An anonymous report alleges that Steam's Offline and Invisible modes do not actually hide login activity from friends: login and logout timestamps are still pushed in real time to everyone on a user's friends list, which raises questions about what Steam's privacy controls guarantee and about Valve's response.
A new report from an anonymous blog, Xmrcat, claims that Steam's "Offline" and "Invisible" status settings are effectively a user interface illusion. According to the analysis, the Steam client continues to broadcast raw login and logout timestamps to all friends on your list, regardless of your chosen privacy setting.
{{IMAGE:1}}
The core of the issue lies in the Steam Connection Manager (CM). When a user changes their status, the client sends a ClientPersonaState protobuf message to the backend. This message contains a Unix timestamp indicating the exact time of the status change. The report states this data is sent to every friend on the user's list, even if the user has set their profile to "Offline" or "Invisible."
The visible difference for friends is that the user appears in the "Offline" section of the friends list in the Steam client. The underlying data stream, however, is unchanged. Because every friend's client receives the payload, a friend does not need to intercept anyone else's traffic: logging the persona-state messages their own client receives (with a modified client or a third-party implementation of the protocol) would be enough to reconstruct a target's daily activity patterns, including sleep cycles and gaming habits, even if the target has been "invisible" for weeks.
This behavior bypasses other privacy settings, such as a "Private Profile," because the data is transmitted at the connection manager level, not the profile visibility layer. The information is not displayed in the Steam UI, but it is available in the data stream sent to friends.
Valve's response to the report, as shared by the anonymous author, was to close the HackerOne ticket as "Informative." The company's rationale, according to the report, is that the packets are only sent to users already on a friend's list, implying a pre-existing relationship of trust.
This assumption, however, may not reflect common Steam usage. Many users add acquaintances, online teammates, or strangers they meet in games to their friends list without a deep personal trust. For these users, the ability for anyone on their friends list to track their real-time activity—despite using privacy controls—represents a significant privacy concern.
The technical mechanism involves the Steam client maintaining a persistent session with Valve's Connection Manager servers and exchanging protobuf-encoded messages over it; this real-time session protocol is distinct from the HTTP-based Steamworks Web API. The ClientPersonaState message, which carries user status updates, is a fundamental part of that protocol. While the data is intended for friend list synchronization, its persistence in the stream when a user is "Offline" creates the privacy gap described in the report.
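To make concrete what the paragraphs above describe about the ClientPersonaState message and its timestamps, here is an added example; it is not code from the report, from Valve, or from any Steam client. It decodes constructed persona-state payloads with a minimal protobuf wire-format reader (no dependency on the real message definitions) and rebuilds a friend's session timeline from the timestamps alone. Everything not on the page is an assumption: the Friend sub-message field numbers (friendid=1, persona_state=2, last_logoff=45, last_logon=46) follow the community-maintained .proto definitions as I recall them, and the SteamID, timestamps and payloads are constructed for the example.

```python
"""Added example (not code from the report, Valve or any Steam client): rebuild a
friend's logon/logoff timeline from CMsgClientPersonaState-style protobuf payloads
whose persona_state field says Offline. ASSUMPTION: Friend field numbers follow the
community .proto definitions as I recall them (friendid=1, persona_state=2,
last_logoff=45, last_logon=46); every payload below is constructed, not captured."""
import struct
from datetime import datetime, timezone

def _enc_varint(n):
    out = bytearray()
    while True:                       # base-128 varint, low 7 bits first
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def _dec_varint(buf, pos):
    result = shift = 0
    while True:                       # returns (value, position after it)
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def encode_fields(fields):
    """Serialize (field_no, wire_type, value); wire types 0 varint, 1 fixed64, 2 bytes."""
    out = bytearray()
    for no, wt, val in fields:
        out += _enc_varint((no << 3) | wt)
        if wt == 0:
            out += _enc_varint(val)
        elif wt == 1:
            out += struct.pack("<Q", val)
        elif wt == 2:
            out += _enc_varint(len(val)) + val
        else:
            raise ValueError(f"unsupported wire type {wt}")
    return bytes(out)

def decode_fields(buf):
    """Yield (field_no, wire_type, value) for each field; unknown fields pass through."""
    pos = 0
    while pos < len(buf):
        tag, pos = _dec_varint(buf, pos)
        no, wt = tag >> 3, tag & 7
        if wt == 0:
            val, pos = _dec_varint(buf, pos)
        elif wt == 1:
            val, pos = struct.unpack_from("<Q", buf, pos)[0], pos + 8
        elif wt == 2:
            ln, pos = _dec_varint(buf, pos)
            val, pos = buf[pos:pos + ln], pos + ln
        else:
            raise ValueError(f"unsupported wire type {wt}")
        yield no, wt, val

F_FRIENDS = 2            # repeated Friend inside CMsgClientPersonaState (assumed)
FRIEND_FIELDS = {1: "steamid", 2: "persona_state", 45: "last_logoff", 46: "last_logon"}
PERSONA_OFFLINE = 0

def parse_persona_state(payload):
    """One dict per Friend sub-message, keeping only the leak-relevant fields."""
    return [{FRIEND_FIELDS[n]: v for n, _, v in decode_fields(val) if n in FRIEND_FIELDS}
            for no, wt, val in decode_fields(payload) if no == F_FRIENDS and wt == 2]

def build_timeline(payloads, steamid):
    """Distinct (logon, logoff) sessions for one friend across every received
    message, plus whether that friend ever appeared as anything but Offline."""
    sessions, always_offline = set(), True
    for f in (f for p in payloads for f in parse_persona_state(p)):
        if f.get("steamid") != steamid:
            continue
        if f.get("persona_state", PERSONA_OFFLINE) != PERSONA_OFFLINE:
            always_offline = False
        on, off = f.get("last_logon"), f.get("last_logoff")
        if on is not None and off is not None and off >= on:
            sessions.add((on, off))
    return sorted(sessions), always_offline

def active_hours(sessions):
    """24-bucket histogram of UTC hours touched by any session (sleep/gaming pattern)."""
    hist = [0] * 24
    for start, end in sessions:
        t = start - start % 3600
        while t < end:
            hist[datetime.fromtimestamp(t, timezone.utc).hour] += 1
            t += 3600
    return hist

TARGET = 76561198000000001  # constructed SteamID64, not a real account

def constructed_update(logon, logoff):
    """Persona-state message as a friend's client would receive it: Offline, plus timestamps."""
    friend = encode_fields([(1, 1, TARGET), (2, 0, PERSONA_OFFLINE),
                            (45, 0, logoff), (46, 0, logon)])
    return encode_fields([(1, 0, 0), (F_FRIENDS, 2, friend)])   # field 1: status_flags

# Constructed observations: evenings of 2024-01-01 and 2024-01-02 (UTC); the second
# update is delivered twice, as repeated pushes would be, and is deduplicated.
SAMPLE_PAYLOADS = [constructed_update(1704139200, 1704151800),
                   constructed_update(1704229200, 1704236400),
                   constructed_update(1704229200, 1704236400)]
```

Running `build_timeline(SAMPLE_PAYLOADS, TARGET)` returns the two sessions together with `always_offline == True`: every message rendered the target as Offline, and the timeline was recovered from the timestamp fields alone. The practical check a reviewer would want is exactly this diff between what the UI renders (persona_state) and what the parsed message carries (last_logon, last_logoff); whether Valve's servers populate those fields for offline and invisible friends is the report's claim, which the constructed payloads assume rather than prove.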
For the average user, this may not be a pressing issue. However, for users who value precise control over their online presence—such as those who wish to game without being disturbed, or those with security concerns—this behavior undermines the stated purpose of the offline and invisible modes. It suggests that Steam's privacy controls are more about UI presentation than actual data flow restriction.
The report highlights a common tension in platform design: balancing real-time social features with user privacy. Steam's social graph is a core part of its platform, enabling features like friend activity and game invites. However, the implementation detail that status changes are broadcast to all friends, regardless of the user's chosen visibility, may not be transparent to the average user.
Users concerned about this behavior have limited recourse. The only way to prevent the data transmission is to not have friends on Steam or to use a different client. The report does not indicate whether this behavior is present in third-party Steam clients or the Steam Deck's interface.
This issue is separate from Steam's broader privacy settings, which control profile visibility, game details, and inventory. Those settings operate at a higher level and do not affect the low-level connection manager data stream.
The report serves as a reminder that "offline" modes in many online services are often a client-side presentation layer, not a guarantee of complete data silence. For Steam, a platform built on persistent social connections, the distinction between appearing offline and being truly disconnected from the network may be more nuanced than the UI suggests.