News Epic Game Store, Spyware, Tracking, and You!

crimsonheadGCN

Professional Shlooter
Jan 20, 2019
195
409
63
35
Clifton, New Jersey
www.resetera.com
Valve has responded:

EPIC Promises to Fix Game Launcher after Privacy Concerns

We are looking into what information the Epic launcher collects from Steam.

The Steam Client locally saves data such as the list of games you own, your friends list and saved login tokens (similar to information stored in web browser cookies). This is private user data, stored on the user's home machine and is not intended to be used by other programs or uploaded to any 3rd party service.

Interested users can find localconfig.vdf and other Steam configuration files in their Steam Client’s installation directory and open them in a text editor to see what data is contained in these files. They can also view all data related to their Steam account at: Steam Help.
 

madjoki

MetaMember
Sep 19, 2018
310
753
93
Well, seems like I was able to decrypt the file:

It seems to be parsed to binary format (possible some used by Unreal Engine?).
It seems to parse VDF (valve definition format to that)

Interestingly TimSweeney specifically claimed they didn't parse the file for playtimes in addition to not using it.



It did seems odd claim (especially as he didn't have to make that claim), since if you used any kind of parser, you'd end up parsing everything, even if technically.
But they definitely seem to even save that information to new file in their own format, which I'd definitely count as "parsing".



It's just XOR.

XOR cipher - Wikipedia

For me key was 223, this may differ for you.

Also the fact they are scraping way more than just friends ID’s.

Makes no logical sense and sounds like they are being dishonest to me.
Yeah it doesn't. Much less keeping history even if it's just locally. Even if there is no code now, they could plausibly implement code in patch and get data from users and get rid of evidence. Or even stream code from server and instantly get rid off it (I believe Valve's VAC works similarly, for example, to make it harder to know what it actually checks). Possibilities are there. (But no proof whatsoever, just random thoughts)

---

Here's no warranty decode tool + source code if someone wants to try figuring out file contents:

MEGA

Just drag file into it and it will write decoded version with .dec extension.
 
OP
lashman

lashman

Dead & Forgotten
Sep 5, 2018
4,833
5,245
113
well, well, well ... things are getting interesting

Well, seems like I was able to decrypt the file:

It seems to be parsed to binary format (possible some used by Unreal Engine?).
It seems to parse VDF (valve definition format to that)

Interestingly TimSweeney specifically claimed they didn't parse the file for playtimes in addition to not using it.
so you're saying a multi-billionaire CEO of a huge corporation LIED?! well i never ....

 

Digoman

Junior Lurker
Dec 21, 2018
110
259
63
What's this? An article that doesn't say it is all on the head of Steam fanboys? So strange....

so you're saying a multi-billionaire CEO of a huge corporation LIED?! well i never ....
Look, all we found out is that they go through Steam folders to grab a lot more information than they claim to be after, and store several obfuscated full backups of this info on another directory, and all of that without bothering us users with pesky questions. I'm sure Tim will pinky swear that they filter out this "extra" data later.
 
OP
lashman

lashman

Dead & Forgotten
Sep 5, 2018
4,833
5,245
113
Look, all we found out is that they go through Steam folders to grab a lot more information than they claim to be after, and store several obfuscated full backups of this info on another directory, and all of that without bothering us users with pesky questions. I'm sure Tim will pinky swear that they filter out this "extra" data later.
yes ... surely
 

DriftedPlanet

Ash, I think something was in those sandwiches
Oct 27, 2018
18
30
13
OP
lashman

lashman

Dead & Forgotten
Sep 5, 2018
4,833
5,245
113
That response from Valve is amazingly clean. They don't see this as a workaround that Epic had any right to use. I wonder how far Valve intends to take this, after they've looked into it further.
yeah, same ... i wonder what they'll do
 

suiko

saviour of worlds
Nov 12, 2018
307
640
93
can they do anything? people insist US having no laws for protecting digital privacy
 
Reactions: lashman
OP
lashman

lashman

Dead & Forgotten
Sep 5, 2018
4,833
5,245
113
can they do anything? people insist US having no laws for protecting digital privacy
legally? who knows

but they sure as hell can make it impossible for epic to do that shit anymore ... so there's that
 
Reactions: Sampson

Digoman

Junior Lurker
Dec 21, 2018
110
259
63
If Valve finds something then I think they'll ban Epic from using the API and make changes so that the file is inaccessible.
While the information on this file isn't something that usually would need be encrypted (and I don't want Steam encrypting everything like an UWP app) I don't think there is really any other choice here, specially if the press continues to do this "excellent" job of covering this issue.

Epic could have simply said they will start to use the API from now on but instead we got an "we will just check the registry first", so it seems they really want that data.
 

Sampson

boop
Dec 11, 2018
603
1,451
93
There is zero chance that as a private company they give this much info away freely, but I would like Steam to actually just kick the industry-wide standard of secrecy.

Privatize all user specific data so something like this can’t happen again, but start giving regular sales numbers that exponentially surpass the depth of industry standards like NPD and Media Create.
 

Alextended

Segata's Disciple
Jan 28, 2019
303
589
93
They can't give sales numbers without the constent of each and every company involved in the game probably. Which sucks. I suppose they could make it an opt in thing but given sales numbers would inevitably lead to charts the charts would be useless with major companies missing. As much as I'd still be interested in seeing the rest for myself, like how much indie game x sold. Although even indies wouldn't necessarily like to divulge that outside framing it on their own timing under their own PR message potentially if they attempt to change their fate by appealing to the community via media or something.
While the information on this file isn't something that usually would need be encrypted (and I don't want Steam encrypting everything like an UWP app) I don't think there is really any other choice here, specially if the press continues to do this "excellent" job of covering this issue.

Epic could have simply said they will start to use the API from now on but instead we got an "we will just check the registry first", so it seems they really want that data.
Would encrypting make it inaccessible to users? Cos in that case I'm sure the press would just speak of shady Steam not telling us what data it gathers.
 
Reactions: lashman
OP
lashman

lashman

Dead & Forgotten
Sep 5, 2018
4,833
5,245
113
Fortnite asks that you accept a brand new end-user agreement today.
Nothing suspicious there /s
well it's easier to change a few lines of text than to change your spying software ;)

not that it makes any difference in the EU, lol
 
OP
lashman

lashman

Dead & Forgotten
Sep 5, 2018
4,833
5,245
113
Doing a quick search using "epic" didn't bring back anything, but there might be some residue left
yeah, i imagine ... someone would have to check what entries it creates on install ... and then check if any of those are left after uninstalling it

dunno if that's even possible

maybe Wok or madjoki know?
 
Reactions: DriftedPlanet