Update (Feb 26, 6:20am PST): Zwift’s CEO Eric Min just posted the following on the forum thread related to this topic:
I would like to personally issue an update on a situation that has escalated over the last 48 hours, concerning a ban imposed on a Zwift community member.
Having been brought up to speed, it is clear to me that this situation could have been better handled by both parties. The performance increasing exploit was until now, relatively unknown both within Zwift and outside, but this is no excuse to not have addressed it. The exploit is detectable, and we have the ability to look back and identify those to have used it. That said, our priority is not to look back, but to look forward, and fix this as a matter of priority in one of the upcoming game releases.
For this reason, we have taken the decision to lift the 30-Day shadow ban issued to Luciano. For clarity, a shadow ban does not prevent a Zwifter from using Zwift, they simply do not show to others.
Neither party had ill intent and I can only apologise to all involved, but in particular to Luciano himself. We have an obligation to the community to address exploits on the platform and will fix this particular exploit as a matter of priority.
It is important for us to uphold our terms of service as they exist to protect the enjoyment of the majority of Zwifters. Rather than share information on how to exploit a performance bug, we would always encourage members of the community to come forward to Zwift with performance exploits they find. The process on how to bring such issues to the attention of Zwift hasn’t always been clear, so in order to improve this, we plan to introduce a bug bounty program that will not only make it easier for Zwifters to highlight issues but will also reward them for doing so. We will need time to develop this program but will share information in due course.
Co-founder & CEO
We’ll talk more about this in coming posts, I’m sure. Especially the good news about the bounty program! But for now, I wanted to share that Luciano has been freed. 😊
This week a bit of a kerfuffle has arisen in the Zwift racing community. I feel it’s right to document the key parts of the story, at least from my perspective. I’ll finish with a few thoughts of my own.
The Story Begins
On Wednesday, February 16, Luciano (who writes the hilarious Lucianotes series here on Zwift Insider) contacted me via Facebook Messenger, asking for my thoughts on a potential Zwift racing exploit.
(I’m not going to detail the exploit here, but let’s just say it’s an easy exploit to execute, and could massively affect race results.)
Neither of us thought the proposed exploit would even work. It was too easy, too obvious. But Luciano said he would test it the following day (I was traveling and unable to do any testing for a few days). We figured it would make for an interesting Zwift Insider post: “I tried to cheat in a race, but it didn’t work.”
The next day Luciano pinged me again:
He explained how he tested the exploit, and what the results were. Here’s my reply:
We put together a plan for Luciano to compose a Google doc containing details of how he tested and verified the exploit, then I would share that with ZwiftHQ to make sure the right eyes saw it, when I was back in the office. That was on Friday.
The following Tuesday, Luciano shared the basics of the exploit on a private team Discord server. It became apparent to him that other teams/racers already knew about the exploit, that ZADA had been informed of the exploit, and that Zwift had been told about the exploit years ago.
So on Wednesday, February 23, I woke up to the news that Luciano had published the exploit’s details on a free WordPress site he spun up for just that purpose. He then shared that post on the Zwift Racers Facebook group and Zwift’s forum. He tried to share it on WTRL’s Facebook page (because his main concern was that the TTT and ZRL were not affected) but that post was rejected because it promoted cheating.
And that’s when the %#&! hit the fan.
As the Zwift Racers and forum posts started blowing up, Luciano’s post was shared on Reddit.
Then a few hours later, things took a surprising turn. Zwift put Luciano’s profile into “Watopian in Review” mode.
Anyone who has read Luciano’s posts here on Zwift Insider knows he obsesses over Zwift racing – particularly the Thursday TTT. He and his Coalition team had planned a big TTT the next day, at WTRL’s TTT Worlds. He asked me, “May I race being Watopian in Review?” I didn’t know. But I had my doubts.
On the Zwift Racers Facebook thread, one rider posted #FreeLuciano when they heard his account was locked/banned. This hashtag would begin showing up everywhere, including the comments of Zwift Community Live’s Thursday TTT stream.
WTRL posted on their Facebook page, referencing Luciano’s post without actually naming him. They subsequently took the post down, but here it is:
I immediately reached out directly to Zwift via a private Slack channel to find out what was going on, because Luciano had received no communication from Zwift at this point. I was told that Luciano had received a 30-day shadowban due to his publishing/promoting a Zwift racing exploit.
