Developing: Epic Games Launcher appears to collect your steam friends & play history (Up2: Valve responds, See Threadmarks)

Nome

Designer
Verified
Oct 27, 2017
1,554
NYC
Maybe, maybe not. You can either believe that a massive, successful company is outright lying about illegal data collection, or you can believe that there's some other method. I'm hoping Sweeney or someone else clears this point up, but there are other ways to obtain this sort of information either directly or indirectly.

For example, once the Steam friend import feature was launched, they could simply review what proportion of clients generated the local file; no need to upload or analyze the file itself.
 
Oct 26, 2017
5,188
Yeah answering how they knew how many Fortnite players have and use Steam would clear up many things.

Maybe, maybe not. You can either believe that a massive, successful company is outright lying about illegal data collection, or you can believe that there's some other method. I'm hoping Sweeney or someone else clears this point up, but there are other ways to obtain this sort of information either directly or indirectly.

For example, once the Steam friend import feature was launched, they could simply review what proportion of clients generated the local file; no need to upload or analyze the file itself.
They specifically said how many Fortnite players used Steam. To know if person is using Steam you had to analyze some data.
 
The fact that they scrapped more then just the friends list means this wasn’t just a cludge job to hastily set up a linkup system.

You don’t need to look up peoples game history and playtime to find a friends list and they went out of their way to package all of that information for themselves. They did MORE work then Is necessary to find a friends list.

Even their cries that they didn’t upload any of it back, why are you gathering the data you shouldn’t be getting if you are not using it?
dude why are you getting so defensive against me? I agree with you.
 
OP
OP
Madjoki
Oct 25, 2017
2,722
So, yes, you're right. But also, no, you're not, because the two situations aren't the same, even if Valve are still doing that 5 years on from that article.
Yeah vac if probably shsdiest part of steam.

These checks don't live very long, once cheaters know what they are, it's useless. Ie, for cleaning dns entries from cheat or avoid creating.

Also this specific case was so highly voted on treffit valve had to answer, so it's not like everyone is giving valve pass either which is good.
 

Nome

Designer
Verified
Oct 27, 2017
1,554
NYC
Yeah answering how they knew how many Fortnite players have and use Steam would clear up many things.



They specifically said how many Fortnite players used Steam. To know if person is using Steam you had to analyze some data.
Did you read my last sentence? They don't need any Steam data to figure this out.
1. Fortnite client detects Steam on local machine
2. Fortnite client makes local copy of Steam file
3. Fortnite client sends notification to Epic servers that it ran the Steam detection feature
4. Sergey looks at how many Fortnite clients reported they ran the feature

Done.
 
Oct 25, 2017
1,056
Maybe, maybe not. You can either believe that a massive, successful company is outright lying about illegal data collection, or you can believe that there's some other method. I'm hoping Sweeney or someone else clears this point up, but there are other ways to obtain this sort of information either directly or indirectly.

For example, once the Steam friend import feature was launched, they could simply review what proportion of clients generated the local file; no need to upload or analyze the file itself.
Admittedly it's late and I'm tired, but this....

That info may be stored in the Steam file, however we never parse it, and it's never sent to Epic. The only information that's sent to Epic are hashes of Steam friend ids, and only if you explicitly choose to import your Steam friends. We're working to update the implementation so that the Epic Games launcher only touches the Steam file at all if you choose to import friends.
Seems to imply that Epic never analyzes the file without your consent, and that the file is never sent to EPIC without your explicit consent.

So Sweeney (unless I'm reading something wrong, which is admittedly possible) is either lying, or they've got some unknown other way of looking.

Which, granted, could just be Sweeney splitting hairs, but I suppose we'll have to wait and see until more digging is done.
 

Nome

Designer
Verified
Oct 27, 2017
1,554
NYC
Admittedly it's late and I'm tired, but this....



Seems to imply that Epic never analyzes the file without your consent, and that the file is never sent to EPIC without your explicit consent.

So Sweeney (unless I'm reading something wrong, which is admittedly possible) is either lying, or they've got some unknown other way of looking.

Which, granted, could just be Sweeney splitting hairs, but I suppose we'll have to wait and see until more digging is done.
Read what I wrote again--
They don't need to send the file. They just need to know how many clients ran the feature to copy the file.
Re: recency/frequency of use-- this can also be surmised if the feature runs and detects changes to the file, which would imply Steam activity.
 
