Launcher Lawlessness

Think back to 2005. You pop your Star Wars Battlefront II–or Age of Empires III, or Medal of Honor, et certa–disc into your PC and start to play. Ah, those were the days of simplicity! But no longer.

Popular Launchers (Source: Google Images)

It is now 2019 and many of the most popular PC games are accessible via game launchers. Some of the most widely-known launchers are:

  • Steam
  • Epic
  • Blizzard (formerly
  • EA Origin
  • GOG

Even Minecraft has its own launcher these days. Steam is the most comprehensive launcher with more than 780 million games available for purchase/download (according to Forbes in 2014). Some launchers host their own developers’ exclusives (such as Blizzard and their World of Warcraft or EA’s Origin and the Battlefield games), while others host a wide variety of games from many developers and studios–GOG and Steam are examples of this.

Overall, these launchers can be helpful because of the easy updates, information, and access they provide. However, launchers come with a dark side, too. With the advent of the internet and big data, information has become a currency; much like actual money, people go through great lengths to protect their information. Online privacy is an increasingly hot-button topic and the intersection of information security and game launchers has the gaming community fired up.

In 2014, EA’s Origin launcher was accused of snooping around personal files and system processes unrelated to its application. Usman Pirzada wrote an article which summarized the concern adequately (you can find it here). While EA claims to have addressed the concern, and many gamers concur, there are still reddit threads and other question out on the web years later asking “is Origin still snooping?”

More recently, Epic games has come under fire for supposed evidence of their launcher snooping around users’ systems–particularly in personal directories such as your Steam library–where it has no business snooping. u/notte_m_portent on reddit explained the concerns nicely in their post. Several knowledgeable commenters laid several of the concerns to rest, while others remained questioned.

u/SmileyBarry explains:

EGS isn’t trying to access DLLs in Fiddler directly. Fiddler adds its installation folder to your %PATH% variable on-installation (so you could run it by just typing “fiddler”). When you load a DLL by-name and not by-path (which seems to be the case since it looks like an import table entry, which are only by-name), Windows goes through all the folders in your %PATH% looking for the file you named. Fiddler was one of those folders.
As someone else said, “tracking.js” looks like some analytics library like almost everyone uses. The embedded store itself is probably a web frame that uses analytics because their web development department (like all of them) wanted to.
Reading about your root certs, IE COM classes, IE cookie folders, and other IE-related things are all part of WinHTTP. (and ironically why you can even MITM it with Fiddler, since if it used some standalone HTTP library like libcurl it wouldn’t accept your new root CA) That happens automatically when you create a session or connection and isn’t Epic’s doing, nor is it malicious.
The hardware survey bit is a little privacy-invasive but it’s probably the same hardware spec gathering that AAA game devs already do without asking you (it’s in the EULA), Steam is more of an outlier here.
EGS talking to itself is just standard IPC practice: some apps use localhost sockets (a common Linux practice), some apps uses pipes, etc.

While the technical side of the software and its interactions with the operating system and user files can largely be explained, other behaviors are left questioned with no logical explanation, as u/jhartikainen put:

I was looking at this first “oh God not one of these threads again.” A lot of registry access, DLLs, browsers, can be fairly normal because the launcher uses a browser to display stuff, etc. so it might need to load [stuff].
But it actually looks shady now that I looked into it.
I noticed that for some reason it looks up a lot of stuff in my Steam directory. What possible reason does it have for this?
I don’t fully buy the anticheat idea. It does this stuff just when you start the epic games launcher. Why would just that trigger an anticheat?
I looked at the network traffic quickly and at least it doesn’t seem to be doing anything dodgy there… so who knows what’s up with this.

Daniel Vogel, VP of Engineering at Epic Games made a statement in response to redditors’ concerns just this past month, stating;

The launcher scans your active processes to prevent updating games that are currently running. This information is not sent to Epic.
We only import your Steam friends with your explicit permission. The launcher makes an encrypted local copy of your localconfig.vdf Steam file. However information from this file is only sent to Epic if you choose to import your Steam friends, and then only hashed ids of your friends are sent and no other information from the file.

While that sounds comforting and all, some investigation by Madjoki shows that the launcher searches for Steam installs then proceeds to get a list of files in your Steam cloud. The files contain lists of your friends and games that you’ve played (including how long you’ve played them). With a little digging, you can find this data within the Epic launcher files. Strange.

Simply because EA and Epic have been called out for these concerns, does not mean that gamers should not have the same concerns with other launchers–Steam included. With less-than-adequate evidence on each side of the argument and a lot of A-said-B-said, this topic isn’t going away any time soon. It’s in gamers’ best interest to stay up-to-date on the issues, carefully read the End User License Agreement (EULA) and Terms of Service (ToS) for all games and services they use, as well as have an understanding of what data is on their computers and what can access it.

What are your concerns with launcher privacy issues? What are your thoughts on the “if you don’t like it, don’t play” mentality? I look forward to hearing from you. We’ll see each other next time!

Game on,

~ Griff