As detailed by Daniel Vogel, VP of Engineering at Epic Games, in the Reddit thread where the gamers’ concerns were first expressed, the Epic Games Store client “makes an encrypted local copy of your localconfig.vdf Steam file. However information from this file is only sent to Epic if you choose to import your Steam friends, and then only hashed ids of your friends are sent and no other information from the file.”
We use a tracking pixel (tracking.js) for our Support-A-Creator program so we can pay creators. We also track page statistics.
The UDP traffic highlighted in this post is a launcher feature for communication with the Unreal Editor. The source of the underlying system is available on github.
The launcher scans your active processes to prevent updating games that are currently running. This information is not sent to Epic.
Additionally, in response to user concerns that the company’s launcher also gathers info on “how long someone played a steam game and last time played,” Vogel argued that while the Epic Games Launcher will make “a local copy of a Steam file that contains Steam friends IDs” which also contains play time info, this data will not be parsed or delivered to their servers.
Vogel also insisted that “We only look at your Steam friends’ IDs in that file after you grant us permission and only then send a hash of those IDs back to our servers to allow us to make friend suggestions” and that Epic Games will only import the list of Steam friends after receiving “explicit permission.”
The Epic Games VP also added that “The launcher work concluded before the backend work. We are going to clean up the implementation and replace making a local copy of the file with a registry check for the presence of Steam before prompting you to import your friends” and that “We are ONLY sending hashed Steam friend IDs and ONLY with your permission.”
CEO possibly behind controversial data collection behavior
Epic Games CEO and Founder Tim Sweeney also chimed in to answer some of the gamers’ questions on Reddit, stating that “Since this issue came to the forefront we’re going to fix it.”
Sweeney said that the current way of collecting client Steam info from users’ computers is actually his fault:
You guys are right that we ought to only access the localconfig.vdf file after the user chooses to import Steam friends. The current implementation is a remnant left over from our rush to implement social features in the early days of Fortnite. It’s actually my fault for pushing the launcher team to support it super quickly and then identifying that we had to change it. Since this issue came to the forefront we’re going to fix it.
We don’t use the Steam API because we work to minimize the number of third-party libraries we include in our products due to security and privacy concerns (not from Valve specifically, but see e.g. https://www.macrumors.com/2019/02/22/ios-apps-sending-private-data-to-facebook/ for the general concern of APIs collecting more data than expected)
“We’re working to update the implementation so that the Epic Games launcher only touches the Steam file at all if you choose to import friends” stated Sweeney in reply to concerns that the program is tracking Steam play time for various games.
internetnewsblog has reached out to Epic Games and Valve for additional comments but had not heard back at the time of this publication. The article will be updated when responses will be received.
Image credits: Dot Esports
Update March 15, 2019, 12:49 EDT: A Valve spokesperson responded to our request stating that the information stored within the localconfig.vdf Steam file is not intended to be used by other software:
We are looking into what information the Epic launcher collects from Steam. The Steam Client locally saves data such as the list of games you own, your friends list and saved login tokens (similar to information stored in web browser cookies). This is private user data, stored on the user's home machine and is not intended to be used by other programs or uploaded to any 3rd party service. Interested users can find localconfig.vdf and other Steam configuration files in their Steam Client’s installation directory and open them in a text editor to see what data is contained in these files. They can also view all data related to their Steam account at: https://help.steampowered.com/en/accountdata.
Update March 15, 2019, 13:16 EDT: We also got a reply from Epic Games:
We've responded to in full here: https://www.reddit.com/r/PhoenixPoint/comments/b0rxdq/epic_game_store_spyware_tracking_and_you/eijlbge/ Specifically, on the Steam stuff, this is the relevant piece: "We only import your Steam friends with your explicit permission. The launcher makes an encrypted local copy of your localconfig.vdf Steam file. However information from this file is only sent to Epic if you choose to import your Steam friends, and then only hashed ids of your friends are sent and no other information from the file."