Developing: Epic Games Launcher appears to collect your steam friends & play history (Up2: Valve responds, See Threadmarks)

Dec 30, 2018
1,334
We are starting to lose the thread.

I feel it's important to establish the extent of what Epic did here, before further speculating "how high up does this go"
I agree, let’s not worry about if this does go higher for now, let’s worry about the most significant part of this that media outlets and people are trying to sweep under the rug using deflection.
 

Armaros

Member
Oct 25, 2017
3,131
We still don’t know exactly what data is being taken when we link our accounts.

The file they use to take that info is encrypted and it’s literally their word that they only take the friends list info when we enable it on EGS, but for some reason they package everything else in that file as well.
 

Mentalist

Member
Mar 14, 2019
963
We still don’t know exactly what data is being taken when we link our accounts.

The file they use to take that info is encrypted and it’s literally their word that they only take the friends list info when we enable it on EGS, but for some reason they package everything else in that file as well.

2 points were raised earlier in the thread (on my phone, so can't look for the quotes)


1) during the linking process the actual .bak file does not appear to be accessed (raising the question of why do those files even need to be there then).

2) someone described the .bak files as not being encrypted but using some substitution code (not sure about this, may have misunderstood that post).
 

Armaros

Member
Oct 25, 2017
3,131
2 points were raised earlier in the thread (on my phone, so can't look for the quotes)


1) during the linking process the actual .bak file does not appear to be accessed (raising the question of why do those files even need to be there then).

2) someone described the .bak files as not being encrypted but using some substitution code (not sure about this, may have misunderstood that post).
And that just opens so many other things of, if none of it is accessed for the account linking, why are they being copied and accessed by the client for any reason at all?

It doesn’t make any sense with the reason they gave us, they have literally admitted to looking up and coping data they aren’t suppose to but promising they aren’t actaully going to do anything with it.

It’s like a mother catching her child with a hand in the cookie jar but the child says ‘but I wasn’t going to take any, I’m just putting my hand in the jar, trust me’
 
Dec 30, 2018
1,334
Great comment from the RPS comment section and I completely agree.

“I’ve been reading RPS from the start, and I’ve watched them open up and grow out of the “our secret treehouse of games”-mentality.
RPS has always been staffed with straight-shooters (in my opinion), who sometimes make mistakes, and often own up to them via introspective articles.
We may not always agree with their stances, but at least they’ve tended to have their stances backed up by sound thinking.

This seems different. Unfinished. As others have put more eloquently than me, this really seems like a PR piece, nonchalantly dismissing privacy concerns and accusing people of racism. This is not the RPS I know and love- it’s far, far beneath the standard of excellence I expect from RPS.
Software companies have shown time and time again that they cannot be trusted with respecting our privacy, our systems’ integrity and at times even legal guidelines for data storage/dissemination, etc.
Why should we trust Epic? Because they say so?

FWIW, I don’t think they’re spying for the Chinese govt. I do not, however, trust for a second that Epic wouldn’t happily wave good-bye to our privacy it benefited them and they could get away with it.“

I just want to add as well that, it not racist to criticise the foreign/domestic policy of a government that quite literally spies on its own citizens and being critical of their policies isn’t a reflection of thoughts towards people living under these regimes and has nothing to do with their race.

That’s like saying anybody who criticises Trump or the US government outside of America is being racist towards Americans which simply isn’t true, it’s not the fault of the citizens.

People are concerned about their data being shared, RPS haven’t addressed the evidence here, they are suggesting that people are being conspiracy theorists for being concerned about their data and privacy and worrying about what Epic might do with this data, all we have is Tim Sweeneys word that he isn’t sharing this data, is that supposed to be enough to reassure people?

Making excuses for poor corporate behaviour (possibly illegal) is something I really cannot stomach.
 

WarRock

Member
Oct 25, 2017
5,417
I wish this shit was bannable. Coming to a thread to say "I don't care about any of this, you are all wrong. Oh, I was wrong? I still don't give a fuck, I refuse to read the OP" doesn't exactly make someone look like a valuable forum member looking to engage in good faith discourse.
Thread whining is bannable. Report and move on.

