Epic Games has responded to multiple accusations saying that their Epic Games Launcher is scanning for and collecting users' Steam information without first requesting permission.
As detailed by Daniel Vogel, VP of Engineering at Epic Games, in the Reddit thread where the gamers' concerns were first expressed, the Epic Games Store client "makes an encrypted local copy of your localconfig.vdf Steam file. However information from this file is only sent to Epic if you choose to import your Steam friends, and then only hashed ids of your friends are sent and no other information from the file."
Vogel also stated that the Epic Games Launcher is also designed to track some user behavior, as well as to send some select information to the company's servers, but nothing that is not covered by the program's privacy policy or that would be considered privacy invasion.
We use a tracking pixel (tracking.js) for our Support-A-Creator program so we can pay creators. We also track page statistics.
The launcher sends a hardware survey (CPU, GPU, and the like) at a regular interval as outlined in our privacy policy (see the “Information We Collect or Receive” section). You can find the code here.
The UDP traffic highlighted in this post is a launcher feature for communication with the Unreal Editor. The source of the underlying system is available on github.
The launcher scans your active processes to prevent updating games that are currently running. This information is not sent to Epic.
Additionally, in response to user concerns that the company's launcher also gathers info on "how long someone played a steam game and last time played," Vogel argued that while the Epic Games Launcher will make "a local copy of a Steam file that contains Steam friends IDs" which also contains play time info, this data will not be parsed or delivered to their servers.
Vogel also insisted that "We only look at your Steam friends’ IDs in that file after you grant us permission and only then send a hash of those IDs back to our servers to allow us to make friend suggestions" and that Epic Games will only import the list of Steam friends after receiving "explicit permission."
The Epic Games VP also added that "The launcher work concluded before the backend work. We are going to clean up the implementation and replace making a local copy of the file with a registry check for the presence of Steam before prompting you to import your friends" and that "We are ONLY sending hashed Steam friend IDs and ONLY with your permission."
CEO possibly behind controversial data collection behavior
Epic Games CEO and Founder Tim Sweeney also chimed in to answer some of the gamers' questions on Reddit, stating that "Since this issue came to the forefront we're going to fix it."
Sweeney said that the current way of collecting client Steam info from users' computers is actually his fault:
You guys are right that we ought to only access the localconfig.vdf file after the user chooses to import Steam friends. The current implementation is a remnant left over from our rush to implement social features in the early days of Fortnite. It's actually my fault for pushing the launcher team to support it super quickly and then identifying that we had to change it. Since this issue came to the forefront we're going to fix it.
We don't use the Steam API because we work to minimize the number of third-party libraries we include in our products due to security and privacy concerns (not from Valve specifically, but see e.g. https://www.macrumors.com/2019/02/22/ios-apps-sending-private-data-to-facebook/ for the general concern of APIs collecting more data than expected)
"We're working to update the implementation so that the Epic Games launcher only touches the Steam file at all if you choose to import friends" stated Sweeney in reply to concerns that the program is tracking Steam play time for various games.
BleepingComputer has reached out to Epic Games and Valve for additional comments but had not heard back at the time of this publication. The article will be updated when responses will be received.
Image credits: Dot Esports
Update March 15, 2019, 12:49 EDT: A Valve spokesperson responded to our request stating that the information stored within the localconfig.vdf Steam file is not intended to be used by other software:
We are looking into what information the Epic launcher collects from Steam.
The Steam Client locally saves data such as the list of games you own, your friends list and saved login tokens (similar to information stored in web browser cookies). This is private user data, stored on the user's home machine and is not intended to be used by other programs or uploaded to any 3rd party service.
Interested users can find localconfig.vdf and other Steam configuration files in their Steam Client’s installation directory and open them in a text editor to see what data is contained in these files. They can also view all data related to their Steam account at: https://help.steampowered.com/en/accountdata.
Update March 15, 2019, 13:16 EDT: We also got a reply from Epic Games:
We've responded to in full here: https://www.reddit.com/r/PhoenixPoint/comments/b0rxdq/epic_game_store_spyware_tracking_and_you/eijlbge/
Specifically, on the Steam stuff, this is the relevant piece: "We only import your Steam friends with your explicit permission. The launcher makes an encrypted local copy of your localconfig.vdf Steam file. However information from this file is only sent to Epic if you choose to import your Steam friends, and then only hashed ids of your friends are sent and no other information from the file."
Comments
GT500 - 5 years ago
Well, I don't actually use the Epic Games Launcher, so I guess now is a good time to uninstall it.
I don't enjoy Fortnite, and I don't think I've ever installed anything else from Epic (I'm not counting their old DOS games that I still have copies of), so I see no need for this launcher. I'm certainly not going to buy any games that are Epic Games Store exclusives (that means you Metro Exodus), and I doubt I will ever want to install/play any games that are exclusively offered via the launcher even if they're free.
CB80 - 5 years ago
I don't play Fortnite either but Epic hooked me with their free game giveaways all year long. Every two weeks they are giving away a free game and so far they've mostly been great games. I'll risk a little of my "privacy" for this. It's not like Epic is going to find any info (from me) that other, even less reputable companies don't already have.
rhasce - 5 years ago
Of course they would do that, they have a kids market, and markets these days love them kids, just look at youtube.