"Nearly 2 million people protected their privacy by deleting their DNA from 23andMe after it declared bankruptcy in March," writes a Washington Post technology columnist.

"Now it's back with the same person in charge — and I still don't trust it." As of this week, genetic data from the more than 10 million remaining 23andMe customers has been formally sold to an organization called TTAM Research Institute for $305 million. That nonprofit is run by the person who co-founded and ran 23andMe, Anne Wojcicki. In a recent email to customers, the new 23andMe said it "will be operating with the same employees and privacy protocols that have protected your data." Never mind that Wojcicki and her privacy protocols are what put your DNA at risk in the first place...

The company is legally obligated to maintain and honor 23andMe's existing privacy policies, user consents and data protection measures. And as part of a settlement with states, TTAM also agreed to provide annual privacy reports to state regulators and set up a privacy board. But it hasn't agreed to take the fundamental step of asking for permission to acquire existing customers' genetic information. And it's leaving the door open to selling people's genes to the highest bidder again in the future...

Existing 23andMe customers have the right to delete their data or opt out of TTAM's research. But the new company is not asking for opt-in permission before it takes ownership of customers' DNA... Why does that matter? Because people who handed over the DNA 15 years ago, often to learn about their genetic ancestry, never imagined it might be used in this way now. Asking for new permission might significantly shrink the size (and value) of 23andMe's DNA database — but it would be the right thing to do given the rocky history. Neil M. Richards [the Washington University professor who served as privacy ombudsman for the bankruptcy court], pointed out that about a third of 23andMe customers haven't logged in for at least three years, so they may have no idea what is going on. Some 23andMe users never even clicked "agree" on a legal agreement that allowed their data to be sold like this; the word "bankruptcy" wasn't added to the company's privacy policy until 2022. And then there is an unknown number of deceased users who most certainly can't consent, but whose DNA still has an impact on their living genetic relatives...

[S]everal states have argued that their existing genetic privacy laws don't allow 23andMe to receive the information without getting permission from every single person. Virginia has an ongoing lawsuit over the issue, and the California attorney general's office told me it "will continue to fight to protect and vindicate the rights" of consumers....
Two more points of concern:

• "There is nothing in 23andMe's bankruptcy agreement or privacy statement to prevent TTAM from selling or transferring DNA to some other organization in the future."

• The article also notes a 2023 data breach affecting 6.9 million users, arguing "They haven't shown they can keep your data safe... 23andMe's financial struggles could make it hard to run a robust cybersecurity program."

Google has filed a lawsuit to dismantle the sprawling Badbox 2.0 botnet, which infected over 10 million Android devices with pre-installed malware. Badbox 2.0 "is already the largest known botnet of internet-connected TV devices, and it grows each day. It has harmed millions of victims in the United States and around the world and threatens many more," Google said in its complaint. SecurityWeek reports: The internet giant cautions that, while it has been used mainly for fraud, the botnet could be used for more harmful types of cybercrime, such as ransomware or distributed denial-of-service (DDoS) attacks. In addition to pre-installing the malware on devices, Badbox 2.0's operators also tricked users into installing infected applications that provided them with further access to their personal devices, Google says. As part of their operation, the individuals behind Badbox 2.0 sold access to the infected devices to be used as residential proxies, and conducted ad fraud schemes by abusing these devices to create fake ad views or to exploit pay-per-click compensation models, the company continues. The internet giant also points out that this is the second global botnet the perpetrators have built, after the initial Badbox botnet was disrupted by German law enforcement in 2023.

According to Google, Badbox 2.0 is operated by multiple cybercrime groups from China, each having a different role in maintaining the botnet, such as establishing infrastructure, developing and pre-installing the malware on devices, and conducting fraud. "The BadBox 2.0 Enterprise includes several connected threat actor groups that design and implement complex criminal schemes targeting internet-connected devices both before and after the consumer receives the device," Google says. "While each member of the Enterprise plays a distinct role, they all collaborate to execute the BadBox 2.0 Scheme. All of the threat actor groups are connected to one another through the BadBox 2.0 shared C2 infrastructure and historical and current business ties," the company continues.