There's zero evidence Tencent has access to this data. Zero. Sweeney has also already come out and said it.
Tencent already owns or has invested in a big portion of the industry. Even before Fortnite hit its stride, they already owned Riot Games and Supercell, both of which had reach on the level of Fortnite or greater. No data snooping or privacy issues there. No data sharing. It makes zero sense that they'd suddenly have Epic put in a sloppy, illegal backdoor. Go to any Epic thread and you can find plenty of users here fearmongering over Tencent. It's entirely racist.
"It's entirely racist to think a chinese company may be spying on people for its government"
C'mon.
While sure, there is a lot of fear mongering over Tencent with no evidence, there is reason to be worried that has nothing to do with racism, much like you can point out that certain facebook/youtube posts "sound like russion trolls/bots" or that certain MMO economies are dictated by chinese/venezuelan/korean farmers.

There is also the fact that the racism accusation comes from a piss poor written article that is being written to dismiss Epic's action and paint everyone concerned about it as Valve-fanboy-children-that-you-should-not-listen-to-since-they-may-even-be-racists, just another day on the internet! *slaps knee*
 

Demacabre

Member
Nov 20, 2017
1,845
Pretty much my feeling for the ost few years about video games journalism.
You are not the customer for video game journalism. You pay nothing to read most. You are a metric and traffic to sell ad rates. You can like them or hate them, you are still counted as a number if you click on it. They can write a great article or sensationalist trash. Remember that. Guess where they do get their money.
 
Last edited:

Tart Toter 9K

Member
Oct 25, 2017
287
We really don't need to pass the blame on to Tencent, Epic are perfectley capable of doing this by themselves. It's not like american companies don't spy on their customers and competitors.
 

Kurt Russell

Avenger
Oct 25, 2017
321
Mar del Plata
We really don't need to pass the blame on to Tencent, Epic are perfectley capable of doing this by themselves. It's not like american companies don't spy on their customers and competitors.
Yup, I think it's a big mistake to start talking about it like it's Tencent's doing. There is no proof of that, and doing so is a perfect way of derailing threads like this one.
 

Nappael

Member
Oct 25, 2017
5,052
We really don't need to pass the blame on to Tencent, Epic are perfectley capable of doing this by themselves. It's not like american companies don't spy on their customers and competitors.
Exactly.

Even if there is truth behind the Tencent stuff, there is no need to speculate when we already know Epic aren't to be trusted. You just weaken your argument.
 
Dec 30, 2018
1,334
Yup, I think it's a big mistake to start talking about it like it's Tencent's doing. There is no proof of that, and doing so is a perfect way of derailing threads like this one.

We really don't need to pass the blame on to Tencent, Epic are perfectley capable of doing this by themselves. It's not like american companies don't spy on their customers and competitors.
I agree with you both as things currently stand and I also agree that we should all be focusing on the real issue which is what Epic have done.

The RPS article was a blatant deflection attempt and it worked but I am hoping we get back on to the real issues now.
 

Morrigan

Armoring
Moderator
Oct 24, 2017
10,304
According to this website: Fortnite Guide- Now Add Steam Friends In Fortnite - VoStory the functionality that lets people import their Steam friends into the EGL was added with Update 4.3 of Fortnite. That update was released on May 30, 2018. The first files scrapped by the EGL on my computer were generated on May 4, 2018. Did those files travel in time?
I want to quote this again because.... well, has Sweeney or anyone else at Epic given an explanation for this?
 

Chairmanchuck

Member
Oct 25, 2017
3,979
China
Is there a reason why the "Non-english" publication see it far harder?

(German)Gamestar wrote a really good article.
(German) 4Players too.
 

Armaros

Member
Oct 25, 2017
3,131
Is there a reason why the "Non-english" publication see it far harder?

(German)Gamestar wrote a really good article.
(German) 4Players too.
EU countries seem to put more emphasis on privacy concerns.

Most English speaking games media is US based, which don’t care much about privacy concerns.

Notice how many of them minimize what is occurring at the same time companies like Facebook and google and being hauled up to Congress for privacy concerns
 

dex3108

Member
Oct 26, 2017
6,512
I want to quote this again because.... well, has Sweeney or anyone else at Epic given an explanation for this?
As far as I remember they did. Something about implementing code for testing or something like that. But I find it really curious that they added that just 2 weeks after Valve locked Steam accounts and Sergey wos most vocal about it and worked at Epic at that time.
 

