Developing: Epic Games Launcher appears to collect your steam friends & play history (Up2: Valve responds, See Threadmarks)

AMD

Member
Oct 27, 2017
104
I'm not sure that this is important but I'm curious: do any of you guys happen to know whether Epic are collecting this info on a per-PC or per-user basis?

If, for example, a PC has three users, all of whom have a Steam account but only one of them has signed up to the Epic Games Store, will all the Steam accounts be scrutinised or just the one belonging to the person with the Epic account?
 
Valve Responds (March 15th)

crimsonheadGCN

The Fallen
Oct 25, 2017
2,500
Clifton, NJ
Valve has responded:

https://www.bleepingcomputer.com/news/security/epic-promises-to-fix-game-launcher-after-privacy-concerns/

We are looking into what information the Epic launcher collects from Steam.

The Steam Client locally saves data such as the list of games you own, your friends list and saved login tokens (similar to information stored in web browser cookies). This is private user data, stored on the user's home machine and is not intended to be used by other programs or uploaded to any 3rd party service.

Interested users can find localconfig.vdf and other Steam configuration files in their Steam Client’s installation directory and open them in a text editor to see what data is contained in these files. They can also view all data related to their Steam account at: https://help.steampowered.com/en/accountdata.
 

dex3108

Member
Oct 26, 2017
6,511
I'm not sure that this is important but I'm curious: do any of you guys happen to know whether Epic are collecting this info on a per-PC or per-user basis?

If, for example, a PC has three users, all of whom have a Steam account but only one of them has signed up to the Epic Games Store, will all the Steam accounts be scrutinised or just the one belonging to the person with the Epic account?
Per user. They will make their own copies for each user.
 

neon_dream

Member
Dec 18, 2017
2,943
Oh. Look. Another petulant response from Valve to rile up their toxic user base.
Are you being sarcastic?

That was about as neutral, mild, and level-headed a response as they could have made:
"This is what the file contains. The file contains private user data and isn't meant to be accessed by 3rd parties. We'll look into it."
 

Digoman

Member
Oct 27, 2017
223
Here's no warranty decode tool + source code if someone wants to try figuring out file contents:

https://mega.nz/#!39dFECQA!AzZQVqcMxFzvvi4tO5wvKCL7ht6MByZJZpXKq55rtlo

Just drag file into it and it will write decoded version with .dec extension.
I was feeling lazy so thanks for the code. Had to recompile but otherwise it worked. I was also able to verify that indeed it is a full backup but Epic has already admitted that this is the case anyway.

So... the Epic Launcher doesn't filter any information before saving a local copy and we must rely on Epic's word that it does so before sending the data. I'm guessing if/when we find out they does indeed send the whole thing, the next response will be "but we only store your friends list on our servers".

I can see no reason why the program would keep these full backups. Even if you assume everything they are saying is true, it still shows an amazing lack of respect for the user privacy when coding.

When you go back to fact that there is an API for all of this, it really doesn't look good.
 

TheTrain

Member
Oct 27, 2017
359
That's an unexpected turn around of event but I like it, let's see what Valve will say about it. Surely they have better tool and knowledge than us to analyze the situation, also with them looking into it I, at the very least, expect a different approach at this embarrassing situation from the journalist on the US side of videogaming.
 

Armaros

Member
Oct 25, 2017
3,131
Now what I want to know is, why in the hell has none of the major game publications gotten or even asked a response from Valve or Epic directly?

And why is smaller site that probably has a fraction of the traffic of those others getting out Valve’s response instead of the major ones
 

Dr. Caroll

Banned
Oct 27, 2017
8,111
Epic are at worst mishandling data and lying about it. At best, they're... astoundingly sloppy. This isn't the wild west of user data anymore. It has to be treated with care. Only touched when absolutely necessary.
 

Javetus

Member
Feb 23, 2019
56
Now what I want to know is, why in the hell has none of the major game publications gotten or even asked a response from Valve or Epic directly?

