Tweet
Madjoki also found that it pulls a list of your Steam friends and their name history. Now, the friends thing isn't too unusual because the Epic Games Launcher does allow you to import your Steam friends to see if they have an Epic Games account.
Here is what Madjoki has found thus far.
Epic Games Launcher on start up searches for Steam install and proceeds to get list of files in your Steam Cloud (this includes mostly game saves for every user that has logged in on your PC).
Steam Cloud is stored under userdata\[account id]\ if you wanna check.
It will also create encrypted copy of config\localconfig.vdf.
This file contains your steam friends, their name history (groups you're part of, are considered "friends").
It seems friends might be used for friends suggestions, but I don't even use that feature and it collects more than that.
While it's called "localhistory" it is synced from cloud
It will read, encrypt and then write copy to: C:\ProgramData\Epic\SocialBackup\RANDOM HEX CODE_STEAM ACCOUNT ID.bak
It will also keep historical entries there.
As for contents of file:
Example of friends entry:
Play history, will contain last playtime:
300 = Day of Defeat
(1384125348 is unix timestamp near end of 2013). Apparently I have played this then.
To replicate these findings you can use Microsoft's Process Monitor:
https://docs.microsoft.com/en-us/sys...nloads/procmon
It's recommended to add filter: "ProcessName is EpicGamesLauncher.exe" otherwise there will be tons of crap. Also you can set Drop Filtered events to save on memory.
First step is finding out where Steam is:
Then it will enumerate everything in Steam Cloud.
It doesn't seem to read anything, but just names of all your saves of games:
Then it will read localconfig.vdf:
after it's done:
42834588 = steam account id
76561197960265728 + account id = steam id = 76561198003100316 (this is my account)
Steam Cloud is stored under userdata\[account id]\ if you wanna check.
It will also create encrypted copy of config\localconfig.vdf.
This file contains your steam friends, their name history (groups you're part of, are considered "friends").
It seems friends might be used for friends suggestions, but I don't even use that feature and it collects more than that.
While it's called "localhistory" it is synced from cloud
It will read, encrypt and then write copy to: C:\ProgramData\Epic\SocialBackup\RANDOM HEX CODE_STEAM ACCOUNT ID.bak
It will also keep historical entries there.
As for contents of file:
Example of friends entry:
Play history, will contain last playtime:
300 = Day of Defeat
Code:
"300"
{ "LastPlayed" "1384125348"}
To replicate these findings you can use Microsoft's Process Monitor:
https://docs.microsoft.com/en-us/sys...nloads/procmon
It's recommended to add filter: "ProcessName is EpicGamesLauncher.exe" otherwise there will be tons of crap. Also you can set Drop Filtered events to save on memory.
First step is finding out where Steam is:
Then it will enumerate everything in Steam Cloud.
It doesn't seem to read anything, but just names of all your saves of games:
Then it will read localconfig.vdf:
after it's done:
42834588 = steam account id
76561197960265728 + account id = steam id = 76561198003100316 (this is my account)
Epic Games did issue a response. This statement comes from Daniel Vogel, VP of Engineering at Epic Games.
We use a tracking pixel (tracking.js) for our Support-A-Creator program so we can pay creators. We also track page statistics.
The launcher sends a hardware survey (CPU, GPU, and the like) at a regular interval as outlined in our privacy policy(see the “Information We Collect or Receive†section). You can find the code here.
The UDP traffic highlighted in this post is a launcher feature for communication with the Unreal Editor. The source of the underlying system is available on github.
The majority of the launcher UI is implemented using web technology that is being rendered by Chromium (which is open source). The root certificate and cookie access mentioned above is a result of normal web browser start up.
The launcher scans your active processes to prevent updating games that are currently running. This information is not sent to Epic.
We only import your Steam friends with your explicit permission. The launcher makes an encrypted local copy of your localconfig.vdf Steam file. However information from this file is only sent to Epic if you choose to import your Steam friends, and then only hashed ids of your friends are sent and no other information from the file.
Epic is controlled by Tim Sweeney. We have lots of external shareholders, none of whom have access to customer data.
Daniel Vogel
VP of Engineering
Epic Games Inc.
The launcher sends a hardware survey (CPU, GPU, and the like) at a regular interval as outlined in our privacy policy(see the “Information We Collect or Receive†section). You can find the code here.
The UDP traffic highlighted in this post is a launcher feature for communication with the Unreal Editor. The source of the underlying system is available on github.
The majority of the launcher UI is implemented using web technology that is being rendered by Chromium (which is open source). The root certificate and cookie access mentioned above is a result of normal web browser start up.
The launcher scans your active processes to prevent updating games that are currently running. This information is not sent to Epic.
We only import your Steam friends with your explicit permission. The launcher makes an encrypted local copy of your localconfig.vdf Steam file. However information from this file is only sent to Epic if you choose to import your Steam friends, and then only hashed ids of your friends are sent and no other information from the file.
Epic is controlled by Tim Sweeney. We have lots of external shareholders, none of whom have access to customer data.
Daniel Vogel
VP of Engineering
Epic Games Inc.
Of course, the statement from Vogel doesn't address why any data has been scraped prior to a user giving their consent to do so. This is actually illegal to do this throughout Europe thanks to GDPR. GDPR says that you need to specifically state what data you would be collecting. A user than has to grant permission for this to happen. It is only after permission has been granted can the data be collected.
I'm sure we'll have more information on this one as it develops.
