News Epic Game Store, Spyware, Tracking, and You!

Digoman

Lurking in the Shadows
Dec 21, 2018
854
2,390
93
I'm holding off on bringing out the pitchforks just yet. Here's the thing, there is legitimate information that could be used by Epic's game launcher regarding Steam and its presence, very similar to how a browser would want to import settings from another browser type. Now, I'm not going to defend Epic saying they are doing this or doing that, but there's a variety of situations where getting information from Steam and your system makes sense:

  1. Collecting information regarding what games you own, specifically in conjuction with stopping you from buying them again.
  2. Collecting info about what games could have cross-compatibility in terms of online multiplayer that don't use Steam servers, but external ones.
  3. Collecting compatibility info regarding games that are installed with directx versions, etc.
  4. The ability to import information from a Steam account into a Epic account in the future (it could be a feature)
Now granted, this should be brought up to Epic and this should be presented to them and see their reaction, but I hate to break it to you all: but a lot of companies do this when it comes to those that have multiple platforms and options available. That doesn't make it right per say, but this is also information publicly available in most cases regarding your steam profile and the information in your steam profile. Epic's not really THAT different in that regard.
I've been using browsers since NCSA Mosaic, and never once when installing them it imported data without asking me first. As you said, this not uncommon data to collect, but not without asking first. I have the files on my computer and did not link, connected or gave permission for their launcher to go around snooping inside the Steam directory.

And as other people already wrote, this information is no longer public by default on the Steam profiles, something the guy from SteamSpy surely knows since it invalidated his statistics model.

Steam profiles are private by default.

Actually Kurt Russell 's image shows this starting when (May 2018) Steam made their profiles private by default, assuming this isn't coincide, this could be done to bypass privacy options you set.
Hmmmm.. if this indeed started on May 2018, I'm sure is just a coincidence! :)
 
Last edited:

Ascheroth

Chilling in the Megastructure
Nov 12, 2018
5,119
11,978
113
Uninstalled this thing and deleted everything faster than sanic.
How isn't stuff like that illegal?
It should actually be illegal under GDPR.
Which is why I've sent a complaint to my local DPA just now (just an email, contact information can be found here). :coffee-blob:
The more people that do this, the higher the chance that something actually happens.
 

Dragnix

Does Way Too Long Reviews on Youtube
Feb 6, 2019
9
21
3
www.youtube.com
I've been using browsers since NCSA Mosaic, and never once when installing them it imported data without asking me first. As you said, this not uncommon data to collect, but not without asking first. I have the files on my computer and did not link, connected or gave permission for their launcher to go around snooping inside the Steam directory.

And as other people already wrote, this information is no longer public by default on the Steam profiles, something the guy from SteamSpy surely knows since it invalidated his statistics model.



Hmmmm.. if this indeed started on May 2018, I'm sure is just a coincidence! :)
If that's the case, then yeah, there's a problem then on the data that's not present anymore, but I do then question how they got it.
 

Kurt Russell

SUPREME OVERLORD OF EVIL
Sep 6, 2018
981
2,120
93
35
Mar del Plata
I don't use reddit, but there is epic reply there is someone wants to copy it here
it's funny as hell
We use a tracking pixel (tracking.js) for our Support-A-Creator program so we can pay creators. We also track page statistics.



The launcher sends a hardware survey (CPU, GPU, and the like) at a regular interval as outlined in our privacy policy (see the “Information We Collect or Receive” section). You can find the code here.



The UDP traffic highlighted in this post is a launcher feature for communication with the Unreal Editor. The source of the underlying system is available on github.



The majority of the launcher UI is implemented using web technology that is being rendered by Chromium (which is open source). The root certificate and cookie access mentioned above is a result of normal web browser start up.



The launcher scans your active processes to prevent updating games that are currently running. This information is not sent to Epic.



We only import your Steam friends with your explicit permission. The launcher makes an encrypted local copy of your localconfig.vdf Steam file. However information from this file is only sent to Epic if you choose to import your Steam friends, and then only hashed ids of your friends are sent and no other information from the file.



Epic is controlled by Tim Sweeney. We have lots of external shareholders, none of whom have access to customer data.



Daniel Vogel

VP of Engineering

Epic Games Inc.
 

