Developing: Epic Games Launcher appears to collect your steam friends & play history (Up2: Valve responds, See Threadmarks)

Dec 30, 2018
1,334
I would be very surprised if the guy who did a video a few weeks back about how capitalism is strangling gaming would so haphazardly support a company; even in his previous video his big argument about the value of the Epic Game Store was that they weren't giving Rape Day the time of day, which is so narrow of a bar to clear I wouldn't consider it even remotely a ringing endorsement. And it's not like there aren't obvious digs to be made in Valve's direction either (why is something that can be marked private on the server side so easy to access by anything on the user's side?). I'd be very surprised if he doesn't complain about this.
I would be shocked if he didn’t complain about it because it would make him look like a hypocrite if he didn’t quite frankly.
 

stan423321

Member
Oct 25, 2017
3,703
You know, if Epic's justification is that API may change but file format won't, Valve should probably immediately start obfuscating the format. Which may be a loss for some Steam assistant hacktools I'm not aware of, but, well.

As a matter of fact, Valve themselves are in breach of GDPR for even allowing that file to be copied so I imagine in the future it might well be encrypted because of this.
Could you point to relevant clause? This sounds like GDPR is basically unimplementable on an authentic open personal computer. Steam could make this a little harder, but EGS could always go full admin on it.
 

Digoman

Member
Oct 27, 2017
223
I would be shocked if he didn’t complain about it because it would make him look like a hypocrite if he didn’t quite frankly.
He already looks like one to me, and I did like most of his content before this. He attacked the most notorious case of exclusivity with Metro, but overall has been very silent on Epic strategy as a whole. Even this last episode has already enough information (with Epic actually saying it does search for and copies the file) for at least some quick video. For me he has opted to keep going for the low hanging fruit of "bad Valve, bad Steam without curation" instead of actually digging on the subject.

It would be nice if some journalist and/or "personality" actually got some new facts or even off the record opinions, but so far the users had to do all the work themselves to find about what Epic is doing.
 
Dec 30, 2018
1,334
You know, if Epic's justification is that API may change but file format won't, Valve should probably immediately start obfuscating the format. Which may be a loss for some Steam assistant hacktools I'm not aware of, but, well.


Could you point to relevant clause? This sounds like GDPR is basically unimplementable on an authentic open personal computer. Steam could make this a little harder, but EGS could always go full admin on it.
I couldn’t tell you the exact clause but I know under GDPR that personal data is defined as:

“any information relating to an identified or identifiable natural person (‘data subject’).

“An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

Essentially anything that can be used to identify an individual, even just age or gender, doesn’t even have to be an individuals name, as it says, it can be an “online identifier”

A data breach under GDPR (which is what I believe Valve will be in breach of with this) is as follows:

“personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

From what I can tell there, that would mean, by Epic getting this information and storing it, even if it isn’t processed, Valve would be in breach of GDPR.

I could be completely wrong here so don’t take my word as factual, I am not an expert on this, I would be interested to know if we do have any experts here on this though so I can confirm if I am right in my assumptions?
 

StereoVSN

Member
Nov 1, 2017
4,346
Eastern US
He already looks like one to me, and I did like most of his content before this. He attacked the most notorious case of exclusivity with Metro, but overall has been very silent on Epic strategy as a whole. Even this last episode has already enough information (with Epic actually saying it does search for and copies the file) for at least some quick video. For me he has opted to keep going for the low hanging fruit of "bad Valve, bad Steam without curation" instead of actually digging on the subject.
Between PC Gamer, RPS, Sterling, and most of the other large outlets as well as YouTubers it looks like Epic moneyhatted the whole Gaming Media with their Fortnite and Tencent cash.

It's just a pathetic look. I am sorely disappointed especially by PC Gamer, RPS and Sterling.
 
Dec 30, 2018
1,334
He already looks like one to me, and I did like most of his content before this. He attacked the most notorious case of exclusivity with Metro, but overall has been very silent on Epic strategy as a whole. Even this last episode has already enough information (with Epic actually saying it does search for and copies the file) for at least some quick video. For me he has opted to keep going for the low hanging fruit of "bad Valve, bad Steam without curation" instead of actually digging on the subject.