Oct 25, 2017
2,585
Maybe, maybe not. You can either believe that a massive, successful company is outright lying about illegal data collection, or you can believe that there's some other method. I'm hoping Sweeney or someone else clears this point up, but there are other ways to obtain this sort of information either directly or indirectly.

For example, once the Steam friend import feature was launched, they could simply review what proportion of clients generated the local file; no need to upload or analyze the file itself.
It’s funny saying the illegal data collection by a big company is the unlikely thing when Facebook and google are being hauled up to congress for just that.

Also the fact that Sweeney is doing damage control with esoteric excuses of why they are even snooping around and scrapping data is troubling.
 
Oct 26, 2017
5,188
Did you read my last sentence? They don't need any Steam data to figure this out.
1. Fortnite client detects Steam on local machine
2. Fortnite client makes local copy of Steam file
3. Fortnite client sends notification to Epic servers that it ran the Steam detection feature
4. Sergey looks at how many Fortnite clients reported they ran the feature

Done.
Read what I wrote again--
They don't need to send the file. They just need to know how many clients ran the feature to copy the file.
Re: recency/frequency of use-- this can also be surmised if the feature runs and detects changes to the file, which would imply Steam activity.
From what I saw log is created every 7 days or something like that, so if they create logs no matter if you used Steam or not they would need to compare difference between logs to know if something is changed. Maybe they could do it based on size but I don't know.
 

Nome

Designer
Verified
Oct 27, 2017
1,554
NYC
From what I saw log is created every 7 days or something like that, so if they create logs no matter if you used Steam or not they would need to compare difference between logs to know if something is changed. Maybe they could do it based on size but I don't know.
I'm no programmer, but I'm sure there's ways to see if two files are different. I don't know if checking the hash would technically count as file analysis, for example.

I also want to point out that it's really common to make grandiose statements about a population with only a sample.
Nielsen ratings are a common example of this, but also, in cases where you don't have complete data, you make do with what you have.

So it's entirely possible that they had a small, statistically-significant sample of willing users that they're extrapolating to their population. Note that because this statistic is used as a selling point of EGS to court partners, they may not outright come out and talk about their methodology, especially if it's potentially flawed.

Also, I feel like I need to say this as a disclaimer, but I'm not defending Epic here.
I agree with several other posters here that avoiding Valve's API is a shoddy excuse to run invasive code. I have my own theory about this--I've long believed that Epic unethically abused their relationship with PUBG Corp/Bluehole to help build a business plan for Fortnite BR. I wouldn't be surprised if their own behavior in that relationship informed their paranoia with the Valve API.
 
Oct 27, 2017
180
I think the Steam API is web-based but here's what's going on : When you go to add friends it opens a browser to Steam to grant permission to Epic to use the Steam API for your account (This part is "Steam on the Web"). You do that and agree, then Epic gets a token. Epic has confirmed your identity and could now use the Steam API & token to pull your friends but they never implemented that. Instead they just go through your local Steam files. I hope that makes it clear. All they need to do is have their launcher work with the Steam API instead of going through the local file. They seem like they are cutting corners to get their launcher and store going as fast as possible.
But then the "we avoid including third-party code in our engine" is just plain wrong. There is no third-party library to cause "security and privacy concerns" since you directly control what you are sending to the Steam servers. And believe me I know about cutting corners, but in this case it would probably be easier and faster to just continue to use the API you are *already* using than go around and parse another file.

In the end, it probably is just damage control. I'm shocked.

Read what I wrote again--
They don't need to send the file. They just need to know how many clients ran the feature to copy the file.
Re: recency/frequency of use-- this can also be surmised if the feature runs and detects changes to the file, which would imply Steam activity.
Personally for me that goes over the line about "no data is being uploaded until you link the account". It is hard to know without them defining exactly what "60% of the Fortnite users that have Steam don't actively use it" means. Maybe he was referring to the scan of active processes Epic already said it does.
 

Nome

Designer
Verified
Oct 27, 2017
1,554
NYC
But then the "we avoid including third-party code in our engine" is just plain wrong. There is no third-party library to cause "security and privacy concerns" since you directly control what you are sending to the Steam servers. And believe me I know about cutting corners, but in this case it would probably be easier and faster to just continue to use the API you are *already* using than go around and parse another file.

