Valve has confirmed it is investigating what information the Epic Launcher is collecting from Valve’s online digital store client, Steam, after users claimed Epic was accessing and tracking Steam data without consent.
The issue began with a Reddit thread that accused the Epic Games Store of using a tracking pixel to access root certificates and DLLs without the user’s knowledge – claims later substantiated by PC Gamer.
"We are looking into what information the Epic launcher collects from Steam. The Steam Client locally saves data such as the list of games you own, your friends’ list and saved login tokens (similar to information stored in web browser cookies)," a Valve spokesperson told Bleeping Computer (thanks, GI.biz). "This is private user data, stored on the user’s home machine and is not intended to be used by other programs or uploaded to any 3rd party service."
Epic VP of engineering Daniel Vogel explained the issue was down to "a tracking pixel (tracking.js) [Epic uses] for [its] Support-A-Creator program so [it] can pay creators", and said the root certificate and cookies access was "a result of normal web browser start up". Subsequently, CEO Tim Sweeney, too, responded by acknowledging the issue and confirming a fix was on its way.
"You guys are right that we ought to only access the localconfig.vdf file after the user chooses to import Steam friends," Sweeney said on Reddit. "The current implementation is a remnant left over from our rush to implement social features in the early days of Fortnite. It’s actually my fault for pushing the launcher team to support it super quickly and then identifying that we had to change it. Since this issue came to the forefront we’re going to fix it.
"We don’t use the Steam API because we work to minimize the number of third-party libraries we include in our products due to security and privacy concerns."
In response to Valve statement, Epic responded with the following: "We’ve responded to in full here: https://www.reddit.com/r/PhoenixPoint/comments/b0rxdq/epic_game_store_spyware_tracking_and_you/eijlbge/.
"We only import your Steam friends with your explicit permission. The launcher makes an encrypted local copy of your localconfig.vdf Steam file. However information from this file is only sent to Epic if you choose to import your Steam friends, and then only hashed ids of your friends are sent and no other information from the file."