It would be nice if some journalist and/or "personality" actually got some new facts or even off the record opinions, but so far the users had to do all the work themselves to find about what Epic is doing.
You’re right, I am just waiting to see what he says in his next video before I make a final judgement call on if I should consume anymore of his content, I would find it incredibly difficult to take him seriously if he fails to cover this and expose it.
 
Dec 30, 2018
1,334
Between PC Gamer, RPS, Sterling, and most of the other large outlets as well as YouTubers it looks like Epic moneyhatted the whole Gaming Media with their Fortnite and Tencent cash.

It's just a pathetic look. I am sorely disappointed especially by PC Gamer, RPS and Sterling.
RPS have disappointed me the most, I expect this stuff from sites like PC Gamer and Eurogamer as they have mostly always felt like paid advertisers.

RPS however have always felt honest to me, today when I read that it just felt weird, it was like a PR blog post by Epic and the victim blaming and accusations of racism was just honestly so off the mark that I couldn’t believe what I was reading.
 

Mudface90210

Member
Oct 29, 2017
92
I couldn’t tell you the exact clause but I know under GDPR that personal data is defined as:

“any information relating to an identified or identifiable natural person (‘data subject’).

“An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

Essentially anything that can be used to identify an individual, even just age or gender, doesn’t even have to be an individuals name, as it says, it can be an “online identifier”

A data breach under GDPR (which is what I believe Valve will be in breach of with this) is as follows:

“personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

From what I can tell there, that would mean, by Epic getting this information and storing it, even if it isn’t processed, Valve would be in breach of GDPR.

I could be completely wrong here so don’t take my word as factual, I am not an expert on this, I would be interested to know if we do have any experts here on this though so I can confirm if I am right in my assumptions?
No, Valve aren't the data controller here and wouldn't be in breach in this scenario unless they were storing the data themselves and allowed it to be accessed through negligence or deliberately given to a third party without the consent of the subject.
 

TheRedSnifit

Member
Oct 29, 2017
4,001
Now what I want to know is, why in the hell has none of the major game publications gotten or even asked a response from Valve or Epic directly?

And why is smaller site that probably has a fraction of the traffic of those others getting out Valve’s response instead of the major ones
Games "journalists" are pretty much always just mediocre editorialists who won't write anything that they don't think they can frame as standing up to The Man.
 

Pixieking

Member
Oct 25, 2017
4,090
Great point. We should be pushing writers at these outlets to spend some time brushing up on the latest trends outside of gaming as well as those inside the industry.
Yup. But even if they don't, they should be doing what the actual media does and getting an analyst/ex-industry member or someone with known technical knowledge to shed light on things. Random example from the Washington Post:

Trump “indicated that nuclear and missile testing really is a red line. He basically said that as long as they’re not testing, he’s happy, even though behind the scenes they continue to perfect their arsenal,” said Bruce Klingner, a former U.S. intelligence official who is now a Northeast Asia analyst at the conservative Heritage Foundation.
No-one expects journalists/reporters to know everything, but people do expect light to be shed on complicated issues by people in-the-know, and it's the journalists job to know their own limitations and interview people who fill in those gaps.
''Valve doesn't sound too happy about the epic store copying steam data''
Subjectivity and showing your bias in news reporting... Just make it stop. :/

Anyways... loving the comment from Valve. Doing their due diligence by seeing what Epic are doing with the Steam files and making comment on it. What kind of timeline is this?
 

nynt9

Member
Oct 25, 2017
4,354
Yup. But even if they don't, they should be doing what the actual media does and getting an analyst/ex-industry member or someone with known technical knowledge to shed light on things. Random example from the Washington Post:



No-one expects journalists/reporters to know everything, but people do expect light to be shed on complicated issues by people in-the-know, and it's the journalists job to know their own limitations and interview people who fill in those gaps.
For some reason (hubris?) this is something games journalism literally never, ever does. Seriously, it’s baffling. Jason Schreier is legitimately the only games journalist I’ve seen do this.
 

Cipherr

Member
Oct 26, 2017
3,606
This whole thing stinks. RPS is showing their ass and Im straight up waiting to see how Sterling handles this too. Hypocrites, the whole lot of them if they don't treat this with all the ire its rightfully due.

