Sections

Epic responds to accusations of Steam data mining

Update: Valve is "looking into" issue that Epic's Tim Sweeney attributed to “our rush to implement social features in the early days of Fortnite”

Original story, March 15, 2019: Epic Games has defended itself against claims that its digital games store is accessing users' Steam data and transmitting information back to the company.

The accusations stem from a Reddit thread that says the Epic Games Store launcher enumerates running processes and attempts to access root certificates and DLLs without the user's knowledge.

It was also claimed that the launcher transmits data back to Epic without making the reasons clear. PC Gamer confirmed that it specifically access Steam files as well.

Responding to the thread, Epic's vice president of engineering Daniel Vogel attempted to explain all this.

He claimed a tracking pixel was used as part of the firm's Support-A-Creator program "so we can pay creators" and track page statistics. The root certificate and cookies access were explained away as "a result of normal web browser start up" because the launcher's UI uses a lot of web technology rendered by Chromium.

Access to Steam's files centres around the ability to import Steam friends, with Vogel stressing the Epic Games Store only does so "with your explicit permission."

"The launcher makes an encrypted local copy of your localconfig.vdf Steam file," he explained. "However, information from this file is only sent to Epic if you choose to import your Steam friends, and then only hashed IDs of your friends are sent and no other information from the file."

Vogel also addressed concerns that collected user data was getting into the hands of Tencent -- which owns a majority of Epic -- and by extension the Chinese government.

"Epic is controlled by Tim Sweeney," said Vogel. "We have lots of external shareholders, none of whom have access to customer data."

Sweeney himself weighed in, acknowledging users were right in some of their concerns and that "we ought to only access the localconfig.vdf file after the user chooses to import Steam friends."

He said the current setup is "a remnant left over from our rush to implement social features in the early days of Fortnite."

"It's actually my fault for pushing the launcher team to support it super quickly and then identifying that we had to change it," he said. "Since this issue came to the forefront, we're going to fix it."

Update, March 18, 2019:Valve has confirmed that it is investigating the information the Epic Launcher collects from Steam.

In a statement issued to Bleeping Computer, a Valve spokesperson said: "The Steam Client locally saves data such as the list of games you own, your friends list and saved login tokens (similar to information stored in web browser cookies).

"This is private user data, stored on the user's home machine and is not intended to be used by other programs or uploaded to any 3rd party service."

Epic responded by point to the paragraph in its previous statement about the need for "explicit permission" from the user before Epic imported lists of Steam friends.

Additional reporting by Matthew Handrahan.

Related stories

2K halts Borderlands 3 pre-orders during Epic Games Store Mega Sale

Publisher says decision is temporary, and pre-orders made during sale will be honoured

By Haydn Taylor

Paradox pulls Bloodlines 2 from Epic Store during Mega Sale

Klei Entertainment follows suit with Oxygen Not Included as Epic offers $10 off basically everything

By Haydn Taylor

Latest comments (1)

James Prendergast Research Chemist 2 months ago
I don't see the problem here. I mean, it's freely open data on the user's end. The user "agrees" to this in the EULA in the sense that the company provides protection to what it decides is private information. Clearly, the files in question are neither protected or private from the end-user themselves. IMO, any company that gets the approval from their users to "mine" that data (granted, it's a bit murky that Epic explicitly laid this out) has no issue with the original provider or the user themselves...

At the same time, from the other side, it's, IMO, impossible for the controlling/issuing company to deny the ability of the user to apply or share that personal, private information with a third party as they see fit. A.K.A. Steam have no leg to stand on to challenge this or any other similar action.

Edited 2 times. Last edit by James Prendergast on 19th March 2019 10:22am

0Sign inorRegisterto rate and reply

Sign in to contribute

Need an account? Register now.