News Epic Game Store, Spyware, Tracking, and You!

crimsonheadGCN

MetaMember
Jan 20, 2019
Valve has responded:

EPIC Promises to Fix Game Launcher after Privacy Concerns

We are looking into what information the Epic launcher collects from Steam.

The Steam Client locally saves data such as the list of games you own, your friends list and saved login tokens (similar to information stored in web browser cookies). This is private user data, stored on the user's home machine and is not intended to be used by other programs or uploaded to any 3rd party service.

Interested users can find localconfig.vdf and other Steam configuration files in their Steam Client’s installation directory and open them in a text editor to see what data is contained in these files. They can also view all data related to their Steam account at: Steam Help.
 

madjoki

👀 I see you
Sep 19, 2018
Well, seems like I was able to decrypt the file:

It seems to be parsed to a binary format (possibly one used by Unreal Engine?).
It seems to parse VDF (Valve definition format) to that.

Interestingly, Tim Sweeney specifically claimed they didn't parse the file for playtimes, in addition to not using it.



It did seem an odd claim (especially as he didn't have to make that claim), since if you used any kind of parser, you'd end up parsing everything, even if technically.
But they definitely seem to even save that information to a new file in their own format, which I'd definitely count as "parsing".



It's just XOR.

XOR cipher - Wikipedia

For me the key was 223, this may differ for you.

Also the fact they are scraping way more than just friends ID’s.

Makes no logical sense and sounds like they are being dishonest to me.
Yeah, it doesn't. Much less keeping history, even if it's just locally. Even if there is no code now, they could plausibly implement code in a patch and get data from users and get rid of the evidence. Or even stream code from a server and instantly get rid of it (I believe Valve's VAC works similarly, for example, to make it harder to know what it actually checks). Possibilities are there. (But no proof whatsoever, just random thoughts)

---

Here's a no-warranty decode tool + source code if someone wants to try figuring out the file contents:

MEGA

Just drag a file into it and it will write a decoded version with a .dec extension.
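The decode step described in the post above, as an added example that is not madjoki's tool or any code from the thread. It assumes the whole file is XORed with one byte, as the post states; the function names, the crib string and the sample bytes are constructed for illustration.

```python
import sys
from collections import Counter
from pathlib import Path


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def keys_from_crib(data: bytes, crib: bytes) -> list:
    """Keys under which `crib`, a string you expect in the plaintext, appears.

    Searching the raw data for the XORed crib is equivalent to decoding the
    file with each key and searching for the crib, but much cheaper.
    """
    return [k for k in range(256) if xor_bytes(crib, k) in data]


def key_from_frequency(data: bytes) -> int:
    """Fallback guess: binary formats are usually NUL-heavy and NUL ^ key == key,
    so the most common encoded byte is a likely key. Heuristic only."""
    return Counter(data).most_common(1)[0][0]


def decode_file(path: Path, crib: bytes = b"") -> tuple:
    """Write <name>.dec next to `path`; return (output path, key used)."""
    data = path.read_bytes()
    if not data:
        raise ValueError(f"{path} is empty")
    keys = keys_from_crib(data, crib) if crib else []
    # Zero or several crib matches are ambiguous, so fall back to frequency.
    key = keys[0] if len(keys) == 1 else key_from_frequency(data)
    out = path.with_name(path.name + ".dec")
    out.write_bytes(xor_bytes(data, key))
    return out, key


# Constructed sample, not real launcher data: length-prefixed strings, key 223.
SAMPLE_PLAIN = b"\x07\x00\x00\x00friends\x00\x08\x00\x00\x00playtime\x00\x10\x00\x00\x00"
SAMPLE_ENC = xor_bytes(SAMPLE_PLAIN, 223)

if __name__ == "__main__":
    print("sample keys via crib:", keys_from_crib(SAMPLE_ENC, b"friends"))
    for arg in sys.argv[1:]:  # optional: paths of files to decode
        print(decode_file(Path(arg)))
```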
 
OP
lashman

Dead & Forgotten
Sep 5, 2018
well, well, well ... things are getting interesting

Well, seems like I was able to decrypt the file:

It seems to be parsed to a binary format (possibly one used by Unreal Engine?).
It seems to parse VDF (Valve definition format) to that.

Interestingly, Tim Sweeney specifically claimed they didn't parse the file for playtimes, in addition to not using it.
so you're saying a multi-billionaire CEO of a huge corporation LIED?! well i never ....

 

Digoman

Lurking in the Shadows
Dec 21, 2018
What's this? An article that doesn't say it is all on the head of Steam fanboys? So strange....

so you're saying a multi-billionaire CEO of a huge corporation LIED?! well i never ....
Look, all we found out is that they go through Steam folders to grab a lot more information than they claim to be after, and store several obfuscated full backups of this info on another directory, and all of that without bothering us users with pesky questions. I'm sure Tim will pinky swear that they filter out this "extra" data later.
 
OP
lashman

Dead & Forgotten
Sep 5, 2018
Look, all we found out is that they go through Steam folders to grab a lot more information than they claim to be after, and store several obfuscated full backups of this info on another directory, and all of that without bothering us users with pesky questions. I'm sure Tim will pinky swear that they filter out this "extra" data later.
yes ... surely
 

DriftedPlanet

Ash, I think something was in those sandwiches
Oct 27, 2018
OP
lashman

Dead & Forgotten
Sep 5, 2018
That response from Valve is amazingly clean. They don't see this as a workaround that Epic had any right to use. I wonder how far Valve intends to take this, after they've looked into it further.
yeah, same ... i wonder what they'll do
 

suiko

saviour of worlds
Nov 12, 2018
can they do anything? people insist US having no laws for protecting digital privacy
 

Digoman

Lurking in the Shadows
Dec 21, 2018
If Valve finds something then I think they'll ban Epic from using the API and make changes so that the file is inaccessible.
While the information in this file isn't something that usually would need to be encrypted (and I don't want Steam encrypting everything like a UWP app), I don't think there is really any other choice here, especially if the press continues to do this "excellent" job of covering this issue.

Epic could have simply said they will start to use the API from now on, but instead we got a "we will just check the registry first", so it seems they really want that data.
 

Ex-User (307)

MetaMember
Dec 11, 2018
There is zero chance that as a private company they give this much info away freely, but I would like Steam to actually just kick the industry-wide standard of secrecy.

Privatize all user specific data so something like this can’t happen again, but start giving regular sales numbers that exponentially surpass the depth of industry standards like NPD and Media Create.
 

Alextended

Segata's Disciple
Jan 28, 2019
They can't give sales numbers without the consent of each and every company involved in the game, probably. Which sucks. I suppose they could make it an opt-in thing, but given sales numbers would inevitably lead to charts, the charts would be useless with major companies missing. As much as I'd still be interested in seeing the rest for myself, like how much indie game x sold. Although even indies wouldn't necessarily like to divulge that outside framing it on their own timing under their own PR message, potentially if they attempt to change their fate by appealing to the community via media or something.
While the information in this file isn't something that usually would need to be encrypted (and I don't want Steam encrypting everything like a UWP app), I don't think there is really any other choice here, especially if the press continues to do this "excellent" job of covering this issue.

Epic could have simply said they will start to use the API from now on, but instead we got a "we will just check the registry first", so it seems they really want that data.
Would encrypting make it inaccessible to users? Cos in that case I'm sure the press would just speak of shady Steam not telling us what data it gathers.
 
OP
lashman

Dead & Forgotten
Sep 5, 2018
Fortnite asks that you accept a brand new end-user agreement today.
Nothing suspicious there /s
well it's easier to change a few lines of text than to change your spying software ;)

not that it makes any difference in the EU, lol
 
OP
lashman

Dead & Forgotten
Sep 5, 2018
Doing a quick search using "epic" didn't bring back anything, but there might be some residue left
yeah, i imagine ... someone would have to check what entries it creates on install ... and then check if any of those are left after uninstalling it

dunno if that's even possible

maybe Wok or madjoki know?
 