Jesus what the fuck is even going on in gaming media these days.
 

Relik7

Member
Mar 14, 2019
20
Well, seems like I was able to decrypt the file:
It's just XOR.

https://en.wikipedia.org/wiki/XOR_cipher

For me key was 223, this may differ for you.
The key isn't 223, it's DEC 255 aka HEX 0xFF aka toggle every binary bit in the data stream. I didn't post an executable or anything because the decoded contents is the exact same as localconfig.vdf so if you want to see what they grab, just open that in a text editor (like you already did).
 

Pixieking

Member
Oct 25, 2017
4,090
For some reason (hubris?) this is something games journalism literally never, ever does. Seriously, it’s baffling. Jason Schreier is legitimately the only games journalist I’ve seen do this.
Maybe it's something that's covered in journalism degrees? Does Schreier have one? I mean, I don't have a journalism degree, and I know this is obvious, but then again, in hindsight, I should've done a journalism degree at university. :/
 

Unknownhero

The Fallen
Oct 27, 2017
917
OP
OP
Madjoki

Madjoki

Member
Oct 25, 2017
3,278
The key isn't 223, it's DEC 255 aka HEX 0xFF aka toggle every binary bit in the data stream. I didn't post an executable or anything because the decoded contents is the exact same as localconfig.vdf so if you want to see what they grab, just open that in a text editor (like you already did).
Thanks for noticing, somehow I missed that. Fixed my post.

I only called it "decrypting" because of Epic claim of it being encrypted.
 

Absolute

Member
Nov 6, 2017
684
Well PC Gamer covered the thing again:

https://www.pcgamer.com/valve-doesnt-sound-too-happy-about-the-epic-store-copying-steam-data/

''Valve doesn't sound too happy about the epic store copying steam data'' or ''In the future, Valve could potentially encrypt local user data to prevent the Epic client and other software from copying it. '' are their takes on this
This is just click bait fluff. The headline is so off base. Valve reported the unbiased truth of the situation as was outlined beforehand by users here. It adds motive to Valve addressing a matter that users are concerned about.
 
Oct 29, 2017
3,487
Jim is almost certainly going to make a video on this, but probably has his hands full on the whole Pewdipie shooter story right now. He’s only one person and can only cover so many VG industry fuckups at once!

This is prime material for his channel, he ain’t passing this one up!
 

Cipherr

Member
Oct 26, 2017
3,606
It's all about the Benjamins $$$.
This shit is scary. If its this easy to spend a little money and get RPS and PCGamer basically running PR for you and your mistakes, this industry is going to be in rough fucking shape when a company like Google gets in there and has even deeper pockets. NOTHING is going to be trustworthy. Toss in the fact that fanboys will ALWAYS be right there to backup this sort of horseshit and its just depressing.

Jim Sterling is just one guy, but Im like... really fucking hoping he's not on the kool-aid with this one, because damn...
 

Relik7

Member
Mar 14, 2019
20
Well PC Gamer covered the thing again:

https://www.pcgamer.com/valve-doesnt-sound-too-happy-about-the-epic-store-copying-steam-data/

''Valve doesn't sound too happy about the epic store copying steam data'' or ''In the future, Valve could potentially encrypt local user data to prevent the Epic client and other software from copying it. '' are their takes on this
So Valve is mad they are accessing the file yet still didn't fully commit to keep our user data safe by at least TRYING to hide it instead of keeping it in plain sight? *expletive* *expletive*. I'm not sure how others feel, but I find the lack of concern for user's private data is sickening from both of these companies. The Steam application has had what I consider the most sluggish development progress for a team of it's size in the entire history of software development. They have had no real competition so they have barely made progress in the many years since it was developed (In-Home streaming was one of the few new features). I'll stop myself before I go on a rant.

Valve's Doug Lombardi : "The Steam Client locally saves data such as the list of games you own, your friends list and saved login tokens (similar to information stored in web browser cookies)," wrote Lombardi. "This is private user data, stored on the user's home machine and is not intended to be used by other programs or uploaded to any 3rd party service.

He admits that this is private user data and yet still doesn't commit to protecting it. It's just mind boggling. I know, Epic is the data thief, but Steam left the door open with all your possessions in clear view.
 

