Earlier today, Reddit user PhoenixPoint and ResetEra member Madjoki found out that the Epic Games Launcher may be collecting your Steam history at startup. As part of their investigation, they found that at startup, the Epic Games Launcher searches your local computer for a Steam install. If it finds that Steam is installed, it then apparently proceeds to pull a list of files typically stored in your Steam Cloud. This data includes game saves for all users that have logged in to Steam on your computer.

Madjoki also found that it pulls a list of your Steam friends and their name history. Now, the friends thing isn't too unusual because the Epic Games Launcher does allow you to import your Steam friends to see if they have an Epic Games account.

Here is what Madjoki has found thus far.

Epic Games Launcher on start up searches for Steam install and proceeds to get list of files in your Steam Cloud (this includes mostly game saves for every user that has logged in on your PC).

Steam Cloud is stored under userdata\[account id]\ if you wanna check.

It will also create encrypted copy of config\localconfig.vdf.
This file contains your steam friends, their name history (groups you're part of, are considered "friends").

It seems friends might be used for friends suggestions, but I don't even use that feature and it collects more than that.

While it's called "localhistory" it is synced from cloud

It will read, encrypt and then write copy to: C:\ProgramData\Epic\SocialBackup\RANDOM HEX CODE_STEAM ACCOUNT ID.bak
It will also keep historical entries there.

As for contents of file:

Example of friends entry:
Click image for larger version

Name:	MEgXCG2.png
Views:	87
Size:	9.9 KB
ID:	3493711

Play history, will contain last playtime:
Click image for larger version

Name:	5peS608.png
Views:	116
Size:	31.7 KB
ID:	3493710

300 = Day of Defeat

{ "LastPlayed"  "1384125348"}
(1384125348 is unix timestamp near end of 2013). Apparently I have played this then.

To replicate these findings you can use Microsoft's Process Monitor:


It's recommended to add filter: "ProcessName is EpicGamesLauncher.exe" otherwise there will be tons of crap. Also you can set Drop Filtered events to save on memory.

First step is finding out where Steam is:
Click image for larger version

Name:	TYgs6Hg.png
Views:	57
Size:	20.8 KB
ID:	3493709

Then it will enumerate everything in Steam Cloud.

It doesn't seem to read anything, but just names of all your saves of games:
Click image for larger version

Name:	s7aZl70.png
Views:	62
Size:	192.5 KB
ID:	3493708

Then it will read localconfig.vdf:
Click image for larger version

Name:	qpgGA4s.png
Views:	61
Size:	283.5 KB
ID:	3493707

after it's done:
Click image for larger version

Name:	8pGAeFK.png
Views:	263
Size:	85.1 KB
ID:	3493706

42834588 = steam account id

76561197960265728 + account id = steam id = 76561198003100316 (this is my account)
The problem with all of the non-Steam friends related data is the fact that Epic, by way of the Epic Games Launcher, pulls your list of played games and last played time prior to you ever granting them permission to do so. This is done without any forward facing notification. It's also done prior to any permissions being granted by the end user to scrape this data. It's also odd that Epic would choose to scrape this Steam information and not use the readily available free Steam API that other major studios have used (EA with Apex Legends, for example) without issue.

Epic Games did issue a response. This statement comes from Daniel Vogel, VP of Engineering at Epic Games.

We use a tracking pixel (tracking.js) for our Support-A-Creator program so we can pay creators. We also track page statistics.

The launcher sends a hardware survey (CPU, GPU, and the like) at a regular interval as outlined in our privacy policy(see the “Information We Collect or Receive” section). You can find the code here.

The UDP traffic highlighted in this post is a launcher feature for communication with the Unreal Editor. The source of the underlying system is available on github.

The majority of the launcher UI is implemented using web technology that is being rendered by Chromium (which is open source). The root certificate and cookie access mentioned above is a result of normal web browser start up.

The launcher scans your active processes to prevent updating games that are currently running. This information is not sent to Epic.

We only import your Steam friends with your explicit permission. The launcher makes an encrypted local copy of your localconfig.vdf Steam file. However information from this file is only sent to Epic if you choose to import your Steam friends, and then only hashed ids of your friends are sent and no other information from the file.

Epic is controlled by Tim Sweeney. We have lots of external shareholders, none of whom have access to customer data.

Daniel Vogel
VP of Engineering
Epic Games Inc.
No, the github links probably won't work for you. You apparently need to tie your github account with your Epic account to be allowed access to those specific links.

Of course, the statement from Vogel doesn't address why any data has been scraped prior to a user giving their consent to do so. This is actually illegal to do this throughout Europe thanks to GDPR. GDPR says that you need to specifically state what data you would be collecting. A user than has to grant permission for this to happen. It is only after permission has been granted can the data be collected.

I'm sure we'll have more information on this one as it develops.