Developing: Epic Games Launcher appears to collect your steam friends & play history (Up2: Valve responds, See Threadmarks)

May 27, 2018
344
I would just like to know if anyone can confirm that the file it duplicates to get info bypasses Steam privacy settings?

For example if I set everything on my Steam profile to be all private, does Epic still create a local duplicate file with that info I have declared I want to be private?
 
Oct 25, 2017
2,585
Oh there is also the notion that the client has been collecting information since I believe May 2018 according to someone's post on that OP forum. This was due to the client being the same one that was before used for Unreal development, however this means that they've been collecting data (without your permission) for nearly a year and that is worth a lot in the right hands, namely Epic for understanding a market they are now pushing their way into.

Also note that the client collects this data no matter you opting in to linking your Steam friends list or not. Hence the 20% Fortnite Steam figure, because they just scrape it no matter what.
Odd how they have been collecting friends list for a non-extient epic store that doesn't need Steam friends lists in mid 2018
 
Oct 25, 2017
1,941
I would just like to know if anyone can confirm that the file it duplicates to get info bypasses Steam privacy settings?

For example if I set everything on my Steam profile to be all private, does Epic still create a local duplicate file with that info I have declared I want to be private?
Yes and Yes.
 
Oct 27, 2017
865
Doubt Epic will be saying anything further out of its own volition. If games media could help us get to the bottom of this, or you know, try, that would be nice.
 
Oct 27, 2017
151
You know for a while I was willing to give them the benefit of the doubt.

Yeah, those exclusive were shitty moves but I was rationalizing it along the lines of "they need a few big hitters early on to build a community and have people come back to their store, it sucks but I get it"
I even bought Ashen when it came out because I had been waiting a long while to play it.

But now I don't think I'll ever buy anything from them ever again unless drastic changes happen.
All these recent EGS exclusivity announcements are just BS.
It's adding up.
 
Oct 25, 2017
2,585
I would just like to know if anyone can confirm that the file it duplicates to get info bypasses Steam privacy settings?

For example if I set everything on my Steam profile to be all private, does Epic still create a local duplicate file with that info I have declared I want to be private?
yes because they are scrapping the local files on your computer, the privacy settings is on your online account and determines who and what has access to that.
 
Oct 25, 2017
2,997
I would just like to know if anyone can confirm that the file it duplicates to get info bypasses Steam privacy settings?

For example if I set everything on my Steam profile to be all private, does Epic still create a local duplicate file with that info I have declared I want to be private?
This has no bearing on what can be captured locally, its digging into your client installed on your pc. Your private/public settings have to do with whats visible on the web side.
 
Oct 25, 2017
1,941
Odd how they have been collecting friends list for a non-extient epic store that doesn't need Steam friends lists in mid 2018
The Epic Game Shop is build over the Fortnite launcher, so they were using that data to make it easier to add friends from Steam.

However, there is an API from STeam for that, and that doesnt explain the other data. So it asks the question why were they doing this (to avoid privacy settings in Steam at least), if they were also using it to get more precise data on gaming habits of you.
 
Oct 27, 2017
8,064
It is creating files with data irrelevant to the stated purpose of the collection, so if you "give permission" to sync that data with Epic for your friends list, they are collecting more than they state they are, or at least more than you would have reason to assume they are without manually checking the files being sent.

If as in your examples, Epic games collects information on porn habits from users "just on local machines", but then that data gets sent to their service when you tell it to sync your friend lists, that would indeed be a breach of privacy, both on a legal and common-language sense.
Except there is no evidence they're actually collecting any data except that which they have permission to sync. If we did, it would be a clear-cut problem.
If they collect which games I play and my savefiles, which they never state they are collecting: they are breaching GDPR
If this data is never sent back to Epic, is that considered data collection under GDPR? Remember we have no evidence of data being sent to Epic without permission.
 
Oct 25, 2017
4,322
Anyone have IDA Pro and a lot of times on their hands? I'd be willing to disassemble the client and see what they actually are doing if I had the time.
I imagine it would be a massive mess to disassemble it. It's an electron app, so you'd be disassembling chrome. Basically.
 
Oct 25, 2017
1,788
Sorry I messed up. Process Monitor and not Process Explorer:

https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

Updated OP.
Thanks, just got around to reading this. Also saw the update in the OP from Epic.

I guess the next step is to ask if anyone's inspected the network traffic coming from the process and seeing if any of it is a) unencrypted and b) shows more data than Epic is saying they send. On my system, inside Process Monitor I do see signs of network traffic to what looks like an Akamai CDN server as well as several Amazon EC2 machines during its scan of my Steam userdata directory, but for all I know those are totally unrelated.

I'm reaching the limits of my own ability to decipher what's going on here so I'll leave it to people with more knowledge than me for now. But yeah, it definitely looks like they're scanning your userdata folder and doing something with that info. I don't know how to decrypt the SocialBackup files so can't verify those contents, but the Process Monitor stuff at least checks out for sure. (And of course Epic doesn't deny any of the findings, but are being cagey about some of the data.)
 
Oct 25, 2017
475
I think it's time i deleted my Epic account free games are cool and all but i have many to get through already and only really made it for Unreal tournament back in the day. Thanks for the helpful template Evon

Also I love how some Reddit users have given x3 Gold for that response.... Also the tunnel vision from some users here is something.
 