And why is smaller site that probably has a fraction of the traffic of those others getting out Valve’s response instead of the major ones
Well probably the small site was the only one that bothered to ask Valve
 

TripaSeca

Member
Oct 27, 2017
1,558
São Paulo
Under GDPR, mere collection of personal data HAS to have consent. European users CAN sue Epic for this violation. And ot wouldn't hurt Steam to secure their file as well.
 

texhnolyze

Self-Requested Ban
Banned
Oct 25, 2017
11,543
Indonesia
I still don't get this part:
Additionally, in response to user concerns that the company's launcher also gathers info on "how long someone played a steam game and last time played," Vogel argued that while the Epic Games Launcher will make "a local copy of a Steam file that contains Steam friends IDs" which also contains play time info, this data will not be parsed or delivered to their servers.

Vogel also insisted that "We only look at your Steam friends’ IDs in that file after you grant us permission and only then send a hash of those IDs back to our servers to allow us to make friend suggestions" and that Epic Games will only import the list of Steam friends after receiving "explicit permission."
When, how, and where do they ask for this permission?
 

Unkindled

Member
Nov 27, 2018
1,326
We will never know if they uploaded them or not.
Epic know's that public knows about it, so they will stop it ASAP if they were doing it to prevent getting caught. They didn't care about this until it came out in Reddit .
 
Dec 30, 2018
1,334
RPS dying on Epic's hill is making me quite sad indeed.
Going to be even worse if Valve expose Epic for what we suspect.

RPS already look incredibly unprofessional after that article, will look even worse if our suspicions are confirmed.

This whole debacle has proven one thing to me more than anything, gaming media cannot be trusted whatsoever.

Still waiting for Jim Sterling to address this, I know how much he hates corporations behaving in an anti-consumer fashion, would be very weird for him not to take issue with what Epic are doing here.

Unless of course he thinks it’s ok just because it’s not Valve...
 
Last edited:

Armaros

Member
Oct 25, 2017
3,131
We will never know if they uploaded them or not.
Epic know's that public knows about it, so they will stop it ASAP if they were doing it to prevent getting caught. They didn't care about this until it came out in Reddit .
Now they are spinning it as something that was on their long "to do list" of things they needed to upgrade and features that they needed to create. Suddently when they got caught, it became an 'unfortunate temporary kludge job', a completly unecessarey kludge job when the Steam API exists.
 
Dec 30, 2018
1,334
Epic are at worst mishandling data and lying about it. At best, they're... astoundingly sloppy. This isn't the wild west of user data anymore. It has to be treated with care. Only touched when absolutely necessary.
I think enough evidence exists to make a reasonable assumption that they are purposefully hiding the truth about this.

The statements they have made have already been shown to be false “We only collect Friends ID’s” for example.
 

MrCibb

Member
Dec 12, 2018
548
UK
I think enough evidence exists to make a reasonable assumption that they are purposefully hiding the truth about this.

The statements they have made have already been shown to be false “We only collect Friends ID’s” for example.
I wasn't giving them the benefit of the doubt to begin with, but now they've been caught out as lying? Not a good look at all. I'm glad I've never installed their Launcher now. It's going to take a lot of explaining before I even consider supporting them on this platform now.
 

Armaros

Member
Oct 25, 2017
3,131
I wasn't giving them the benefit of the doubt to begin with, but now they've been caught out as lying? Not a good look at all. I'm glad I've never installed their Launcher now. It's going to take a lot of explaining before I even consider supporting them on this platform now.
They said all they wanted was to find the friends list (disregarding the fact that these files are not for third party use) but they decide to package ALL our avaliable user data, including the games list and time played into the file, and they 'promise' us that only the friends list is send to Epic when we link our accounts to Epic.

Triple Pinky Promise.
 
Dec 30, 2018
1,334
I wasn't giving them the benefit of the doubt to begin with, but now they've been caught out as lying? Not a good look at all. I'm glad I've never installed their Launcher now. It's going to take a lot of explaining before I even consider supporting them on this platform now.
The fact that they are even collecting this data without user permission, even if it never leaves the host machine (which if I was a betting man, I would bet it has) should be enough for people to distrust them, as Valve have said, this is private information and Epic have no reason to be collecting it.

When you pair that up with all their anti-consumer tactics and also their awful customer service which is well noted pretty much everywhere (just today I reported them for breaking the law in regards to my account shutdown taking so long.) then yeah, it’s a pretty damn bad look.
 

