Epic Game Store, Spyware, Tracking your Steam friends and play history.

#1
Ok now it is getting straight up illegal. This is clearly a GDPR Breach.



So, after installing the launcher: on startup, the Epic Games Launcher searches for a Steam install and proceeds to get a list of files in your Steam Cloud (this includes mostly game saves for every user that has logged in on your PC).

Steam Cloud is stored under userdata\[account id]\ if you wanna check

It will also create an encrypted copy of config\localconfig.vdf.
This file contains your Steam friends and their name history (groups you're part of are considered "friends").

More here

https://metacouncil.com/threads/epic-game-store-spyware-tracking-and-you.766/

OP needs to be updated with Epic reply.

 
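One way to check the claim in the opening post on your own machine, as an added example that is not part of the original thread: the sketch below scans a Process Monitor CSV export for successful file operations on Steam's userdata\[account id]\ tree or localconfig.vdf made by processes other than Steam. The sample rows, the process allow-list and the function names are constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows in Process Monitor's CSV export layout (not a real capture).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.10","steam.exe","4120","ReadFile","C:\Program Files (x86)\Steam\userdata\11111111\config\localconfig.vdf","SUCCESS",""
"10:01:05.31","EpicGamesLauncher.exe","7788","QueryDirectory","C:\Program Files (x86)\Steam\userdata\11111111","SUCCESS",""
"10:01:05.42","EpicGamesLauncher.exe","7788","ReadFile","C:\Program Files (x86)\Steam\userdata\11111111\config\localconfig.vdf","SUCCESS",""
"10:01:05.50","EpicGamesLauncher.exe","7788","CreateFile","C:\Program Files (x86)\Steam\userdata\11111111\760\remote.vdf","NAME NOT FOUND",""
"10:01:06.00","chrome.exe","3300","ReadFile","C:\Users\test\AppData\Local\Temp\cache.bin","SUCCESS",""
'''

# Assumption: these are the processes expected to touch Steam's own files.
STEAM_PROCS = {"steam.exe", "steamwebhelper.exe", "steamservice.exe"}

USERDATA = re.compile(r"\\steam\\userdata\\(\d+)(\\.*)?$", re.I)
LOCALCONFIG = re.compile(r"\\config\\localconfig\.vdf$", re.I)


def classify(path):
    """Label a path as 'localconfig.vdf', 'userdata', or None if unrelated."""
    if LOCALCONFIG.search(path):
        return "localconfig.vdf"
    if USERDATA.search(path):
        return "userdata"
    return None


def foreign_access(csv_text, allowed=STEAM_PROCS):
    """Map each non-allowed process to the Steam data it successfully touched."""
    hits = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] != "SUCCESS":
            continue  # failed opens never reached the data
        proc = row["Process Name"].lower()
        kind = classify(row["Path"])
        if kind and proc not in allowed:
            hits[proc][kind].add(row["Operation"])
    return {p: {k: sorted(ops) for k, ops in kinds.items()}
            for p, kinds in hits.items()}


if __name__ == "__main__":
    for proc, kinds in foreign_access(SAMPLE_CSV).items():
        print(proc, kinds)
```
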
#9
This is not good... not good at all... is this legit?

Shit... this is the kind of thing that can stomp a store in its tracks... what were they thinking?

Is it maybe some legacy stuff that’s left over from when the storefront was essentially a barebones launcher?
Apparently the guy who created Steam Spy has been working on this Epic store for quite a while already.

https://kotaku.com/the-guy-behind-steam-spy-has-been-working-on-epics-stor-1830890162

They seem to have been tracking data at least since May 2018.
 

jshackles

#10
This is not good... not good at all... is this legit?

Shit... this is the kind of thing that can stomp a store in its tracks... what were they thinking?

Is it maybe some legacy stuff that’s left over from when the storefront was essentially a barebones launcher?
This seems to have only started in May of last year - about the same time that Valve switched everyone's privacy settings to default to private.
 

Fbh

#19
But what if it's just collecting that data to figure out which friends you play the most with so it can send them $10K if they only play Epic game store games for a year, thus making your friends an Epic games store exclusive?


If Epic is doing this could you imagine how bad a Google console would be?
That one is going to be on another level. Instead of regular "this friend is online" or "this game is updating" notifications it will be like "yesterday while playing you told your wife you'd fix the leaky sink... have you done it yet?"
 
#22
Why are you even on the internet if you are so shocked and concerned about such a thing? Your own browser and neogaf collects data on you.
All of which is up front and known by the user. The user is a willing participant. Epic's tactics are not up front, aren't largely known and the user is not a willing participant unless they find out the information from a 3rd party source like reddit or neogaf and choose to continue using the launcher.
 
#23
Hmm, I wonder why they would do this. At first, I figured it was to help with some sort of 'People you may know' friend list system or analytics; I even bet you the T&Cs we agreed to when we installed the thing already cover such a scenario.

But, I can't think why they would go to the effort of extracting, encrypting and storing locally instead of just silently shooting it straight over the network to Epic. Usually, you would save stuff locally if it's for offline use, and you would only need to collate it together if it was getting frequently accessed and required some sort of preprocessing. It's not like they are worried folks are going to uninstall steam and that information would be gone, so why such an elaborate system to collect and keep it?

Oh well, if it was getting sent over the network someone would have noticed already so likely just some old legacy code for some sort of steam migration tool.
 
#24
All of which is up front and known by the user. The user is a willing participant. Epic's tactics are not up front, aren't largely known and the user is not a willing participant unless they find out the information from a 3rd party source like reddit or neogaf and choose to continue using the launcher.
Epic Games has a privacy policy telling you about this data collection, as does MS, as does Sony, as does everywhere else.

Not defending it, but you would be foolish to think others aren't collecting much worse data on you.
 
#35
They're obviously doing this because EA had great success with collecting data back in the day when Origin launched.

oh wait...

This is even more serious now than it was back then because of the GDPR. lol.
I'm not quite sure but on the surface it seems to be the same thing. Where is it stated that it's copying your Steam ID?
The Xbox thingy on Windows 10 doesn't sniff out your profile data and game history, the Epic Launcher apparently does this (tracking a game you've played 5 years ago)... at least according to the guy that is linked in the OP.

The Xbox thingy only detects a game when you've played it. So on the surface it seems to work like good old xfire or raptr.
 
#38
They even collect the data if the profiles are set to private.
Well that just means they're collecting local information, all setting your profile to private does is make external access to community data impossible. All of this information is still able to be read locally though.

This isn't encrypted system data.
 
#39
This isn't data generated by or in their web sites, games and applications, and I doubt they got Steam permission either as to be considered third party data. So it is scummy spying, unacceptable. I wonder how they are gonna raise the competitiveness banner this time.
 
#42
Well that just means they're collecting local information, all setting your profile to private does is make external access to community data impossible. All of this information is still able to be read locally though.

This isn't encrypted system data.
So that justifies it? It's a fact that it's doing something it should not.

BTW wouldn't it be easier for Epic to just say "okay our launcher was a failure and will be shut down" instead of creating outrageous news all the time?
 
#43
This isn't data generated by or in their web sites, games and applications, and I doubt they got Steam permission either as to be considered third party data. So it is scummy spying, unacceptable. I wonder how they are gonna raise the competitiveness banner this time.
It's none of the above, it's literally information housed in local text files in the Steam directory. This is the biggest non-starter fake outrage thread I've seen in a while.
 
#44
Well that just means they're collecting local information, all setting your profile to private does is make external access to community data impossible. All of this information is still able to be read locally though.

This isn't encrypted system data.
No, that means it is a clear breach of GDPR, and the most known fine is 4% of their global income.

If you set your profile to private, people can not see your friends or even what you played. Somehow the spyware still collects the data. How is this not scummy?

It's none of the above, it's literally information housed in local text files in the Steam directory. This is the biggest non-starter fake outrage thread I've seen in a while.
That is why they encrypted this information in their own files, right?
 
#45
No, that means it is a clear breach of GDPR, and the most known fine is 4% of their global income.

If you set your profile to private, people can not see your friends or even what you played. Somehow the spyware still collects the data. How is this not scummy?
Try doing research.

It's none of the above, it's literally information housed in local text files in the Steam directory. This is the biggest non-starter fake outrage thread I've seen in a while.
 
#47
That is why they encrypted this information in their own files, right?
Who cares why they encrypt it, it's local data that any program can access. Why are you not questioning Valve as to why they don't encrypt this information?

Fake outrage.

Try doing research about the GDPR my friend. It is a breach in Europe.
Cite me the exact statute that states this is a violation of EU laws and regulations, you're saying things you don't understand. Throwing GDPR into a conversation and saying this is a violation of EU law doesn't suddenly make it so, what statute is this a violation of?
 
#48
Who cares why they encrypt it, it's local data that any program can access. Why are you not questioning Valve as to why they don't encrypt this information?

Fake outrage.


Cite me the exact statute that states this is a violation of EU laws and regulations, you're saying things you don't understand. Throwing GDPR into a conversation and saying this is a violation of EU law doesn't suddenly make it so, what statute is this a violation of?
ANY FORM OF data collection needs to be clear and approved by signing. It does not matter if it's easily collectable or not. In Germany we even had a case in which children could not even hang up their wishes on a public Christmas tree without signed consent of their parents. We even had discussion about doorbell names etc. To access files on your computer is not in any form allowed until you state the real purpose and if the person is ok with it. And this was not the case. They also need to get permission from Steam which I doubt they will ever get.


If you are collecting data from EU citizens, including your own employees, then GDPR applies to you, even if you are based in a country outside the EU. If you are currently subject to the Data Protection Act, based around eight principles of good information handling, you will also need to be GDPR compliant.
https://www.smartsurvey.co.uk/articles/gdpr-compliant-with-data-collection

part of it
Consent - The request for consent must be given in an easy to understand plain language and it must be in an easily accessible form, with the purpose for data processing attached to that consent. Consent has to be distinguishable from other matters such as using the service and must be freely given and be easy to withdraw, as easy as it was for a customer to give it.

Personal Data Definition - Personal data will mean any information relating to an identified or identifiable natural person. This will include unique identifiers, including: IP addresses and cookies (where they are used to uniquely identify the device). This makes cookie use subject to the same consent requirements.

Right to Access - The person, whose data you are collecting, has the right to obtain confirmation of whether personal data concerning them is being processed, where it is being processed and for what purposes. This must be provided free of charge unless the request is repetitive, excessive or unfounded.

Right to be Forgotten - The data subject can insist that the controller erase all personal data about them and stop the processing of it by third parties. The controller can object based on if there is public interest in the availability of the data.

Breach Notification - Breach Notification must be sent to the Information Commissioners Office (ICO) and must be done within 72 hours of becoming aware of the breach. The data subject must also be notified without undue delay if it is likely to result in risk to their rights and freedoms.

Privacy by Design – Data controllers must implement appropriate technical and organisational measures to meet the GDPR requirements; i.e. hold and process only data that is absolutely necessary for the completion of duties, and limit access to personal data to those doing the processing.

Data portability - The new regulation will give individuals the right to transfer their data from one controller to another. So organisations, on request, must be able to deliver a person's data in a suitable format. Data collected via online surveys is immediately compliant with the data portability rule as it can be provided instantly without needing any further handling.
 
#49
ANY FORM OF data collection needs to be clear and approved by signing. It does not matter if it's easily collectable or not. In Germany we even had a case in which children could not even hang up their wishes on a public Christmas tree without signed consent of their parents. We even had discussion about doorbell names etc. To access files on your computer is not in any form allowed until you state the real purpose and if the person is ok with it. And this was not the case. They also need to get permission from Steam which I doubt they will ever get.
You should probably read Epic's terms of service, it's clear as day what they state they may access. Also they encrypt this data on their end to avert liability if they are breached so your information will be protected.
 
#50
You should probably read Epic's terms of service, it's clear as day what they state they may access. Also they encrypt this data on their end to avert liability if they are breached so your information will be protected.
Again, wrong.

  • Freely given: “Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent.”
Which means it does not matter if it's in their EULA or not. You need consent without consequences aka not being able to play your games you purchased got etc.

More info here:
https://www.criteo.com/insights/gdpr-compliance-legal-bases-collecting-personal-data/

Also, they collected data since May 4th, which means that was even before the GDPR; this also means they need special consent after it as well. They had to write EVERY customer so they can sign their consent. Otherwise it is a breach.
 