
Epic Game Store, Spyware, Tracking your Steam friends and play history.

Dunki

Member
Ok now it is getting straight up illegal. This is clearly a GDPR Breach.



So, after installing the launcher: the Epic Games Launcher on startup searches for a Steam install and proceeds to get a list of files in your Steam Cloud (this includes mostly game saves for every user that has logged in on your PC).

Steam Cloud is stored under userdata\[account id]\ if you wanna check

It will also create an encrypted copy of config\localconfig.vdf.
This file contains your Steam friends and their name history (groups you're part of are considered "friends").

screens;

MEgXCG2.png


5peS608.png


More here

https://metacouncil.com/threads/epic-game-store-spyware-tracking-and-you.766/

OP needs to be updated with Epic reply.

 
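Added example, not part of the original post or of any Steam or Epic code: a small Python parser for Valve's KeyValues (VDF) text format, which shows what a local process can read out of a file like config\localconfig.vdf. The sample file content is constructed, and the section and key names used (`friends`, `name`, `NameHistory`) are assumptions about the layout.

```python
import re

# Constructed sample in Valve's KeyValues (VDF) text format; the section and key
# names ("friends", "name", "NameHistory") are assumptions, not data from the thread.
SAMPLE_VDF = '''
"UserLocalConfigStore"
{
  "friends"
  {
    "PersonaName"  "local_user"
    "11111111" { "name" "alice" "NameHistory" { "0" "alice" "1" "al1ce_old" } }
    "22222222" { "name" "Some Group" }
  }
}
'''

# A token is either a quoted string (backslash escapes are kept as written) or a brace.
TOKEN = re.compile(r'"((?:\\.|[^"\\])*)"|([{}])')

def parse_vdf(text):
    """Parse quoted-key VDF text into nested dicts of strings."""
    tokens = [(m.group(1), m.group(2)) for m in TOKEN.finditer(text)]
    pos = 0
    def block():
        nonlocal pos
        out = {}
        while pos < len(tokens):
            key, brace = tokens[pos]
            pos += 1
            if brace == "}":
                return out                      # end of the current section
            if brace == "{" or pos >= len(tokens):
                raise ValueError("malformed VDF: expected a key and a value")
            value, value_brace = tokens[pos]
            pos += 1
            if value_brace == "{":
                out[key] = block()              # nested section
            elif value_brace is None:
                out[key] = value                # plain "key" "value" pair
            else:
                raise ValueError("malformed VDF: '}' where a value was expected")
        return out
    return block()

def friend_entries(config):
    """Return {account_id: {"name", "history"}} for every sub-section under "friends"."""
    friends = config.get("UserLocalConfigStore", {}).get("friends", {})
    return {acct: {"name": e.get("name"), "history": list(e.get("NameHistory", {}).values())}
            for acct, e in friends.items() if isinstance(e, dict)}
```

To inspect a real file, pass its text to `parse_vdf` instead of `SAMPLE_VDF`; the file is unencrypted text, so no Steam login or API call is involved.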

zeorhymer

Member
That's pretty major if they are making backups of the Steam ID and sending it to Epic servers. That's personally identifiable data and could land them in legal trouble.
 

Gavin Stevens

Formerly 'o'dium'
This is not good... not good at all... is this legit?

Shit... this is the kind of thing that can stomp a store in its tracks... what were they thinking?

Is it maybe some legacy stuff that’s left over from when the storefront was essentially a barebones launcher?
 

Dunki

Member
This is not good... not good at all... is this legit?

Shit... this is the kind of thing that can stomp a store in its tracks... what were they thinking?

Is it maybe some legacy stuff that’s left over from when the storefront was essentially a barebones launcher?
Apparently the guy who created steamspy is working on this epic store for quite a while already.

https://kotaku.com/the-guy-behind-steam-spy-has-been-working-on-epics-stor-1830890162

They seem to be tracking data at least since May 2018
 

jshackles

Gentlemen, we can rebuild it. We have the capability to make the world's first enhanced store. Steam will be that store. Better than it was before.
This is not good... not good at all... is this legit?

Shit... this is the kind of thing that can stomp a store in its tracks... what were they thinking?

Is it maybe some legacy stuff that’s left over from when the storefront was essentially a barebones launcher?

This seems to have only started in May of last year - about the same time that Valve switched everyone's privacy settings to default to private.
 

Barakov

Member
Yeah....this sounds real shady. It's almost as if they're looking for what type of games and publishers to make exclusivity deals with. Never touching that epic launcher ever again.
 
Did people think Epic employed steamspy for his level design expertise? He's shady as fuck and so are Epic, this is probably the tip of the iceberg.
 

zcaa0g

Banned
What do you expect from a Chinese owned company regardless of that 40% Tencent stake. I trust Epic as much as Tencent and I trust Tencent as much as the Chinese government.
 

MadAnon

Member
Why are you even on the internet if you are so shocked and concerned about such a thing? Your own browser and neogaf collects data on you.
 

Holammer

Member
Valve should publicly apologize for the data breach and promise to take steps to protect users from data scraping.
That would put a steaming hot potato in Epic's lap.
 

Dunki

Member
Why are you even on the internet if you are so shocked and concerned about such a thing? Your own browser and neogaf collects data on you.
They collect data even if you set your profile to private. It is a clear breach of the GDPR, which, if reported (and I hope someone does), will cost them millions.
 

Fbh

Member
But what if it's just collecting that data to figure out which friends you play the most with so it can send them $10K if they only play Epic game store games for a year, thus making your friends an Epic games store exclusive?


If Epic is doing this could you imagine how bad a Google console would be?

That one is going to be on another level. Instead of regular "this friend is online" or "this game is updating" notifications it will be like "yesterday while playing you told your wife you'd fix the leaky sink... have you done it yet?"
 
Why are you even on the internet if you are so shocked and concerned about such a thing? Your own browser and neogaf collects data on you.

All of which is up front and known by the user. The user is a willing participant. Epic's tactics are not up front, aren't largely known and the user is not a willing participant unless they find out the information from a 3rd party source like reddit or neogaf and choose to continue using the launcher.
 

McCheese

Member
Hmm, I wonder why they would do this. At first, I figured it was to help with some sort of 'People you may know' friend list system or analytics, I even bet you the T&C's we agreed when we installed the thing already covers such a scenario.

But, I can't think why they would go to the effort of extracting, encrypting and storing locally instead of just silently shooting it straight over the network to Epic. Usually, you would save stuff locally if it's for offline use, and you would only need to collate it together if it was getting frequently accessed and required some sort of preprocessing. It's not like they are worried folks are going to uninstall steam and that information would be gone, so why such an elaborate system to collect and keep it?

Oh well, if it was getting sent over the network someone would have noticed already so likely just some old legacy code for some sort of steam migration tool.
 

Three

Member
All of which is up front and known by the user. The user is a willing participant. Epic's tactics are not up front, aren't largely known and the user is not a willing participant unless they find out the information from a 3rd party source like reddit or neogaf and choose to continue using the launcher.

Epic games has a privacy policy telling you about this data collection as does MS as does Sony as does everywhere else.

Not defending it but you would be foolish to think others aren't collecting much worse data on you
 
How is this any different from what Microsoft's Xbox app does?

AQBHlFM.png


Terraria, RE2 and CS:GO are all from Steam yet this is tracking my use of them.
 
LMAO, I'm never going to install this shitty thing. I hope devs who tie their exclusivity to this realize how much money they are leaving on the table. Even Microsoft is releasing Halo MCC on Steam.
 

zeorhymer

Member
How is this any different from what Microsoft's Xbox app does?

AQBHlFM.png


Terraria, RE2 and CS:GO are all from Steam yet this is tracking my use of them.
I don't know how the Xbox app works, but does it read your friends list and does it also copy down your unique Steam ID?
 

zeorhymer

Member
I'm not quite sure but on the surface it seems to be the same thing. Where is it stated that it's copying your Steam ID?
As I mentioned, I don't know how the MS App works. From the testing that the guy did in the OP, he found that the Epic launcher is at least writing down your Steam account ID.
 
They're obviously doing this because EA had great success with collecting data back in the day when Origin launched.

oh wait...

This is even more serious now than it was back then because of the GDPR. lol.
I'm not quite sure but on the surface it seems to be the same thing. Where is it stated that it's copying your Steam ID?
The Xbox thingy on Windows 10 doesn't sniff out your profile data and game history, the Epic Launcher apparently does this (tracking a game you've played 5 years ago)... at least according to the guy that is linked in the OP.

The Xbox thingy only detects a game when you've played it. So on the surface it seems to work like good old xfire or raptr.
 
They even collect the data if the profiles that are set on private
Well that just means they're collecting local information, all setting your profile to private does is make external access to community data impossible. All of this information is still able to be read locally though.

This isn't encrypted system data.
 

lukilladog

Member
This isn't data generated by or in their web sites, games and applications, and I doubt they got Steam permission either as to be considered third party data. So it is scummy spying, unacceptable. I wonder how they are gonna raise the competitiveness banner this time.
 

Mattyp

Gold Member
Yet everyone has a chrome browser.

Speak for yourself, I go extremely out of my way to avoid anything Google produced at all costs, blocking their services. It's actually baffling people put Google Home devices in their houses compared to the uproar we had about Kinect.
 

CuNi

Member
Well that just means they're collecting local information, all setting your profile to private does is make external access to community data impossible. All of this information is still able to be read locally though.

This isn't encrypted system data.

So that justifies it? It's a fact that it's doing something it should not.

BTW wouldn't it be easier for epic to just say "okay our launcher was a failure and will be shut down" instead of creating outrageous news all the time?
 
This isn't data generated by or in their web sites, games and applications, and I doubt they got Steam permission either as to be considered third party data. So it is scummy spying, unacceptable. I wonder how they are gonna raise the competitiveness banner this time.
It's none of the above, it's literally information housed in local text files in the Steam directory. This is the biggest non-starter fake outrage thread I've seen in a while.
 

Dunki

Member
Well that just means they're collecting local information, all setting your profile to private does is make external access to community data impossible. All of this information is still able to be read locally though.

This isn't encrypted system data.
No, that means it is a clear breach of GDPR and the most known fine is 4% of their global income.

If you set your profile to private people cannot see your friends or even what you played. Somehow the spyware still collects the data. How is this not scummy?

It's none of the above, it's literally information housed in local text files in the Steam directory. This is the biggest non-starter fake outrage thread I've seen in a while.
That is why they encrypted this information in their own files, right?
 
No, that means it is a clear breach of GDPR and the most known fine is 4% of their global income.

If you set your profile to private people cannot see your friends or even what you played. Somehow the spyware still collects the data. How is this not scummy?

Try doing research.

It's none of the above, it's literally information housed in local text files in the Steam directory. This is the biggest non-starter fake outrage thread I've seen in a while.
 
That is why they encrypted this information in their own files, right?
Who cares why they encrypt it, it's local data that any program can access. Why are you not questioning Valve as to why they don't encrypt this information?

Fake outrage.

Try doing research about the GDPR my friend. It is a breach in Europe.
Cite me the exact statute that states this is a violation of EU laws and regulations, you're saying things you don't understand. Throwing GDPR into a conversation and saying this is a violation of EU law doesn't suddenly make it so, what statute is this a violation of?
 

Dunki

Member
Who cares why they encrypt it, it's local data that any program can access. Why are you not questioning Valve as to why they don't encrypt this information?

Fake outrage.


Cite me the exact statute that states this is a violation of EU laws and regulations, you're saying things you don't understand. Throwing GDPR into a conversation and saying this is a violation of EU law doesn't suddenly make it so, what statute is this a violation of?
ANY FORM OF data collection needs to be clear and approved by signing. It does not matter if it's easily collectable or not. In Germany we even had a case in which children could not even hang up their wishes on a public Christmas tree without signed consent of their parents. We even had discussion about doorbell names etc. To access files on your computer is not in any form allowed until you state the real purpose and if the person is ok with it. And this was not the case. They also need to get permission from Steam which I doubt they will ever get.


If you are collecting data from EU citizens, including your own employees, then GDPR applies to you, even if you are based in a country outside the EU. If you are currently subject to the Data Protection Act, based around eight principles of good information handling, you will also need to be GDPR compliant.
https://www.smartsurvey.co.uk/articles/gdpr-compliant-with-data-collection

part of it
Consent - The request for consent must be given in an easy to understand plain language and it must be in an easily accessible form, with the purpose for data processing attached to that consent. Consent has to be distinguishable from other matters such as using the service and must be freely given and be easy to withdraw, as easy as it was for a customer to give it.

Personal Data Definition - Personal data will mean any information relating to an identified or identifiable natural person. This will include unique identifiers, including: IP addresses and cookies (where they are used to uniquely identify the device). This makes cookie use subject to the same consent requirements.

Right to Access - The person, whose data you are collecting, has the right to obtain confirmation of whether personal data concerning them is being processed, where it is being processed and for what purposes. This must be provided free of charge unless the request is repetitive, excessive or unfounded.

Right to be Forgotten - The data subject can insist that the controller erase all personal data about them and stop the processing of it by third parties. The controller can object based on if there is public interest in the availability of the data.

Breach Notification - Breach Notification must be sent to the Information Commissioners Office (ICO) and must be done within 72 hours of becoming aware of the breach. The data subject must also be notified without undue delay if it is likely to result in risk to their rights and freedoms.

Privacy by Design – Data controllers must implement appropriate technical and organisational measures to meet the GDPR requirements; i.e. hold and process only data that is absolutely necessary for the completion of duties, and limit access to personal data to those doing the processing.

Data portability - The new regulation will give individuals the right to transfer their data from one controller to another. So organisations, on request, must be able to deliver a person's data in a suitable format. Data collected via online surveys is immediately compliant with the data portability rule as it can be provided instantly without needing any further handling.
 
ANY FORM OF data collection needs to be clear and approved by signing. It does not matter if it's easily collectable or not. In Germany we even had a case in which children could not even hang up their wishes on a public Christmas tree without signed consent of their parents. We even had discussion about doorbell names etc. To access files on your computer is not in any form allowed until you state the real purpose and if the person is ok with it. And this was not the case. They also need to get permission from Steam which I doubt they will ever get.
You should probably read Epic's terms of service, it's clear as day what they state they may access. Also they encrypt this data on their end to avert liability if they are breached so your information will be protected.
 

Dunki

Member
You should probably read Epic's terms of service, it's clear as day what they state they may access. Also they encrypt this data on their end to avert liability if they are breached so your information will be protected.
Again Wrong

  • Freely given: “Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent.”

Which means it does not matter if it's in their EULA or not. You need consent without consequences aka not being able to play your games you purchased got etc.

More info here:
https://www.criteo.com/insights/gdpr-compliance-legal-bases-collecting-personal-data/

Also, they collected data since May 4th, which means that was even before the GDPR; this also means they need special consent after it as well. They had to write to EVERY customer so they can sign their consent. Otherwise it is a breach.
 