Kvik

Crossbell City Councillor
Dec 6, 2018
4,149
10,267
113
Downunder.
The Epic VP's response is all well and good. But I can hardly believe the last paragraph so I'm not sorry if I'm skeptical. Let's not forget SteamSpy is still exists, making a compound data with these sources combined is possible and if they're already scanning the entire Steam directory, who's to say they won't collect anything else in the future while nobody's looking?

Frankly, I am astounded at how many people place so little value for their data. Even though a certain business owner claims this data collection is harmless and has no value to them, collectively this data is of value to Epic . Anything of value can be sold, and traded. Just because Google and a bunch of other companies already has their data, there's no good reason for them to collect even more data. This line of reasoning is a part of the reason why Business Intelligence and Data Warehousing industry is so large today. Hell, as part of my day job, I helped built a platform to facilitate this data collection.

People dismissing that cautionary thread on ERA about the dangers of Google entering gaming space also raised my eyebrow. I would assume these people are actually fine with Google milking them for all they worth.
 
OP
lashman

lashman

Dead & Forgotten
Sep 5, 2018
30,369
85,135
113
The Epic VP's response is all well and good. But I can hardly believe the last paragraph so I'm not sorry if I'm skeptical. Let's not forget SteamSpy is still exists, making a compound data with these sources combined is possible and if they're already scanning the entire Steam directory, who's to say they won't collect anything else in the future while nobody's looking?
exactly ... plus they have EXACTLY ZERO reason to collect ANY of it ... steam has an API anyone can use to access this sort of data ... they don't even have to ask for permission or pay for it

and yet, they decided to go about it this way - a way which specifically goes around your steam profile privacy settings

and then there's of course the fact that they're collecting all of that data the moment you run the launcher "just in case", not when you click the "sync friends" button
 

Ex-User (307)

MetaMember
Dec 11, 2018
1,105
2,597
113
Frankly, I am astounded at how many people place so little value for their data. Even though a certain business owner claims this data collection is harmless and has no value to them, collectively this data is of value to Epic . Anything of value can be sold, and traded. Just because Google and a bunch of other companies already has their data, there's no good reason for them to collect even more data. This line of reasoning is a part of the reason why Business Intelligence and Data Warehousing industry is so large today. Hell, as part of my day job, I helped built a platform to facilitate this data collection.
The unfortunate reality is that most people don't care, and think nothing bad could ever happen from sharing their data. I would assume many of these people would also hilariously be up in arms about Facebook selling data to Cambridge Analytica :coffee-blob:

Like I said earlier, the funny thing about the "whaddabout Google?!" argument is that whenever these privacy issues come up, they almost inevitably involve companies who don't even remotely meet Google's bar for disclosure. Like sure, Google scrapes my email to determine purchasing and travel habits and that's really shitty. But at least I know they do that and there are logs that seem to indicate when they do it. It's not like it's happening completely behind my back, and Google generally isn't trying to infiltrate its way into my other files.
 

EdwardTivrusky

Good Morning, Weather Hackers!
Dec 8, 2018
7,277
12,381
113
I don't have the app installed but If you took ownership of the epic steamdata folder in programdata and then revoked access for all accounts to the folder and subfolders I wonder if the launcher/client would demand admin rights via UAC to revert the changes so it could read/write to the folder again?
 

Kurt Russell

SUPREME OVERLORD OF EVIL
Sep 6, 2018
981
2,120
93
35
Mar del Plata
According to this website: Fortnite Guide- Now Add Steam Friends In Fortnite - VoStory the functionality that lets people import their Steam friends into the EGL was added with Update 4.3 of Fortnite. That update was released on May 30, 2018. The first files scrapped by the EGL on my computer were generated on May 4, 2018. Did those files travel in time?
 

Ex-User (307)

MetaMember
Dec 11, 2018
1,105
2,597
113
Holy shit, I knew these chuckleheads were going to do it, and they did. This dipshit "journalist" at PC Gamer is actually blaming Steam for "leaving the data in the open."



Journalism in the video game industry simply doesn't exist in the aggregate. Complete and utter morons, as far as the eyes can see, all willing to go to bat for their new favorite mega-corporation.
 

Alextended

Segata's Disciple
Jan 28, 2019
5,463
8,528
113
Even if it's "just" for that why would they take the data when I haven't actually linked my Steam account?

