Privacy researchers have accused Hotspot Shield VPN of logging user data and selling it to advertisers despite claims to the contrary.
In a complaint submitted to the Federal Trade Commission (FTC), the Center for Democracy & Technology (CDT) requests a government investigation into the data security and data sharing practices of Hotspot Shield. A popular VPN and Wi-Fi security solution, Hotspot Shield boasts hundreds of millions of users across Android, iOS, and desktop platforms.
"Except as explained in this Notice, AnchorFree does not collect any Personal Information about you when you use the Service. “Personal Information,” also referred to as personally identifiable information, is information that may be tied to a specific individual. Examples of Personal Information include name, email address, mailing address, mobile phone number, and credit card or other billing information. Please note, however, that for purposes of this Privacy Notice, AnchorFree does not include your IP address or unique device identifier within the definition of Personal Information."
These allegations of logging directly contradict the comments of David Gorodyansky, founder and CEO of AnchorFree, who said the following to The Huffington Post back in May:
"Given that AnchorFree is a mission-driven company, we never log or store user data. Our perspective is to protect the users not only from the bad guys like hackers, identity thieves, websites and ISPs, but to also protect the users from their (/our) selves. We believe the best way to protect user data is to not collect it."
AnchorFree has flat-out denied the CDT's complaint. As quoted in a statement provided to Tom's Guide:
"We strongly believe in online consumer privacy. This means that the information Hotspot Shield users provide to us is never associated with their online activities when they are using Hotspot Shield, we do not store user IP addresses and protect user personally identifiable information from both third parties and from ourselves. The recent claims to the contrary made by a non-profit advocacy group, the Center for Democracy and Technology, are unfounded. While we commend the CDT for their dedication to protecting users’ privacy, we were surprised by these allegations and dismayed that the CDT did not contact us to discuss their concerns. AnchorFree prides itself on being transparent about its data practices and would be happy to engage in a discussion to clarify the facts and better understand the nature of the CDT’s concerns. We are reaching out to appropriate groups and remain committed to defending the privacy and internet freedom of all our users."
The FTC has yet to respond to the CDT's complaint as of this writing.
We at Graham Cluley Security News firmly believe in the value of VPNs when it comes to protecting web users' privacy and anonymity. Of course, not all VPNs are created equal; some engage in deceptive policies like those set out in the CDT's legal filing.
In general, users should also look for a paid VPN solution over a free one. Providers of free VPNs have to make their money somehow, and they just might be doing it by selling user data to advertisers.