Epic responds to accusations of Steam data mining

Original story, March 15, 2019: Epic Games has defended itself against claims that its digital games store is accessing users' Steam data and transmitting information back to the company.

The accusations stem from a Reddit thread that says the Epic Games Store launcher enumerates running processes and attempts to access root certificates and DLLs without the user's knowledge.

It was also claimed that the launcher transmits data back to Epic without making the reasons clear. PC Gamer confirmed that it specifically access Steam files as well.

Responding to the thread, Epic's vice president of engineering Daniel Vogel attempted to explain all this.

He claimed a tracking pixel was used as part of the firm's Support-A-Creator program "so we can pay creators" and track page statistics. The root certificate and cookies access were explained away as "a result of normal web browser start up" because the launcher's UI uses a lot of web technology rendered by Chromium.

Access to Steam's files centres around the ability to import Steam friends, with Vogel stressing the Epic Games Store only does so "with your explicit permission."

"The launcher makes an encrypted local copy of your localconfig.vdf Steam file," he explained. "However, information from this file is only sent to Epic if you choose to import your Steam friends, and then only hashed IDs of your friends are sent and no other information from the file."

Vogel also addressed concerns that collected user data was getting into the hands of Tencent -- which owns a majority of Epic -- and by extension the Chinese government.

"Epic is controlled by Tim Sweeney," said Vogel. "We have lots of external shareholders, none of whom have access to customer data."

Sweeney himself weighed in, acknowledging users were right in some of their concerns and that "we ought to only access the localconfig.vdf file after the user chooses to import Steam friends."

He said the current setup is "a remnant left over from our rush to implement social features in the early days of Fortnite."

"It's actually my fault for pushing the launcher team to support it super quickly and then identifying that we had to change it," he said. "Since this issue came to the forefront, we're going to fix it."

Update, March 18, 2019:Valve has confirmed that it is investigating the information the Epic Launcher collects from Steam.

In a statement issued to Bleeping Computer, a Valve spokesperson said: "The Steam Client locally saves data such as the list of games you own, your friends list and saved login tokens (similar to information stored in web browser cookies).

"This is private user data, stored on the user's home machine and is not intended to be used by other programs or uploaded to any 3rd party service."

Epic responded by point to the paragraph in its previous statement about the need for "explicit permission" from the user before Epic imported lists of Steam friends.