On March 6 - the same day “A Bug in the System” launched - ArenaNet quietly pushed code into the Guild Wars 2 client that scanned every running process on your computer and sent that data to their servers. Nobody told us.
Key Highlights
- A March 6, 2018 update included an anti-cheat module that scanned all active processes on a player’s PC - not just known cheat programs
- Security researcher Fabian Wosar reverse-engineered the update and made the code’s behavior public
- More than 1,500 accounts were banned in the resulting wave, initially with no appeal process
- The code was quietly removed on March 27 - before most players even knew it existed
- Players in the EU are now invoking GDPR data rights to formally request what ArenaNet collected - and some are successfully using those responses to contest wrongful bans
What We Don’t Know Yet
- How many of the 1,500+ banned accounts were genuinely cheating versus false positives
- What ArenaNet’s updated anti-cheat approach looks like now that the code is removed
- Whether GDPR requests will result in mass ban reversals or only isolated cases
- If ArenaNet will publish a formal transparency report on what data was collected
Full Timeline
| Date | Event |
|---|---|
| March 6, 2018 | Episode 2 “A Bug in the System” drops; anti-cheat code pushed silently |
| March 27, 2018 | ArenaNet quietly removes the scanning component |
| Early April 2018 | Mass ban wave becomes publicly visible; players compare notes on Reddit |
| April 2018 | Fabian Wosar publishes reverse engineering findings |
| April 2018 | ArenaNet issues statement confirming the software targeted “unfair advantage” programs |
| Ongoing | EU players file GDPR data requests; some use responses to contest bans |
Let’s Start With What ArenaNet Actually Did
On March 6, buried inside the same patch that brought us the Sandswept Isles, ArenaNet shipped a component that did something the patch notes didn’t mention: it enumerated every process running on your computer and reported that list back to their servers.
Not just known cheat tools. Every process.
Security researcher Fabian Wosar - whose day job involves hunting actual malware - noticed the behavior while analyzing the update. What he found was an anti-cheat system far broader than what you’d expect for a game with no competitive prize pool on the line. The module wasn’t checking “is process X running?” It was collecting your full running process list and sending it home, with encryption that Wosar described as inadequate for the sensitivity of the data being transmitted.
The code was pulled March 27. Quietly. No announcement. No explanation.
Then in early April, the ban wave started becoming visible. Players who’d been banned in March - some with no idea why - started comparing notes on Reddit. The pattern that emerged matched exactly the period the code was active.
1,500 Bans, No Appeal Process
More than 1,500 accounts received six-month bans. Initially, there was no appeals process. No explanation beyond a generic “violation of the user agreement” form letter.
The problem with broad process scanning as a ban mechanism is obvious: having a “suspicious” process running doesn’t mean you’re cheating in Guild Wars 2. A software developer running debugging tools, a streamer with a custom audio overlay, a security researcher running a process monitor - any of these could theoretically flag. The system wasn’t designed to distinguish context.
Some of the banned players were almost certainly cheating. Others almost certainly weren’t.
That’s the blunt-force problem with broad surveillance as an enforcement tool. It can find cheaters. It will also catch people who weren’t doing anything wrong, and without a proper appeals process, there’s no mechanism to sort one from the other.
ArenaNet’s position, in their public statement, was that the software targeted programs providing “unfair gameplay advantages.” That may be true as a description of their intent. It doesn’t address the scope of what was actually collected.
The GDPR Angle Nobody Saw Coming
Here’s where the story gets genuinely interesting.
The EU’s General Data Protection Regulation officially came into force earlier this year. One of its core provisions is the right of any EU citizen to request a copy of all personal data an organization holds on them. It’s a powerful tool - and some banned GW2 players figured out they could point it at ArenaNet.
A handful of players filed formal GDPR data requests, asking ArenaNet to produce what the client had collected about them. When the responses came back, they contained the actual process lists that had been flagged - and in several cases, players were able to demonstrate that nothing in their list constituted a cheat program. They got their bans reversed.
This is significant for a few reasons.
First, it demonstrates that the data collection was real and specific - not anonymized aggregate stats, but individually attributable process logs. That raises the severity of the privacy concern considerably.
Second, it means that for EU players specifically, there’s an actual mechanism to challenge a wrongful ban that doesn’t depend on ArenaNet’s goodwill. That’s not how it should work - you shouldn’t need privacy law to make a game company be fair - but it works.
Third, it exposes the limits of ArenaNet’s ban process. If a formal data request can overturn a ban, the ban process wasn’t robust in the first place.
ArenaNet’s Response, Assessed
ArenaNet acknowledged the situation and confirmed they were targeting cheat software. They didn’t explicitly apologize for the scope of data collection or the lack of transparency about the update. The code came down March 27. The formal statement came only after the community started making enough noise that the story reached Kotaku and Vice.
The statement itself was measured and didn’t commit to much. “We’re monitoring for programs that provide unfair advantages” is true as far as it goes. It doesn’t explain why the entire running process list needed to be transmitted rather than a binary “cheat detected / not detected” signal. It doesn’t explain why players weren’t told. It doesn’t explain why there was initially no appeal process for banned accounts.
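The difference between the two designs, as an added example that is not ArenaNet's code or anything from Wosar's analysis: the client matches process names locally against a blocklist and sends only a verdict, next to the broad design that sends the whole list. The blocklist format, the rule ID and every process name here are hypothetical, constructed for the illustration.

```python
import hashlib
import json


def name_digest(name: str) -> str:
    """SHA-256 of the normalized executable name (case-insensitive match)."""
    return hashlib.sha256(name.strip().lower().encode("utf-8")).hexdigest()


# Hypothetical blocklist shipped with the client: name digest -> rule ID.
# "examplecheat.exe" and "RULE-001" are made-up values.
BLOCKLIST = {name_digest("examplecheat.exe"): "RULE-001"}

# Constructed process list: ordinary tools of the kind the article mentions,
# plus one entry that matches the hypothetical blocklist.
SAMPLE_PROCESSES = [
    "game.exe", "debugger.exe", "audio-overlay.exe",
    "process-monitor.exe", "tax-return.exe", "ExampleCheat.exe",
]


def full_list_report(processes):
    """Broad design: every process name leaves the machine."""
    return {"processes": list(processes)}


def minimized_report(processes, blocklist=BLOCKLIST):
    """Match locally; send only the verdict and the IDs of matched rules."""
    digests = map(name_digest, processes)
    hits = sorted({blocklist[d] for d in digests if d in blocklist})
    return {"cheat_detected": bool(hits), "matched_rules": hits}


def disclosed_names(report, processes):
    """Local process names that are readable in the serialized report."""
    wire = json.dumps(report)
    return [p for p in processes if p in wire]


if __name__ == "__main__":
    for build in (full_list_report, minimized_report):
        report = build(SAMPLE_PROCESSES)
        print(build.__name__, json.dumps(report))
        print("  names disclosed:", disclosed_names(report, SAMPLE_PROCESSES))
```

With the minimized report, the debugger, overlay and process monitor never reach the server, and the rule ID gives a reviewer one specific match to check when a ban is contested.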
In some cases, ArenaNet did eventually acknowledge errors and offer compensation. That’s something. It’s not enough on its own to rebuild the trust that this approach damaged.
What This Means for You
If you were banned and you’re in the EU: File a GDPR data request with ArenaNet. The process is formal but documented, and based on the cases we’ve seen so far, it’s working. Get your data, review your process list, and if nothing on it constitutes a cheat tool, use that as the basis for your appeal.
If you weren’t banned: Your data was still collected during the active window (March 6 - 27) if you were playing during that period. Whether you care about that is your call. If you do, a GDPR request is still available to you.
If you’re a non-EU player: The GDPR doesn’t directly apply to you, which means the mechanism available to EU players isn’t in your toolkit. ArenaNet’s standard support channel is your only route if you believe you were wrongly banned.
If you’re still playing: The code is gone. There’s no indication ArenaNet plans to re-implement it in its original form. Your current gaming sessions aren’t being scanned. But this situation has made clear that transparency about what the client does needs to be a standard expectation, not a courtesy.
What to Watch For
- More GDPR outcomes - as more EU players receive their data responses, the picture of what was collected will become clearer. We’ll cover any significant developments.
- ArenaNet’s future anti-cheat approach - they’ve confirmed cheating is a problem they’re actively addressing. What comes next matters. A transparent approach that communicates clearly to players is possible; this wasn’t it.
- Ban reversal numbers - if the scale of false positives becomes publicly quantifiable, that changes the story significantly. Right now we’re working from individual accounts.
The irony of this story landing on the same day as an episode called “A Bug in the System” is the kind of thing that writes itself.
ArenaNet wanted to catch cheaters. That’s a legitimate goal. The way they went about it - silently, broadly, without appeal mechanisms - was a legitimate failure. What’s come out of it, unexpectedly, is a model for how players can use privacy law to hold game companies accountable. That part, at least, is worth knowing about.