Developing: Epic Games Launcher appears to collect your steam friends & play history (Up2: Valve responds, See Threadmarks)

Durante

Dark Souls Man
Member
Oct 24, 2017
4,730
I doubt they can get in trouble in the EU because of RGPD, nicknames and games are not sensitive information, but I hope Valve can sue the living hell out of them.
That's not how the GDPR (which I assume you meant) works.

It specifically requires you to hold and process only the data absolutely necessary for the completion of whatever you are doing, and get consent for literally any other personal data you gather. You (as in the company processing the data) do by no means get to decide what's "sensitive" and just collect other data as you please. At least that's how I've had it explained to me by people who know more about law than I do.

Honestly this event will somehow get turned into steam/valves fault by news sites and whatnot.
If that happens I'll officially and entirely give up on the games media.
 
Oct 25, 2017
98
Austria
Friendly reminder that for those of us in the EU who may have been affected by this, you do not report a GDPR violation directly to the EU. You instead need to contact your National Data Protection Authorities and then let them take it from there. They're better equipped to find out if it's a breach and what kind it might be than we are.

Of course, it can be hard to know exactly who to contact, which is why the EU has a master list of them all.

I do not have the EGL installed, so I cannot claim my data has been affected by this, meaning I cannot contact them. But if you have, here's your point of contact.
Same here, I only had the client installed in February 2018 when I played Fortnite for a bit. Since their snooping apparently only started in June or July 2018, I am not directly affected and can't report them. Otherwise I would. EU citizens affected by this should really report them to their national data protection authorities. They are the ones that can actually put pressure on Epic.

Took me six months to get my account deleted after about 30 emails and constantly being told they would delete it and not doing so.

I was getting about 3 emails a day about how my account was trying to be accessed (hacked) and even that wasn’t even enough to hurry them up.

They don’t give a damn apparently, they just want to keep people on their service as much as possible, that’s why they make it so difficult to delete accounts.

Honestly Epic are shady and I have been beating this drum for months now, they can’t be trusted and Steam having a poor attitude towards curation isn’t an excuse to ignore what Epic are doing, their blatant corruption and greed and illegal behaviour is unacceptable and anti-consumer.

Worst part is, games journalists are turning a blind eye to what Epic are doing because they dislike Steam it seems.

Either that or they are on Epics payroll...
That sounds awful. I will see how long it takes them for my request. Legally they have to delete all data within a month and if they don't, I will certainly report their violation of the GDPR to my national data protection authority.
 
Oct 25, 2017
2,529
If it would be problematic for you if those files were out in the public space? Yes. If not then just realize that data just isn't and live your life? But you do you.
But you aren’t spending your time here victim blaming.

It’s funny, you have done nothing but say the people who got spied on are at fault
 
Epic Games Response

ZhugeEX

诸葛亮 - 卧龙
Administrator
Oct 24, 2017
2,807
Information
Added Epic Games response to the OP


We use a tracking pixel (tracking.js) for our Support-A-Creator program so we can pay creators. We also track page statistics.

The launcher sends a hardware survey (CPU, GPU, and the like) at a regular interval as outlined in our privacy policy(see the “Information We Collect or Receive” section). You can find the code here.

The UDP traffic highlighted in this post is a launcher feature for communication with the Unreal Editor. The source of the underlying system is available on github.

The majority of the launcher UI is implemented using web technology that is being rendered by Chromium (which is open source). The root certificate and cookie access mentioned above is a result of normal web browser start up.

The launcher scans your active processes to prevent updating games that are currently running. This information is not sent to Epic.

We only import your Steam friends with your explicit permission. The launcher makes an encrypted local copy of your localconfig.vdf Steam file. However information from this file is only sent to Epic if you choose to import your Steam friends, and then only hashed ids of your friends are sent and no other information from the file.

Epic is controlled by Tim Sweeney. We have lots of external shareholders, none of whom have access to customer data.

Daniel Vogel
VP of Engineering
Epic Games Inc.
https://www.reddit.com/r/PhoenixPoi..._game_store_spyware_tracking_and_you/eijlbge/
 
Oct 27, 2017
59
Unbelievable.

Just a few months ago I was so happy Epic hit the jackpot with Fortnite and UE4. I was excited for what the future would hold. Should've fucking known.
 
Oct 27, 2017
240
That's not how the GDPR (which I assume you meant) works.

It specifically requires you to hold and process only the data absolutely necessary for the completion of whatever you are doing, and get consent for literally any other personal data you gather. You (as in the company processing the data) do by no means get to decide what's "sensitive" and just collect other data as you please. At least that's how I've had it explained to me by people who know more about law than I do.
This is correct. You are not allowed to widly collect data. You have to SPECIFY what data you collect and for what you collect that.
 
Oct 25, 2017
203
Epic's behaviour really does seem to indicate that they firmly believe they have a mandate to do anything and everything required to succeed in toppling Steam, and the media appear content to encourage them.

PC Gamer, RPS et al, I look forward to your thorough, balanced and hard-hitting coverage of these shenanigans.
 
Mar 14, 2019
187
I am not a software engineer, but I must wonder: if the intention is to scan what games are currently running (so as not to update them), what is the purpose of colllecting updated (I presume it gets updated?) play time for every single game?

