Like what the title says. There’s always a catch unless it’s FOSS. So, what is the catch with them giving games for free that you can keep forever? What will the developers of the games get as a thank you?
Like what the title says. There’s always a catch unless it’s FOSS. So, what is the catch with them giving games for free that you can keep forever? What will the developers of the games get as a thank you?
One catch is that Epic’s mystery code is allowed to execute on your computer.
Note that I don’t mean just their launcher. Often, if not always, the games themselves are linked with Epic code, ostensibly for license checks and/or integration with Epic services. This gives them the ability to snoop on stored data, installed/executing processes, biometrics, etc.
Running those free games with an alternative launcher does not protect against this.
It’s not just a theoretical concern, either. Epic has already been caught copying Steam files, collecting friends play history, and scanning running processes.
https://www.resetera.com/threads/developing-epic-games-launcher-appears-to-collect-your-steam-friends-play-history-up2-valve-responds-see-threadmarks.105385/
https://old.reddit.com/r/fuckepic/comments/wakewr/epic_games_spyware_vs_steam_vs_as_comparision_ea/
https://www.pcgamesn.com/epic-launcher-spyware
I don’t trust them, their CEO, or Tencent (which owns a significant chunk of Epic), so I don’t run games that come from them.
Citing “fuckepic” 🤦. The spyware claims from amateurs not even understanding the basics of Process Monitor have been long debunked by people who aren’t even sympathetic to Epic (1, 2).
Trying to discredit people because of the forum on which they discussed a topic, or because you view them as beneath your skill level, is a more than a little misguided, and frankly, disingenuous.
Epic themselves have admitted to copying Steam data and scanning running processes, as has been documented in various news articles. (example, example)
In any case, the point is not one particular incident or report, but rather that they have the capability, grant themselves permission to use it via their policy documents, and have earned distrust among a lot of gamers. Posting condescending emoji here doesn’t change that.
Edit: P.S. In future comments defending Epic, you might do readers the courtesy of stating up front that you are moderator of an Epic Games forum.
Why would I trust a random cropped screenshot from a bad faith subreddit about hating everything related to Epic? Either of us can run Process Monitor, filter by the desired process, and see if their claims have merit. They don’t.
The article and post I linked already explain the Steam and process list parts. How in your opinion does any program that needs to check if a process is running do that? Where would you expect Epic to get your Steam friends list if you’re asking it to import your Steam friends?
This is such an underrated comment for such an important point.
Is this an issue when using the Heroic launcher as well? None of the links mention this being an issue with Heroic.
Heroic Games Launcher doesn’t change the code in the game executable itself, so yes, it is still an issue when using Heroic.
Install Heroic via Flatpak and use Flatseal so you decide what it gets access to.
Flatpak permissions are famously coarse, and its sandboxing mechanism is weak and full of holes. It can be useful for guarding against damage caused by programming mistakes, but I would not recommend it to anyone wanting protection from adversarial software.
What would be your recommended way to run the Epic Launcher?
I do not recommend running Epic software at all.
But imagine if someone did want to use it, what would be your recommended approach? You seem quite knowledgeable in this area and I’m sure we could all learn something.
You might want to read my other comments elsewhere on this post.
Please keep in mind that no matter what technical measures you take, accepting Epic’s “free” games requires agreeing to their terms and conditions, which they can change after you get the games. I really don’t recommend it.
Even without that, I don’t think a game running on their own wine prefix can interact with your Steam running on Linux system directly.
It would be pretty amazing if this godforsaken company only looked at Linux to fuck us like that.
And there we have the catch! If not one of them. Many thanks :)
can it be sandboxed in a sensible way? (on linux specifically)
You could download and play the games on a machine that is never used for any other purpose, but it would still be able to collect biometric data (mouse movement, keystroke patterns, voice if you have a microphone, etc.) and probe/fingerprint your network.
Short of a dedicated machine, the closest you’re likely to get is a hypervisor-based virtual machine. Of course, that won’t safeguard your biometrics or (in most cases) your network, either.
Such a machine would be safer if you never gave it network access, so it couldn’t exfiltrate any data that it had collected, but downloading games requires network access at some point, and it would only take milliseconds for a “helper” process (perhaps quietly installed or launched with the game) to leak the data.
In general, hostile code will always be unsafe. If it concerns you, it’s best to avoid it entirely.