Armaros

Member
Oct 25, 2017
3,131
So Valve is mad they are accessing the file yet still didn't fully commit to keep our user data safe by at least TRYING to hide it instead of keeping it in plain sight? *expletive* *expletive*. I'm not sure how others feel, but I find the lack of concern for user's private data is sickening from both of these companies. The Steam application has had what I consider the most sluggish development progress for a team of it's size in the entire history of software development. They have had no real competition so they have barely made progress in the many years since it was developed (In-Home streaming was one of the few new features). I'll stop myself before I go on a rant.

Valve's Doug Lombardi : "The Steam Client locally saves data such as the list of games you own, your friends list and saved login tokens (similar to information stored in web browser cookies)," wrote Lombardi. "This is private user data, stored on the user's home machine and is not intended to be used by other programs or uploaded to any 3rd party service.

He admits that this is private user data and yet still doesn't commit to protecting it. It's just mind boggling. I know, Epic is the data thief, but Steam left the door open with all your possessions in clear view.
It’s amazing how in your quest to attack Steam and Valve you go full blown victim blaming and say that everything on our personal computers should be encrypted so companies like Epic don’t steal it.
 

SaberVS7

Member
Oct 25, 2017
1,645
This shit is scary. If its this easy to spend a little money and get RPS and PCGamer basically running PR for you and your mistakes, this industry is going to be in rough fucking shape when a company like Google gets in there and has even deeper pockets. NOTHING is going to be trustworthy. Toss in the fact that fanboys will ALWAYS be right there to backup this sort of horseshit and its just depressing.

Jim Sterling is just one guy, but Im like... really fucking hoping he's not on the kool-aid with this one, because damn...
With the ubiquity of adblockers and Gaming-News sites being rather on the niche side of things to begin with as far as Ad Revenue generation goes, this was inevitable.

But I mean, anyone who's been paying attention would know this has been the case for the past fifteen years. Famitsu didn't start the fire.
 

Viper_GK

Member
Oct 28, 2017
21
Don't mean to break up the mob, but r/programming actually looked at the client and disagreed with the fear mongering. Looks like the original Reddit thread was created by some amateurs, many of whom seem to be in this thread as well!

https://www.reddit.com/r/programming/comments/b0vjq1/rnotte_m_portent_discovers_that_the_epic_games/
I dislike posts like these, it is akin to a drive by post, try to interject that the facts that have been presented about privacy is fear mongering, gets called out on it in many posts, don't show up again, until another hot take from a random post/article defending epic regarding this matter.
 

Pixieking

Member
Oct 25, 2017
4,090
He admits that this is private user data and yet still doesn't commit to protecting it. It's just mind boggling. I know, Epic is the data thief, but Steam left the door open with all your possessions in clear view.
Andy Chalk, is that you?

Microsoft doesn't encrypt the Documents folder on my computer, and the subfolders of that contain photos and financial information. Is MS at fault if another program skims information from that set of folders and potentially uploads it?

Take a step back and think about what you're asking here, then apply it to every company equally.
 

EloKa

GSP
Verified
Oct 25, 2017
357
He admits that this is private user data and yet still doesn't commit to protecting it. It's just mind boggling. I know, Epic is the data thief, but Steam left the door open with all your possessions in clear view.
Yeah of course it's private user data. If you save a picture, a text document or anything else on your PC it also becomes private user data.
Everything stored on YOUR PC is private user (aka "your") data.

Edit: I've justed noticed that you've registered in the last hours and all of your 11 posts are in this thread, spinning the story that Valve is the bad guy causing a data privacy breach and trying to put them into blame while Epic is just doing good stuff. Nope, please do not reply to me and troll somewhere else.
 

oipic

Member
Oct 25, 2017
216
So Valve is mad they are accessing the file yet still didn't fully commit to keep our user data safe by at least TRYING to hide it instead of keeping it in plain sight? *expletive* *expletive*. I'm not sure how others feel, but I find the lack of concern for user's private data is sickening from both of these companies. The Steam application has had what I consider the most sluggish development progress for a team of it's size in the entire history of software development. They have had no real competition so they have barely made progress in the many years since it was developed (In-Home streaming was one of the few new features). I'll stop myself before I go on a rant.