Armaros

Member
Oct 25, 2017
3,131
Don't mean to break up the mob, but r/programming actually looked at the client and disagreed with the fear mongering. Looks like the original Reddit thread was created by some amateurs, many of whom seem to be in this thread as well!

https://www.reddit.com/r/programming/comments/b0vjq1/rnotte_m_portent_discovers_that_the_epic_games/
Uh you are like over a day late, this thread is not even about that original reddit thread, if you read the OP, you can see how the OP got his information and you can do it your self.

Moreover, the CEO of Epic HIMSELF acknowledged what they were doing and that they probably shouldn't have done it this way, tech VP for EPIC and the CEO himself would not be posting in response to this issue if there was nothing to it.
 

Toadofsky

User requested ban
Banned
Mar 8, 2018
303
Still waiting for Jim Sterling to address this, I know how much he hates corporations behaving in an anti-consumer fashion, would be very weird for him not to take issue with what Epic are doing here.

Unless of course he thinks it’s ok just because it’s not Valve...
Forgive me if I believe he’ll just be contrarian and take Epic’s side on this solely to get attention.
 

Kyougar

Member
Nov 3, 2017
3,624
Don't mean to break up the mob, but r/programming actually looked at the client and disagreed with the fear mongering. Looks like the original Reddit thread was created by some amateurs, many of whom seem to be in this thread as well!

https://www.reddit.com/r/programming/comments/b0vjq1/rnotte_m_portent_discovers_that_the_epic_games/
And why are you believing "Random Internet Person #2" over "Random Internet Person #1"?
While you could instead:
- prove it yourself with the information in this thread
- question yourself why Epic is in damage-control mode.
 
Dec 30, 2018
1,334
Don't mean to break up the mob, but r/programming actually looked at the client and disagreed with the fear mongering. Looks like the original Reddit thread was created by some amateurs, many of whom seem to be in this thread as well!

https://www.reddit.com/r/programming/comments/b0vjq1/rnotte_m_portent_discovers_that_the_epic_games/
That thread quite literally proves nothing, the reality still remains that Epic taking private data that they are not entitled to, it’s not fear mongering at all, evidence exists proving it.

All I am seeing in that programming thread is 6-7 people insulting Gabe and Valve and stating that people are hating on Epic for “karma” it actually disproves nothing.


https://www.reddit.com/r/Steam/comments/b1kfcb/valve_spokesperson_says_steams_localconfigvdf/

“We only import your Steam friends with your explicit permission. The launcher makes an encrypted local copy of your localconfig.vdf Steam file. However information from this file is only sent to Epic if you choose to import your Steam friends, and then only hashed ids of your friends are sent and no other information from the file."

Epic admitting right there that the file with all the data (more than just friends ID’s) is saved and we have to just trust them that

A) They won’t take that data without our permission and

B) If we import our friends, they receive that file and the only thing they will do with it is take our friend ID’s and nothing else, pinky promise.

If you want to believe them that’s your choice but attacking people in the thread for having valid concerns about their security isn’t a great approach to a healthy discussion imo.

And regardless, that private data is by law, protected and not supposed to be used by anything other than the APP it comes from.

As a matter of fact, Valve themselves are in breach of GDPR for even allowing that file to be copied so I imagine in the future it might well be encrypted because of this.
 

Unkindled

Member
Nov 27, 2018
1,326
Don't mean to break up the mob, but r/programming actually looked at the client and disagreed with the fear mongering. Looks like the original Reddit thread was created by some amateurs, many of whom seem to be in this thread as well!

https://www.reddit.com/r/programming/comments/b0vjq1/rnotte_m_portent_discovers_that_the_epic_games/
Valve has clearly stated the file is not intended to be used by 3rd party service that includes not making copy of the file, which Tim has admitted Epic was doing without user's permission, and OP has shown proof of. Uploading it or not is another matter.
 

muteKi

Member
Oct 22, 2018
6,347
a sunken pirate ship
Forgive me if I believe he’ll just be contrarian and take Epic’s side on this solely to get attention.
I would be very surprised if the guy who did a video a few weeks back about how capitalism is strangling gaming would so haphazardly support a company; even in his previous video his big argument about the value of the Epic Game Store was that they weren't giving Rape Day the time of day, which is so narrow of a bar to clear I wouldn't consider it even remotely a ringing endorsement. And it's not like there aren't obvious digs to be made in Valve's direction either (why is something that can be marked private on the server side so easy to access by anything on the user's side?). I'd be very surprised if he doesn't complain about this.