A complaint has been filed with the U.S. Federal Trade Commission alleging that a free VPN service marketed as a provider of secure and anonymous internet access shares user data and redirects traffic to partners, including online advertising companies.
The Center for Democracy and Technology (CDT) is asking the FTC to investigate Hotspot Shield VPN and alleges unfair and deceptive trade practices.
“Hotspot Shield’s lack of transparency about its logging, use of third-party tracking libraries, and redirection of user traffic also constitutes an unfair trade practice under Section 5 of the FTC Act, and is also subject to investigation and injunction by the Commission,” the CDT said in its complaint, filed Monday with the FTC.
AnchorFree, parent company of Hotspot Shield, said in a statement given to Threatpost that information provided by users is never associated with their online activity.
“The recent claims to the contrary made by a non-profit advocacy group, the Center for Democracy and Technology, are unfounded,” said CEO and founder, David Gorodyansky.
“While we commend the CDT for their dedication to protecting users’ privacy, we were surprised by these allegations and dismayed that the CDT did not contact us to discuss their concerns,” Gorodyansky said. “AnchorFree prides itself on being transparent about its data practices and would be happy to engage in a discussion to clarify the facts and better understand the nature of the CDT’s concerns. We are reaching out to appropriate groups and remain committed to defending the privacy and internet freedom of all our users.”
The CDT said that following the March’s Senate vote to roll back the Federal Communications Commission’s broadband privacy rules, it partnered with Carnegie Mellon University to look at Hotspot Shield. Using CMU’s Mobile App Compliance System, the group analyzed the app’s Android binary and uncovered undisclosed data sharing including wireless network information and device identifiers such as MAC addresses and IMEI numbers.
The CDT complaint alleges that the mobile VPN service injects JavaScript code using iframes for advertising and tracking user activity. In the complaint, the CDT said the VPN uses at least five different third-party tracking libraries.
This activity is in contradiction to Hotspot Shield and AnchorFree’s marketing, which promises anonymous browsing features and includes promises never to log or store user data, online activity or personal information.
VPNs do, however, create connection logs for troubleshooting. The CDT claims Hotspot Shield goes well beyond.
“While connection logs can be designed to be minimally privacy-invasive, Hotspot Shield engages in logging practices around user connection data, beyond troubleshooting technical issues. The service uses this information to ‘identify [a user’s] general location, improve the Service, or optimize advertisements displayed through the Service,'” the complaint said “IP addresses, unique device identifiers, and other ‘application information’ are regularly collected by Hotspot Shield.”
The CDT also points out that the VPN’s privacy policy excludes a user’s IP address or device identifiers from what it considers personal information.
The complaint also said that Hotspot Shield monitors users’ browsing habits while the VPN is in use, and that it deploys persistent cookies.
While insisting that it does not make money from selling customer data, Hotspot Shield promises to connect advertisers to unique users that are frequent visitors of travel, retail, business, and finance websites,” the complaint states. “Moreover, these entities have access to IP addresses and device identifiers collected via Hotspot Shield. Even if Hotspot Shield only provides ‘hashed’ or ‘proxy’ IP addresses to these partners, third parties can also link information about web-viewing habits while using the Hotspot Shield by cross-referencing cookies, identifiers, or other information.”
The CDT is asking the FTC to ensure that privacy-related tools disclose data collection and sharing activities and initiate an investigation into Hotspot Shield’s data security practices, in addition to collection and data sharing, and provide refunds and other relief where appropriate.