Valve's Doug Lombardi : "The Steam Client locally saves data such as the list of games you own, your friends list and saved login tokens (similar to information stored in web browser cookies)," wrote Lombardi. "This is private user data, stored on the user's home machine and is not intended to be used by other programs or uploaded to any 3rd party service.

He admits that this is private user data and yet still doesn't commit to protecting it. It's just mind boggling. I know, Epic is the data thief, but Steam left the door open with all your possessions in clear view.
The web browser from which you posted your reply will have personal data readily-accessible and 'available' too, I'd wager - the vast majority of applications on your PC would be in the same boat. Storing this data on your machine - for use by the app by which it is captured - and a competitor sneakily seeking it out via another app, and taking a copy for whatever purpose, are two very different things.

I'm baffled by any 'accusations' levelled at Valve as being somehow responsible for this.
 

Relik7

Member
Mar 14, 2019
20
It’s amazing how in your quest to attack Steam and Valve you go full blown victim blaming and say that everything on our personal computers should be encrypted so companies like Epic don’t steal it.
I have no quest to attack anyone except those that are criminally negligent in protecting important data. If you read back, I've been anti Epic the entire thread, but Valve's response is equally disappointing. You are using the typical bait of putting words in my mouth. Not every file on your hard drive is created equal IS IT? Is your master password list supposed to be stored in plain text the same as un-encrypted pictures of your cat? Microsoft protects your "Live" credentials, Google protects your stored password archive, how many more examples do I have to give?
 

nynt9

Member
Oct 25, 2017
4,354
So Valve is mad they are accessing the file yet still didn't fully commit to keep our user data safe by at least TRYING to hide it instead of keeping it in plain sight? *expletive* *expletive*. I'm not sure how others feel, but I find the lack of concern for user's private data is sickening from both of these companies. The Steam application has had what I consider the most sluggish development progress for a team of it's size in the entire history of software development. They have had no real competition so they have barely made progress in the many years since it was developed (In-Home streaming was one of the few new features). I'll stop myself before I go on a rant.

Valve's Doug Lombardi : "The Steam Client locally saves data such as the list of games you own, your friends list and saved login tokens (similar to information stored in web browser cookies)," wrote Lombardi. "This is private user data, stored on the user's home machine and is not intended to be used by other programs or uploaded to any 3rd party service.

He admits that this is private user data and yet still doesn't commit to protecting it. It's just mind boggling. I know, Epic is the data thief, but Steam left the door open with all your possessions in clear view.
Gotta day, this is the most hilarious self-own meltdown of the day.
 

Armaros

Member
Oct 25, 2017
3,131
I have no quest to attack anyone except those that are criminally negligent in protecting important data. If you read back, I've been anti Epic the entire thread, but Valve's response is equally disappointing. You are using the typical bait of putting words in my mouth. Not every file on your hard drive is created equal IS IT? Is your master password list supposed to be stored in plain text the same as un-encrypted pictures of your cat? Microsoft protects your "Live" credentials, Google protects your stored password archive, how many more examples do I have to give?
You literally have 4 words for what epic did have a two paragraph tirade to blame Valve for this. You are comparing passwords and login information to files that show your games directory and time played? Are you serious?

You are transparent, absurdly so.
 

Kade

Member
Oct 25, 2017
663
Canada
I was wondering how the Epic Launcher fetched that data when I initially linked the two accounts when the feature was announced. I don't remember having to log into a Steam third-party site login page or any of the notices that state that your profile needs to be public. I could definitely be wrong. It doesn't show up on my list of third-party logins while other services and games do.
 

Pixieking

Member
Oct 25, 2017
4,090
I have no quest to attack anyone except those that are criminally negligent in protecting important data. If you read back, I've been anti Epic the entire thread, but Valve's response is equally disappointing. You are using the typical bait of putting words in my mouth. Not every file on your hard drive is created equal IS IT? Is your master password list supposed to be stored in plain text the same as un-encrypted pictures of your cat? Microsoft protects your "Live" credentials, Google protects your stored password archive, how many more examples do I have to give?
But "private data" and "sensitive data" are two different things. Both need the user's permission to be shared, but only one has serious consequences if uploaded. Comparing

the list of games you own, your friends list and saved login tokens (similar to information stored in web browser cookies)
with

master password list [...] "Live" credentials [and] Google [...] stored password archive
Is the definition of bad faith arguing.
 

