Concerns arise over the Epic Games Store client doing non-authorized things on people's PCs - Tim Sweeney responds to the discussions

Delicieuxz

 

This topic first came up on Reddit, and has also been discussed elsewhere since.

 

There is drama, hyperbole, and hysteria involved, but there is also the detail of the EGS client scraping data on a person's PC without permission. This data may be limited, but the fact that it is done by scanning other programs (Steam) on a PC and that the system owner isn't notified or asked for permission to do it is concerning, to me.

 

Some people have raised an analogy between this and Valve's Steam client collecting system data for the Steam hardware survey. However, that isn't analogous because the Steam client shows a prompt that asks whether a person wants to participate in the Steam hardware survey, and if the system owner declines to participate in the survey then the system hardware is never scanned.

 

Tim Sweeney has made various responses to the Reddit discussion, including an acknowledgement that some things about this are not as they should be and will be amended:

Quote

You guys are right that we ought to only access the localconfig.vdf file after the user chooses to import Steam friends. The current implementation is a remnant left over from our rush to implement social features in the early days of Fortnite. It's actually my fault for pushing the launcher team to support it super quickly and then identifying that we had to change it. Since this issue came to the forefront we're going to fix it.

 

 

Here's the original Reddit thread.

 

 

A more technical look has been made on the Tech Power Up forums. I've only added the first of the post's images in this quote. Look at the thread on Tech Power Up to see the others.

Quote

 

In a recent post over on Reddit a user has found just what the EGS gets up to when installed on your laptop.

Firstly, it is clear the client is listing all of the processes running on the system. As seen below

[image]

As well as following up with trying to access .dll files of other programs.
 
 [image]


What's more worrying is that the user goes on to show that the client likes accessing your root certs on the PC.

 

[image] 

As well as all things Internet related, including Cookies, Keys and other aspects.

 
[image]

As well as a hardware survey, like Steam's, without asking your prior permission to do so.
 
[image]
 
However, none of this is not as bad as the final. Despite users not wishing to link their Epic Games account with their Steam account or their friends list, and without any permission or notification, Epic Games launcher is taking a copy of your Steam localconfig.vdf, a file containing your entire Steam data: friends list, games owned, playtime history.

Epic Games have confirmed that it is in fact true, with Tim Sweeney stating Epic "ought to only access the localconfig.vdf file after the user chooses to import Steam friends".

With Epic's links to Chinese company Tencent, it really does make you wonder what they're compiling all this data for and if it isn't getting passed on to other parties.

 

 

You own the software that you purchase - Understanding software licenses and EULAs

 

"We’ll know our disinformation program is complete when everything the american public believes is false" - William Casey, CIA Director 1981-1987
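The kind of file-access trace described in the quoted write-up can be triaged mechanically. The following is an added example, not part of the original post or of any tool it used: it assumes a trace exported in the Process Monitor CSV column layout, and the sample rows, `ExampleLauncher.exe` and all paths are constructed.

```python
import csv
import io
import re

# Constructed sample in the column layout of a Process Monitor CSV export.
# Process names, PIDs, users and paths are illustrative only.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","steam.exe","4120","ReadFile","C:\Program Files (x86)\Steam\userdata\1234\config\localconfig.vdf","SUCCESS",""
"10:01:05.3","ExampleLauncher.exe","5312","CreateFile","C:\Program Files (x86)\Steam\userdata\1234\config\localconfig.vdf","SUCCESS",""
"10:01:05.4","ExampleLauncher.exe","5312","ReadFile","C:\Program Files (x86)\Steam\userdata\1234\config\localconfig.vdf","SUCCESS",""
"10:01:06.0","ExampleLauncher.exe","5312","RegOpenKey","HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates","SUCCESS",""
"10:01:06.2","ExampleLauncher.exe","5312","CreateFile","C:\Users\test\AppData\Roaming\Microsoft\Windows\Cookies","NAME NOT FOUND",""
"10:01:07.0","notepad.exe","6001","ReadFile","C:\Users\test\notes.txt","SUCCESS",""
'''

# category -> (path pattern, processes expected to touch that path)
RULES = {
    "steam_localconfig": (re.compile(r"\\localconfig\.vdf$", re.I), {"steam.exe"}),
    # Reading the root store is routine for any TLS client; it is listed
    # so the reviewer has context, not as proof of abuse.
    "root_cert_store": (re.compile(r"\\systemcertificates\\root(\\|$)", re.I), set()),
    "windows_cookies": (re.compile(r"\\microsoft\\windows\\cookies(\\|$)", re.I), set()),
}

# Operations that return content, as opposed to merely opening or probing a path.
CONTENT_READS = {"ReadFile", "RegQueryValue"}


def triage(csv_text):
    """Return {category: {process: {"events": n, "read_ok": bool}}} for every
    process outside the expected owners that touched a watched path."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc = row["Process Name"].lower()
        for category, (pattern, owners) in RULES.items():
            if proc in owners or not pattern.search(row["Path"]):
                continue
            entry = report.setdefault(category, {}).setdefault(
                proc, {"events": 0, "read_ok": False})
            entry["events"] += 1
            # Separate "looked at the path" from "actually read its content".
            if row["Operation"] in CONTENT_READS and row["Result"] == "SUCCESS":
                entry["read_ok"] = True
    return report


if __name__ == "__main__":
    for category, procs in triage(SAMPLE_CSV).items():
        for proc, info in procs.items():
            print(f"{category:18} {proc:22} events={info['events']} read_ok={info['read_ok']}")
```

The `read_ok` flag matters when reading such a trace: an open or a failed lookup shows a path was probed, while a successful read shows content was retrieved.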

Link to post

"What do you mean Epic, the 40% owned by the Chinese government providing company tencent, is spying on me?"

 

*surprised*

Community Standards || Tech News Posting Guidelines

---======================================================================---

CPU: R5 3600 || GPU: RTX 3070|| Memory: 32GB @ 3200 || Cooler: Scythe Big Shuriken || PSU: 650W EVGA GM || Case: NR200P

Link to post

Yay even more stuff to throw at people when I say I refuse to touch epic! 

I spent $2500 on building my PC and all i do with it is play no games atm & watch anime at 1080p(finally) watch YT and write essays...  nothing, it just sits there collecting dust...

Builds:

The Toaster Project! Northern Bee!

 

The original LAN PC build log! (Old, dead and replaced by The Toaster Project & 5.0)

Spoiler

"Here is some advice that might have gotten lost somewhere along the way in your life. 

 

#1. Treat others as you would like to be treated.

#2. It's best to keep your mouth shut; and appear to be stupid, rather than open it and remove all doubt.

#3. There is nothing "wrong" with being wrong. Learning from a mistake can be more valuable than not making one in the first place.

 

Follow these simple rules in life, and I promise you, things magically get easier. " - MageTank 31-10-2016

 

 

Link to post

These concerns are fairly overblown, though they do need to fix that localhost.vdf bodge soonish.

 

I'm more annoyed by their business decisions, competing to get devs to lock their games to EGS rather than competing to give end users a better experience, lower prices etc. - and of course side effects like Phoenix Point losing Linux support.

Link to post

1 hour ago, Sakkura said:

These concerns are fairly overblown, though they do need to fix that localhost.vdf bodge soonish.

accessing these certificates is a BIG problem, most programs use them to encrypt files and data on the system, it also uses them to encrypt data sent to servers and other systems.

such as authentication and/or logon credentials and other sensitive data...

the reason they are accessible by other programs is because some enterprises use custom certificates for their networks, without it the client's requests get ignored and if done repeatedly, causes the network protection software (if they have one which most do) to block the client entirely from the network for security reasons since the program doesn't know the encryption that it needs to understand the network correctly.

 

granted valve should be encrypting the localhost.vdf file due to it containing "sensitive data" (I put it in quotes since some don't think it goes in the category of sensitive data)

but the fact that it's already taken it before even asking if you wanted to link the account is unacceptable since it's still feeding someone before asking if they are hungry.

the hardware survey thing can take a pass, most programs (chrome, firefox, vlc etc.) do this so the devs can understand the platform their products are running on, allowing them to better optimize the product for more common configurations. this is done automatically without user request, valve asks since it can be wrong (e.g running steam in wine on Linux gives incorrect results on the hardware) and that can give incorrect info to the devs (both for valve and companies developing games on steam) about what they need to do.

*Insert Witty Signature here*

System Config: https://au.pcpartpicker.com/list/Tncs9N

 

Link to post

Salt needed, Reddit based source.

 

The guy that did this original write up on Reddit was obviously tilted at EGS before he even started looking into it. His whole write up sounds like someone who has a personal grudge and is looking for anything to make them look bad. They could have been uploading pictures of kittens and it would have been good enough for him.

 

I'm not saying he's not right, but I would rather someone who is more professional and at the very least unbiased look into this before we take anyone out to burn at the stake.

 

I did take a quick look through the .js file he uploaded and based on my limited programming knowledge, it looks like it is sending user data but it seems to be limited to web browser cookies, and browsing patterns from inside the EGS. As far as I can tell this is no worse than what something like Chrome would be tracking. Somebody who has more experience can jump in and correct me if I'm wrong.

Intel Xeon 1650 V0 (4.4GHz @1.4V), ASRock X79 Extreme6, 32GB of HyperX 1866, Sapphire Nitro+ 5700XT, Silverstone Redline (black) RL05BB-W, Crucial MX500 500GB SSD, TeamGroup GX2 512GB SSD, WD AV-25 1TB 2.5" HDD with generic Chinese 120GB SSD as cache, x2 Seagate 2TB SSHD(RAID 0) with generic Chinese 240GB SSD as cache, SeaSonic Focus Plus Gold 850, x2 Acer H236HL, Acer V277U be quiet! Dark Rock Pro 4, Logitech K120, Tecknet "Gaming" mouse, Creative Inspire T2900, HyperX Cloud Flight Wireless headset, Windows 10 Pro 64 bit
Link to post

7 hours ago, Delicieuxz said:

Some people have raised an analogy between this and Valve's Steam client collecting system data for the Steam hardware survey.

Steam isn't involved with the Chinese.

Epic is....


That should be cause for concern...

"Hell is full of good meanings, but Heaven is full of good works"

Link to post

Quote

You guys are right that we ought to only access the localconfig.vdf file after the user chooses to import Steam friends. The current implementation is a remnant left over from our rush to implement social features in the early days of Fortnite. It's actually my fault for pushing the launcher team to support it super quickly and then identifying that we had to change it. Since this issue came to the forefront we're going to fix it.

If Sweeney had been this transparent earlier on then I think most gamers wouldn't have hated EGS quite so much. It's definitely a step in the right direction.

Link to post

2 hours ago, ZacoAttaco said:

If Sweeney had been this transparent earlier on then I think most gamers wouldn't have hated EGS quite so much. It's definitely a step in the right direction.

Yeah this, some stuff needs cleanup for sure. 

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |

Link to post

What a joke. It's easy to apologize after things come to light, but I'm willing to bet they will hide these things elsewhere. Perhaps even in the running instances of FortNite?

Link to post

More reasons to never touch Epic Games launcher. Cool.
 

This makes me think of all those mobile apps that want access to essentially everything on your phone and want internet access... when they really have no business getting it in the first place because it's a single player game that doesn't access the internet. All that harvesting to deliver personalized ads to you and/or sell your info to other companies...

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro

Link to post

7 hours ago, Stefan Payne said:

Steam isn't involved with the Chinese.

Epic is....


That should be cause for concern...

To be honest, the US government harvests more data from everybody than any other country could - and the US government does it in partnership with all of the major tech companies and many thousands of the smaller ones.

You own the software that you purchase - Understanding software licenses and EULAs

 

"We’ll know our disinformation program is complete when everything the american public believes is false" - William Casey, CIA Director 1981-1987

Link to post

1 minute ago, Delicieuxz said:

To be honest, the US government harvests more data from everybody than any other country could - and the US government does it in partnership with all of the major tech companies and many thousands of the smaller ones.

They don't hinder you in your travels when they don't like you, China does.

"Hell is full of good meanings, but Heaven is full of good works"

Link to post

14 minutes ago, Delicieuxz said:

To be honest, the US government harvests more data from everybody than any other country could - and the US government does it in partnership with all of the major tech companies and many thousands of the smaller ones.

Wonder if they have got Valve to create a backdoor for them in steam...

Link to post

I love this shit. 

[image]

says the thread on a Tencent "owned" platform, which actively censors anti-chinese posts. 

muh specs 

Gaming and HTPC (reparations)- ASUS 1080, MSI X99A SLI Plus, 5820k- 4.5GHz @ 1.25v, asetek based 360mm AIO, RM 1000x, 16GB memory, 750D with front USB 2.0 replaced with 3.0  ports, 2 250GB 850 EVOs in Raid 0 (why not, only has games on it), some hard drives

Screens- Acer preditor XB241H (1080p, 144Hz Gsync), LG 1080p ultrawide, (all mounted) directly wired to TV in other room

Stuff- k70 with reds, steel series rival, g13, full desk covering mouse mat

All parts black

Workstation(desk)- 3770k, 970 reference, 16GB of some crucial memory, a motherboard of some kind I don't remember, Micomsoft SC-512N1-L/DVI, CM Storm Trooper (It's got a handle, can you handle that?), 240mm Asetek based AIO, Crucial M550 256GB (upgrade soon), some hard drives, disc drives, and hot swap bays

Screens- 3  ASUS VN248H-P IPS 1080p screens mounted on a stand, some old tv on the wall above it. 

Stuff- Epicgear defiant (solderless swappable switches), g600, moutned mic and other stuff. 

Laptop docking area- 2 1440p korean monitors mounted, one AHVA matte, one samsung PLS gloss (very annoying, yes). Trashy Razer blackwidow chroma...I mean like the J key doesn't click anymore. I got a model M i use on it to, but its time for a new keyboard. Some edgy Utechsmart mouse similar to g600. Hooked to laptop dock for both of my dell precision laptops. (not only docking area)

Shelf- i7-2600 non-k (has vt-d), 380t, some ASUS sandy itx board, intel quad nic. Currently hosts shared files, setting up as pfsense box in VM. Also acts as spare gaming PC with a 580 or whatever someone brings. Hooked into laptop dock area via usb switch

Link to post

Not really knowing, but aren't they also going through general Windows cookies instead of EGS specific cookies (...Roaming\Microsoft\Windows\Cookies instead of something like ...Roaming\Epic\EGS\Cookies)?

 

Either way this is kind of bad. Steam at least asks you if you want to join the hardware survey and it really isn't that hard to know if some game from the launcher is running before updating (Steam and Battle.net at least do this through using their game overlay). This doesn't really bode well for the future of EGL, if they have rushed and done the bubblegum and duct tape in the beginning to get into this kind of light, I don't really want to know what flavour of bubblegum they are going to use to make the reviews and other features they are going to bring "as soon as possible" to compete against Steam.

Link to post

Steam also shows the exact plaintext of what it'll submit before it does so.

Link to post

You would be surprised how much data the rest of the windows and software steals about you and sells to random third parties lmao.

Let's not forget the Chinese and US gov already harvest all your data from the phone but no one is ranting about that.

I guess gamers are the few that care about privacy or something.

Link to post

Valve has given a response to BleepingComputer:

Quote

We are looking into what information the Epic launcher collects from Steam. 

 

The Steam Client locally saves data such as the list of games you own, your friends list and saved login tokens (similar to information stored in web browser cookies). This is private user data, stored on the user's home machine and is not intended to be used by other programs or uploaded to any 3rd party service. 

 

Interested users can find localconfig.vdf and other Steam configuration files in their Steam Client’s installation directory and open them in a text editor to see what data is contained in these files. They can also view all data related to their Steam account at: https://help.steampowered.com/en/accountdata.

 

Just out of interest I was going through my localconfig.vdf and it seems like a very bad idea to copy it anywhere as it is or post it anywhere. As far as I understand there's login token data, all your library data (licence tokens, login/authentication tokens, last played and total played times, preferences for startup and other things that Steam needs to launch the game), authentication tokens, if you use Steam Link also its authentication and device tokens, controller data (some serial key, account to which that controller is "linked") and cloud save space key. Some of that data is actually something you probably really don't want to give to some random service. It's nothing alarming, no one can probably use it to do anything otherwise it would be encrypted and protected and not openable with notepad, probably just data that enables Steam to work in offline and shape off some network traffic, but still it's kind of alarming when a file containing a lot of data about your playing habits gets copied, encrypted and (even if only by your choice) sent to some other company just to import your friends list. Not to pressure more about that even Tim Sweeney himself has admitted that EGL is rushed out and probably everyone knows what a "rushed out" software means in terms of bugs and holes, have fun time thinking about your personal data being copied without consent and in the worst case sent to some server somewhere to be decrypted and opened.
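Valve's suggestion to open localconfig.vdf and see what it holds can be done without putting the values on screen. The following is an added example, not part of the post above or of Steam: it parses the quoted key/value text layout used by .vdf files and lists only the paths of keys whose names suggest credentials, with value lengths. The sample file, its key names and the name pattern are constructed assumptions.

```python
import re

# Constructed sample in VDF text layout; key names are hypothetical,
# not copied from a real Steam file.
SAMPLE_VDF = '''
"ExampleStore"
{
    // constructed sample
    "friends"
    {
        "1111" { "name" "alice" }
    }
    "apps"
    {
        "440" { "LastPlayed" "1552000000" "Playtime" "321" }
    }
    "ExampleLoginToken"    "abcdef0123456789"
    "streaming" { "DeviceAuthKey" "00ff00ff" }
}
'''

# A quoted string (backslash escapes allowed), a brace, or a // comment.
# Unquoted tokens are not handled in this example.
TOKEN = re.compile(r'"((?:\\.|[^"\\])*)"|([{}])|//[^\n]*')
# Assumed heuristic for key names worth a closer look.
SENSITIVE = re.compile(r"token|auth|secret|passw|key", re.I)


def parse_vdf(text):
    """Parse VDF text into nested dicts; raise ValueError if malformed."""
    root, key = {}, None
    stack = [root]
    for m in TOKEN.finditer(text):
        string, brace = m.group(1), m.group(2)
        if brace == "{":
            if key is None:
                raise ValueError("block without a name")
            child = {}
            stack[-1][key] = child
            stack.append(child)
            key = None
        elif brace == "}":
            if len(stack) == 1 or key is not None:
                raise ValueError("unexpected closing brace")
            stack.pop()
        elif string is not None:
            if key is None:
                key = string                 # first string of a pair
            else:
                stack[-1][key] = string      # second string: the value
                key = None
    if len(stack) != 1 or key is not None:
        raise ValueError("unbalanced braces or dangling key")
    return root


def audit(tree, path=()):
    """Return [(key path, value length)] for credential-looking leaves.
    Values themselves are never returned or printed."""
    findings = []
    for name, value in tree.items():
        here = path + (name,)
        if isinstance(value, dict):
            findings += audit(value, here)
        elif SENSITIVE.search(name):
            findings.append(("/".join(here), len(value)))
    return findings


if __name__ == "__main__":
    for key_path, length in audit(parse_vdf(SAMPLE_VDF)):
        print(f"{key_path}  ({length} chars, value withheld)")
```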

Link to post

3 hours ago, Thaldor said:

Valve has given a response to BleepingComputer:

 

Just out of interest I was going through my localconfig.vdf and it seems like a very bad idea to copy it anywhere as it is or post it anywhere. As far as I understand there's login token data, all your library data (licence tokens, login/authentication tokens, last played and total played times, preferences for startup and other things that Steam needs to launch the game), authentication tokens, if you use Steam Link also its authentication and device tokens, controller data (some serial key, account to which that controller is "linked") and cloud save space key. Some of that data is actually something you probably really don't want to give to some random service. It's nothing alarming, no one can probably use it to do anything otherwise it would be encrypted and protected and not openable with notepad, probably just data that enables Steam to work in offline and shape off some network traffic, but still it's kind of alarming when a file containing a lot of data about your playing habits gets copied, encrypted and (even if only by your choice) sent to some other company just to import your friends list. Not to pressure more about that even Tim Sweeney himself has admitted that EGL is rushed out and probably everyone knows what a "rushed out" software means in terms of bugs and holes, have fun time thinking about your personal data being copied without consent and in the worst case sent to some server somewhere to be decrypted and opened.

...WHAT

[image]

 

 

this is sueable right? if yes... Where's that 7%

✨FNIGE✨

Link to post