Might as well take all my facebook data if they add an optional Facebook link in their client that I also won't use? And google data if they add an optional google link? And everything anywhere on my PC if they add an optional Microsoft account link? >_>
 

Ex-User (307)

MetaMember
Dec 11, 2018
1,105
2,597
113
Even if it's "just" for that why would they take the data when I haven't actually linked my Steam account?

Might as well take all my facebook data if they add an optional Facebook link in their client that I also won't use? And google data if they add an optional google link? And everything anywhere on my PC if they add an optional Microsoft account link? >_>
This is actually kind of like that creepy thing that Facebook does where it creates "profiles" of information on people, even if you don't have an account.
 
  • Like
Reactions: lashman

Alextended

Segata's Disciple
Jan 28, 2019
5,463
8,528
113
So from denial to agreeing there's a privacy issue but that they honestly aren't doing anything shady, pinky promise, and it was an honest mistake they will now proceed to fix "since this issue came to the forefront" and otherwise would happily leave it as is if it didn't, lol, what about purging existing data acquired?
 

DriftedPlanet

Ash, I think something was in those sandwiches
Oct 27, 2018
102
88
28
My "SocialBackup"s start from June 2nd, 2018 and contains 4 files for my account as well as 3 accounts of friends. If they were just trying to have Steam friend IDs hashed for their import feature then they definitely half-assed it. Why maintain multiple versions of this data from my individual account over the span of a year? It's either intended for data processing or badly designed. Either way, I'm glad they're getting called out on it. Best of luck to you GDPR folks with reporting them.
 

Alextended

Segata's Disciple
Jan 28, 2019
5,463
8,528
113
Oh, had no idea steamspy guy was involved.

To think people were getting mad at Steam for changing the profile defaults to private thus affecting the poor Russian guy's business.

I mean it was a super creative way to exploit available data and everything to provide decently accurate sales numbers but come on.

It always struck me as weird when people kept citing that site after the change as I don't see how it can possibly be accurate after it.
 

Ex-User (307)

MetaMember
Dec 11, 2018
1,105
2,597
113
Oh, had no idea steamspy guy was involved.

To think people were getting mad at Steam for changing the profile defaults to private thus affecting the poor Russian guy's business.

I mean it was a super creative way to exploit available data and everything to provide decently accurate sales numbers but come on.

It always struck me as weird when people kept citing that site after the change as I don't see how it can possibly be accurate after it.
Sergey is now Epic's Director of Publishing strategy, while still making $14,000 a month on Patreon from running Steam Spy to scrape (inaccurate) data on his competitor.

The fact that hasn't gotten more discussion in the media is alone an indictment of them all.
 

Alextended

Segata's Disciple
Jan 28, 2019
5,463
8,528
113
Off topic but since I noticed this again I have to say their client is pretty shoddy in updating too, often there's a tiny 100-200MB update but it takes ages to complete because it seemingly spends ages reading and writing on the HDD every few MB and stops downloading altogether until it finishes whatever the heck it's doing to then proceed for a few more MB etc. So I often thought there's some big Fortnite patch stalling then check and see it's an 100MB client patch.
 
  • Like
Reactions: lashman

Ge0force

Excluding exclusives
Jan 12, 2019
3,984
13,795
113
Belgium
Holy shit, I knew these chuckleheads were going to do it, and they did. This dipshit "journalist" at PC Gamer is actually blaming Steam for "leaving the data in the open."



Journalism in the video game industry simply doesn't exist in the aggregate. Complete and utter morons, as far as the eyes can see, all willing to go to bat for their new favorite mega-corporation.
This is ridiculous. It's embarrassing how certain editors of PC Gaming have been defending Epic's scummy moves lately. Remember that guy bitching to us that Epic's moneyhats are for our own good?
 

Alextended

Segata's Disciple
Jan 28, 2019
5,463
8,528
113

Ugh, what has become of RPS in not-so-recent years...

