Epic Games has responded to accusations that its launcher is secretly mining users' Steam data, saying that the information it collects is used for multiple non-nefarious purposes including its Support-a-Creator program, communicating with the Unreal Editor, and importing your Steam friends list should you opt to. The launcher does scan for active processes, but Epic's vice president of engineering Daniel Vogel said that it does so to ensure that games don't attempt to update while they're running, and that the data is not sent to Epic.
Worries about the Epic launcher's data tracking were sparked by this lengthy Reddit post, which claims, among many other things, that the app enumerates running processes and attempts to access DLLs and root certificates without notifying the user. The author also claimed that data was being transmitted to Epic for unknown reasons, and that it stores hardware information in the registry.
Similar, somewhat easier to follow results were posted today on Resetera, and our own hardware master Jarred Walton confirmed that the launcher had poked around in his Steam files.
According to Vogel, the launcher does make an encrypted copy of your localconfig.vdf file from Steam, but only sends it to Epic if you opt to import your Steam friends list via the "add friend" menu in the Epic app, and then only sends hashed IDs of your friends.
Additionally, "We use a tracking pixel (tracking.js) for our Support-A-Creator program so we can pay creators. We also track page statistics," wrote Vogel. "The launcher sends a hardware survey (CPU, GPU, and the like) at a regular interval as outlined in our privacy policy (see the 'Information We Collect or Receive' section). You can find the code here." [You must be logged in to view the Github links.]
Epic's privacy policy does state that it collects "technical information about your computer, device, hardware, or software you use to access the Internet or our services" when you use its websites, games, and applications. It also collects usage information for its websites, such as referral URLs and how long you're on them (most websites track these statistics), crash reports, location info, and "information that facilitates a safer and more personalized experience."
"The UDP traffic highlighted in this post is a launcher feature for communication with the Unreal Editor. The source of the underlying system is available on github," Vogel continued. "The majority of the launcher UI is implemented using web technology that is being rendered by Chromium (which is open source). The root certificate and cookie access mentioned above is a result of normal web browser start up."
Vogel also took a moment to address accusations in the original post that Epic, due to the minority share in the company held by Tencent, has "very heavy ties to the Chinese government."
"Epic is controlled by Tim Sweeney," he wrote. "We have lots of external shareholders, none of whom have access to customer data."
Epic's response isn't satisfying everyone: Several respondents on Reddit ask why the company is collecting data preemptively and without permission, despite Vogel saying that the Steam data is only transmitted if the user opts-in to importing Steam friends. With so much existing animus around the Epic Store and its exclusivity deals, it's likely this one will keep smoldering for now.
Update: In a comment on Reddit, Epic boss Tim Sweeney acknowledged that the Epic launcher should only access the localconfig.vdf from Steam after the user has opted to import their Steam friends list, not before.
"The current implementation is a remnant left over from our rush to implement social features in the early days of Fortnite. It's actually my fault for pushing the launcher team to support it super quickly and then identifying that we had to change it," he wrote. "Since this issue came to the forefront we're going to fix it."
He also addressed the question of why the launcher access Steam data files directly rather than using Steam's own API, saying that Epic aims to minimize its use of third-party libraries because of security and privacy concerns—not with Valve specifically, but "for the general concern of APIs collecting more data than expected."