Relik7

Member
Mar 14, 2019
20
I'm baffled by any 'accusations' levelled at Valve as being somehow responsible for this.
Because they store it in PLAIN TEXT. Any reasonable programmer does something to thwart snooping of private user data - I'm not talking about your pictures, but a cache of your friends, purchases, and play habits. As I've said, you people NEW in this thread seem to have no idea I helped in reporting the Epic data theft. On reddit and on here. Go back to page 16. Why can't there be some level of fault from both companies?
 

Relik7

Member
Mar 14, 2019
20
But "private data" and "sensitive data" are two different things. Both need the user's permission to be shared, but only one has serious consequences if uploaded. Comparing

Is the definition of bad faith arguing.
Read your own quote again. Comparing saved login tokens with Google stored password archive is bad faith arguing? Come on.
 

EloKa

GSP
Verified
Oct 25, 2017
357
So Epic takes our info, is in fact taking more than just friends lists, and basically just "promising" they won't use the other info that they already have? Do I have that correct?
Kinda. Epic will use some of the gathered info if you opt-in to specific features (like connecting to your Steam friends) and is promising to not use or even look at all the other data at any point.
 

Pixieking

Member
Oct 25, 2017
4,090
Read your own quote again. Comparing saved login tokens with Google stored password archive is bad faith arguing? Come on.
Because, from what I understand it (and I may be wrong here) the token is just a session ID instance akin to a cookie, not a password. So, something like this:

By signing into www.artifactfire.com through Steam:
  • Your Steam login credentials will not be shared.
  • A unique numeric identifier will be shared with www.artifactfire.com. Through this, www.artifactfire.com will be able to identify your Steam community profile and access information about your Steam account according to your Profile Privacy Settings.
Edit:

Valve went through a hacking/password issue a few years back.

Hackers gained unauthorized access to user information on the digital videogame distribution service Steam last weekend, the company that runs the service has said.

Information in the database, which was accessed on Sunday, Nov. 6, included "user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information," according to a note that Valve CEO Gabe Newell sent to all Steam accounts on Thursday. Valve forwarded the note to media including Wired.com, saying that the company was "still investigating" whether the information was taken by the hackers.

"We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked," the note read. "We don't have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely."
So, again, comparing the file information in localconfig.vdf with actual passwords is incorrect. Is it bad that it's so open? Yes. But you're coming across as both the open-nature of the data and Epic's stealing that data are just as bad as each-other. They're not.
 
Last edited:

Relik7

Member
Mar 14, 2019
20
In an ideal environment (like in Android), Epic would not be able to see Steam's data because it would be isolated to the Steam application itself. I hear talk like "Well, your entire machine needs to be encrypted if you want to have privacy." No. There are such things as permissions and isolation. You can't access private system directories in Windows because the permissions prevent you. Your own user directory is blocked from other users on the machine.

Why is it so wrong to say the data file should not be accessible to Epic in the first place? Whether it be through encryption, permissions, isolation, or any programming construct available.
 
Last edited:

MrBob

Member
Oct 25, 2017
2,385
A website called Bleeping Computer got a response out of Valve, where was the games media grabbing a response from Valve? Amazing. We are truly in the era of hot takes reporting.
 

Pixieking

Member
Oct 25, 2017
4,090
A website called Bleeping Computer got a response out of Valve, where was the games media grabbing a response from Valve? Amazing. We are truly in the era of hot takes reporting.
PC Gamer at least didn't think it warranted contacting Valve, as what Valve do/did wasn't the point of the article:

Andy Chalk Mod a day ago
I could also point out that Steam obviously also leaves all this data lying around, open and accessible to any developer or application that wants it. This is a report on the accusation and response, not a technical analysis of how Steam and Epic handle, protect, and share your data.
Why is it so wrong to say that data file should not be accessible to Epic in the first place? Whether it be through encryption, permissions, isolation, or any programming construct available.
It's not wrong, but the false equivalence you're making is bad. Epic are far more wrong in this situation than Valve.