that they can't simply unfriend for whatever reason, and it's not a reasonable expectation on Steam to design for that case. It'd be like a pencil company trying to prevent people from writing hurtful messages.
People should also remember that scaling means very small percentages are still very big numbers. 0.01% of active Steam users is still several thousand people. Which may seem small but it is probably 10x more people than you're friends with and more than every person you know. We get so used to seeing big numbers that we think they're small.
> Their logic: You have to be friends with the user to receive this packet. Therefore, a "trust relationship" exists.
That logic is acceptable. You could also DM an offline friend a tracking pixel to reconstruct their activity, a lot of this endpoint security is entirely up to the user.
I dunno, the ground condition here is "You're invisible/offline and no one can see your activity" but that turns out to not actually be fully true. Maybe if it said "You're invisible/offline to the public, but mostly invisible to your friends" it'd be more true and setting the correct expectations. But of course, that's not how that feature is being sold.
Disagree, that trust relationship implicitly includes an "I can opt out of you seeing my status if I set my status to offline" contract, because that is my expectation of Steam.
True, but a tracking pixel is an active attack that leaves a visible trail. This leak is passive surveillance; I can silently graph the sleep cycles of 200 friends without ever interacting with them. Trust shouldn't imply consent for invisible, automated logging.
> You could also DM an offline friend a tracking pixel to reconstruct their activity, a lot of this endpoint security is entirely up to the user.
Only for as long as they have the Steam chat window open and your tracking pixel/message is a recent enough message to be actually loaded. I don't use Steam chat enough to remember if they do any of these, but your plan also ignores any possible automatic security/scanning/proxy shenanigans on Steam's part that will muddy your pixel's tracking data or just break it.
> That logic is acceptable.
I completely disagree. I use invisible status all the time on Steam. I very much have an expectation that when set to invisible my friends would not be able to track my online status.
I'm not saying any tracking is great, but a couple of things here. I can't remember when, if ever, I logged out of Steam, and this is just shared with friends, right? Not sure if this is a nothing burger or not.
In this context, 'Logoff' triggers whenever the socket disconnects. So every time you shut down your PC or put it to sleep, that timestamp is updated and broadcast, even if you never explicitly clicked 'Sign Out'.
The first thing I have to point out is that this entire article is clearly LLM-generated from start to finish.
The second thing I have to point out is that bug bounty programs are inundated with garbage from people who don't know anything about programming and just blindly trust whatever the LLM says. We even have the 'author' reproducing this blind reinforcement in the article: "Tested Jan 2026. Confirmed working."
The third thing I have to point out is that the response from Valve is not actually shown. We, the reader, are treated to an LLM-generated paraphrasal of something they may or may not have actually said.
Is it possible this issue is real and that Valve responded the way they did? Perhaps, but the article alone leaves me extremely skeptical based on past experiences with LLM-generated bug bounty reports.
Spending months dealing with folks attempting to blackmail us over ridiculous non-issues has pretty much killed any sympathy I had for bug bounty hunters.
I see a lot of these "this is LLM" comments; but they rarely add value, sidetrack the discussion, and appear to come into direct conflict with several of HN's comment guidelines (at least my reading).
I think raising that the raw Valve response wasn't provided is a valid, and correct, point to raise.
The problem is that that valid point is surrounded by what seems to be a character attack, based on little evidence, and that seemingly mirrors many of these "LLM witch-hunt" comments.
Should HN's guidelines be updated to directly call out this stuff as unconstructive? Pointing out the quality/facts of an article is one thing, calling out suspected tool usage without even evidence is quite another.
Stop worrying about whether articles are written by LLM or not and judge them by their content or provenance to sources that you can justifiably trust. If you weren't doing that before LLMs then you were getting fooled by humans writing incompetent or deceptive articles too. People have good reasons for using LLMs to write for them. If they wrote it themselves, it might cause you to judge them as being a teenager, uneducated, foreign, or whatever other unreliable proxies you use for trust.
OsrsNeedsf2P|1 month ago
accrual|1 month ago
AlexandrB|1 month ago
All I can think of is Megaman.
duxup|1 month ago
Krede|1 month ago
Yes, if the target gets on their PC every day after they wake up.
iLoveOncall|1 month ago
explodes|1 month ago
snowmobile|1 month ago
godelski|1 month ago
HeliumHydride|1 month ago
xmrcat|1 month ago
Proofread0592|1 month ago
Another example: if the user turns off "Turn on when Windows starts up" or whatever equivalent, this would also be a non-issue.
bigyabai|1 month ago
embedding-shape|1 month ago
pityJuke|1 month ago
xmrcat|1 month ago
Spunkie|1 month ago
viraptor|1 month ago
breakingcups|1 month ago
ycombinatrix|1 month ago
e.g. FB Messenger & WhatsApp have their own web scraping infrastructure to provide server side link previews & thereby mitigate tracking links.
Not sure if Steam does the same currently.
causalscience|1 month ago
xmrcat|1 month ago
throwerxyz|1 month ago
If this is an issue to your friends on a gaming platform, you may want to relax more.
tabarnacle|1 month ago
winterbloom|1 month ago
BoredPositron|1 month ago
uberman|1 month ago
xmrcat|1 month ago
anonymous908213|1 month ago
metanonsense|1 month ago
Someone1234|1 month ago
gruez|1 month ago
Is your LLM detector on a hair trigger? At best the headings seem like LLM, but the rest doesn't look LLM generated.
foxglacier|1 month ago
Your point about Valve's response is valid though.
xmrcat|1 month ago
zwb2324550|1 month ago
[deleted]
lifetimerubyist|1 month ago
spartanatreyu|1 month ago
cptroot|1 month ago
cluckindan|1 month ago
liviux|1 month ago