Armaros

Member
Oct 25, 2017
3,131
As far as I remember they did. Something about implementing code for testing or something like that. But I find it really curious that they added that just 2 weeks after Valve locked Steam accounts and Sergey wos most vocal about it and worked at Epic at that time.
We just have his assurances that none of that is linked and they have nothing to do with SteamSpy.

While they still have the guy running it on their payroll helping run the Epic Store.
 

Morrigan

Armoring
Moderator
Oct 24, 2017
10,304
As far as I remember they did. Something about implementing code for testing or something like that. But I find it really curious that they added that just 2 weeks after Valve locked Steam accounts and Sergey wos most vocal about it and worked at Epic at that time.
Yeah not sure I buy it. "Implementing code for testing"... in a live, production setting? This doesn't add up.
 

Armaros

Member
Oct 25, 2017
3,131
Yeah not sure I buy it. "Implementing code for testing"... in a live, production setting? This doesn't add up.
And the community and the overall industry still hasent addresses Sergi running SteamSpy while working on a Steam competitor, still to this day.

And yet somehow it has nothing to do with Epic
 

Arkanius

Member
Oct 25, 2017
1,610

Armaros

Member
Oct 25, 2017
3,131
Also the fact they are scraping way more than just friends ID’s.

Makes no logical sense and sounds like they are being dishonest to me.
What’s more, they claim the file that contains all of that extra information they scrape isn’t even involved in the friend list linking.

And yet that begs the question, why is any of that data being accessed in the first place and copied. That file shouldn’t even exist and all we have is their word that they don’t touch it after making it.
 
Dec 30, 2018
1,334
I want to kind of add my final thoughts to this as things stand.

I am all for more competition in the PC space if it’s for the benefit of consumers (prices coming down, more features and less demanding clients) so when I was aware Epic was coming into the market to compete with Steam I didn’t view it as a bad thing.

The sad part is, now after everything that has happened, I have little faith they will turn this around and do what is right for consumers from a business or moral stand point.

And even if they did, the trust is fractured now so it is going to be really difficult to gain it back for most people.

What’s more, they claim the file that contains all of that extra information they scrape isn’t even involved in the friend list linking.

And yet that begs the question, why is any of that data being accessed in the first place and copied. That file shouldn’t even exist and all we have is their word that they don’t touch it after making it.
Exactly, I won’t be trusting the words of a company who have already failed to be transparent.
 

KDR_11k

Member
Nov 10, 2017
1,705
Fortunately the retail version of Division 2 seems to run directly through UPlay, what a thing to say these days...

Epic kinda looks like they're trying to take the Aldi approach to game stores but they're missing the low prices part. Guess they gotta do shady shit if they cannot offer customers a real reason to shop there...
 

Digoman

Member
Oct 27, 2017
223
This was their response to that:



I don't feel it's good enough (since people didn't even know that they would add that functionality in the future)
Wait... they are going to replace to local file copying with a registry check? Can they please stop snooping around the local files and just use the API that have exactly the function they are claiming to be interested in?

Also the fact they are scraping way more than just friends ID’s.

Makes no logical sense and sounds like they are being dishonest to me.
And there is that. Even *with* the user permission they are sill parsing a file that has more info then just the friends list. Their insistence in accessing local files even after all of this is really getting suspicous for me.
 

Mudface90210

Member
Oct 29, 2017
92
Has anyone decrypted the file they create? I think someone mentioned it was just a weak form of encryption, but I can't find the post.

Ah, ignore that, read the original post wrongly, thought that the text ws what was originally in the Steam file.
 
Dec 30, 2018
1,334
Fortunately the retail version of Division 2 seems to run directly through UPlay, what a thing to say these days...

Epic kinda looks like they're trying to take the Aldi approach to game stores but they're missing the low prices part. Guess they gotta do shady shit if they cannot offer customers a real reason to shop there...
And unlike Aldi, they don’t have any professional gamers to pwn some kids and make them eat their dinner on time...lol.

And there is that. Even *with* the user permission they are sill parsing a file that has more info then just the friends list. Their insistence in accessing local files even after all of this is really getting suspicous for me.
Yeah it’s very strange for a company that is denying collecting data to be creating files with more data than they claim to have access to.

“It’s just for friends ID’s guys, ignore all that other stuff, it doesn’t exist and if it did that’s just irrelevant data that we promise we will not access, trust us.”
 