In the end, it probably is just damage control. I'm shocked.



Personally for me that goes over the line about "no data is being uploaded until you link the account". It is hard to know without them defining exactly what "60% of the Fortnite users that have Steam don't actively use it" means. Maybe he was referring to the scan of active processes Epic already said it does.
It's interesting, right? Because after having spent a decade working on GaaS products, the idea of sending back feature usage data seems very benign and normal to me. It's pretty standard for basically all feature launches nowadays, for any product. But it does seem nefarious in some aspects... partly because of the very specific context it occurred in, and partly because I wonder... if there was even a 1% chance... that they built it in this way just to have plausible deniability for data snooping.
 
Oct 26, 2017
5,188
I'm no programmer, but I'm sure there's ways to see if two files are different. I don't know if checking the hash would technically count as file analysis, for example.

I also want to point out that it's really common to make grandiose statements about a population with only a sample.
Nielsen ratings are a common example of this, but also, in cases where you don't have complete data, you make do with what you have.

So it's entirely possible that they had a small, statistically-significant sample of willing users that they're extrapolating to their population. Note that because this statistic is used as a selling point of EGS to court partners, they may not outright come out and talk about their methodology, especially if it's potentially flawed.

Also, I feel like I need to say this as a disclaimer, but I'm not defending Epic here.
I agree with several other posters here that avoiding Valve's API is a shoddy excuse to run invasive code. I have my own theory about this--I've long believed that Epic unethically abused their relationship with PUBG Corp/Bluehole to help build a business plan for Fortnite BR. I wouldn't be surprised if their own behavior in that relationship informed their paranoia with the Valve API.
That is why I would like to see them answer how they came to those numbers.

But even if we leave that aside and focus on what they confirmed they still need to answer why they copy entire Steam usage file and not just data related to friends. Steam file is open and from OP it is clear that friends related data is labeled, so they could just parse that data and save it in new file for their usage.
 

Nome

Designer
Verified
Oct 27, 2017
1,554
NYC
That is why I would like to see them answer how they came to those numbers.

But even if we leave that aside and focus on what they confirmed they still need to answer why they copy entire Steam usage file and not just data related to friends. Steam file is open and from OP it is clear that friends related data is labeled, so they could just parse that data and save it in new file for their usage.
Yeah, I can't think of a good answer for that one, lol.
It just blows my mind that anyone would actually want to risk doing something this illegal and be sloppy enough about it to get caught.
But I guess in this day and age I really shouldn't be surprised if this was a thing.
 
Oct 25, 2017
5,766
Houston
the hilarious part of this is Steam doesn't even get my data for when i use Steam as i block them from having access to the internet in any way i can including disabling even my network before launching. So they can take any of the data of the maybe 3 steam games i have that are all old as fuck
 
Oct 28, 2017
181
Maybe, maybe not. You can either believe that a massive, successful company is outright lying about illegal data collection, or you can believe that there's some other method. I'm hoping Sweeney or someone else clears this point up, but there are other ways to obtain this sort of information either directly or indirectly.

For example, once the Steam friend import feature was launched, they could simply review what proportion of clients generated the local file; no need to upload or analyze the file itself.
Like facebook, a successful company never lied to their customer?
 
Oct 26, 2017
5,188
Yeah, I can't think of a good answer for that one, lol.
It just blows my mind that anyone would actually want to risk doing something this illegal and be sloppy enough about it to get caught.
But I guess in this day and age I really shouldn't be surprised if this was a thing.
Today data is everything, and there is also thing that apparently they started doing this in May 2018. Guess what happened in April 2018? Valve changed Steam profile privacy to comply with GDPR. Guess who was really pissed about that? Yeah Sergey.

There is simply too much coincidence surrounding this to be just sloppy job.
 
Oct 25, 2017
2,997
Did you read my last sentence? They don't need any Steam data to figure this out.
1. Fortnite client detects Steam on local machine
2. Fortnite client makes local copy of Steam file
3. Fortnite client sends notification to Epic servers that it ran the Steam detection feature
4. Sergey looks at how many Fortnite clients reported they ran the feature

Done.
They made the distinction of players who regularly use Steam and not, so it goes further than that.

Given Epics lack of transparency, and Sergeys history with analyzing data, this is a huge red flag that there is more to this.
 