Christine Hunsicker, founder of the failed "Clothing-as-a-Service" startup CaaStle, has been criminally charged with defrauding investors of over $300 million by falsifying financials and misrepresenting the company's health. CNBC reports: Authorities said Christine Hunsicker, 48, of Lafayette, New Jersey, promoted CaaStle to investors as a more than $1.4 billion "Clothing-as-a-Service" business that helped companies rent apparel to consumers with an option to buy, despite knowing it was financially distressed and short of cash. The alleged fraud spanned six years starting in 2019, three years after the Princeton University alumna was named one of Inc magazine's "Most Impressive Women Entrepreneurs" and Crain's New York Business' "40 Under 40."

Hunsicker was charged in a six-count indictment with wire fraud, securities fraud, money laundering, making false statements to a bank and aggravated identity theft. She turned herself in to authorities, and could face decades in prison if convicted. The Securities and Exchange Commission filed a related civil lawsuit. In a joint statement, Hunsicker's lawyers Michael Levy and Anna Skotko said the indictment presented "an incomplete and very distorted picture," despite their client being "fully cooperative and transparent" with prosecutors. "There is much more to this story, and we look forward to telling it," the lawyers added.

Authorities said Hunsicker falsified CaaStle's financial statements and bank records to raise capital. This included alleged representations that CaaStle earned $66.3 million on revenue of $439.9 million in 2023, when it actually lost $81 million on revenue of $15.7 million. Hunsicker was also accused of falsely telling investors their money would go toward buying discounted shares from existing shareholders who needed liquidity, including after the 2022 collapse of the FTX cryptocurrency exchange. Prosecutors said Hunsicker fraudulently raised more than $275 million for CaaStle and $30 million for a related venture, P180.

Apple has filed a lawsuit against YouTuber Jon Prosser and Michael Ramacciotti for misappropriation of trade secrets related to iOS 26 leaks published earlier this year. The complaint alleges Prosser and Ramacciotti conspired to access a development iPhone belonging to Apple employee Ethan Lipnik, acquiring his passcode and using location-tracking to determine when he "would be gone for an extended period."

Apple claims Ramacciotti accessed Lipnik's device and made a FaceTime call to Prosser showing iOS 26 features, which Prosser recorded and used to create rendered mockups for his January, March, and April videos. Lipnik's employment was terminated, and Apple seeks an injunction against further disclosure plus damages.

Russian lawmakers passed sweeping new legislation allowing authorities to fine individuals simply for searching and accessing content labeled "extremist" via VPNs. The Washington Post reports: Russia defines "extremist materials" as content officially added by a court to a government-maintained registry, a running list of about 5,500 entries, or content produced by "extremist organizations" ranging from "the LGBT movement" to al-Qaeda. The new law also covers materials that promote alleged Nazi ideology or incite extremist actions. Until now, Russian law stopped short of punishing individuals for seeking information online; only creating or sharing such content is prohibited. The new amendments follow remarks by high-ranking officials that censorship is justified in wartime. Adoption of the measures would mark a significant tightening of Russia's already restrictive digital laws.

The fine for searching for banned content in Russia would be about a $65, while the penalty for advertising circumvention tools such as VPN services would be steeper -- $2,500 for individuals and up to $12,800 for companies. Previously, the most significant expansion of Russia's restrictions on internet use and freedom of speech occurred shortly after the February 2022 full-scale invasion of Ukraine, when sweeping laws criminalized the spread of "fake news" and "discrediting" the Russian military. The new amendment was introduced Tuesday and attached to a mundane bill on regulating freight companies, according to documents published by Russia's lower house of parliament, the State Duma.

An anonymous reader quotes a report from NBC News: Mark Zuckerberg and current and former directors and officers of Meta Platforms agreed on Thursday to settle claims seeking $8 billion for the damage they allegedly caused the company by allowing repeated violations of Facebook users' privacy, a lawyer for the shareholders told a Delaware judge on Thursday. The parties did not disclose details of the settlement and defense lawyers did not address the judge, Kathaleen McCormick of the Delaware Court of Chancery. McCormick adjourned the trial just as it was to enter its second day and she congratulated the parties. The plaintiffs' lawyer, Sam Closic, said the agreement just came together quickly.

Billionaire venture capitalist Marc Andreessen, who is a defendant in the trial and a Meta director, was scheduled to testify on Thursday. Shareholders of Meta sued Zuckerberg, Andreessen and other former company officials including former Chief Operating Officer Sheryl Sandberg in hopes of holding them liable for billions of dollars in fines and legal costs the company paid in recent years. The Federal Trade Commission fined Facebook $5 billion in 2019 after finding that it failed to comply with a 2012 agreement with the regulator to protect users' data. The shareholders wanted the 11 defendants to use their personal wealth to reimburse the company. The defendants denied the allegations, which they called "extreme claims." "This settlement may bring relief to the parties involved, but it's a missed opportunity for public accountability," said Jason Kint, the head of Digital Content Next, a trade group for content providers.

