> Their logic: You have to be friends with the user to receive this packet. Therefore, a "trust relationship" exists.
That logic is acceptable. You could also DM an offline friend a tracking pixel to reconstruct their activity, a lot of this endpoint security is entirely up to the user.
I dunno, the ground condition here is "You're invisible/offline and no one can see your activity" but that turns out to not actually be fully true. Maybe if it said "You're invisible/offline to the public, but mostly invisible to your friends" it'd be more true and set the correct expectations. But of course, that's not how that feature is being sold.
Disagree, that trust relationship implicitly includes an "I can opt out of you seeing my status if I set my status to offline" contract, because that is my expectation of Steam.
True, but a tracking pixel is an active attack that leaves a visible trail. This leak is passive surveillance; I can silently graph the sleep cycles of 200 friends without ever interacting with them. Trust shouldn't imply consent for invisible, automated logging.
Do you really need an LLM to talk on HN? Genuinely, this research seems cool but it's hard to trust your findings when there's clearly AI being used heavily in writing the article and in your comments here.
It's about when your friends were last signed in to their account. From my understanding:
Invisible = Sign in but do not broadcast the games you are playing (though your profile will show that you signed in)
Offline = Stay offline and do not sign in
Incorrect. "Invisible" is a privacy control, not just a UI filter. While the official client freezes the text, the backend still broadcasts live last_logon and last_logoff Unix timestamps in the ClientPersonaState packet. This leaks exact real-time sleep/wake cycles via the socket, completely bypassing the privacy toggle.
Nope, going into standby is the same as logging off, since your client doesn't send keep-alive packets anymore. (Not sure if macOS is an exception, because I think my MBP doesn't go into proper sleep if I keep Steam running)
I got one from work that I don't use much outside of travel and haven't changed in any way past initial setup. It stays connected to WiFi and has been continuously broadcasting various discovery packets for the past month and a half since I last opened it up.
> You could also DM an offline friend a tracking pixel to reconstruct their activity, a lot of this endpoint security is entirely up to the user.
Only for as long as they have the Steam chat window open and your tracking pixel/message is a recent enough message to be actually loaded. I don't use Steam chat enough to remember if they do any of these, but your plan also ignores any possible automatic security/scanning/proxy shenanigans on Steam's part that will muddy your pixel's tracking data or just break it.
> That logic is acceptable.
I completely disagree. I use invisible status all the time on Steam. I very much have an expectation that when set to invisible my friends would not be able to track my online status.