I don't understand what's happening. It's like when gamergate happened and then everyone started saying what, me, no I'm not a gamer, I just play games, gamers are the scum of the earth. Like a hobby common with scum makes you scum so you can't even say you partake. And now, even without any incident like gamergate to put the blame on, it's like it's starting to be accepted that if you're a Steam user, if you're one of like 100 million PC gamers, if you criticize Epic or even just appreciate what Steam offered, and still offers, to PC gaming, to PC gamers (sorry, to people who play PC games), to developers and publishers, then you're just scum, you're a disgruntled Steam user, you're being unreasonable, you're confirming your bias every chance you can, you're this, you're that. The issue discussed barely matters, it's just meaningless noise by a supposed minority who only wishes to do that, make noise, if it's not pro-Epic and anti-Steam as if Epic is some messiah here to save us from a Steam that we all freaking shaped together throughout these last decades! The PC gamers, the press, the developers, the indies, Steam is what we all made it. It's not a flawless Steam, but it's still the best thing to happen to PC gaming at its worst times for it to reach the point it's in today, pretty much the center of traditional gaming, from indies, to niches, to AAAs, even never before ported Japanese games. And yet it's like Steam is the bane of gaming when without Steam and nobody else to take up the challenge, the risk, we'd probably be 10 years behind. Like we don't understand the luxury it is to simply be able to complain about things like visibility and store improvements and fee % and too many shit indie games thanks to the wonder of fair equal terms self publishing on the biggest service available to everyone willing to invest in it. Isn't it fucking great that we've been so spoiled in this hobby for those first world problems to be what we're facing? Isn't it because of Steam bringing us to this point that Epic even has a chance to make their own store now that they've made digital distribution so widespread and mainstream? Why not continue to shape Steam and every other service by our expectations and demands, the gamers (sorry, the people who play games), the developers,and the press and the influencers and instead just lay down and accept Epic or any one company as the one to fix everything how, by buying out a handful of developers and publishers and proclaiming any nay sayers as haters who are too invested in a competitor and can't handle what, the free games, free money for developers and peace on earth Epic apparently brings?
 
Last edited:

RionaaM

Vogon Poetry Appreciator
Sep 6, 2018
887
2,187
93
Amazing answer! "Kvik, it's your fault for leaving doughnuts lying around on your desk. I'm going to eat it since you just left it there".


:wd_rainbow:


Good to see gaming journalism isn't above Simpsons' humor.

Saw this posted on Era:

So, the usual rush job on features and... well... don't ask me what he is talking about with the API....
We want to minimize the risk of using Valve's official API, that's why we're going to crawl through your personal files on your PC. Because fuck you, that's why.

Also worth repeating, it not only gathers the data from one user, but all users who used steam on that computer, so users who don't even use egs get their data stolen.
Nah, fuck this! I hope none of my friends had this piece of shit installed when I logged in to Steam on their computers :/
 
Last edited:

Copons

MetaMember
Nov 12, 2018
466
1,159
93
Brighton, UK
copons.wordpress.com
To be honest I think that, unless proved otherwise, what the OP on Reddit discovered are mostly very common practices, and investigated with a bit of ingenuity that makes me believe they aren't super skilled in such investigation.
Pointing out minified JS and the tracking file, which are the absolute standard everywhere and do not mean anything per se, imho is almost enough to disprove their point.
I'd love to see people with more "hacking" experience chime in on this before being all like EPIC SPYWARE FUCK YOU

This said, poking around Steam folder is a totally bad practice, so EPIC SPYWARE FUCK YOU anyway 🤷‍♂️
 

Alextended

Segata's Disciple
Jan 28, 2019
5,463
8,528
113
Sigh. How awesome it would have been if the persons who discovered this had at first hoax-claimed that the reverse is happening, that Steam is accessing Epic user data and doing whatever with them, everything exactly as it was but reversing the situation. Then we'd get all these Steam bashing, Epic propping articles only to reveal that it was Epic at fault all along, and then see the ensuing hilarious backpedaling and damage control. If only :)
 
Last edited:

Ascheroth

Chilling in the Megastructure
Nov 12, 2018
5,119
11,978
113
Oh hey, german gaming site gamestar.de did a pretty good article about it: Epic bestätigt unerlaubte Nutzung von Steam-Daten, Lösung soll folgen

The headline translates to about "Users accuse Epic of illegally using Steam data - Epic confirms the allegations" and it basically objectively and accurately sums up the situation and ends it with a reminder that Epic has been criticized for security reasons in the past.
I should start reading gamestar more again :p