
Hattrick.org, A game with no privacy

Lucio | 20.09.2007 18:25 | Repression | Social Struggles | Technology

Don't forget: Behind each game there is a company...

Name, birthday, addresses, e-mail addresses, passwords, failed logins with wrong passwords, ingame-mails - everything is stored !forever! and !not encrypted! in the database of Hattrick Ltd.
All these private details are used by volunteers without a written contract (not even a non-disclosure agreement was in place)...

Over a period of ten years www.hattrick.org attracted millions of users who like the idea of managing a virtual football (soccer) team: training a team, winning or losing matches, becoming league champion and meeting people from all over the world.

Most of them had no idea everything they do in the game is logged, stored and free for volunteers from all over the world to see. Those volunteers, so-called Gamemasters, have access to the complete database. Why? To find cheaters, people trying to get an advantage by having two teams, for example.

What tools those Gamemasters have, what kind of data they have access to, and even what private user data were stored was a BIG secret. There was no privacy agreement for users to accept; the privacy statement is hidden on the Hattrick page and available only in English.
Furthermore, it was forbidden to talk about data issues or Gamemaster tools in the game forums. Users who asked the company to show them their stored data got no answer.

Users who worried about data protection not only did not know which data were collected and stored, they also did not know which country's laws are applicable: The game Hattrick was invented in Sweden in 1997, and over the years it became a very successful business. In 2003 Hattrick Ltd was moved to Gibraltar, while the mother company Extralives AB stayed in Sweden, until now doing the main work like development, user-management et al. The servers which contain the user data were moved to Switzerland in November 2006.

An article in a German online paper four weeks ago showed in detail how much private data is collected by Hattrick Ltd. (http://www.netzeitung.de/internet/717475.html). The article is based on the blog of a former Gamemaster, who made the secrets public (http://htsecrets.blogspot.com/search/label/Gm%20Rules). The document shows how systematically private data were collected and used.
Every password and all failed logins were stored, maybe including passwords used for private email accounts, financial transactions or other occasions. On top of that, the Gamemasters had free access to those data and used the passwords to secretly log into users' accounts, where they could read private ingame-mails, read notices, see everything.

Since Hattrick Ltd is registered in Gibraltar, the company has to follow the laws of this country.
The company did not:
- register the database at the national register
- provide written contracts for its Gamemasters
- have a privacy statement for users to accept

Hattrick Ltd reacted quickly and admitted their wrongdoing, and even admitted they once hired a 13-year-old kid as a Gamemaster. The owner of the company made a statement saying they would register at the Gibraltar database and provide written contracts for their volunteers and privacy statements.
The passwords and failed logins, they said, were no longer visible to the Gamemasters, a fact which can't be proven.

Until now Hattrick Ltd is not registered at the Gibraltar database. Until now there are no written contracts with the Gamemasters. Until now there is no privacy statement to accept - it will be in place in one month... Until now the owners of Hattrick Ltd have not told their users to change sensitive passwords they may have used in the game.

Please, take this as a reminder to be careful with your private data.


Lucio