Eatin' Olives

Member
Oct 29, 2017
4,215
"Epic is also owned by Tencent, which is a Chinese company, so really if you criticize Epic you're also criticizing a Chinese company, which is racist. So if you criticize Epic you're being racist".
 

KDR_11k

Member
Nov 10, 2017
1,705
Aren't Medion a Lenovo company mostly known for making crappy cheap laptops?

Pretty sure they have nothing to do with Aldi, outside of Aldi having a deal with them to sell their laptops in some countries. Tesco used to sell them here.
Dunno, I got that address from a leaflet in an Aldi store.
 
OP
OP
Madjoki

Madjoki

Member
Oct 25, 2017
3,278
Well, seems like I was able to decrypt the file:

It seems to be parsed to binary format (possible some used by Unreal Engine?).
It seems to parse VDF (valve definition format to that)

Interestingly TimSweeney specifically claimed they didn't parse the file for playtimes in addition to not using it.



It did seems odd claim (especially as he didn't have to make that claim), since if you used any kind of parser, you'd end up parsing everything, even if technically.

It's just XOR.

https://en.wikipedia.org/wiki/XOR_cipher

For me key was 223, this may differ for you.

Edit: Correct key is 255, this will produce original file as intended. with 223 some bits are corrupt, which is why it looked weird format.

Also the fact they are scraping way more than just friends ID’s.

Makes no logical sense and sounds like they are being dishonest to me.
Yeah it doesn't. Much less keeping history even if it's just locally. Even if there is no code now, they could plausibly implement code in patch and get data from users and get rid of evidence. Or even stream code from server and instantly get rid off it (I believe Valve's VAC works similarly, for example, to make it harder to know what it actually checks). Possibilities are there. (But no proof whatsoever, just random thoughts)
 
Last edited:

vastag

Member
Oct 26, 2017
284
Well, seems like I was able to decrypt the file:

It seems to be parsed to binary format (possible some used by Unreal Engine?).
It seems to parse VDF (valve definition format to that)

Interestingly TimSweeney specifically claimed they didn't parse the file for playtimes in addition to not using it.



It did seems odd claim (especially as he didn't have to make that claim), since if you used any kind of parser, you'd end up parsing everything, even if technically.
But they definitely seem to even save that information to new file in their own format, which I'd definitely count as "parsing".



It's just XOR.

https://en.wikipedia.org/wiki/XOR_cipher

For me key was 223, this may differ for you.



Yeah it doesn't. Much less keeping history even if it's just locally. Even if there is no code now, they could plausibly implement code in patch and get data from users and get rid of evidence. Or even stream code from server and instantly get rid off it (I believe Valve's VAC works similarly, for example, to make it harder to know what it actually checks). Possibilities are there. (But no proof whatsoever, just random thoughts)
They are lying through their teeth. They are processing and analyzing all the data. Has someone checked if something is being sent back?
 

Komo

Member
Jan 3, 2019
1,526
They say it's not being sent to them, but if I don't personally ask to get it collected dont pre collect it then tell me it's okay, because you don't have it.
 

Nappael

Member
Oct 25, 2017
5,052
Has anyone scanned their network traffic yet to see if any of this is being submitted?

We already know Epic are lying on some things. We need to see how deep the rabbit hole goes.
 

Komo

Member
Jan 3, 2019
1,526
They also said that they were only looking at the friend list and they are collecting info about the played games.
Except it's clear they are doing way more then that, and CEF doesn't run like that. It's a closed container and none of your information would reside anywhere other then in Epics own folders.
 

Mivey

Member
Oct 25, 2017
6,190
Just uninstalled the Epic Games Store.
Not even the free games will make me install it again
Same.
I was fine with using it for a few free games, but I won't support such dishonest and shady practices. Especially when they are called out and still just lie through their teeth. Fuck Epic.
 

Melhadf

Member
Dec 25, 2017
108
If they are collecting info from other areas of your disk for "future use" without permission that's dubious.

But let's say they don't send the data anywhere, just leave it "encrypted" on your disk where they know it is. They can still use that data within the EGS. Storing it on their servers is just a bonus for them. It's just that they can't shouldn't then send that to their servers.

GDPR makes allowances for "trade secrets" I expect a lot of that to happen when people request the data Epic have collected on them.