What’s a shadowban, you ask? On Zwift, this basically means you can see others, but they can’t see you. You also don’t show up in race results. It’s a way of removing bad actors from the game experience, while still allowing those riders to use the game.
I explained to the Zwift folks I was chatting with that Luciano was a well-intentioned dude who only published the post because he knew other racers knew about it and Zwift had been told about it long ago, with nothing being done. But they held the line – he had violated Zwift’s Terms of Service and the ban was justified. Specifically the cheater catch-all section 5.vii:
“Use our Platform other than for its intended purpose and in any manner that could interfere with, disrupt, negatively affect or inhibit other users from fully enjoying our Platform or that could damage, disable, overburden or impair the functioning of our Platform in any manner;”
It became clear that he wouldn’t be making that race. I pinged Eric Min via Facebook to make sure he knew about the issue, and to express my disappointment at Zwift’s handling of the situation.
Luciano hadn’t received any notice from Zwift about his account being under review, so he reached out to support. That poor support chat host eventually forwarded Luciano to another team (I think it’s fair to say Luciano had turned into a “special case” at this point). Eventually Luciano received a more complete email explaining his ban, and the need for him to take down his post:
Luciano sent this in reply:
Thanks for getting back to me. I was not aware of what a shadowban was.
Could you please refer which articles of the TOS I have specifically violated so I get the context and I do not repeat the mistake in case I eventually decide to remain a Zwifter?
As you point generically to the terms of service but no point in particular, I see nothing on performance metrics nor reporting functional issues. I am not exposing anything relating to the code (I have no such technical capacity) nor vulnerability of the platform… just a functional issue. An easy and obvious functional issue that you and many already knew about and not preventing you from running races and competitions without any problem.
That mentioning publicly functional issues is sanctionable with any type of ban is news to me, and I don’t see it mentioned anywhere. The same regarding the fact that such situations should be exclusively reported through a support ticket.
I would be also grateful if you could also let me know where I can find the different sanctions or bans applicable to Zwifters, as the notion of customer associated to the one of sanction is rather an illogical one from my perspective.
Performance wise I don’t see how I can be considered to have benefitted in any aspect. The test was done during an Individual Time Trial, with no draft, therefore no influence on the race, and I made sure I would not be eligible to any Zwiftpower points as I explain very clearly in the video.
On the second point. The cheat was reported in many occasions to Zwift, including ZADA and many users, and also through tickets, as many other Zwifters have now reported to me. WTRL facebook post (https://www.facebook.com/WTRLracing/posts/1133810887356502) acknowledges this is a well-known cheat for two years, so I don’t understand at all how my post has any impact on the capacity to cheat. It is surprising that you define it as a guide to cheat while at the same time you acknowledge it is there for years, and publicly written still in Zwiftpower forums.
If anything, I feel Zwift has ignored the previous reports and failed to ensure the basic functionalities in order to try to prevent such an easy cheat that it had known for a long time.
I want just to show how ridiculous the situation is.
Anyhow, I am really surprised about the way all this is handled. I think I have been a very active member of the community and the platform for almost two years now, encouraging many people to join, providing a lot of support to different clubs and teams and even writing tons of articles on how fun Zwift is both in Zwift Insider, on Facebook etc…
Today was an eye-opener of the very little that you care about your users overall, and obviously a breach of trust and faith as an until now delighted customer.
There are other alternatives to Zwift in the market, that I like way less than Zwift I am not going to lie, but are good enough so I don’t have to be compromising on basic things as feeling valued as a customer and as a human being.
Obviously, at this point in time, I don’t see any possibility that I delete the wordpress post. I will just voice my opinion on this topic with the same intensity that I have been promoting Zwift until now. I will see in a month from now where I stand and I understand you will make the decisions suiting the best Zwift corporation interests.
No worries, I am not going to refer to an overutilized freedom of speech concept that has nothing to do here. It is just a matter of personal ethics. I would like to be able to finish saying Ride On.. but that ship has passed.
Have a great day.
Disappearing Posts, Re-Appearing Issue
Then the posts started disappearing. The Zwift Racers topic went away. The Zwift forum topic disappeared. And WTRL took down their thread as well. (These post removals weren’t a surprise, as Zwift has never allowed discussion of specific cheating/exploits in their forums or Facebook groups.)
