Yesterday, we learned that the Epic Store client was copying a Steam user data file called localconfig.vdf. According to Epic, the client stores a local, encrypted version of the file and does nothing with it unless you opt to import your Steam friends, at which point it sends only hashed friend IDs to Epic's servers.
Epic CEO Tim Sweeney said that this process was a rush job designed in "the early days of Fortnite," and that it's going to be fixed. He also said that the Epic Store doesn't use the Steam API due to Epic's own user privacy concerns, not regarding Steam's API in particular, but because of a "general concern of APIs collecting more data than expected." He pointed to this article (opens in new tab) about Facebook data harvesting.
In a statement sent to Bleeping Computer (opens in new tab) today, Valve's Doug Lombardi said that the company is "looking into what information the Epic launcher collects from Steam." It sounds like Valve isn't too pleased about the whole thing.
"The Steam Client locally saves data such as the list of games you own, your friends list and saved login tokens (similar to information stored in web browser cookies)," wrote Lombardi. "This is private user data, stored on the user's home machine and is not intended to be used by other programs or uploaded to any 3rd party service.
"Interested users can find localconfig.vdf and other Steam configuration files in their Steam Client’s installation directory and open them in a text editor to see what data is contained in these files. They can also view all data related to their Steam account at: https://help.steampowered.com/en/accountdata (opens in new tab)."
In other words, Valve doesn't think the Epic Store client should be touching localconfig.vdf at all, and presumably would prefer it if Epic used the Steam API to gather friends lists.
For Epic's part, it has not said that the entire file is uploaded, only that it parses out user IDs and uploads hashes (opens in new tab) of them, should users import Steam friends. In the future, Valve could potentially encrypt local user data to prevent the Epic client and other software from copying it.
Valve hasn't said that, though. In an email to PC Gamer, Lombardi said that Valve has nothing more to add at the moment. I've also contacted Epic to see if it has a response beyond yesterday's Reddit posts, and will update this article if I receive a reply.