The wordiness and begging the question is highly suspect. Any [Windows] developer who reads this should know how to enumerate processes, find their binaries and hash them (without having to "deobfuscate" and other scary words for non-technicals).
No working set information is included in the hash (not that it would be much use) and so the leakage of information here is extremely low. The author then complains about the hashes being sent over an "insecure protocol" but, suddenly, all information regarding which protocol is missing - that would have been genuinely useful to know (unlike the prior wordiness).
> It most certainly will be problematic once the GDPR gets into effect and Arena will definitely get a data request from me so I obtain a list of all data they have about me and my account.
The disclosed information cannot be used to identify you as a natural person.
This just sounds like someone who got caught and is trying to avoid responsibility.
But, to me, it sounds like you are saying this potential bad actor is intending to use the GDPR to determine the 'secret sauce' used to detect bad actors?
In other words, "Be transparent in your evaluation methods!" with the subtext of, "then I can subvert them."
What I'm saying is much simpler. Cheaters are a very interesting crowd. In first person shooter games it's absolutely possible to dominate cheaters (because cheats only help with raw mechanical skill, not strategy or tactics) and the cheaters will often be the first to complain about cheaters when you kill them. Despite their unfair advantage, they lash out when things don't go their way - which seems to be happening here: they truly believe that they are above reprimand and that Anet must be punished for reprimanding them. The threat of GDPR is being used for this. In the broad category of shifting blame, it's very very consistent behavior and would probably make for a fascinating study.
There is always a chance that the author is being honest (having cheated in other games, but never GW2) but it's slim. I have my doubts as to whether GDPR would cover this (as it cannot be used to identify a natural person), but IANAL.
- personal data is any data about a person which could, in combination with other data that you may not have, identify a person. That's much broader than your definition. In this case, I think the claim would be that if you knew all programs installed by a person, you could figure out who that person is. It's still probably a stretch. It's good that they prevented themselves from knowing what the program is, because that could sweep up health data. i.e. imagine they knew you were running a blood sugar tracking program, they could infer you had diabetes. Health data is in a heightened protection class under the GDPR.
- The game would still have to service data requests, i.e. give me all your data about me.
In other games, the grind is clear, and the appeal of bots painfully obvious.
It's a few years since I played GW2 so things may have changed.
And might be a reason for ArenaNet to sue.
From what I have read, reporting about shortcomings in MMORPGs can get expensive quickly. There is a reason the Defcon 25 talk by Manfred was cut short. ZeniMax Online wasn't amused.
edit: I did remember correctly, the very same video was taken down from YouTube by ArenaNet
>"DEF CON 25 - Manfred - Twe..." This video is no longer available due to a copyright claim by ArenaNet, LLC.
What alternate GDPR reality is this?
Assuming you can figure out how to reliably fingerprint someone with this information, GDPR allows collection of data that is reasonable for providing the service you are offering: a bot and cheater free game is part of the service that Anet offers. If you request this data, then what?
MMO characters often become the embodiment of their players or vice versa. There is also your CC and billing information, which in combination with your character name (often your nick/handle) could be used to identify you on other social media. This is far more threatening than a list of running processes on your machine.
Anet may include these hashes in their GDPR compliance, but rest assured - forgetting someone means deleting the lot.
Cloud based antivirus services are even worse in this regard.
No, it's clearly spyware. They are enumerating lists of software loaded on client computers without explicit permission other than what's granted broadly in their ToS/EULA, and without speaking of the feature.
The component got removed right after their use of it -- indicating either sneakiness or internal qualms about the use of such methods -- and if one believes the guilty, it affected legitimate users, too.
>Some go much further like inspecting the Windows DNS cache...
Why is looking at DNS caches 'going further' than enumerating all software into hashes for remote analysis? DNS might have more embarrassing shit to expose on a personal level, but generally a glimpse into installed software is much more exclusive/rare/uncommon. DNS gets discussed between your machine and a million others down the line; it hasn't been considered very private for some time now.
Does its ubiquity invalidate the term? It is software that spies on me, and its presence is, at best, less-than-explicitly communicated. That seems like spyware to me.
It's not a new topic, and not one with great answers. On the one hand, any PC gamer knows cheaters ruin multiplayer games, and developers need to participate in the cheat/anti-cheat arms race to ensure the integrity of competitive play. On the other, it's the definition of spyware.
Unfortunately, the state of the art answer is "if you don't like it, you don't have to play the game." It will be interesting to see how this plays into the inevitable changes to law that will happen.
People still bring it up, but no way would they pull that move again.
When I've installed ethereal/wireshark I've needed to face down big warnings, and properly so. A promiscuous packet sniffer is something to be wary of.
With few exceptions there seems to be no good reason for any application on my machine to see what else is running.
 - Good candidates include Anti-virus for those who run it, and those tools that help you keep your applications up to date.
CheatEngine is a great first step in developing any bot, for any game.