That seems an awful lot like observing and collecting consumer behavior for marketing purposes- data that is not necessary for the stated goal of the process
 
Oct 27, 2017
240
The statement does not make it better. I have not consented to access MY local Steam account data. They collected this data beforehand WITHOUT specifying it.
 
Oct 25, 2017
4,680
PC Gamer, RPS et al, I look forward to your thorough, balanced and hard-hitting coverage of these shenanigans.
They are too wrapped up in their narrative that EGS is a "good thing for devs" and that Steam is a social evil since their curation sucks and they are only reactionary when it comes to awful content that makes it onto the store.
 
Oct 22, 2018
2,950
We only import your Steam friends with your explicit permission. The launcher makes an encrypted local copy of your localconfig.vdf Steam file. However information from this file is only sent to Epic if you choose to import your Steam friends, and then only hashed ids of your friends are sent and no other information from the file.
This seems like something that should be easy enough to verify by going over packet information. My kingdom for some wireshark traces.
 

GHG

Banned
Member
Oct 26, 2017
6,498
I never said that. Can you please quote me where I said that? Only thing I said was that if this is important data you don't want shared you guys should also be critical of Valve right no along with Epic.
Why must there be a defence force for everything on this forum?

Can we not just save the spin and call a spade a spade?
 
Oct 27, 2017
1,071
Halifax, NS
They still don't (and probably won't) address the fact that it scraps the info first before asking permission.
I never said that. Can you please quote me where I said that? Only thing I said was that if this is important data you don't want shared you guys should also be critical of Valve right no along with Epic.
But Valve isn't sharing it (to our knowledge). If you set your profile to private, Valve does not allow companies to use their API to access your profile data.

Local files on a computer are exactly that, local. They are meant to be used by the program that created it. Other programs are not meant to scrape your harddrive looking for them without you either telling it to, or it asking your permission to do so. Because otherwise, it's literally spyware.
 

Eorl

Banned
Member
Oct 30, 2017
1,626
Australia
That Epic reply, holy shit that's some straight up hand waving denial. Epic is owned by Sweeney, what even is that line there for. I'm not opted in to Steam linking my profile for Epic and you are still scrapping my computer, and worse yet you are doing it without my consent or knowledge. Only friends, fucking bullshit the receipts say otherwise.

Please, for the love of God go to town on this company journalists. I know you won't, especially Jim "Eh Competition Right?" Sterling, but someone needs to call their bullshit.
 
Oct 27, 2017
228
The UDP traffic highlighted in this post is a launcher feature for communication with the Unreal Editor. The source of the underlying system is available on github.
Why are you doing this if I'm not using the unreal editor? Most people using the epic game store won't be using it.

We only import your Steam friends with your explicit permission. The launcher makes an encrypted local copy of your localconfig.vdf Steam file. However information from this file is only sent to Epic if you choose to import your Steam friends, and then only hashed ids of your friends are sent and no other information from the file.
Why are you doing this without my explicit permission? Surely you could make a copy of my Steam friendslist at the moment I choose to pair it with the egs. There's no need to do it before that.

This shit is suspicious as hell. I don't trust them for a minute with this.
 
Oct 25, 2017
2,529
Steam API literally exists to get this information from Valve with permissions in the 100% legal and upfront way.

This is why the Steam API exists, so other companies can link to Steam only when the user allows it.
 
They still don't (and probably won't) address the fact that it scraps the info first before asking permission.


But Valve isn't sharing it (to our knowledge). If you set your profile to private, Valve does not allow companies to use their API to access your profile data.

Local files on a computer are exactly, local. They are meant to be used by the program that created it. Other programs are not meant to scrape your harddrive looking for them without you either telling it to, or it asking your permission to do so. Because otherwise, it's literally spyware.
I completely agree. If this is important data to people it also shouldn't be so easily accessed either.
 
Oct 25, 2017
3,723
I never said that. Can you please quote me where I said that? .
Ask and you shall receive.

Your reply is the equivalent of calling me out for victim blaming because I told a burglary victim that they should shut and lock their doors/windows next time they decide to leave the house if they want to help avoid it happening again so easily.
That's textbook victim blaming. I doubt you would say that to a rape victim.

Edit: in before "you're equating that to rape!" irate response: no, I'm saying victim blaming works the same.
 
Last edited:
Oct 25, 2017
220
I completely agree. If this is important data it also shouldn't be so easily accessed either.
That's like saying your wallet shouldn't be easily accessible too, so if you invite someone in to paint your house and they steal your wallet that's on you, hide it better next time.
Crappy analogy aside, we should be able to trust the people who we pay to provide a service for us.
 
"I didn't think this would spy on MY Steam!", said people who installed a program made partially by the SteamSpy guy

I wonder if Spybot - Search and Destroy is still around.

Weren't those the good ol days? Having to worry about that shit on a regular basis?
Oh god...the memories...

I had to run that thing like twice a day on my parents' computer because they kept going to obvious scam/spam/virus sites. My mom was always so excited that she was somehow the 10,000,000th visitor to every other site she visited... :-/