
Forced login on forums

This one cropped up a couple of weeks ago.

If I’m visiting the forums on, say, my phone or laptop it always prompts me to enter my Epic credentials even though all I want to do is read stuff. Why do I have to log in just to view the forums?

Hey,

This is because of a “Single Sign-On” integration that was added to our sites after GDC. This allows you to log into the Launcher, answerhub, forums or main site and be automatically logged into all the others. It did change how the forums require you to log in, but makes travelling/posting between sites simpler. Please let me know if you have any questions, comments or concerns. We are always interested in hearing everyone’s feedback on these kinds of changes.

edit: AnswerHub isn’t currently on the SSO, but will be soon.

Well I just presented one. When I’m on my phone or laptop I don’t want to have to take the time to sign in if all I want to do is check up on a couple of threads.

Good point! I’m running this up the chain and seeing what we can do to make this easier on people who just want to read the forums without the bother of logging in (which is a bit annoying to do on a cell phone). Thanks for your feedback!

Not sure how it is on the iPhone and Android phones, but on Windows Phone I only logged in once and since then I have never seen the login screen again. Sometimes I see the ‘thanks for logging in’ message shortly.

What if you log in once? I know passwords (if it’s a strong password) can be a pain to enter on a phone, but if it’s only once… why not?

I also use multiple devices at different locations (including my android phone), but whenever I go to the forums I get automatically logged in. (“Thanks for logging in, Kia.” then I get redirected)

I use them on my phone, tablet, laptop, PC … and I have only had to log in once.

Personally I find it very disturbing that the Launcher is messing with other parts of my OS/Desktop and can automatically log me in my browser.

The Launcher is an Epic Games product and my browser is another vendor’s - the two should not interact in any way that I do not know of, or approve/disapprove of in advance.

Way too many companies are trying to sell me on a “lifestyle” or provide me with their “walled garden” of what they think my experience should be. I understand that Epic wants to provide an “experience” but I did not ask for it nor is it warranted.

Let me give you a similar (but perhaps extreme) example of what Epic does here: http://www.theguardian.com/technology/2015/jun/24/samsung-disables-windows-update-laptops-hackers

Epic, please stay out of my other applications and OS related functions.

The launcher is not interacting with your browser for single sign-on. It’s pretty standard web tech, AFAIK when you signed on previously the web sites save a cookie that you logged on, and when you visit the site in the future, it queries for the cookie and prompts you to log in again (or auto-logins) if it finds it.

Note: I have no idea of the specifics or why we’re forcing you to log in if we find the cookie but it’s expired or whatever, versus only auto-logging in if it’s within the allowed duration.

Cheers,
Michael Noland

Hi Michael,

I made sure I was logged out of my browser session with the Forums here so that cookie was cleared.

Any interaction with the Launcher will re-instate that cookie, even clicking on the Latest Release Notes under Library menu or Grab the Source on GitHub generates a URL such as:

https://accountportal-website-prod07.ol.epicgames.com/exchange?exchangeCode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&redirectUrl=https%3A%2F%2Fwww.github.com which causes OAUTH to sign me into Epic’s website.

The Launcher is a separate application and not an extension of Epic’s website, because it’s not running inside the confines of my web browser. As it stands, the Launcher is doing something I did not know, or approve of, in advance. Thus it could be considered malware, or some other kind of untrustworthy application.

I really do not want to be logged into Epic’s website if I’m clicking on a GitHub link, nor to read the Latest Release Notes from within the Launcher. The same goes for the Marketplace or any other item that could personally identify me, unless I specifically approve it. And, I don’t really have a choice because I’m forced to log in beforehand not knowing what information is being passed across the Web (including metrics of my OS, hardware, installed software, etc).

Epic has to find some other way to do a single sign-on, collect metrics (through a transparent opt-in and not defaulting without seeking user’s permission) and do other things…you know the usual way everyone else does it: log into a form on the website and store a cookie set across the unrealengine.com domain, valid for all of its sub-sites. Logging out also allowing to clear the same cookie.

Unless things change, I will have to start binary patching the Launcher to sanitize this and any other suspicious functionality I find.

Hi Amigo,

Would your concerns be satisfied with a launcher setting that disables auto-login, so that all of its links open the target pages using your web browser’s default settings with respect to that page? I think this would need to be a special setting, as most users who are logged into it in the launcher would prefer that links like “Forums” send them to the forums logged-in and ready to participate.

Do you have other privacy concerns that are best addressed within the launcher or Epic web site rather than in web browser privacy settings?

-Tim

Hi Tim,

I did not really audit the Launcher and therefore cannot say about any other privacy concerns at the moment. But, I do believe that it needs a higher level of transparency and explicit opt-ins that are clearly communicated to the user, beforehand.

Please don’t just change the EULA forcing everyone to agree to the current conditions if they wish to use the Unreal Engine. That would be an easy, but not an exemplary, way out. Epic has done such a great job in being transparent since coming into the public, and set a level pretty high for all other vendors to (try and) follow.

I wouldn’t say that the Launcher’s auto-login smears that record, but if it caught my eye, then someone else who is overly zealous about privacy and set to dissect this further might cause reputation damage to Epic.

In my example above, the GitHub link in the Launcher passes you through Epic server, rather than directly linking to the destination. What happens in-between is a “black box” and most people will shrug it off by not noticing, but someone might just decide to inspect the traffic and peer into the packets being sent (or run the Launcher through the debugger and go really deep into it).

Granted you are using SSL, but that makes it even more ambiguous as you can’t easily see the contents of the communication. What is the Launcher doing in the background - it has access to the file system, or at least the current user’s home folder and everything inside it. And what is the exchangeCode parameter, does it uniquely identify me as a user and logs my activities on Epic servers for whatever purposes? Has that been disclosed to me somewhere in advance?

While on the same subject, another example is CrashReportClient, which potentially sends quite a number of things back to Epic that could be considered “personal information”. The fact that there’s a checkbox that says “I agree to be contacted by Epic via email…” sounds like a huge elephant in the room. I am personally identified, even though I did not, nor was I prompted to, include my personal details for communication during this session that crashed. Does that not sound just a tiny bit like a “Big Brother is watching”?

At least in the case of the CrashReportClient, full source code is available and anyone with an inclination can take a look under the hood.

This is not the case with the Launcher and I understand some of the reasons why (Marketplace purchases/transactions) but perhaps there’s a way to open all that to the public scrutiny as well, just like the rest of the code is. The Community has far more resources than Epic does. It could find, if any, faults and point them out rather than potentially having to learn of them through someone’s malicious actions in the future. Remember, obscurity is not security!

Thank You.

I would prefer to log in myself really. Not a company doing it for me.

Feeding the data monster, because ‘we can’…

+1 Amigo!

  • US corporations tend to see user tracking as a benign act. And perhaps it is, as long as everyone plays fairly. But problems arise when some players don’t, or when the rules keep changing Orwell-Animal-Farm style, and the data gets slurped and merged in ways that we can’t possibly imagine. The fact that both Facebook and Google are being prosecuted in Europe right now should speak volumes about what were just two popular start-ups a decade ago.

  • Whatever this data is for Epic, whatever the reason you’re hoovering it all up, please don’t go down the slippery slope of gobbling it just because you can, because it may prove useful later in ways no one can imagine today, or just to monetize it because everyone else is! Instead, please focus on kicking out great game engines as you always have…

We here at Epic spend a lot of time trying to do things right, but don’t always have as much consistency or forethought as we’d like. I absolutely hate companies that don’t respect user privacy. So we’ll work to get this right.

Regarding the launcher login issue, I think the best solution for launcher privacy would be to have a persistent global option to disable login when clicking on a web browser link to an Unreal Engine web site. Disabling it always for everybody would make some of the links less convenient, for example Account Settings (which opens in a web browser) would require a redundant login.

The launcher login concerns are exacerbated by some broken functionality such as requiring web logins for public operations such as forum browsing which don’t inherently require it, and didn’t require it previously. Non-Epic links such as GitHub should not go through this Epic-based web redirector. Google and Bing do that pervasively and I hate it as much as you guys do.

I’ll chat with the folks responsible for the crash reporter to find out more about what it reports. I do find it antisocial that it doesn’t have a “Close without sending” button. As for the other detail, I think Firefox used to have a cool crash reporter option that showed you a text file containing absolutely all of the info it’s going to send, so there is no uncertainty about it.

With default settings like that checkbox, we try to default to what is most useful for the community at large, rather than optimizing for either extreme data collection or extreme privacy. The checkbox for optionally sending email address (I assume that’s what it means by “contact”, though it’s more vague than it should be!) is so we can follow up with folks reporting important crashes we’re unable to reproduce here. It can be very handy for bug turnaround.

Weird … I thought if you just clicked the big “X” button at the top of the window it never sent the crash report.

Thanks again Tim, for taking the time to address this.

Just a note regarding CrashReportClient, as per above. The CRC does not prompt the user for a contact email address, and as far as I’m aware, it does not use the Launcher login email either.

Instead, it uses MachineId and EpicAccountId parameters which are already pre-filled, therefore that data has already been collected and stored by Epic (without an opt-in?!). That in my head screams klaxons more than prompting me for an email address, because these Ids personally identify me in the Epic database and are apparently connected to my account information (from where my email would be used to contact me).

Although, as qdelpeche said, one can click X and close CRC without (hopefully) sending any information. Nevertheless, the MachineId and EpicAccountId issue remains.

Yes, we need to fix this.

Speaking from the back-end as the Dev that built most of our SSO, Authentication, and in house web tracking functionality, I’m very cognizant of allowing people to opt out of data collection and “magic” behavior.

Our web tracking respects the Do Not Track header (DNT), which is quickly becoming the standard for indicating that you don’t want to be tracked. Enabling the DNT header in your browser will cause our services to not track any data about your activity on our sites. You may still see calls to a tracking site, but we are discarding the data. Information about enabling this for Firefox and Chrome can be found in the links below:

https://support.mozilla.org/en-US/kb/how-do-i-turn-do-not-track-feature
https://support.google.com/chrome/answer/114836?hl=en

The exchange code that is sent to your browser is only used to log you in so that you have a more seamless experience, and doesn’t inherently identify you. The code is single use and is generated each time the launcher opens an external link. Furthermore, it can only be used by our authentication systems.

For the required login on forums behavior, we are looking for people who are running into this, as you should be seeing the “Thanks for logging in” message not the login screen. We’re attempting to keep you logged in to the forums via your existing SSO session, but this is failing for some users. If you are experiencing this, please reach out so that we can get a bit more info from you.
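An added sketch, not Epic's code and not part of any post in this thread, of the design the discussion converges on: a single-use exchange code issued per launcher link, an opt-out that opens links without auto-login, third-party links that bypass the redirector, and tracking that honours the DNT header. The `exchangeCode` and `redirectUrl` parameter names come from the URL quoted earlier; the hosts, the 60-second lifetime and all function names are assumptions.

```python
import secrets
import time
from urllib.parse import quote, urlsplit

# Assumed values, not from the thread: code lifetime and the first-party host list.
CODE_TTL_SECONDS = 60
FIRST_PARTY_HOSTS = {"www.example.com", "forums.example.com"}
EXCHANGE_URL = "https://accounts.example.com/exchange"  # placeholder endpoint


class ExchangeCodeStore:
    """In-memory store of single-use login codes (a real service would share this)."""

    def __init__(self, clock=time.monotonic):
        self._codes = {}  # code -> (account_id, expires_at)
        self._clock = clock

    def issue(self, account_id):
        code = secrets.token_urlsafe(24)  # random, carries no account data itself
        self._codes[code] = (account_id, self._clock() + CODE_TTL_SECONDS)
        return code

    def redeem(self, code):
        entry = self._codes.pop(code, None)  # pop: a replayed code finds nothing
        if entry is None:
            return None
        account_id, expires_at = entry
        return account_id if self._clock() <= expires_at else None


def is_first_party(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in FIRST_PARTY_HOSTS


def launcher_link(store, account_id, target_url, auto_login=True):
    """URL the launcher opens: third-party or opted-out links go out untouched."""
    if not auto_login or not is_first_party(target_url):
        return target_url
    code = store.issue(account_id)
    return f"{EXCHANGE_URL}?exchangeCode={code}&redirectUrl={quote(target_url, safe='')}"


def handle_exchange(store, code, redirect_url, dnt_header=None):
    """Server side: returns (redirect_to, logged_in_account, record_tracking)."""
    account_id = store.redeem(code)  # consumed even if the request is rejected
    track = dnt_header != "1"  # DNT: 1 means discard tracking data
    if not is_first_party(redirect_url):
        return (None, None, track)  # refuse to act as an open redirector
    return (redirect_url, account_id, track)
```
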

Please also consider asking whether users want to download the latest Launcher Update or not, or download anything for that matter.
The Launcher right now with internet is almost certain to download something every time you start it. If you quickly want to jump into a project, or if your connection is slow, then this is bad.
Also just downloading without asking…I mean this is generally really bad practice.