"Facebook has successfully remade the 'Cambridge Analytica' scandal about a few bad actors rather than an unraveling of its entire business model of surveillance capitalism and the reciprocal, unbridled sharing of personal data. That reckoning is now left unresolved."

A California federal judge has ruled that three authors suing Anthropic for copyright infringement can represent writers nationwide whose books the AI startup allegedly pirated to train its Claude chatbot.

U.S. District Judge William Alsup said the authors can bring a class action on behalf of all U.S. writers whose works Anthropic allegedly downloaded from pirate libraries LibGen and PiLiMi to create a repository of millions of books in 2021 and 2022.

Alsup said Anthropic may have illegally downloaded as many as 7 million books from the pirate websites, which could make it liable for billions of dollars in damages if the authors' case succeeds.

The UK secretly relocated thousands of Afghans to the UK after their personal details were disclosed in one of the country's worst ever data breaches, putting them at risk of Taliban retaliation. The operation cost around $2.7 billion and remained under a court-imposed superinjunction until recently lifted. Reuters reports: The leak by the Ministry of Defence in early 2022, which led to data being published on Facebook the following year, and the secret relocation program, were subject to a so-called superinjunction preventing the media reporting what happened, which was lifted on Tuesday by a court. British defence minister John Healey apologised for the leak, which included details about members of parliament and senior military officers who supported applications to help Afghan soldiers who worked with the British military and their families relocate to the UK. "This serious data incident should never have happened," Healey told lawmakers in the House of Commons. It may have occurred three years ago under the previous government, but to all whose data was compromised I offer a sincere apology."

The incident ranks among the worst security breaches in modern British history because of the cost and risk posed to the lives of thousands of Afghans, some of whom fought alongside British forces until their chaotic withdrawal in 2021. Healey said about 4,500 Afghans and their family members have been relocated or were on their way to Britain under the previously secret scheme. But he added that no-one else from Afghanistan would be offered asylum because of the data leak, citing a government review which found little evidence of intent from the Taliban to seek retribution against former officials.

Reddit has begun verifying users' ages in the UK to restrict access to "certain mature content" for minors, complying with the UK's Online Safety Act. The BBC reports: Reddit, known for its online communities and discussions, said that while it does not want to know who its audience is: "It would be helpful for our safety efforts to be able to confirm whether you are a child or an adult." Ofcom, the UK regulator, said: "We expect other companies to follow suit, or face enforcement if they fail to act." Reddit said that from 14 July, an outside firm called Persona will perform age verification for the social media platform either through an uploaded selfie or "a photo of your government ID," such as a passport. It said Reddit will not have access to the photo and will only retain a user's verification status and date of birth so people do not have to re-enter it each time they try to access restricted content. Reddit added that Persona "promises not to retain the picture for longer than seven days" and will not have access to a user's data on the site. The new rules in the UK come into force on 25 July. [...]

Companies that fail to meet the rules face fines of up to 18 million pounds or 10% of worldwide revenue, "whichever is greater." [Ofcom] added that in the most serious cases, it can seek a court order for "business disruption measures," such as requiring payment providers or advertisers to withdraw their services from a platform, or requiring Internet Service Providers to block access to a site in the UK."

An anonymous reader quotes a report from TorrentFreak: Internet service providers BT, Virgin Media, Sky, TalkTalk, EE, and Plusnet account for the majority of the UK's residential internet market and as a result, blocking injunctions previously obtained at the High Court often list these companies as respondents. These so-called "no fault' injunctions stopped being adversarial a long time ago; ISPs indicate in advance they won't contest a blocking order against various pirate sites, and typically that's good enough for the Court to issue an order with which they subsequently comply. For more than 15 years, this has led to blocking being carried out as close to users as possible, with ISPs' individual blocking measures doing the heavy lifting. A new wave of blocking targeting around 200 pirate site domains came into force yesterday but with the unexpected involvement of a significant new player.

