
spam musubi

Member
Oct 25, 2017
9,380
My only problem so far with the gaming media reporting on this (those who have) is that they are simply shaping down the barebones issue and casting it as a non-issue all while peppering in the PR statement on Reddit that reads like a farce. I understand not wanting to overload your reader with technical mumbo jumbo but at least get the real hard facts out that it isn't just the friends list but cloud data, games played and what games you have. On top of that you have Sweeney saying they know that data is being collected, but that it is okay because *they* aren't sending it back to their servers.

I mean, I can't really take that at face value when you've got PR throwing a statement so blanketed that they completely ignored the fact users have found more than just the friends list being datamined in hopes of stamping out the fire.

I think they're just so used to the console space and big publishers throwing their weight around. There are so few actual journalists and technical writers in gaming, and so many enthusiasts that are happy to be "in" and receiving attention from publishers. They're just not accustomed to challenging the hand that feeds them, and when those players start throwing their weight around in the PC space they just don't know how to react. Since Valve don't really have a strong PR presence they can't compete with the constant assault of information from big players.
 

Relik7

Member
Mar 14, 2019
20
This is more about a corporate data breach. Epic is collecting this data from every Steam user to get a leg up on Steam, not to personally target you, in my belief. They are grabbing this data while it's still clear text and available before Steam realizes they've had a data breach. As customers, we should hold Epic accountable as well as demand to know what Steam is going to do to keep our data safe. By the way, the copy of localconfig.vdf that Epic makes is simply XOR'd with 0xFF, not encrypted. The only reason to do something like that is to hide what you are doing. I also went through the whole procedure of linking my Steam friends to Epic and the "SocialBackup" file that Epic made was not accessed once (watched using Procmon). That Steam file contains all your friends, every game you own, when you last played, etc.

I can also say that the backup file created by Epic is created 1 minute after installing their launcher.
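
The check described in the post above, as an added example that is not part of the original thread and not Epic's or Valve's code: it tests whether a file is a KeyValues (`.vdf`) document stored either as plain text or XOR'd with 0xFF, then lists which friend and game records it exposes. The sample data is constructed, the section names `friends`, `apps` and `LastPlayed` are assumptions modelled on the post's description of the file, and all function names are hypothetical.

```python
"""Inspect a suspected copy of Steam's localconfig.vdf (added example)."""
import re
import sys

# XOR with 0xFF flips every bit of a byte; applying it twice restores the input,
# so the same function both obfuscates and recovers the data. No key is involved.
_FLIP = bytes(b ^ 0xFF for b in range(256))


def xor_ff(data: bytes) -> bytes:
    return data.translate(_FLIP)


# Valve's text KeyValues format: quoted strings and braces, whitespace-separated.
_TOKEN = re.compile(r'"((?:\\.|[^"\\])*)"|([{}])')


def parse_vdf(text: str) -> dict:
    """Parse "key" "value" pairs and "key" { ... } sections into nested dicts."""
    tokens = [(m.group(1), m.group(2)) for m in _TOKEN.finditer(text)]
    pos = 0

    def block(depth: int) -> dict:
        nonlocal pos
        node = {}
        while pos < len(tokens):
            key, brace = tokens[pos]
            pos += 1
            if brace == "}":
                if depth == 0:
                    raise ValueError("unbalanced closing brace")
                return node
            if brace == "{" or pos >= len(tokens):
                raise ValueError("malformed KeyValues data")
            value, vbrace = tokens[pos]
            pos += 1
            if vbrace == "}":
                raise ValueError("key without a value")
            node[key] = block(depth + 1) if vbrace == "{" else value
        if depth:
            raise ValueError("missing closing brace")
        return node

    return block(0)


def find_sections(tree: dict, name: str):
    """Yield every nested section whose key equals name, case-insensitively."""
    for key, value in tree.items():
        if isinstance(value, dict):
            if key.lower() == name:
                yield value
            yield from find_sections(value, name)


def inspect_backup(blob: bytes) -> dict:
    """Report how the blob is stored and which friend/app records it holds."""
    for label, candidate in (("plaintext", blob), ("xor-0xff", xor_ff(blob))):
        try:
            tree = parse_vdf(candidate.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue
        # A real KeyValues file has at least one top-level section.
        if tree and all(isinstance(v, dict) for v in tree.values()):
            friends = sorted(k for sec in find_sections(tree, "friends")
                             for k, v in sec.items() if isinstance(v, dict))
            played = {app: v.get("LastPlayed")  # assumed key name
                      for sec in find_sections(tree, "apps")
                      for app, v in sec.items() if isinstance(v, dict)}
            return {"encoding": label, "friend_ids": friends, "last_played": played}
    return {"encoding": "unknown", "friend_ids": [], "last_played": {}}


# Constructed sample, not taken from any real account.
SAMPLE_VDF = '''"UserLocalConfigStore"
{
  "friends"
  {
    "11111111" { "name" "friend_one" }
    "22222222" { "name" "friend_two" }
  }
  "Software" { "Valve" { "Steam" { "apps"
  {
    "440" { "LastPlayed" "1552000000" }
    "570" { "LastPlayed" "1551000000" }
  } } } }
}
'''

if __name__ == "__main__":
    # With a path argument, inspect that file; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = xor_ff(SAMPLE_VDF.encode("utf-8"))
    print(inspect_backup(data))
```

Because ASCII text XOR'd with 0xFF has every byte at 0x80 or above, the obfuscated copy never parses as plain text, which is why the function can tell the two storage forms apart.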
 

StereoVSN

Member
Nov 1, 2017
13,620
Eastern US
Not even surprised anymore
I am done with PC Gamer. It's pathetic how a publication calling itself "PC Gamer" is so much in Epic's pocket nowadays.

Separately, I am certainly not astonished by this latest EGS shit show. It's to be expected. Considering that they have had a completely anti-consumer stance from the get-go, is this really surprising? Oh, and if Borderlands 3 does go to EGS, well, another game I don't have to worry about, plenty remains.
 

Ollolol

Member
Nov 1, 2017
48
I am done with PC Gamer. It's pathetic how a publication calling itself "PC Gamer" is so much in Epic's pocket nowadays.

Separately, I am certainly not astonished by this latest EGS shit show. It's to be expected. Considering that they have had a completely anti-consumer stance from the get-go, is this really surprising? Oh, and if Borderlands 3 does go to EGS, well, another game I don't have to worry about, plenty remains.

PCGamer, sorry, I mean EPICGamer.
 

Annubis

Member
Oct 25, 2017
5,653
Fuck....I want to uninstall, but I need the epic launcher for school.
How can the store side of Epic be so much shittier than the engine/Unreal side?
Oh..

...oh dear.

I'd uninstall it, but... I do developmental learning with Unreal Engine 4, so like... not really an option for me.

Still, this isn't... a good look.
Go to the folder and remove the right to create file or folder in there.
I think that should work.

First delete everything in C:\ProgramData\Epic\SocialBackup\
Go back up a level

Right-click SocialBackup
Properties
Security
Advanced
Modify Authorization
Select System
Modify
Refuse Writing Files or folder (not exact wording, my Win is French)
Ok and agree to the warning after

I'm not entirely sure if doing it on System works. At worst, do it on the accounts too.
Nothing bad will happen, you're just blocking the creation of new files or folders in that folder.
 

Mentalist

Member
Mar 14, 2019
17,949
This is more about a corporate data breach. Epic is collecting this data from every Steam user to get a leg up on Steam, not to personally target you, in my belief. They are grabbing this data while it's still clear text and available before Steam realizes they've had a data breach. As customers, we should hold Epic accountable as well as demand to know what Steam is going to do to keep our data safe. By the way, the copy of localconfig.vdf that Epic makes is simply XOR'd with 0xFF, not encrypted. The only reason to do something like that is to hide what you are doing. I also went through the whole procedure of linking my Steam friends to Epic and the "SocialBackup" file that Epic made was not accessed once (watched using Procmon). That Steam file contains all your friends, every game you own, when you last played, etc.

I can also say that the backup file created by Epic is created 1 minute after installing their launcher.

I fully realize that's their intent.
I consider it utterly unethical, and I am even less inclined than before to do any business with them.
 

Deleted member 11214

user requested account closure
Banned
Oct 27, 2017
731
Remember when GFW Radio used to constantly shit on GFWL because it was junk?

Now we have PC Gamer writing free Epic advertorials because it's fashionable with a subset of indie developers.
 

Relik7

Member
Mar 14, 2019
20
This is about the same as saying "nothing personal, just business"

We're still the ones having our privacy violated.

I'm in full agreement. I said that because some people are sadly of the opinion in this era that they don't even care about having their privacy violated because of constant violations happening all over. I just wanted it clear that they are not just stealing from us, but they are using Steam's own users to collect data to use against them. While certain Steam data is public, you can't buy the kind of data that is in that file. They are about to come out with hugely anticipated exclusive games (Satisfactory among others) that are going to bring a lot of launcher installs.
 

TooBusyLookinGud

Graphics Engineer
Verified
Oct 27, 2017
7,926
California
This isn't the only issue with this.

It's also a potential breach for beta testers on games still officially unannounced and unlisted on Steam. The EGS client can sniff those out from your Steam folder and then go and contact the dev/pub and try and get an exclusive deal out of them. It's just shady and unethical as heck.

Man that's a low blow. I honestly thought this was BS outrage but this is too low of a blow from Epic.

I don't have their launcher installed and I don't think I will now. This sucks if true.
 

ty_hot

Banned
Dec 14, 2017
7,176
So, Epic gets your Steam friends names after you agree to send it to them. The EGS gets more info using the Steam API, but this extra info never leaves your computer. There is no real problem here, if I understood everything correctly. If you are afraid they will ever do anything with that extra data, you are just cautious and for some reason you don't trust them, but it doesn't mean they are doing something wrong right now.
 

Annubis

Member
Oct 25, 2017
5,653
So, Epic gets your Steam friends names after you agree to send it to them. The EGS gets more info using the Steam API, but this extra info never leaves your computer. There is no real problem here, if I understood everything correctly. If you are afraid they will ever do anything with that extra data, you are just cautious and for some reason you don't trust them, but it doesn't mean they are doing something wrong right now.
They are breaking European laws...
 

Kurt Russell

Avenger
Oct 25, 2017
1,504
So, Epic gets your Steam friends names after you agree to send it to them. The EGS gets more info using the Steam API, but this extra info never leaves your computer. There is no real problem here, if I understood everything correctly. If you are afraid they will ever do anything with that extra data, you are just cautious and for some reason you don't trust them, but it doesn't mean they are doing something wrong right now.

If only it was as easy as they made it look like. For starters, they could get this info from Valve's API, without snooping local data. And the other thing that doesn't make a lot of sense is that they started gathering this data almost a month BEFORE they added the Steam friends functionality to the EGL. I checked my computer, I have almost 500mb of Steam data in the Epic folder, and the first file is from May 4th, when the friends stuff was added on May 30th.
 

Eila

Member
Oct 27, 2017
2,939
Epic really need to get their shit together when it comes to offering something, anything better for the user than the competitors. Moneyhatting basically already developed games for a 1 year store exclusivity is not something positive, just an annoyance.
As it stands, Epic Store is inferior to the Steam store in every single way. And that's not even counting this breach of privacy. Didn't see Epic's reply mention anything about them getting our entire games list with playtimes. Why do they need that, again?
 

Relik7

Member
Mar 14, 2019
20
So, Epic gets your Steam friends names after you agree to send it to them. The EGS gets more info using the Steam API, but this extra info never leaves your computer. There is no real problem here, if I understood everything correctly. If you are afraid they will ever do anything with that extra data, you are just cautious and for some reason you don't trust them, but it doesn't mean they are doing something wrong right now.

How did you get this opinion? Maybe you haven't read the recent posts since there are 16 pages of them. I can't totally fault you on that, but I recently posted that this Steam file is cloned 1 minute after you install the Epic launcher. It does not ask for permission, it takes it. It contains way more than just your friends, but every game you own including pre-release purchases - think for a minute about Epic stealing developers away from Steam such as Coffee Stain with Satisfactory. As another user notes, they can use this to target other developers. That's just one example use. Like Facebook, first you collect all the data you can and THEN you figure out how to monetize it.

We don't know exactly what they are using this data for or whether it leaves your computer because there is too much encrypted traffic between the Epic Launcher and Epic. What I DO know from my analysis is that their excuse of using this file for linking to Steam friends is untrue as the file is never accessed during the whole process of linking your Steam account to your Epic account.
 

Annubis

Member
Oct 25, 2017
5,653
It has been explained at least 3 times in detail in this thread.
European GDPR

Personally, I think this could even go against Canadian privacy laws.
https://www.priv.gc.ca/en/privacy-t...-electronic-documents-act-pipeda/p_principle/

PIPEDA Fair Information Principle 3 – Consent
  • Clearly specify to your customers what personal information you are collecting and why you are collecting it.
  • Inform the individual in a meaningful way of the purposes for the collection, use or disclosure of personal data.
  • Obtain the individual's consent before or at the time of collection, as well as when a new use of their personal information is identified.
The information being gathered is not covered in their agreement and the collection itself is against the law here.
 

ty_hot

Banned
Dec 14, 2017
7,176
How did you get this opinion? Maybe you haven't read the recent posts since there are 16 pages of them. I can't totally fault you on that, but I recently posted that this Steam file is cloned 1 minute after you install the Epic launcher. It does not ask for permission, it takes it. It contains way more than just your friends, but every game you own including pre-release purchases - think for a minute about Epic stealing developers away from Steam such as Coffee Stain with Satisfactory. As another user notes, they can use this to target other developers. That's just one example use. Like Facebook, first you collect all the data you can and THEN you figure out how to monetize it.

We don't know exactly what they are using this data for or whether it leaves your computer because there is too much encrypted traffic between the Epic Launcher and Epic. What I DO know from my analysis is that their excuse of using this file for linking to Steam friends is untrue as the file is never accessed during the whole process of linking your Steam account to your Epic account.
I only read the first post and a few of the last ones. So it seems that what I said is still correct, because you are not sending them this data, it is just copied (cloned) in your PC. I get that from this they can do something, I just said that they aren't at the moment. And with everyone knowing about this, if they ever start sending data without permission we will know by the next minute because people will be monitoring. Also, if this is an "exploit", Valve could probably do something to stop it, right?

edit. oh, I read the encrypted part now. Well, we can't know what is encrypted so we can't say it is or isn't related to the data. It does sound like I am defending them but I am just trying to understand what is happening.

It has been explained at least 3 times in detail in this thread.
European GDPR

Personally, I think this could even go against Canadian privacy laws.
https://www.priv.gc.ca/en/privacy-t...-electronic-documents-act-pipeda/p_principle/

PIPEDA Fair Information Principle 3 – Consent

The information being gathered is not covered in their agreement and the collection itself is against the law here.

I understood that the only data that goes to their servers is the names, after you give permission. They do gather more stuff but it is all stored locally so I doubt it can be considered as 'data collected by Epic'.
 

Rat King

Member
Oct 27, 2017
4,021
Portugal
 

Annubis

Member
Oct 25, 2017
5,653
I only read the first post and a few of the last ones. So it seems that what I said is still correct, because you are not sending them this data, it is just copied (cloned) in your PC. I get that from this they can do something, I just said that they aren't at the moment. And with everyone knowing about this, if they ever start sending data without permission we will know by the next minute because people will be monitoring. Also, if this is an "exploit", Valve could probably do something to stop it, right?



I understood that the only data that goes to their servers is the names, after you give permission. They do gather more stuff but it is all stored locally so I doubt it can be considered as 'data collected by Epic'.
They made code that seeks that data. That is collection.
 

Relik7

Member
Mar 14, 2019
20
They made code that seeks that data. That is collection.
Not only is it collected, they also stored a copy on your computer (obfuscated). Tim Sweeney of Epic has responded to me on Reddit and I have sent him a few more questions. I'm still mad that he thinks he can rummage through the localconfig.vdf file but at least he now believes the user should be asked first!

Here is a reply from him : https://www.reddit.com/r/PhoenixPoi...game_store_spyware_tracking_and_you/eikbeya/?

TimSweeneyEpic 1 point 16 minutes ago
You guys are right that we ought to only access the localconfig.vdf file after the user chooses to import Steam friends. The current implementation is a remnant left over from our rush to implement social features in the early days of Fortnite. It's actually my fault for pushing the launcher team to support it super quickly and then identifying that we had to change it. Since this issue came to the forefront we're going to fix it.
We don't use the Steam API because we work to minimize the number of third-party libraries we include in our products due to security and privacy concerns (not from Valve specifically, but see e.g. https://www.macrumors.com/2019/02/22/ios-apps-sending-private-data-to-facebook/ for the general concern of APIs collecting more data than expected)

EDIT: I just looked over the Steam Web API and see no reason they couldn't use the proper way. https://developer.valvesoftware.com/wiki/Steam_Web_API#GetFriendList_.28v0001.29

GetFriendList returns 64-bit Steam ID's of all your friends and then you have to iterate through GetPlayerSummaries for each of them to get their display names. Then you compare those with people on Epic to find matching friends. Harder maybe, but the right way.
 

Digoman

Member
Oct 27, 2017
233
EDIT: I just looked over the Steam Web API and see no reason they couldn't use the proper way. https://developer.valvesoftware.com/wiki/Steam_Web_API#GetFriendList_.28v0001.29

GetFriendList returns 64-bit Steam ID's of all your friends and then you have to iterate through GetPlayerSummaries for each of them to get their display names. Then you compare those with people on Epic to find matching friends. Harder maybe, but the right way.

It is late here and maybe I'm missing something, but I don't get what he is talking about in regards to the API. Isn't it web-based? Why is he going on about third party libraries and using examples of apps that appear to be sending more data to Facebook on purpose?

As for the first part... well, "rush job" or not it does raise concerns about their general privacy policies when deploying features.
 

Kuga

The Fallen
Oct 25, 2017
2,262
Not only is it collected, they also stored a copy on your computer (obfuscated). Tim Sweeney of Epic has responded to me on Reddit and I have sent him a few more questions. I'm still mad that he thinks he can rummage through the localconfig.vdf file but at least he now believes the user should be asked first!

Here is a reply from him : https://www.reddit.com/r/PhoenixPoi...game_store_spyware_tracking_and_you/eikbeya/?

TimSweeneyEpic 1 point 16 minutes ago
You guys are right that we ought to only access the localconfig.vdf file after the user chooses to import Steam friends. The current implementation is a remnant left over from our rush to implement social features in the early days of Fortnite. It's actually my fault for pushing the launcher team to support it super quickly and then identifying that we had to change it. Since this issue came to the forefront we're going to fix it.
We don't use the Steam API because we work to minimize the number of third-party libraries we include in our products due to security and privacy concerns (not from Valve specifically, but see e.g. https://www.macrumors.com/2019/02/22/ios-apps-sending-private-data-to-facebook/ for the general concern of APIs collecting more data than expected)

EDIT: I just looked over the Steam Web API and see no reason they couldn't use the proper way. https://developer.valvesoftware.com/wiki/Steam_Web_API#GetFriendList_.28v0001.29

GetFriendList returns 64-bit Steam ID's of all your friends and then you have to iterate through GetPlayerSummaries for each of them to get their display names. Then you compare those with people on Epic to find matching friends. Harder maybe, but the right way.

That is some serious damage control. I can't believe they thought that something like this could be implemented and it wouldn't get called out.
 

Deleted member 3196

User requested account closure
Banned
Oct 25, 2017
1,280
I uninstalled that dumpster fire store months ago, and this week I started the process of deleting my account.

I was hoping I'd maybe support Epic Store one day, when they stopped doing the exclusivity bullshit, but the spyware stuff (and subsequent damage control) is the last straw.
 

Relik7

Member
Mar 14, 2019
20
Tim replied to my questions and you can see the thread here: https://www.reddit.com/r/PhoenixPoi..._game_store_spyware_tracking_and_you/eik31to/

Sorry for linking off-site but it's too much to post. His reply shows that they only perform the Steam API <-> Epic authorization during the import friends procedure to verify that you are the owner of the Steam installation on your computer. He points out that there might be multiple Steam installs on a computer. The end result is that they aren't currently using the Steam Web API to pull friends - once they confirm your identity they go through your local Steam file directly. Now he's left fighting numerous battles and doing damage control for taking a shortcut.

He neglected to answer why they make a copy of that important Steam file in their own directory (and obscure/encrypt it).
It is late here and maybe I'm missing something, but I don't get what he is talking about in regards to the API. Isn't it web-based? Why is he going on about third party libraries and using examples of apps that appear to be sending more data to Facebook on purpose?

As for the first part... well, "rush job" or not it does raise concerns about their general privacy policies when deploying features.
I don't know what he's talking about either. I think he's saying they didn't want to have to use the Steam Web API in the launcher itself because of yet another API, but come on.

Tim continues to get clobbered on Reddit :
TimSweeneyEpic • -17 points • submitted 19 days ago
I've posted and answered some questions below, but they've been downvoted, so use "show all posts" to see the whole context.

In relation to Chinese gaming company Tencent owning part of Epic:
TimSweeneyEpic • -7 points • submitted 2 hours ago
Tencent is a significant, but minority shareholder in Epic. I'm the controlling shareholder of Epic. I reckon that many of you here at /r/pcgaming don't much like me or my decisions, but the decisions Epic makes are ultimately my decisions, made here in North Carolina based on my beliefs as a game developer about what the game industry needs!

LOL.
 

Morrigan

Spear of the Metal Church
Member
Oct 24, 2017
34,293

GaimeGuy

Banned
Oct 25, 2017
5,092
Don't use the Epic Games Store. Wait for the games to come to Steam or other platforms.

Epic is trying to fragment PC gaming and has a history of questionable practices. Steam offers several features for free via their APIs and doesn't give a damn what other platform you distribute your games on.

Yes, Steam has problematic curation and customer service, but Epic is worse in every way for the gaming industry. And they definitely will pull back on those lower margins once the Fortnite money begins to dry up, and/or if they get significant market share - it's all bribery that will be pulled out from underneath everyone once it's no longer necessary.
 

Digoman

Member
Oct 27, 2017
233
I don't know what he's talking about either. I think he's saying they didn't want to have to use the Steam Web API in the launcher itself because of yet another API, but come on.
I'm hesitant to comment because I'm not familiar with the Steam API, but it doesn't make sense to me. He talks about using "Steam on the Web" (I'm assuming the API) to validate the user, but instead of continuing to use it, they switch to this local and invasive method. He justifies it "because we avoid including third-party code in our engine wherever possible". Does Valve supply any library for the API or is it all web-based? And if it is local, can't they inspect the code?

Again... I must be missing something. And that's ignoring the fact that coding something that goes around directly snooping in other folders without asking the user first is a *big* mistake to do.

Thank you for trying to extract some info from him. Just to give people context I'm going to quote his response to you here:
Tim on Reddit said:
The current implementation is the result of a system that was built quickly and then rapidly modified before launch as the online team identified that we needed to authenticate with Steam on the web (in case there were multiple Steam users on the PC) and make other privacy-oriented changes identified by the online team. It's a klunky method that we'll fix, but I don't think there's an issue of privacy law issue regarding data that is purely stored on your computer.
We don't use the Steam API because we avoid including third-party code in our engine wherever possible, as it often brings its own privacy, security, and licensing complications (though Valve has a fine reputation).
 

Rose

Member
Feb 2, 2019
48
Seeing how this story is the top post on /r/Steam, it shows the hypocrisy of Steam fans yet again, because Steam goes further than that and essentially looks at your browsing history.
 

Nome

Designer / Self-requested ban
Banned
Oct 27, 2017
3,312
NYC
According to this website: Fortnite Guide- Now Add Steam Friends In Fortnite - VoStory the functionality that lets people import their Steam friends into the EGL was added with Update 4.3 of Fortnite. That update was released on May 30, 2018. The first files scraped by the EGL on my computer were generated on May 4, 2018. Did those files travel in time?
It's common practice to ship code for incomplete features but not launch them until a later update.
See: https://en.wikipedia.org/wiki/Continuous_integration
 

Kurt Russell

Avenger
Oct 25, 2017
1,504

Pixieking

Member
Oct 25, 2017
5,956
Seeing how this story is the top post on /r/Steam, it shows the hypocrisy of Steam fans yet again, because Steam goes further than that and essentially looks at your browsing history.
1) That's 2014. It might've changed since then.
2)

According to the thread author, VAC is retrieving the cache information and submits hashed versions of each domain you have visited or was looked up to remote servers. Hashed means it does not know the url itself, but only a hash of it.

While it is not clear what happens then, it is likely that the hashes are compared against a database of known cheating services and websites.

3) Considering that CS:GO is VAC protected and there's tournaments that have millions in prize money every year, it's not unjust to determine if someone who may or may not enter those tournaments could be downloading hacks which are incredibly hard to find.

So, yes, you're right. But also, no, you're not, because the two situations aren't the same, even if Valve are still doing that 5 years on from that article.
 

Dan L

Tried to PM someone for a tag
Member
Oct 28, 2017
6,177
Regina, Saskatchewan
Yes, but they started using the "incomplete feature" without notifying anyone. I have six files that were generated BEFORE that "feature" was publicly turned on (and a ton more afterwards, since they got almost 500mb of Steam data).
Speaking as someone who was a software developer for years, and not that it excuses the slimy behaviour at all, but this is absolutely standard practice; the back end code was in place before they had the front end code live. Though typically you would have the backend code there but not actually running until you enable the feature.
Epic has royally fucked up in many ways and they should be held accountable for this. I honestly feel they have broken laws
 

Nome

Designer / Self-requested ban
Banned
Oct 27, 2017
3,312
NYC
Yes, but they started using the "incomplete feature" without notifying anyone. I have six files that were generated BEFORE that "feature" was publicly turned on (and a ton more afterwards, since they got almost 500mb of Steam data).
If you believe Sweeney, then that data wasn't being sent to Epic anyway.
I kind of believe him, just because I've been in development situations where corners had to get cut in order to ship something in a timely manner.
That said, I think when it comes to user data, there's no room for sloppiness.

Speaking as someone who was a software developer for years, and not that it excuses the slimy behaviour at all, but this is absolutely standard practice; the back end code was in place before they had the front end code live. Though typically you would have the backend code there but not actually running until you enable the feature.
Epic has royally fucked up in many ways and they should be held accountable for this. I honestly feel they have broken laws
Yeah, usually you'd feature flag something like this.
But there's also the possibility they were A/B testing, doing a phased rollout, running silently to check for bugs/stability, or a host of other reasons.
You could also just take Sweeney's word that they were rushing the feature and maybe just didn't bother to throw in a switch.

Really hard to say at this point, but bottom line is that the feature being on production clients prior to official launch doesn't mean anything conclusive.
 

spineduke

Moderator
Oct 25, 2017
8,742
Tim replied to my questions and you can see the thread here: https://www.reddit.com/r/PhoenixPoi..._game_store_spyware_tracking_and_you/eik31to/

Sorry for linking off-site but it's too much to post. His reply shows that they only perform the Steam API <-> Epic authorization during the import friends procedure to verify that you are the owner of the Steam installation on your computer. He points out that there might be multiple Steam installs on a computer. The end result is that they aren't currently using the Steam Web API to pull friends - once they confirm your identity they go through your local Steam file directly. Now he's left fighting numerous battles and doing damage control for taking a shortcut.

He neglected to answer why they make a copy of that important Steam file in their own directory (and obscure/encrypt it).

I don't know what he's talking about either. I think he's saying they didn't want to have to use the Steam Web API in the launcher itself because of yet another API, but come on.

Tim continues to get clobbered on Reddit :
TimSweeneyEpic • -17 points • submitted 19 days ago
I've posted and answered some questions below, but they've been downvoted, so use "show all posts" to see the whole context.

In relation to Chinese gaming company Tencent owning part of Epic:
TimSweeneyEpic • -7 points • submitted 2 hours ago
Tencent is a significant, but minority shareholder in Epic. I'm the controlling shareholder of Epic. I reckon that many of you here at /r/pcgaming don't much like me or my decisions, but the decisions Epic makes are ultimately my decisions, made here in North Carolina based on my beliefs as a game developer about what the game industry needs!

LOL.

Has he answered how Sergey knew that 20% of Fortnite players *regularly* use Steam? They are lying by omission with how far they are going with this.
 

Kyuur

Member
Oct 28, 2017
2,533
Canada
If nothing gets sent off anyone's machine without consent there is absolutely zero problem here. Software is expected to query things off your machine.

Detecting and saving hardware information locally is not data collection. Transmitting that data to another machine is.
 

Relik7

Member
Mar 14, 2019
20
I covered this the best I could thanks to everyone's input, prior to the update given by Epic later today:
Epic Games Store Caught Stealing Personal Information
Please let me know if there's anything more I can do to get the word out.

That's a good report SmashJT. You covered everything known at the time. I've posted some minor updates above but the end result is that Epic was simply lazy/rushed and didn't use the API that Steam freely provides for this. Instead they sifted through your local Steam files and only added a Steam Web API authentication check whenever they realized at the last minute it was necessary.

Also, we shouldn't let Valve off the hook here either. They should not be storing all that information in a plain text file in the userdata directory. Make it much harder to access/scrape at least.
I'm hesitant to comment because I'm not familiar with the Steam API, but it doesn't make sense to me. He talks about using "Steam on the Web" (I'm assuming the API) to validate the user, but instead of continuing to use it, they switch to this local and invasive method. He justifies it "because we avoid including third-party code in our engine wherever possible". Does Valve supply any library for the API or is it all web-based? And if it is local, can't they inspect the code?
I think the Steam API is web-based, but here's what's going on: when you go to add friends it opens a browser to Steam to grant permission to Epic to use the Steam API for your account (this part is "Steam on the Web"). You do that and agree, then Epic gets a token. Epic has confirmed your identity and could now use the Steam API & token to pull your friends, but they never implemented that. Instead they just go through your local Steam files. I hope that makes it clear. All they need to do is have their launcher work with the Steam API instead of going through the local file. They seem like they are cutting corners to get their launcher and store going as fast as possible.
 

Armaros

Member
Oct 25, 2017
4,901
If you believe Sweeney, then that data wasn't being sent to Epic anyway.
I kind of believe him, just because I've been in development situations where corners had to get cut in order to ship something in a timely manner.
That said, I think when it comes to user data, there's no room for sloppiness.


Yeah, usually you'd feature flag something like this.
But there's also the possibility they were A/B testing, doing a phased rollout, running silently to check for bugs/stability, or a host of other reasons.
You could also just take Sweeney's word that they were rushing the feature and maybe just didn't bother to throw in a switch.

Really hard to say at this point, but bottom line is that the feature being on production clients prior to official launch doesn't mean anything conclusive.

But there is still literally no reason to do any of this to get just a friends list.

The Steam API has existed for years and years for JUST THIS.

And somehow their kludge workaround they made up on the spot is better? And he has the audacity to talk about security when the Epic launcher is known to have terrible email and account security? And wants to make Steam look like the vulnerable one?
 

Dan L

Tried to PM someone for a tag
Member
Oct 28, 2017
6,177
Regina, Saskatchewan
Yeah, usually you'd feature flag something like this.
But there's also the possibility they were A/B testing, doing a phased rollout, running silently to check for bugs/stability, or a host of other reasons.
You could also just take Sweeney's word that they were rushing the feature and maybe just didn't bother to throw in a switch.

Really hard to say at this point, but bottom line is that the feature being on production clients prior to official launch doesn't mean anything conclusive.
This is absolutely true. With the rapid development of Fortnite/launcher it wouldn't surprise me in the least if he is being straight about this.

But there is still literally no reason to do any of this to get just a friends list.

The Steam API has existed for years and years for JUST THIS.

And somehow their kludge workaround they made up on the spot is better? And he has the audacity to talk about security when the Epic launcher is known to have terrible email and account security? And wants to make Steam look like the vulnerable one?
Yup, I agree also with this. They should have used the API, and his excuse for not doing so is thin as a wet sheet of single-ply TP.
 

CommodoreKong

Member
Oct 25, 2017
7,689
If you believe Sweeney, then that data wasn't being sent to Epic anyway.
I kind of believe him, just because I've been in development situations where corners had to get cut in order to ship something in a timely manner.
That said, I think when it comes to user data, there's no room for sloppiness.

Given what Sergey Galyonkin knew about Steam installation and regular user percentages for Fortnite players I find it very hard to believe Sweeney.
 
OP
Madjoki

Member
Oct 25, 2017
7,230
But there is still literally no reason to do any of this to get just a friends list.

The Steam API has existed for years and years for JUST THIS.

And somehow their kludge workaround they made up on the spot is better? And he has the audacity to talk about security when the Epic launcher is known to have terrible email and account security? And wants to make Steam look like the vulnerable one?

And the Valve API doesn't need code. You do that from the server. They already do auth, so they have code there.
 

Dan L

Tried to PM someone for a tag
Member
Oct 28, 2017
6,177
Regina, Saskatchewan
The Epic launcher is not some new out-of-nowhere thing and they started data scraping before they launched their Steam Friend linking.
I am not saying it is, but they have a ridiculous release schedule and I doubt they follow rigorous standard practices when it comes to code releases. My statements were not saying they were right in doing this, just as to why it may have happened. Again, not saying it was right to let it happen. They dun fucked up regardless of how it happened.