Releasing a new game launcher might be harder than Epic Games thought. People have complained about the Epic Games Store since its launch, and on March 14, a Reddit post about various privacy concerns got enough attention to warrant a response from Epic.
The post’s main complaint involved the Epic Games Store copying Steam’s localconfig.vdf file, regularly accessing root certificates, and tracking its users’ activity in several ways. Some of those concerns could be explained away by the Epic Games Store being a glorified web browser; others could not.
Epic Games VP of Engineering Daniel Vogel responded to the post. In his response, Vogel said tracking is used to monitor page statistics and enable the Support-A-Creator program. He also said the launcher scans active processes to make sure it doesn’t update a running game and that it regularly sends users hardware surveys.
But this part of Vogel’s response caught some attention:
“We only import your Steam friends with your explicit permission. The launcher makes an encrypted local copy of your localconfig.vdf Steam file. However information from this file is only sent to Epic if you choose to import your Steam friends, and then only hashed ids of your friends are sent and no other information from the file.”
But why copy the file before someone makes it clear that they want to import their Steam friends to the Epic Games Store?
Epic Games CEO Tim Sweeney eventually chimed in to explain that “the current implementation is the result of a system that was built quickly and then rapidly modified before launch.” (This makes it seem like he’s talking about the Epic Games Store launch; in another comment, he said he’s talking about Fortnite.)
“It’s a klunky method that we’ll fix,” Sweeney said. He also explained that Epic didn’t just use the Steam API because “we avoid including third-party code in our engine wherever possible, as it often brings its own privacy, security, and licensing complications (though Valve has a fine reputation).”
In another comment, Sweeney cited a report about iOS apps sending private data to Facebook to explain “the general concern of APIs collecting more data than expected.” He also said:
“You guys are right that we ought to only access the localconfig.vdf file after the user chooses to import Steam friends. The current implementation is a remnant left over from our rush to implement social features in the early days of Fortnite. It’s actually my fault for pushing the launcher team to support it super quickly and then identifying that we had to change it. Since this issue came to the forefront, we’re going to fix it.”
A Valve spokesperson told Bleeping Computer that it is “looking into what information the Epic launcher collects from Steam.” The localconfig.vdf file doesn’t just contain a friends list–it also stores information about the games someone owns, saved login tokens, and other data that’s only meant to be used by Steam.
Some of the furor surrounding the Epic Games Store isn’t warranted– as we said above, some of its activity can be explained by it being a Chromium browser wrapped in an app. But it’s clear that Epic might not have been as ready as it thought to release a game launcher that could compete with Steam.