Oct 30, 2017
1,642
Australia
Odd how they have been collecting friends list for a non-extient epic store that doesn't need Steam friends lists in mid 2018
So the Epic Store is actually just the same client that was just for Unreal stuff. They rejigged it to add in Fortnite support and then now revamped it with the store interface. That is why they've been doing it since before it was the "Epic Game Store" due to it being the same client.
 
Oct 25, 2017
926
I would just like to know if anyone can confirm that the file it duplicates to get info bypasses Steam privacy settings?

For example if I set everything on my Steam profile to be all private, does Epic still create a local duplicate file with that info I have declared I want to be private?
I can answer this.
My Steam account is private.

I have 95 files in the Epic folder (95MB)
Oldest being 2018-05-14, newest being 2019-03-10 (that's YYYY-MM-DD)
 
Ugh. I guess I have to uninstall EGS when I get home tonight. I buy and play a lot of games on Steam, I'm exactly the kind of user whose data they want to scrape. I'm sure as shit not giving them any help determining which games they need to moneyhat next so they can fuck with me even more.

There goes the copy of Hades I bought.
 
Oct 25, 2017
3,584
Except there is no evidence they're actually collecting any data except that which they have permission to sync. If we did, it would be a clear-cut problem.

If this data is never sent back to Epic, is that considered data collection under GDPR? Remember we have no evidence of data being sent to Epic without permission.
Why is collected if it's never sent? In which moment the Epic client asks authorization to collect and receive this data? The client only asked me to sync friend lists.

The fact they only admitted collecting the friend steam data while there's eveidence they are gathering way more is quite telling.
 
Oct 25, 2017
2,585
Why is collected if it's never sent? In which moment the Epic client asks authorization to collect and receive this data? The client only asked me to sync friend lists.

The fact they only admitted collecting the friend steam data while there's eveidence they are gathering way more is quite telling.
Its extremely conspicous they avoided talking about why they look up other information unrelated to the friends list.

That is completely disregarding them looking up our information outside of the proper channels of the Steam API.
 
Oct 25, 2017
7,810
I can answer this.
My Steam account is private.

I have 95 files in the Epic folder (95MB)
Oldest being 2018-05-14, newest being 2019-03-10 (that's YYYY-MM-DD)
Wait a sec...why was it collecting info about Steam in May...when Epic announced their store later on in the year???
 
Oct 25, 2017
3,615
They're owned by Tencent, after all. People tend to forget this.
I didn't think they were owned by TenCent. Last time I checked (yesterday?) TenCent owned a 40% stake in Epic, which makes them a large shareholder, but not the owner or even majority shareholder, depending upon how many other companies the remaining 60% is controlled by.

Wait a sec...why was it collecting info about Steam in May...when Epic announced their store later on in the year???
Because the store is built upon older tech - Unreal and Fortnite launcher - which was doing all this before the Store became an actual thing.
 
Oct 27, 2017
8,064
Why is collected if it's never sent?
Any number of reasons. The most obvious being "they plan on using it at some point". It doesn't mean they're using it now, though. If they are, that's a problem obviously.
In which moment the Epic client asks authorization to collect and receive this data?
If the data is being scraped and stored locally, they don't necessarily have to ask authorization. Videogames don't have to ask permission to create a log file containing your OS, Windows Location, installed drivers, CPU details, GPU details, and stuff like that. They DO have to ask permission to send this data back to the game's developer.

I wouldn't put it past Epic to at some point confusingly ask whether you would like to not not not not not not send data about time played to Epic, however.
 
Oct 25, 2017
871
Downunder.
If anyone interested in researching what HTTP calls the Epic client are making to send the telemetries out, Fiddler can be used to do this task. Combined with procmon, perhaps you can analyze what type of data they actually sending out.
 

EloKa

GSP
Verified
Oct 25, 2017
229
Well Epic can't / doesn't want to compete for Steam users so they are competing for the local Steam files instead #competition
 
Nov 20, 2017
1,215
Good ole competition helping build better intrusive spyware for the benefit of consumers.

You said you wanted new and innovative features for a storefront, didn't you?
 
Mar 14, 2019
207
So, after I uninstall it, the ONLY thing left sitting in my Program Data is this "social backup" folder.

Frequency is about once a week- that checks out, that's about how often I'd count the number of games in their store.
 
Oct 25, 2017
2,585

"while we do look at information we aren't supose to look at, we dont take it, WE PROMISE"

"Btw we do still do this outside of proper channels with regards to the Steam API"
 
Oct 30, 2017
1,642
Australia
According to this website: Fortnite Guide- Now Add Steam Friends In Fortnite - VoStory the functionality that lets people import their Steam friends into the EGL was added with Update 4.3 of Fortnite. That update was released on May 30, 2018. The first files scrapped by the EGL on my computer were generated on May 4, 2018. Did those files travel in time?
No they were put there as a competitive way to gain a competitive nature on a very competitive platform. Competition!

Also reports from some websites are starting to file in, but as expected they conflate the issue and take the PR stance for granted especially handwaving in the lede.

https://www.pcgamer.com/au/epic-steam-data-reddit/
https://www.pcgamesn.com/epic-launcher-spyware
 
Oct 25, 2017
1,941
That asshole tried to sell games on G2A, I wouldn't really trust his judgement on what a viable store is.
If one thing has amazed me in the whole EGS saga, it's how firmly some high-level people have their foot ensconced in their mouth.
Of all the people in the industry, Randy is probably not on the top of my list of having a sound judgement taking into account he left a USB with internal secret information from his company AND squirting barely legal porn in a fast food restaurant.