Dealing with players that abuse steam family sharing

For quite some time now it has been spread that you can basically evade any server/gac/whatever ban by just family sharing garry’s mod to a newly created alt of yours, thus rendering any banning system useless.

I have been asking myself on how to deal with that for a while now.
Should anyone that is detected using this system (you can detect family sharing very easily) just be banned? What if family sharing is used legitimately?

Would love to get some input.

A simple solution might be to write a unique key to the user’s data folder just before they’re banned. You could store the key in a database and request the file contents whenever a user joins. If it exists, send it to the server and run it against a list of all unique ban IDs. If there’s a match, ban them.

[editline]15th March 2014[/editline]

Pdata might actually be a better idea since it isn’t stored in a txt file and the user would have to view their local SQLite database to find the key.

You check if they steam family share with a simple steam web api call. You can even see who they are sharing from to check whether that account is banned in any way.

The question isn’t how to detect them, the question is what we should them once we detect them.

I’d suggest some sort of watchlist system but that sounds too obvious. Plus that would still require some manual input. Personally, I think they should be banned only because it’s like saying “it was my bother who hacked” or whatever lame excuse is used. Their family member ruined it for them and therefore they should not be allowed.

I say family member but obviously people aren’t just letting family members us the “family share” option.

Would be nice to get some more access to the steam api.

Im sure there was an addon that could check for you, im sure its somewhere on the releases forum here

[del][/del] - didn’t read the part about the what to do - posted below.


This thread would be in dev discussion if I needed help detecting them.

Oh, sorry, I would just do what that script does: just kick them if their parent SteamID is banned

But what if they are using family sharing in a legitimate way (i.e. share a game with your brother from the same steam machine or smth)

I would treat it as a “your account, your fault” since they’re sharing the same game without paying the price for a second copy.

You could try giving them a second chance if you’re really worried about blocking legitimate players, but if they get banned a second time I would definitely assume they’re just using family sharing as a way of avoiding bans.

Kick them on join, with an explanation.
That way they can’t evade with family sharing but if they choose to turn it off they can join.

Go from there

Two options: ply:ReadMind() or ply:GetSocialSecurityNumber().
With the former you can identify whether the player has used family sharing with the intent to evade bans.
With the latter you can check if it’s the same person you banned before. Use it as an identification rather than steam id.

You want to identify the difference between whether someone is using family sharing with one intention or the other. That simply cannot be calculated. You can only have the computer guess and accept that mistakes will be made.
Have an example:

For every ban store the ip. Ban anyone using family sharing with a banned steam id.
Alternative: ban anyone using family sharing where the family shared steam id is banned.
The ban will * probably* be appropriate, but what if the player was steam sharing with their sibling or parent? Is it right to say a ban is linked to an account/ip and not necessarily the person using it?

Consider this rare, but possible use case:
Harry is a super minge prop killing everyone in sight in every server. After years of doing that he gets bored of gmod. Since he only has gmod, he gives the account to his little brother Larry by giving him the username and password. When Larry tries to play online he finds he’s banned from many servers.

Is it right to assume same account = same person? You have to make that assumption when banning on steam id. Is it right to assume the same thing with a family shared account? It might be, but there may also be serious objections.

Ask yourself this: how disastrous are the consequences if an innocent player gets banned from a server because the steam family sharing parent account is banned?
I usually say punishing the innocent by script is capital sin (E.g. Prop kill detection, anti cheat ban while allowcslua=1,etc.)but I must admit that this is an interesting use case.

Yes, but even though someone legitimately sharing from a banned account is probably a really rare case, I still want them to give the ability to play. (Since they did nothing wrong, they use family sharing as valve tells them to do) Otherwise that would be pretty bad in a an ethical way. “Hey you did nothing wrong, but we ban you anyway with no chance for an unban”
So I guess they’ll have to send us a video of themselves, with their brother/whatever showing that they legitimately share or some other form of “internet-proof”.

Whose responsibility is it to provide evidence and why? Should the player prove their innocence or should the server prove the accusation?

It depends what your server offers.

If in the sense it offers some form of return for playing (currency for points shop) then you could simply reduce or restrict the ability to gain such items.
If we’re talking ye olde DarkRP server then you could very well be SOL unless you don’t mind constricting actual ‘gameplay’ features from them. I agree with your sentiment though that it isn’t really fair to ban someone else on a completely separate account just because a sibling was an idiot.

But then again I see the other side of the argument as well :v:

As you have stated in your post, the server can’t prove the accusation since it can’t read minds.
So the only way to be sure is letting the client prove his innocence.

It’s still a bad solution but it’s the best one can do for such a rare case.

I found its easier to ban the person sharing automatically. Its better to assume its the same person and be corrected later than to have the same scumbag coming back every half hour.