Warning: *privacy not included with this product

Entertainment Toys & Games Gaming Platforms

Steam Deck

Valve

Wi-Fi Bluetooth

Review date: Nov. 9, 2022

Mozilla researched 8 hours

Mozilla says

People voted: Not creepy

If you're a serious PC gamer, you probably use Steam, the online game store, community, and place to go to find and play over 30,000 games. Owned by Valve, Steam recently launched their handheld console, Steam Deck, to let PC gamers play someone other than their PC. And so far, based on how hard it's been to get a Steam Deck, the latest video game console referred to as a "Nintendo Switch for adults" by one publication, is a success. That's all fine and dandy, but how does Valve's Steam Deck do at privacy? Well, eh, they aren't the worst, we'll give them that.

What could happen if something goes wrong?

Good news! Valve's privacy policy, which covers the Steam Deck and the Steam store, doesn't raise any huge privacy concerns for us. It’s a little vague for our tastes, but we didn’t see any big red flags. We like that they say they don't require users to provide a real name when signing up for a Steam User Account. You will need to provide an email and a user name, and then will be assigned a Steam ID number that will be used to reference your account, rather than something more personally identifiable. This is good. Of course, Valve still says they can collect personal information on you, including any information you provide identifying yourself in posts to chats or message boards, so, as always, be aware of what you share online.

We also like that Valve says they don’t sell data. Yay! They make no explicit mention in their privacy policy if they share data with third parties for targeted advertising purposes. It’s always nice when a privacy policy explicitly states they do or do not share your personal information like that. However, you can bet that Valve knows what games you're playing, when you’re playing, for how long, and the like so they can target you with ads for similar games.

Valve does say they can process anonymous data and they may share anonymous data, aggregated or not, with third parties. This is a fairly common practice and doesn’t worry us too much. However, it is always good to remind people that some anonymous data has been found to be relatively easy to re-identify.

Here’s the bad news about the Steam Deck though. We can’t confirm it meets our Minimum Security Standards because we can’t confirm it uses encryption or if Valve has a way to manage security vulnerabilities. We emailed Valve three times with our privacy and security questions and haven’t heard back from them. There is a lot written out there on the internet about how to set up encryption on the Linux-based SteamOS yourself. However, we don’t think that users should have to go through that to protect their data.

What’s the worst that could happen with your brand new Steam Deck playing all those games online? Well, Steam is an online gaming community and those have been known to be pretty toxic, especially to women, the LGBTQ+ community, and minority gamers. So, be careful what you share on those public chats and message boards. Because while Valve might indicate they are doing a decent job handling your personal information, we’re not so sure every person on Steam will do the same. You don’t need to get doxxed or swatted or whatever the latest form of gaming harassment is because you overshared (or heck, just even shared) while playing Call of Duty.

Tips to protect yourself

Do not sign up with third-party accounts. Better just log in with email and strong password.
Chose a strong password! You may use a password control tool like 1Password, KeePass etc
When starting a sign-up, do not agree to tracking of your data if possible.

mobile

Can it snoop on me?

Camera

Device: No

App: N/A

Microphone

Device: Yes

App: N/A

Tracks location

Device: No

App: N/A

What can be used to sign up?

What data does the company collect?

How does the company use this data?

"Valve does not sell Personal Data. However, we may share or provide access to each of the categories of Personal Data we collect as necessary for the following business purposes.
[...]
Valve collects and processes Personal Data for the following reasons:

a) where it is necessary for the performance of our agreement with you to provide a full-featured gaming service and deliver associated Content and Services;
b) where it is necessary for compliance with legal obligations that we are subject to (e.g. our obligations to keep certain information under tax laws);
c) where it is necessary for the purposes of the legitimate and legal interests of Valve or a third party (e.g. the interests of our other customers), except where such interests are overridden by your prevailing legitimate interests and rights; or
d) where you have given consent to it."

How can you control your data?

Value seems to grant all users the same rights to access and delete data, regarless of where they live. "The data protection laws of the European Economic Area, United Kingdom, California, and other territories grant their residents certain rights in relation to their Personal Data. While other jurisdictions may provide fewer statutory rights, we make the tools designed to exercise such rights available to our customers worldwide."

"To allow you to exercise your data protection rights in a simple way we are providing a dedicated section on the Steam support page (the "Privacy Dashboard"). This gives you access to your Personal Data, allows you to rectify and delete it where necessary and to object to its use where you feel necessary. To access it, log into the Steam support page at http://help.steampowered.com and choose the menu items My Account -> Data Related to Your Steam Account. In most cases, you can access, manage, or delete Personal Data in the Privacy Dashboard, but you may also contact Valve with questions or requests via the contact processes described in sections 8 and 10 below."

What is the company’s known track record of protecting users’ data?

Average

In 2020, CheckPoint found four major vulnerabilities in the popular Valve games networking library. All vulnerabilities were acknowledged and received CVE’s. There were four major vulnerabilities in total.

In 2019, Valve investigated Epic’s use of Steam data after users raised privacy concerns on Reddit.

Child Privacy Information

"The minimum age to create a Steam User Account is 13. Valve will not knowingly collect Personal Data from children under this age. Where certain countries apply a higher age of consent for the collection of Personal Data, Valve requires parental consent before a Steam User Account can be created and Personal Data associated with it collected. Valve encourages parents to instruct their children to never give out personal information when online."

Can this product be used offline?

Yes

An online connection is required to download games and play online multiplayer games. Once downloaded, some games can be played offline.

User-friendly privacy information?

Links to privacy information

Does this product meet our Minimum Security Standards?

Unknown

Encryption

Can’t Determine

Strong password

Yes

Security updates

Yes

Manages vulnerabilities

Can’t Determine

Privacy policy

Yes

Does the product use AI?

Can’t Determine

Is this AI untrustworthy?

Can’t Determine

What kind of decisions does the AI make about you or for you?

Is the company transparent about how the AI works?

Can’t Determine

Does the user have control over the AI features?

Can’t Determine

Dive Deeper

Pressure grows on Valve to unplug Steam gaming platform vulnerabilities
PortSwigger
Standard Privacy Report for Steam
Common Sense
Game over? Vulnerabilities on Valve’s Steam put hundreds of thousands gamers at risk
Check Point
Valve to investigate Epic’s use of Steam data after users raise privacy concerns
MCV/Develop
After 14 years, Steam finally gets some decent privacy settings
Mashable
4 security bugs discovered in games on Valve’s Steam platform
TechRepublic
Steam Pulls Game After Dev Goes On Transphobic Rant Against Keffals
Kotaku