Mar 14, 2019
20
I see CommodoreKong got a reply from Sweeney on Twitter. I didn't bother putting the question to him because I knew I wouldn't be satisfied no matter what he said. I'll let Kong post about it.

Sweeney is in North Carolina and is still up at 2:30 AM responding to questions about this.

I knew Tim Sweeney had money, but not this kind of money. Wikipedia: According to Bloomberg, as of 2019 he has a net worth of $7.18 billion.

So he's up there with Elon Musk ($21 billion). I just play strategy games, never played Fortnite or anything Epic has done lately. I played Unreal 1 back in 1998 on a 12MB 3dfx Voodoo 2. I always liked John Carmack - I see he's only worth $40 million. I digress so I better get to sleep myself.
 
Last edited:
Oct 25, 2017
3,615
I see CommodoreKong got a reply from Sweeney on Twitter. I didn't bother putting the question to him because I knew I wouldn't be satisfied no matter what he said. I'll let Kong post about it.

Sweeney is in North Carolina and is still up at 2:30 AM responding to questions about this.
Well, first of all I have Sweeney blocked on Twitter, so I was confused why I couldn't see that conversation.

Then I unblocked the tweets and just laughed. OMFG. That's just insane.
 
Oct 25, 2017
2,997
Someone made an interesting comment (dex3108 i think?)

The Epic Games launcher started scrapping files locally shortly after Valve tightened up their public data and broke Steamspy.
 
Oct 25, 2017
3,522
China
Sweeney always changing his answer. First it was just Friends information.

Now all of a sudden this is still in from the early Fortnite days:

The current implementation is a remnant left over from our rush to implement social features in the early days of Fortnite.
You guys are right that we ought to only access the localconfig.vdf file after the user chooses to import Steam friends.
 
Last edited:
Dec 21, 2017
7,095
I don't know if this has anything to do with the subject at hand, but something regarding Epic made me think about this topic tonight. Earlier today I was curious about buying the Division 2, so I was looking at the store page on the Epic store. A little past midnight, I received an email that "the Division 2 is now available". I thought this was weird because A.) this is the only time I've received an email from Epic since making the account months ago, and B.) I've never subbed to a notification for it. It just made me think, what else are they tracking that I do? I get that it's marketing, but I thought of this topic and thought I'd share since it kinda weirded me out.
 
Oct 26, 2017
2,287
Belarus
This whole Epic Store mess feels like a huge clusterfuck since the day they announced it. Like seriously, how can you be so dense and fuck up so much just within the first few months of your store existences. The way Epic handling this whole mess shows that they either didn't plan it properly expect "let's buy some exclusives and see what happens", or either they perfectly realized that they doing some shady shit but decided to play dumb and try to get away with it. It's like they want to see how far they can go while pissing off as many people as possible.
 
Oct 26, 2017
5,188
I don't know if this has anything to do with the subject at hand, but something regarding Epic made me think about this topic tonight. Earlier today I was curious about buying the Division 2, so I was looking at the store page on the Epic store. A little past midnight, I received an email that "the Division 2 is now available". I thought this was weird because A.) this is the only time I've received an email from Epic since making the account months ago, and B.) I've never subbed to a notification for it. It just made me think, what else are they tracking that I do? I get that it's marketing, but I thought of this topic and thought I'd share since it kinda weirded me out.
I never subscribed for Fortnite news, I don't play Fortnite and I never got email regarding Fortnite (only Unreal Engine 4 news) but they sent me email about free Battle Pass for Seaon 8 of Fortnite when they announced challenge to get free Battle Pass. And I wasn't the only person who got that email. And I was wondering if they used my mail from UE4 subscription to push for Fortnite newsletter.
 
Oct 26, 2017
3,838
Sweeney always changing his answer.

Now all of a sudden this is still in from the early Fortnite days:
Seems its in his blood
https://www.pcgamer.com/tim-sweeney-microsoft-uwp-is-still-woefully-inadequate/

2 years ago, he said its important for PC platform to remain open, and criticize/warn that Microsoft might turn UWP into a closed system slowly.
Fast forward to today, Microsoft announces MCC for Steam and Microsoft Store, while he's the one fragmenting PC gaming with a closed platform.