GW2 doesn't have to trust the client for CE to be useful, it's just that the usefulness is different than what you're using it for currently. The goal of CE in developing an MMO bot is to figure out where in memory things like player location, party members, linked list of all nearby objects, etc, are. This allows the user to write the bot in a way that's pulling information directly from memory. CE is a great way to back into this data (coupled with a debugger/disassembler, of course).
This is also hardly the first such incident (unfair bans or borderline spyware anti-cheats), it'll end without any long term echoes as always.
If you were sure you were banned unfairly and went to the support they'd just link you to some ToS or other, saying that all bans are 101% sure, confirmed, irreversible, etc. If you went to forums you'd get insults, told that you deserved it, that you're making excuses, that there are no legitimate reasons to run CE, etc. or at best told that you were an idiot to have CE running in the background and thus deserve a ban for being so careless.
Eventually you might get unbanned automatically, with an apology and a freebie - or not. It depends on the specific company, how many people were banned, how big of an issue it is, does the company bother to fix it, is it reported by the media as a problem, etc.
It's kind of a crapshoot and a circus but then again - it's just games (except for the 1% of esportsmen) and they don't have such a bad track record compared to important companies (Facebook, Equifax, etc.) that leak or sell people's life affecting data.
MMOs have to trust the client, to a large extent, in order to avoid janky gameplay on ~150ms connections.
Wow, what a non-apology.
So I'd appreciate a warning that I'm being spied on, and perhaps a description of ways they're avoiding sensitive data. But the game I'm going to quit is the one where I can't get away from cheaters: not the one where the game makers are being overzealous in watching for them.
But, that's neither here nor there. Regardless of my personal feelings, the average gamer agrees with you. Arenanet had pure intentions. They were trying to fulfill the wishes of their fans, so the mistake in how they rolled this out will be forgiven.
However, with all the talk about privacy, it never ceases to amaze me how fast people will give it up if they get what they want or, worse, if something bad or inconveniencing happens to people they don't like. What does that say about society when people will give up something just to punish or deprive others?
There's literally zero point to competitive online gaming if cheaters run rampant, you might as well not bother. Of course people interested in competitive online gaming support countermeasures.
I also believe in a police force and laws. Giving up my ability to rob without legal consequences in order to punish and deprive others.
I'm not too convinced that says many bad things about me though.
Nobody invested in a competitive game is going to want cheaters running rampant.
I liked how GW2 was free forever after the initial purchase. I would come back every now and then to check out the new content.
Sadly, I don't keep any spyware on my computer. No exception. Even if I love the game, that's an instant uninstall for me.
They even told me so when I installed it: https://support.steampowered.com/kb_article.php?ref=7849-RAD...
This is not spyware, this is a platform I chose out of trust.
Guild Wars 2's spyware is exactly that, a spyware. I never agreed to it, or if I did it was out of some legal black pattern.
If you are saying that Steam was very upfront with its anti-cheat measures and that you agreed to it then so be it.
This is one of the multiple reasons I don't mind Steam's scans. They are doing it on the behalf of thousands of games.
When people are worried about their privacy due to the VAC, they are quick to respond. Even better, they don't simply throw a legal team at the community but take the time to address fears and trust issues. 
I am not saying that Valve is perfect. They might mess up in the future. But so far, they have yet to breach my trust.
The real takeaway here is the lack of care and regard that Anet exercised in the implementation of this anti-cheat system, and the callousness and ego demonstrated by the programmer posting his updates to Twitter.
Kind of like walking into Target. They are scanning you even before you enter the doors nowadays, and tracking everything you do or buy. Even more so if you use their credit card. The reason they can do that is because you agree to their terms...
This is also a reason why I would never log on to a corporate company's "free WiFi" ...
It should have limited effect on any competently written online game as the game state would be decided by the server, not the client.
So in essence it can be construed as cheating even if you don’t break any game mechanics directly but simply automate actions which most online games prohibit.
The smart thing to do is to look for when tools are actually injecting themselves into your process, not just looking for the presence of the process itself. That is just a completely inept way of going about it.
Anyway: Whether he botted or not is not the point of the thread. Even if everyone they caught would have cheated (according to their and your definition) that's still a pretty significant privacy intrusion from ArenaNet.
That has nothing to do with the commonly accepted definition of cheating. Using in game mechanics which harm the player base in some way is considered cheating in every competitive game ever made. "The devs messed up" is not an OK to do whatever you like, that would ruin these games.
So Starcraft, Counter Strike, and PUBG all have botched game designs? Please..
The more you participate, the more stuff you get (for various values of 'stuff') is the central design conceit of just about all MMOs. Breaking it is one of the most drastic and damaging ways to cheat.
Something like this could probably be built with a Raspberry Pi and some image pattern-matching software. If you just wanted to record some statistics in order to give an edge in certain games, you could probably build a phone app to watch you play.
However most games either don't have any anticheats at all, or have very limited ones. Specifically you can run most games under a normal user and run the cheat under an administrator user. Let Windows help hide it.
