This week, certain corners of the gaming Internet have been abuzz with a bit of self-described “amateur analysis” suggesting some “pretty sketchy,” spyware-like activity on the part of the Epic Game Store and its launcher software. Epic has now stepped in to defend itself from those accusations, while also admitting to an “outdated implementation” that can access local Steam information without authorization.
The Reddit post “Epic Game Store, Spyware, Tracking, and You!” draws a wide-ranging set of implications from some broad observations of file access and network traffic while the Epic Game Store is running. But much of the post is focused on Epic’s association with Chinese gaming giant Tencent, which owns a share of the company.
“Tencent is a significant, but minority shareholder in Epic,” co-founder and CEO Tim Sweeney wrote in response to the conspiracy theory in one Reddit thread. “I’m the controlling shareholder of Epic… The decisions Epic makes are ultimately my decisions, made here in North Carolina based on my beliefs as a game developer about what the game industry needs!”
Sweeney offered a similar defense of Epic’s relationship with Tencent back in December, when similar concerns first popped up. “Epic does not share user data with Tencent or any other company,” he wrote at the time. “We don’t share it, sell it, or broker access to it for advertising like so many other companies do. I’m the founder and controlling shareholder of Epic and would never allow this to happen.”
“Epic is controlled by Tim Sweeney,” Epic’s VP of Engineering Daniel Vogel added in response to another recent thread. “We have lots of external shareholders, none of whom have access to customer data.”
Vogel went on to offer explanations for some other suspicious-looking Epic Games Store app activity. A “tracking.js” file, for instance, is used to track revenue-sharing statistics for Epic’s Support-a-Creator program, he wrote. Vogel also pointed to the open source code behind features like the anonymized hardware survey, the Unreal Editor, and the Chromium-based launcher UI, which he said cause most of what the original post identifies as “sketchy” app activity.
Vogel does admit, though, that “the launcher makes an encrypted local copy of your localconfig.vdf Steam file” automatically and without explicit user permission. However, he writes, that hashed file is only sent to Epic if you choose to import your Steam friends to the Epic Game Store in order to find potential matches with others that have opted in.
Still, Sweeney acknowledged that Epic accessing local Steam files without direct permission might justifiably rub some users the wrong way. “You guys are right that we ought to only access the localconfig.vdf file after the user chooses to import Steam friends,” he wrote on Reddit. “The current implementation is a remnant left over from our rush to implement social features in the early days of Fortnite. It’s actually my fault for pushing the launcher team to support it super quickly and then identifying that we had to change it. Since this issue came to the forefront we’re going to fix it.”
“This sort of independent analysis of what data software accesses… is a healthy trend and I’d love to see it done more widely,” Sweeney wrote in another comment. “In analyzing the results, it’s important to distinguish the normal from the abnormal… and to separate technical analysis from inflammatory rhetoric, such as the insane claim that we’re a bunch of Chinese spies.”