In the latest wave of blocking that seems to have come into force yesterday, close to 200 pirate domains requested by the Motion Picture Association were added to one of the longest pirate site blocking lists in the world. The big change is the unexpected involvement of Cloudflare, which for some users attempting to access the domains added yesterday, displays the [Error 451 -- Unavailable for Legal Reasons] notice ... As stated in the notice, Error 451 is returned when a domain is blocked for legal reasons, in this case reasons specific to the UK. [...] In this case there's no indication of who requested the blocking order, or the authority that issued it. However, from experience we know that the request was made by the studios of the Motion Picture Association and for the same reason the High Court in London was the issuing authority. [...] The issue lies with dynamic injunctions; while a list of domains will appear in the original order (which may or may not be made available), when the MPA concludes that other domains that appear subsequently are linked to the same order, those can be blocked too, but the details are only rarely made public.

From information obtained independently, one candidate is an original order obtained in December 2022 which requested blocking of domains with well known pirate brands including 123movies, fmovies, soap2day, hurawatch, sflix, and onionplay. This leads directly to another unusual issue. The notice linked from Cloudflare doesn't directly concern Cloudflare. The studios sent the notice to Google after Google agreed to voluntarily remove those domains from its search indexes, if it was provided with a copy of relevant court orders. Notices like these were supplied and the domains were deindexed, and the practice has continued ever since. That raises questions about the nature of Cloudflare's involvement here and why it links to the order sent to Google; notices sent to Cloudflare are usually submitted to Lumen by Cloudflare itself. That doesn't appear to be the case here. "Domains blocked by Sky, BPI and others, don't appear to be affected," notes TorrentFreak. "All relate to sites targeted by the MPA, and the majority if not all trigger malware warnings of a very serious kind, either immediately upon visiting the sites, or shortly after."

"At least in the short term, if Cloudflare is blocking a domain in the UK, moving on is strongly advised."

At an Amazon warehouse that employs 3,700 people, hundreds of workers recently lost their job, reports the New York Times.

"They are among thousands of foreign workers across the country who have been swept up in a quiet purge, pushed out of jobs in places where their labor was in high demand and at times won high praise." While raids to nab workers in the country without legal permission in fields and Home Depot parking lots have grabbed attention, the job dismissals at the Amazon warehouse are part of the Trump administration's effort to thin the ranks of immigrants who had legal authorization to work... Such dismissals are happening at many of Amazon's more than 1,000 facilities around the country, including in Massachusetts and the warehouse in Staten Island that fills orders for millions of New Yorkers. At one fulfillment center in Florida, hundreds were let go, a person familiar with the site said... "We're supporting employees impacted by the government's recent changes in immigration policy," Richard Rocha, an Amazon spokesperson, said in a statement. The company has pointed workers to various resources, including outside free or low-cost legal services...

The dismissals came with remarkable speed. On May 30, the Supreme Court granted temporary approval for the Trump administration to revoke a program known as "humanitarian parole," which had allowed more than 500,000 migrants feeling political turmoil in Cuba, Haiti, Nicaragua and Venezuela to quickly get work permits if they had a fiscal sponsor... On June 12, the Department of Homeland Security said it had begun notifying enrollees that the program was ending, saying the immigrants had been poorly vetted and undercut American workers...

On June 22, Amazon told managers around the country in an email, which was obtained by The New York Times, that it had "received the first list from D.H.S. identifying impacted Amazon employees" from the parole program, as well as "some employees outside of this specific program whose work authorization is similarly affected." Amazon let the managers know that the next day, the affected workers would receive push notifications in the employee app about the change. Unless the workers could provide alternate work authorization documents in the next five days, they would be suspended without pay and ultimately dismissed.

The advocacy group Free Press on Friday blasted America's Federal Communications Commission chief "for an order that rips net neutrality rules off the books, without any time for public comment, following an unfavorable court ruling," reports the nonprofit progressive news site Common Dreams: A panel from the U.S. Court of Appeals for the 6th Circuit ruled in January that broadband is an "information service" instead of a "telecommunications service" under federal law, and the FCC did not have the authority to prohibit internet service providers (ISPs) from creating online "fast lanes" and blocking or throttling web content... FCC Chair Brendan Carr said in a Friday statement that as part of his "Delete, Delete, Delete" initiative, "we're continuing to clean house at the FCC, working to identify and eliminate rules that no longer serve a purpose, have been on our books for decades, and have no place in the current Code of Federal Regulations...."