 Valve has used deep learning for CSGO https://www.pcgamer.com/vacnet-csgo/
 Third parties have done work for Dota 2, with hints of official Valve variants coming as well https://www.reddit.com/r/DotA2/comments/8816oh/12_of_all_mat...
I remember something similar for Eve Online bots many years ago. That solution was capturing video frames straight from the video card (so, detectable), but that's basically the same idea.
Monitoring in game behavior can easily detect naive bots, which are most of them (you are logged in 24/7 doing the same thing).
Virtually every single multiplayer/MMO-like game does this. All of Asia does it - every country there, for instance, and a lot more invasively and insecurely.
Hackshield and XIGNCODE outright read through your process memory for content and keyword searches, not just hash matching - I've been issued bans for browsing security forums because of a freetext process title match in Firefox.
Gameguard, hackshield, xigncode (all 3 are Korean) send data insecurely, unsigned, over plaintext HTTP including PII across the public internet, run boot-mode driver rootkits, and are leaps and bounds worse than anything like Warden. They are also insecure and provide holes for actual malware to hide in with their awful client side rootkit process/file-hiding hooks.
League of Legends, for instance, runs outside of Asia perfectly fine, with a reasonable anticheat that detects its own processes being screwed with, not very invasive, not insane.
In League of Legends Korea, a Korean company basically installs one of these invasive rootkits - and even requires browser plugins to log in. The founder of that company previously ran for president in Korea and has virtually a monopoly on this crap. Some of it is required by local law.
 http://static.leagueoflegends.co.kr/common/js/aosmgr_common.... - note the plaintext http everything too
They are equally bad in other companies, other games. For some reason they are horrifically toxic even when publishing a completely Western made game.
Of course, it's incredibly difficult to impossible to "run a game" from outside the country, their structure effectively forces you to open a subsidiary or separate company inside the country and give up control / be subject to those laws.
The average player, even if they consent, is in no way informed enough to understand what having such a system installed means. They don't understand the value of the information they are leaking, and thus they are not in a position to give informed consent.
Many of those installing this kind of software are literal children, and thus quite incapable of giving informed consent.
Because I would much rather play a cheat-free game and have well-intentioned programs scan for foul-play than the opposite.
Simply having Cheat Engine running is enough for VAC to flag you and lock you out of any multiplayer via Steam.
Used to play GW2 quite actively until they released their first expansion, as I got kinda tired of their "episode" cadence and that future "episodes" would require the expansion.
So pretty strange author is surprised by that.
What they care about is if you're cheating to get max-tier weapons/armor and if you're cheating in the PvP tournaments.
In the in-game store they sell an instant max character boost that's 100% legal within the game's terms. Why would they also be selling powerleveling or botting services?
You can get a character to max level very quickly if you already have access to a few max level characters.
There's no reason to pay for a shady power leveling service either; you can buy a level 80 boost directly from ANet. Max level boosts are a pretty standard MMO thing these days.
- First, the spyware angle.
The software actively spied on the user and sent back everything. No other anti-cheat does this and no company ever betrayed users like this. (Except for ESEA who implemented a bitcoin miner in their client at some point. And yes, people including me remember.)
- The fact that people got banned for not even cheating!
This is the ridiculous part.
First, ArenaNet or Guild Wars 2 has NO RIGHTS to ban users for cheating in any other title. Valve has no right to ban me, because I install a mod for GTA V. Blizzard cannot ban me, because I use a trainer for FFXV.
Second. Other companies like Evenbalance make sure there is a valid signature, and they even do screenshots, etc. It's not just a blind ban "because I think so".
I hope, some at least, see the pattern/point here.
Third. I, for example, had MMOMinion's framework installed, and of course, I may have launched it by mistake, I cannot remember. It was pinned in my start menu but I have not used it in a year or so. I did NOT have the bots installed for either GW2 or FFXIV - so the program by itself had zero capability to even attach a cheat.
So basically, I had zero cheats installed, but had a software that COULD BE used for cheats. This is beyond ridiculous. It's like banning everyone for using Windows, because Windows is capable of running cheats. This is just utter nonsense, there are no words to describe such level of stupidity.
- To top this all off, Anet still did not post anything, still have not accepted that they just pulled a huge blunder. Their "chief of security" (some weaboo with "excellent skills" as he has just demonstrated) should have been apologizing ever since the spyware was found. But no, to hell with that. Their only response is "you accepted the eula."
tl;dr: The bans are false positives. Lots of them. It's a messed up ban, it should not have stayed active, it should have been reverted a long time ago until they come up with a better solution.
"But privacy!" is going to fall on deaf ears otherwise. Just like "it's just video games lol."
I'm sure their last bit was in jest. If you've never wanted to upload a punch through the internet, you probably haven't experienced cheating.
I haven't actually played competitive online games for close to 10 years but no, it definitely wasn't a joke. If you think that's crazy, you should see what I think should happen to people who litter when they hike!