Like most online game makers, Valve uses a cheat detection system to protect popular multiplayer games like Counter-Strike: Global Offensive, Team Fortress 2, and Dota 2 from hacks that would give a player an unfair advantage. That Valve Anti-Cheat (VAC) system was at the center of a potential privacy bombshell earlier today, with accusations that the system was sending Valve a list of all the domains that a system has visited whenever a protected game was played.

The claim rose to popularity thanks to a Reddit post that included an image originating from a cheating/hacking forum, purportedly showing a partial decompilation of the offending VAC module. However, while the initial evidence suggested that VAC is doing something with users' DNS history, it wasn't clear from the decompiled code provided that it is, in fact, transmitting the information back to Valve. Valve CEO Gabe Newell has subsequently and categorically denied that the module transmits any private information back to the company.

Windows operates a DNS cache to accelerate the translation from domain names into IP addresses. Windows users can see the domains stored within the cache, both at the command line (ipconfig /displaydns) and within the GUI. The partial decompilation of VAC shows that the module is using undocumented Windows functions to enumerate all the cached entries. In turn, each entry is converted to lower case and then hashed using MD5.

Contrary to the original claims, though, the module doesn't immediately appear to actually send the information to Valve. Each MD5 hash is compared to a bunch of other values (the image of the decompilation doesn't include the actual values it's being compared to), and if any of these comparisons are successful, the hash is stored; otherwise, it's discarded. What happens to these stored values is also not shown in the code provided.
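The check described in the two paragraphs above can be sketched as follows. This is an added illustration, not VAC's code or the decompiled module. It assumes the cache is read by parsing English-locale `ipconfig /displaydns` text instead of the undocumented functions VAC uses, and every domain, address and watchlist entry in it is constructed.

```python
import hashlib
import re

# Constructed, abridged sample of `ipconfig /displaydns` output (English locale).
SAMPLE_CACHE = """\
Windows IP Configuration

    Store.Example.com
    ----------------------------------------
    Record Name . . . . . : Store.Example.com
    Record Type . . . . . : 1
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.10

    LICENSE.cheat-drm.example
    ----------------------------------------
    Record Name . . . . . : LICENSE.cheat-drm.example
    Record Type . . . . . : 1
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.66
"""

RECORD_NAME = re.compile(r"^[ \t]*Record Name[ .]*:[ \t]*(\S+)[ \t]*$", re.MULTILINE)

def cached_names(text):
    """Return the distinct record names found in the cache dump."""
    return sorted({m.group(1) for m in RECORD_NAME.finditer(text)})

def md5_lower(name):
    """Lower-case the name, then hash it with MD5, as the article describes."""
    return hashlib.md5(name.lower().encode("utf-8")).hexdigest()

# Hypothetical watchlist. A shipped module would carry only the hex digests;
# the digest is computed here so the constructed sample produces one match.
WATCHLIST = {md5_lower("license.cheat-drm.example")}

def check_cache(text, watchlist):
    """Keep the hashes that match the watchlist; everything else is discarded."""
    kept = []
    for name in cached_names(text):
        digest = md5_lower(name)
        if digest in watchlist:
            kept.append(digest)
    return kept

if __name__ == "__main__":
    print(check_cache(SAMPLE_CACHE, WATCHLIST))
```

Only the digest of the watchlisted name survives the loop; the other cached name is hashed, fails the comparison and is dropped.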

In spite of the lack of clarity or convincing evidence of the true nature of this VAC check, Reddit immediately blew up with speculation earlier today, with some suggesting that the entire set of hashes is sent to Valve, others suggesting that instead the module is doing a client-side check. Many seemed willing to assume the worst; some posters said that the company had "pulled an [Electronic Arts]," alluding to EA's poor reputation among many gamers.

In light of the controversy, Valve's CEO Gabe Newell stepped in this evening with a Reddit response to put people's minds at ease. The nature of anti-cheating systems makes open public discussion of systems like VAC something of a rarity; in an arms race against the cheaters, obfuscation and secrecy remain important weapons. Nonetheless, Newell was remarkably straightforward in explaining why VAC is so interested in the system DNS cache.

According to Newell, cheat software has its own DRM systems so that the developers can ensure that people pay for their cheats. If the VAC module detects certain cheats, it then checks to see if the system has performed lookups for the relevant cheat DRM servers. If it has, then (and only then) is the data sent to Valve so a ban can be issued. The module doesn't disclose the contents of the DNS cache, and Valve has no interest, in general, in which domains gamers' systems have looked up.

With this explanation, it's likely that the fuss will blow over soon enough. Still, today's brouhaha shows the vulnerable position Valve is in. Due to the techniques used by the cheat developers, it's common for anti-cheat software to use some fairly underhanded techniques itself; VAC, for example, uses obfuscated code and undocumented API functions to go about its business. Anyone wanting to cast Valve in a bad light, or even simply raise suspicion about (otherwise desirable) anti-cheat software, need only make this same kind of partial, incomplete disclosure, and fear mongering will do the rest.