How was the article?

1466660cookie-checkValve Is Investigating Epic Games Store Datamining Steam User Info
Features
2019/03

Valve Is Investigating Epic Games Store Datamining Steam User Info

There were several things that happened recently involving the Epic Games Store that caused a chain reaction of events. First, the Epic Games Store enables users to import their friends list from Steam. Second, users began monitoring the Epic Games Store’s processes while it was running. Third, people began to freak out when they discovered that Epic’s client was accessing Steam user data outside of the Steam API. This prompted Epic Games CEO, Tim Sweeney, to chime in about the matter, and it even managed to get Valve to issue a statement about the third-party access of user data outside of the Steamworks API.

Bleeping Computer first quoted Tim Sweeney, who made various replies in the comment section on various sub-reddit threads, explaining…

“You guys are right that we ought to only access the localconfig.vdf file after the user chooses to import Steam friends. The current implementation is a remnant left over from our rush to implement social features in the early days of Fortnite. It’s actually my fault for pushing the launcher team to support it super quickly and then identifying that we had to change it. Since this issue came to the forefront we’re going to fix it.

 

“We don’t use the Steam API because we work to minimize the number of third-party libraries we include in our products due to security and privacy concerns (not from Valve specifically, but see e.g. https://www.macrumors.com/2019/02/22/ios-apps-sending-private-data-to-facebook/ for the general concern of APIs collecting more data than expected)

 

“[…] We’re working to update the implementation so that the Epic Games launcher only touches the Steam file at all if you choose to import friends”

The problem a lot of people had was that the client was touching Steam user data even before the Epic Games Store client was given permission to touch the data.

What’s more is that it completely bypassed the Steam API that was designed for third-parties to access user data. The API was an integral part of how the Counter-Strike: Global Offensive gambling dens were able to utilize user profiles in making trades and bets for skins. Valve, however, put out a cease and desist letter for gambling websites after the Washington State Gambling Commission came down on them for facilitating gambling via the API that third-party websites were using for loot box betting.

In this case, however, Valve made it known that third parties are not supposed to manually access locally stored user data via bypassing the API, with Valve’s Doug Lombardi telling Bleeping Computer…

“We are looking into what information the Epic launcher collects from Steam.

 

“The Steam Client locally saves data such as the list of games you own, your friends list and saved login tokens (similar to information stored in web browser cookies). This is private user data, stored on the user’s home machine and is not intended to be used by other programs or uploaded to any 3rd party service.

 

“Interested users can find localconfig.vdf and other Steam configuration files in their Steam Client’s installation directory and open them in a text editor to see what data is contained in these files. They can also view all data related to their Steam account at: https://help.steampowered.com/en/accountdata.”

There are two groups who are criticizing Epic Games for this conundrum.

On one side there are users who fear that their data is being collected and used for spying via the Chinese government because Tencent Gaming has a 40% stake in Epic Games. People are afraid that their privacy data will be used against them by the Chinese in some capacity. Epic Games CEO and founder, Tim Sweeney, has repeatedly stated that they do not send user data to Tencent.

On the other side, there are programmers and developers severely admonishing Epic Games for bypassing the Steam API in order to access Steam friends list. While Epic Games VP of engineering, Daniel Vogel, mentioned that the Epic Games Store client is only collecting Steam friends list data, inquiring minds were skeptical about that claim because Epic encrypts the user data it collects from Steam, so it’s unclear if it’s only collecting friends list data and not the rest of the user data it parses that includes library information, time played, etc.

Developer Derek Smart stated that the issue isn’t whether or not the data is being sent back to Tencent, but a client accessing user data from a competing client. Across multiple tweets, Smart explained…

“What’s hilarious to me is that some people think that Epic is sending their data to Tencent; and this Steam access is an extension of that. If they were doing that – at all – Fortnite is massive enough to provide massive seed data. They don’t need Steam.

 

“As a [developer] & gamer, my primary concern since this came to light has nothing to do with the crazy things people are coming up with. My concern is that one party has access to data curated by a competitor – and it contains data which could very well constitute trade secrets.

 

“Anyone who has spent 10 mins observing Tim’s posts going back decades, should immediately know that he’s a big advocate of open systems; and aggregating data for undeclared purposes simply isn’t something that he would stand for, let alone condone. Regardless, this issue should be igniting debate about one party accessing data collected by a third-party, though *legally* said data belongs to the USER, and NOT the collector. But as usual, people are outraged by nonsensical and inconsequential bs with zero factual basis.”

Bleeping Computer reached out to Epic Games once more for a response regarding Valve’s investigation into how the Epic Games Store is utilizing client data, but they simply referred to Dan Vogel’s post on Reddit, where they highlighted the section stating that they’re only collecting Steam’s friends list data and encrypting it to be sent to Epic’s servers.

[Update:] According to a post over on /r/Games/, users who put together a  script to check the encrypted files being sent to Epic, discovered that the Epic Games Store client is doing more than just collecting and sending Steam friends list data back to the servers. It’s also sending library and app usage data back to Epic Games as well.

Gamers and casuals on the outside looking in still aren’t convinced that this is all bening, and there are still plenty of people who fear that Tencent’s looming shadow over the company is too big to overlook at the moment. It will be interesting to see what comes out of Valve’s investigation and whether Epic will readjust their strategies for acquiring friends list data.

(Thanks for the news tip Derek Smart)

(Main image courtesy of Coverop)

Other Features