Sweeney said. "The thing that I feel is incredibly important for the future of the industry is that the PC platform remains open, so that any user without any friction can install applications from any developer, and ensure that no company, Microsoft or anybody else, can insert themselves by force as the universal middleman, and force developers to sell through them instead of selling directly to customers.
 
Dec 21, 2017
7,095
I never subscribed for Fortnite news, I don't play Fortnite and I never got email regarding Fortnite (only Unreal Engine 4 news) but they sent me email about free Battle Pass for Seaon 8 of Fortnite when they announced challenge to get free Battle Pass. And I wasn't the only person who got that email. And I was wondering if they used my mail from UE4 subscription to push for Fortnite newsletter.
Hmm. Well we're in the system. We know that much. I honestly just have the Epic Store for the free game every few weeks.
 
Oct 29, 2017
80
I don't know if this has anything to do with the subject at hand, but something regarding Epic made me think about this topic tonight. Earlier today I was curious about buying the Division 2, so I was looking at the store page on the Epic store. A little past midnight, I received an email that "the Division 2 is now available". I thought this was weird because A.) this is the only time I've received an email from Epic since making the account months ago, and B.) I've never subbed to a notification for it. It just made me think, what else are they tracking that I do? I get that it's marketing, but I thought of this topic and thought I'd share since it kinda weirded me out.
I had a similar experience. Last night, I logged into my Epic account for the first time in years to get it deleted, then received the Division 2 email this morning. I've never had an Epic marketing email before that one, so I just unsubscribed. It's almost as though they sub you in to marketing by default- looking at my account page now, I can't see anything about marketing preferences either. They do seem really, really shady.
 
Oct 27, 2017
217
I had a similar experience. Last night, I logged into my Epic account for the first time in years to get it deleted, then received the Division 2 email this morning. I've never had an Epic marketing email before that one, so I just unsubscribed. It's almost as though they sub you in to marketing by default- looking at my account page now, I can't see anything about marketing preferences either. They do seem really, really shady.
They must have sent that e-mail to a lot of people regardless of circumstances or subscriptions. I mostly used Epic account for Unreal Engine testing some years ago, have never even considered Fortnite, have not picked up any of the free games or done any transactions or interaction with EGS but I still got the Division 2 e-mail.
 
Oct 25, 2017
7,089
They must have sent that e-mail to a lot of people regardless of circumstances or subscriptions. I mostly used Epic account for Unreal Engine testing some years ago, have never even considered Fortnite, have not picked up any of the free games or done any transactions or interaction with EGS but I still got the Division 2 e-mail.
Yes, me too. I played around with Unreal Engine at some point and never played Fortnite or log in with that account on Epic Store but received the same email from Epic Game Store.
 
Oct 29, 2017
80
They must have sent that e-mail to a lot of people regardless of circumstances or subscriptions. I mostly used Epic account for Unreal Engine testing some years ago, have never even considered Fortnite, have not picked up any of the free games or done any transactions or interaction with EGS but I still got the Division 2 e-mail.
Yes, me too. I played around with Unreal Engine at some point and never played Fortnite or log in with that account on Epic Store but received the same email from Epic Game Store.
I'm similar in that I only ever had the launcher installed to get Shadow Complex from a few years back, which I ended up never actually playing anyway. So the timing of the Division 2 email must have just been coincidence then, rather than a response to me logging in. Although considering that I've never opted in to any marketing emails and have never received any before now, it's still not on.
 
Oct 27, 2017
3,207
I get emails from VGM a lot, and have done one thing with them. Usually don't make it past the screener.

It's not implausible they used them, they are a known quantity (and it would be weird to throw them under the bus randomly if they had nothing to do with it).
 
Oct 26, 2017
5,188
Also, shouldn't be faster a call to the Steam API which gives you exactly what you need, that accessing a several hundred MB file, read it and filter the data you need?
Apparently file is around 10mb. But as I said before they claim that they only parse friends info but why they are copying entire Steam usage file? You can parse only friends data and then save it as separate file that would probably be like few KB instead of 10+MB.
 
Oct 25, 2017
221
Also, shouldn't be faster a call to the Steam API which gives you exactly what you need, that accessing a several hundred MB file, read it and filter the data you need?
It would be faster, but it would not bypass the steam profile privacy setting that valve put in place after GDPR, so if epic used the Steam API they'd get less data /shrug.