But the Zwift community had caught wind of what was happening, and James Eastwood, ever the stalwart advocate for fair Zwift racing, created a Zwift forum post which didn’t detail the exploit, but asked Zwift to let the community know the status of a fix. See that post here >
The initial posts had been removed, but the Zwift community was sharing the perceived injustice of Luciano’s shadowban to the world. Mass media reporters began contacting Luciano about the situation, the Reddit thread was alive and well, and James’ Zwift forum post took on a life of its own with hundreds of replies and several posters (including James Eastwood himself, as well as Zwiftalizer’s Mike Hanney) posting that they were pausing their Zwift accounts to protest Zwift’s handling of the situation.
Thursday morning Luciano unpublished his post and wrote to tell Zwift support he’d taken it down. And Zwift finally replied to James’ forum thread with their point of view:
Friday morning road.cc published a post about the situation.
Luciano tells me that as time goes on, he’s hearing from more and more Zwifters who have seen this exploit used in races. Including one very prominent race organizer who reported the issue to Zwift four years ago.
And that brings us to where we are right now.
Here’s what I posted in the Zwift forum thread on this topic. I think it explains how I feel about this ugly and avoidable situation:
Just to go on record here, since my reply in Zwift Racers was deleted with the rest of the thread…
First, let me say this: I think Luciano could have handled this better by reaching out to Zwift with the issue, perhaps even telling them he would take it public on X date even if it wasn’t fixed because he was concerned that it’s actively being used by cheaters. Then if Zwift didn’t respond, he would have a stronger case for publicly posting the hack.
So I’d say he jumped the gun a bit. Which is hard to fault him for, when he had multiple people telling him Zwift already knew about the exploit, and race teams knew about it too. That’s hard information for a rabid Zwift racer to just sit on.
Since Luciano went against Zwift’s ToS, Zwift has the “legal” standing to shadowban him or do whatever they’d like with his account. They’re within their rights to do so. But that doesn’t make it the BEST decision on their part, and I’ve tried to communicate this to ZHQ via private channels in no uncertain terms.
I would have loved to see Zwift take this approach with Luciano’s WordPress post:
We just saw your post about the Companion exploit. While we don’t like seeing Zwift exploits shared publicly, we know by the content of your post that you did it in order to clearly demonstrate the hack to us and get our attention so it would be fixed. It worked!
Since your post demonstrates how to cheat in Zwift races, we’ve taken what we hope is a temporary disciplinary measure and shadowbanned your account, which is our standard practice in these cases. We request that you take the post down immediately so more Zwifters don’t learn about the exploit. Once you do so, we will reinstate your account.
On our side, this exploit has been moved near the top of the list of bug fixes. We anticipate at least a temporary fix rolling out in the month of March.
Some of you are bugging me to do a Zwift Insider post about this topic. I’m still not sure what that’s going to look like, but I’ve been in near-constant contact with Luciano during all of this. We’ve joked about how many parts this series of posts is going to have, as the saga continues way past what Luciano foresaw. All that to say, I’m sure this will be talked about on ZI… I just can’t promise exactly when and how.
In the end I, like many of you, wish Zwift had handled this differently – in a way that showed they value Luciano as a person. He may have jumped the gun, but Zwift could have easily taken the high road and come out of this sparkling clean. Now it’s just sort of… ugly all around. And that bums me out. Heck, I got my Zwift Insider kit in game finally this week, and I haven’t even ridden with it yet because I’ve had a bad taste in my mouth for two days.
I’m not leaving Zwift like some of you. I’m just annoyed to see this script playing out again. I hope Zwift learns from this and does better next time.
Whew… that was cathartic.
Ride on, my friends.
Wrapping It Up
What began as Luciano’s attempt to reveal a game exploit has turned into a story about how Zwift handled Luciano’s revealing of the exploit. But it didn’t need to turn out like this.
I’m sure this isn’t the last we’ll write about #FreeLuciano… or about the exploit in question. But I think it’s enough for today. My hope is that this post does a good job of telling the story fairly and truthfully up to this point, while also sharing my position on how things unfolded.
And I hope ZwiftHQ can take a step back, look at how this situation spiraled, change their processes to avoid it happening again… and #FreeLuciano.
I’m sure some of you will have thoughts on this topic. Feel free to share below, but keep it civil. Thanks for reading!