Responding in a lengthy statement, Free Press vice president of policy and general counsel Matt Wood said that "the FCC's so-called deletion today is little more than political grandstanding. It's true that the rules in question were first stayed by the 6th Circuit and then struck down by that appellate court — in a poorly reasoned opinion. So today's bookkeeping maneuver changes very little in reality... There's no need to delete currently inoperative rules, much less to announce it in a summer Friday order. The only reason to do that is to score points with broadband monopolies and their lobbyists, who've fought against essential and popular safeguards for the past two decades straight...."

Wood noted that "the appeals process for this case has not even concluded yet, as Free Press and allies sought and got more time to consider our options at the Supreme Court. Today's FCC order doesn't impact either our ability to press the case there or our strategic considerations about whether to do so," he added. "It's little more than a premature housekeeping step..."

A Russian professional basketball player has been arrested in France at the request of the United States, which reportedly accused him of being involved in a ransomware group that allegedly targeted hundreds of American companies and federal institutions. From a report: Daniil Kasatkin, 26, was detained in June at Paris's Charles de Gaulle Airport shortly after arriving in the country with his fiancee, according to local media reports. He is currently being held in extradition custody, with a U.S. warrant reportedly issued against him. Kasatkin previously studied and played basketball in the U.S., at Penn State University.

The unnamed ransomware network Kasatkin is suspected of being part of is believed to have targeted nearly 900 entities between 2020 and 2022. Local media, citing court proceedings in Paris, reported that Kasatkin allegedly helped negotiate ransom payments, though the extent of the damage caused by the attacks has not been disclosed.

An anonymous reader quotes a report from The Record: A German court has ruled that Meta must pay $5,900 to a German Facebook user who sued the platform for embedding tracking technology in third-party websites -- a ruling that could open the door to large fines down the road over data privacy violations relating to pixels and similar tools. The Regional Court of Leipzig in Germany ruled Friday that Meta tracking pixels and software development kits embedded in countless websites and apps collect users' data without their consent and violate the continent's General Data Protection Regulation (GDPR).

The ruling in favor of the plaintiff sets a precedent which the court acknowledged will allow countless other users to sue without "explicitly demonstrating individual damages," according to a Leipzig Regional Court press release. "Every user is individually identifiable to Meta at all times as soon as they visit the third-party websites or use an app, even if they have not logged in via the Instagram and Facebook account," the press release said. "This may very well be one of the most substantial rulings coming out of Europe this year," said Ronni K. Gothard Christiansen, the CEO of AesirX, a consultancy which helps businesses comply with data privacy laws. "$5,900 in damages for one visitor adds up quickly if you have tens of thousands of visitors, or even millions."

A federal judge has dismissed an antitrust lawsuit that accused Apple, Visa and Mastercard of conspiring to suppress competition in the payments network market and inflate merchant transaction fees.

U.S. District Judge David Dugan in Illinois ruled that merchants failed to provide sufficient evidence supporting claims that Apple illegally declined to launch a competing payment network to rival Visa and Mastercard.

The lawsuit, filed by beverage retailer Mirage Wine & Spirits and other businesses representing thousands of merchants, alleged the payment networks paid Apple hundreds of millions of dollars annually to avoid competition. Dugan found the plaintiffs offered only "a slew of circumstantial allegations" but permitted them to amend their complaint.

A federal appeals court struck down a "click-to-cancel" rule that would have required companies to make cancelling services as easy as signing up. The Federal Trade Commission rule was scheduled to take effect on July 14 but was vacated by the US Court of Appeals for the 8th Circuit. The three-judge panel ruled unanimously that the Biden-era FTC failed to follow the full rulemaking process required under US law.

The FTC is required to conduct a preliminary regulatory analysis when a rule has an estimated annual economic effect of $100 million or more. The FTC initially estimated the rule would not reach that threshold, but an administrative law judge later found compliance costs would exceed $100 million. Despite this finding, the FTC did not conduct the required preliminary analysis.

The Georgia Court of Appeals has overturned a trial court's order after finding it relied on court cases that do not exist, apparently generated by AI. The appellate court vacated the ruling in a divorce case involving Nimat Shahid's challenge to a divorce order granted to her husband Sufyan Esaam in July 2022.

"We are troubled by the citation of bogus cases in the trial court's order," the appeals court stated in its decision, which directs the lower court to revisit Shahid's petition. The court noted the errant citations appear to have been "drafted using generative AI" and were included in an order prepared by attorney Diana Lynch.

