The Steam overlay is a means to an end for active user tracking
Pengin, posted: 26.04.2022, edited: 26.04.2022
Index
- What is the Steam overlay?
- Tracking, Analytics, Cookies and unprotected users
- Once clicked, you've lost
- Transmitted user-agent and involved companies
- Conclusion
- How to protect yourself from tracking?
What is the Steam overlay?
The Steam overlay is a feature within Valve Corporation's Steam distribution platform. The overlay runs in the background of every game unless it is specifically disabled, and users can open it with the default shortcut "Shift+TAB". The supposed advantage of this mechanic for users is that they can see various summaries of their game progress via the overlay and access the chat without switching out of the game.
But that's about it for the advantages.
For the example the
The supposed advantage or annoying mechanic?
Steam-Overlay with shortlink functions taking advantage of comfort.
Tracking, Analytics, Cookies and unprotected users
Unfortunately, there are some developers who exploit the overlay for their own benefit and use it for data farming and their tracking campaigns.
In some games, users will find buttons with advertisements or other links and hints in the main menu or on the splash screen every now and then. Whether this is a link to Discord, a Facebook page or the developer's website is not obvious to players, because anything can be hidden behind a link, including malware, trojans and other dangers. Above all, it often happens that domains are shut down or that owners and entire contents change without Steam users noticing anything.
If such a link is then clicked, the Steam overlay opens its internal browser with the link the user clicked. Apart from the fact that you cannot guess what will open or where you will be redirected, there is another disadvantage for users.
Once clicked, you've lost
The hunt begins. Users are easy prey for third-party providers
If users have clicked on a link in the game and the Steam overlay opens, they have lost.
The cookie consent (German) is a joke anyway: no one adheres to it, and cookies are set without permission.
Once opened, various trackers and third-party services load in the background, without users being protected, let alone informed. The ad blockers that normally come as part of a common browser are non-existent here. As examples: Microsoft Edge has a built-in function to block abusive ads (one can also be downloaded from the host's site), Firefox comes with Google SafeSearch, and so on; even good security software blocks such content and ads by default.
On this screen, users have already been sold to third parties
In the example, as is so often the case, the offer is advertised with children, but services such as Google Analytics, Google DoubleClick and Hotjar are hidden here. Unique identifiers and Steam data are sent as well.
Everything passed through Steam
Transmitted user-agent and involved companies
Users who clicked on the link in-game were first redirected to a landing page, and that request delivers several pieces of information. Where did they come from? Namely from the Steam client, which, in addition to its name and version, is linked to a Unix timestamp. In addition, as always, their own IP address is sent, and also their Steam account (depending on which site they came from), which is clearly identifiable.
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 10.0; en-US; Valve Steam GameOverlay/1646446125; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
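To show what this header gives away, here is an added example (not from the original post) that detects the Steam overlay marker in a user-agent string, converts the number after "GameOverlay/" to a UTC date the way the post reads it as a Unix timestamp, and scans constructed web-server log lines for overlay-origin requests. The log lines, the plain-Chrome user-agent and the IP addresses are constructed placeholders.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# The overlay user-agent quoted in the post, plus a constructed ordinary Chrome one for contrast.
OVERLAY_UA = ("Mozilla/5.0 (Windows; U; Windows NT 10.0; en-US; "
              "Valve Steam GameOverlay/1646446125; ) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36")
PLAIN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36")

OVERLAY_RE = re.compile(r"Valve Steam GameOverlay/(\d+)")
CHROME_RE = re.compile(r"Chrome/(\d+)\.")

def parse_overlay_ua(ua: str) -> Optional[dict]:
    """Return overlay details if the UA comes from the Steam overlay browser, else None."""
    m = OVERLAY_RE.search(ua)
    if not m:
        return None
    token = int(m.group(1))
    chrome = CHROME_RE.search(ua)
    return {
        # The post reads the number after GameOverlay/ as a Unix timestamp.
        "overlay_token": token,
        "token_as_utc": datetime.fromtimestamp(token, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        # The embedded Chromium major version shows how old the overlay's engine is.
        "chrome_major": int(chrome.group(1)) if chrome else None,
    }

# Constructed log lines in Apache combined format (IPs and paths are placeholders).
LOG_LINES = [
    f'203.0.113.7 - - [26/Apr/2022:19:37:00 +0000] "GET /landing HTTP/1.1" 200 512 "-" "{OVERLAY_UA}"',
    f'203.0.113.8 - - [26/Apr/2022:19:38:10 +0000] "GET /landing HTTP/1.1" 200 512 "-" "{PLAIN_UA}"',
]

def overlay_hits(lines):
    """Return (client_ip, overlay details) for every log line whose UA is the Steam overlay."""
    hits = []
    for line in lines:
        ip = line.split(" ", 1)[0]
        # The user-agent is the last double-quoted field of a combined-format line.
        ua = line.rsplit('"', 2)[1]
        details = parse_overlay_ua(ua)
        if details:
            hits.append((ip, details))
    return hits
```

Run against real access logs, this is the same check a site operator (or a privacy auditor) can use to see how much an overlay visitor reveals before any script has loaded.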
The third-party providers involved, as seen on the screenshot, listed once again. Everything for free, for a single click on a little in-game button.
Company | Service | Description | Cookie/Trackingpixel
--- | --- | --- | ---
Google, LLC | Google Analytics | Realtime tracking, user acquisition and tracking, advertising, user flow, conversions, geotracking tied with AdWords, DoubleClick, AdExchange, affiliate tracking | set
Google, LLC | Google DoubleClick | Cross-platform tracking pixel in interaction with Google Ads, AdWords and Google Analytics |
Google, LLC | Google Pay | | set
Google, LLC | Google Play | Logging | set
Hotjar / Content Square | Hotjar | Heatmaps, visualize clicks & taps, funnel analytics, popups |
Stripe, Inc. | Stripe | Unique identifier, timestamps, referral & event tracking. Online payment service; delivers economic infrastructure for the internet. | set

Requests observed per service:

Google Analytics
- https://www.google-analytics.com/analytics.js
- https://www.google-analytics.com/collect?v=1&_v=j96&a=630033916&t=timing&_s=6&dl=https://pay.google.com/gp/p/ui/payframe&dr=https://js.stripe.com&ul=en-us&de=UTF-8&dt=&sd=32-bit&sr=2560x1440&vp=&je=0&utc=/buyflow/merchant_page/&utv=IS_READY_TO_PAY_CALLED&utt=2339&_u=aEBAAEABAAAAAC~&jid=&gjid=&cid=407914248.1650999420&tid=UA-116858069-1&_gid=1133825008.1650999420&z=974631179
- https://www.google-analytics.com/j/collect?v=1&_v=j96&a=630033916&t=pageview&_s=1&dl=https://pay.google.com/gp/p/ui/payframe&dr=https://js.stripe.com&dp=/buyflow/merchant_page/pay_frame_requested&ul=en-us&de=UTF-8&dt=&sd=32-bit&sr=2560x1440&vp=&je=0&_u=aEBAAEABAAAAAC~&jid=1334110799&gjid=113994457&cid=407914248.1650999420&tid=UA-116858069-1&_gid=1133825008.1650999420&_r=1&_slc=1&z=716674256

Google DoubleClick
- https://stats.g.doubleclick.net/j/collect?t=dc&aip=1&_r=3&v=1&_v=j96&tid=UA-116858069-1&cid=407914248.1650999420&jid=1334110799&gjid=113994457&_gid=1133825008.1650999420&_u=aEBAAEAAAAAAAC~&z=624852441

Google Pay
- https://pay.google.com/gp/p/js/pay.js
- https://pay.google.com/gp/p/_/InstantbuyFrontendBuyflowPayframeUi/gen204/?tmambps=-1&rtembps=-1&rttms=-1&ct=undefined
- https://www.google-analytics.com/collect?v=1&_v=j96&a=630033916&t=timing&_s=12&dl=https://pay.google.com/gp/p/ui/payframe&dr=https://js.stripe.com&ul=en-us&de=UTF-8&dt=&sd=32-bit&sr=2560x1440&vp=&je=0&utc=/buyflow/merchant_page/&utv=IS_READY_TO_PAY_API_true&utt=2361&_u=aEBAAEABAAAAAC~&jid=&gjid=&cid=407914248.1650999420&tid=UA-116858069-1&_gid=1133825008.1650999420&z=843623096
- https://pay.google.com/gp/p/ui/payframe?origin=https://js.stripe.com&mid=

Google Play
- https://play.google.com/log?format=json&hasfast=true&authuser=0
- https://play.google.com/log?format=json&hasfast=true

Hotjar
- https://static.hotjar.com/c/hotjar-2392508.js?sv=6
- https://script.hotjar.com/modules.0076bf93c385ddf0ff58.js
- https://vars.hotjar.com/box-4924254a9ce4dc9b959b6e4a9b662d60.html
- https://vc.hotjar.io/sessions/2392508?s=0.25&r=0.24732673982931774

Stripe
- https://js.stripe.com/v3/
- https://js.stripe.com/v3/controller-b612a716aafed4e28815ea629e5881d3.html
- https://js.stripe.com/v3/payment-request-inner-google-pay-6b6c419551739db168e5652dc565c7a3.html
- https://js.stripe.com/v3/fingerprinted/js/controller-1521243df0a7b7c081f91f1c63dcc8bf.js
- https://js.stripe.com/v3/fingerprinted/js/payment-request-inner-google-pay-fc381c64f8a4e017ee78b0a9e5a1f215.js
- https://r.stripe.com/0
- https://m.stripe.network/inner.html
- https://m.stripe.network/out-4.5.42.js
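The tracking URLs in the table carry the same visitor identifiers to more than one Google host. The following added example (not from the original post) takes the Google Analytics, DoubleClick and one Hotjar request from the table, extracts the identifying query parameters, reports which identifier values reached several hosts, and decodes the Unix-time half of the GA client id; the parameter names checked are an assumption based on what appears in those URLs.

```python
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Request URLs copied from the table above (two Google Analytics hits, one DoubleClick, one Hotjar).
REQUESTS = [
    "https://www.google-analytics.com/collect?v=1&_v=j96&a=630033916&t=timing&_s=6&dl=https://pay.google.com/gp/p/ui/payframe&dr=https://js.stripe.com&ul=en-us&de=UTF-8&dt=&sd=32-bit&sr=2560x1440&vp=&je=0&utc=/buyflow/merchant_page/&utv=IS_READY_TO_PAY_CALLED&utt=2339&_u=aEBAAEABAAAAAC~&jid=&gjid=&cid=407914248.1650999420&tid=UA-116858069-1&_gid=1133825008.1650999420&z=974631179",
    "https://www.google-analytics.com/j/collect?v=1&_v=j96&a=630033916&t=pageview&_s=1&dl=https://pay.google.com/gp/p/ui/payframe&dr=https://js.stripe.com&dp=/buyflow/merchant_page/pay_frame_requested&ul=en-us&de=UTF-8&dt=&sd=32-bit&sr=2560x1440&vp=&je=0&_u=aEBAAEABAAAAAC~&jid=1334110799&gjid=113994457&cid=407914248.1650999420&tid=UA-116858069-1&_gid=1133825008.1650999420&_r=1&_slc=1&z=716674256",
    "https://stats.g.doubleclick.net/j/collect?t=dc&aip=1&_r=3&v=1&_v=j96&tid=UA-116858069-1&cid=407914248.1650999420&jid=1334110799&gjid=113994457&_gid=1133825008.1650999420&_u=aEBAAEAAAAAAAC~&z=624852441",
    "https://vc.hotjar.io/sessions/2392508?s=0.25&r=0.24732673982931774",
]

# Query parameters that identify the visitor (cid, _gid, jid) or the property (tid) across hits.
ID_PARAMS = ("cid", "_gid", "tid", "jid")

def hit_identifiers(url):
    """Return (host, {param: value}) for the identifying parameters present in one hit."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)          # blank values such as 'jid=' are dropped
    found = {k: query[k][0] for k in ID_PARAMS if k in query}
    return parts.netloc, found

def shared_identifiers(urls):
    """Map each (param, value) pair to the set of hosts that received it, keeping only pairs seen by more than one host."""
    seen = defaultdict(set)
    for url in urls:
        host, ids = hit_identifiers(url)
        for name, value in ids.items():
            seen[(name, value)].add(host)
    # A value that reached several hosts lets those services correlate the same visitor.
    return {k: hosts for k, hosts in seen.items() if len(hosts) > 1}

def cid_first_seen(cid):
    """The GA client id is '<random>.<unix time>'; return its second part as a UTC timestamp string."""
    _, ts = cid.split(".", 1)
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def screen_profile(url):
    """Screen resolution and colour depth sent with a GA hit, part of the fingerprinting surface."""
    q = parse_qs(urlsplit(url).query)
    return q.get("sr", [None])[0], q.get("sd", [None])[0]
```

The decoded cid timestamp falls on the day the post was written, which is what you would expect for a client id minted on first contact with the landing page.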
Conclusion
If you follow a link from a game out of curiosity or by accident, you can never be sure what will be loaded, nor where the journey will take you. Ad blockers or other protection mechanisms are non-existent in Valve's Steam browser, and there are many developers in the wild who exploit the system for data mining, linking their games with advertising campaigns, affiliate mechanics, advertising and more.
Users are often lured with offers (for example in-game items or, like here, participating in something) and then redirected to external sites with the help of the Steam overlay, where they are at the mercy of tracking and advertising mechanisms.
In the worst case, malware awaits you at the end...
The procedure has already been criticized by me several times on Steam, but Valve Corporation ignores any criticism and has sabotaged my threads, closed tickets without an answer and, last but not least, banned me because I became inconvenient.
One word on keystroke encryption: there are several security programs out there that have such functions. Use them, even if this means they are not compatible with the Steam overlay, for example.
How to protect yourself from tracking?
It's easy. Just don't use it.
- Open Steam
- In the menu bar at the top left, click "Steam" > "Settings" > "Ingame"
- Deactivate "Enable the Steam Overlay while in-game"
More security with just a few clicks
To protect yourself, your data and your privacy it's recommended to disable the Steam-Overlay