Lynch repeated the fabricated citations in her appeals briefs and expanded upon them after Shahid had challenged the fictitious cases. The appeals court found Lynch's briefs contained "11 bogus case citations out of 15 total, one of which was in support of a frivolous request for attorney fees." The court fined Lynch $2,500 for filing the frivolous motion.

Fubo has agreed to pay $3.4 million to settle a class-action lawsuit (PDF) accusing it of illegally sharing usersâ(TM) personally identifiable information and video viewing history with advertisers without consent, allegedly violating the Video Privacy Protection Act (VPPA). Ars Technica reports: As reported by Cord Cutters News this week, instead of going to trial, Fubo reached a settlement agreement [PDF] that allows people who used Fubo before May 29, which is when Fubo last updated its privacy policy, to receive part of a $3.4 million settlement. The settlement agreement received preliminary approval on May 29, and users recently started receiving notice of their potential entitlement to some of the settlement. They have until September 12 to submit claims. Fubo said in a statement: "We deny the allegations in the putative class lawsuit and specifically deny that we have engaged in any wrongdoing whatsoever. Fubo has nonetheless chosen to pursue a settlement for this matter in order to avoid the uncertainty and expense of litigation. We look forward to putting this matter behind us."

An anonymous reader quotes a report from Ars Technica: Epic Games, buoyed by the massive success of Fortnite, has spent the last few years throwing elbows in the mobile industry to get its app store on more phones. It scored an antitrust win against Google in late 2023, and the following year it went after Samsung for deploying "Auto Blocker" on its Android phones, which would make it harder for users to install the Epic Games Store. Now, the parties have settled the case just days before Samsung will unveil its latest phones.

The Epic Store drama began several years ago when the company defied Google and Apple rules about accepting outside payments in the mega-popular Fortnite. Both stores pulled the app, and Epic sued. Apple emerged victorious, with Fortnite only returning to the iPhone recently. Google, however, lost the case after Epic showed it worked behind the scenes to stymie the development of app stores like Epic's. Google is still working to avoid penalties in that long-running case, but Epic thought it smelled a conspiracy last year. It filed a similar lawsuit against Samsung, accusing it of implementing a feature to block third-party app stores. The issue comes down to the addition of a feature to Samsung phones called Auto Blocker, which is similar to Google's new Advanced Protection in Android 16. It protects against attacks over USB, disables link previews, and scans apps more often for malicious activity. Most importantly, it blocks app sideloading. Without sideloading, there's no way to install the Epic Games Store or any of the content inside it.

Auto Blocker is enabled by default on Samsung phones, but users can opt out during setup. Epic claimed in its suit that the sudden inclusion of this feature was a sign that Google was working with Samsung to stand in the way of alternative app stores again. Epic has apparently gotten what it wanted from Samsung -- CEO Tim Sweeney has announced that Epic is dropping the case in light of a new settlement. Sweeney said Samsung "will address Epic's concerns," without elaborating on the details. Samsung may stop making Auto Blocker the default or create a whitelist of apps, like the Epic Games Store, that can bypass Auto Blocker. Another possibility is that Epic and select third-party stores are granted special access while Auto Blocker remains on for others, balancing security and openness.

A "more interesting outcome," according to Ars, would be for Samsung to pre-install the Epic Games Store on its new phones.

Valve has achieved near-total dominance of PC gaming distribution through Steam, but the victory appears to have left the company adrift, Financial Times argues. The platform controls an estimated 70% of PC game sales while generating billions in revenue, yet Valve releases major new games at what observers call a "glacial pace."

Founder Gabe Newell has largely retreated from the company's operations, reportedly living at sea on one of his five ships and pursuing side projects like brain-computer interface startup Starfish Neuroscience. The much-anticipated third Half-Life game became "the video game equivalent of Samuel Beckett's Godot" before being quietly cancelled.

Attempts to challenge Steam have failed repeatedly. Epic Games Store, powered by Fortnite's success, "has failed to really impact Steam in any meaningful way," according to industry analysts. Microsoft runs what analysts describe as a "somewhat unambitious store," while EA shut down its Origin launcher earlier this year. Gaming analyst Michael Pachter notes that major tech companies could displace Valve "but nobody cares" enough to mount a serious challenge.

Court documents suggest Steam's revenues will exceed $10 billion next year, leaving Valve with unprecedented profits but unclear direction for a company that appears to have run out of worlds to conquer.