Hotspot Shield VPN accused of logging user data, selling it to advertisers

Accused VPN provider denies allegations…

Privacy researchers have accused Hotspot Shield VPN of logging user data and selling it to advertisers despite claims to the contrary.

In a complaint submitted to the Federal Trade Commission (FTC), the Center for Democracy & Technology (CDT) requests a government investigation into the data security and data sharing practices of Hotspot Shield. A popular VPN and Wi-Fi security solution, Hotspot Shield boasts hundreds of millions of users across Android, iOS, and desktop platforms.

The CDT states in its filing that Hotspot Shield collects user connection data like IP addresses, unique device identifiers, and other "application information" while in use. That's probably because the VPN doesn't consider these pieces of data as sources of personal information. It says as much in its privacy policy.

"Except as explained in this Notice, AnchorFree does not collect any Personal Information about you when you use the Service. “Personal Information,” also referred to as personally identifiable information, is information that may be tied to a specific individual. Examples of Personal Information include name, email address, mailing address, mobile phone number, and credit card or other billing information. Please note, however, that for purposes of this Privacy Notice, AnchorFree does not include your IP address or unique device identifier within the definition of Personal Information."

These allegations of logging directly contradict the comments of David Gorodyansky, founder and CEO of AnchorFree, who said the following to The Huffington Post back in May:

"Given that AnchorFree is a mission-driven company, we never log or store user data. Our perspective is to protect the users not only from the bad guys like hackers, identity thieves, websites and ISPs, but to also protect the users from their (/our) selves. We believe the best way to protect user data is to not collect it."

But the claims of deceptive trade practices and misleading data security statements don't end there. The CDT goes on to accuse Hotspot Shield of injecting JavaScript code into users' browsers for advertising and tracking purposes. It also charges the VPN with selling customer data to advertisers, using multiple third-party tracking libraries, "redirecting e-commerce traffic to partnering domains," transmitting Mobile Carrier data over a non-HTTPS web connection, and mishandling customers' payment information, as evidenced by some users' claims of credit card fraud resulting from their purchase of the Elite version of the VPN.

AnchorFree has flat-out denied the CDT's complaint. As quoted in a statement provided to Tom's Guide:

"We strongly believe in online consumer privacy. This means that the information Hotspot Shield users provide to us is never associated with their online activities when they are using Hotspot Shield, we do not store user IP addresses and protect user personally identifiable information from both third parties and from ourselves. The recent claims to the contrary made by a non-profit advocacy group, the Center for Democracy and Technology, are unfounded. While we commend the CDT for their dedication to protecting users’ privacy, we were surprised by these allegations and dismayed that the CDT did not contact us to discuss their concerns. AnchorFree prides itself on being transparent about its data practices and would be happy to engage in a discussion to clarify the facts and better understand the nature of the CDT’s concerns. We are reaching out to appropriate groups and remain committed to defending the privacy and internet freedom of all our users."

The FTC has yet to respond to the CDT's complaint as of this writing.

We at Graham Cluley Security News firmly believe in the value of VPNs when it comes to protecting web users' privacy and anonymity. Of course, not all VPNs are created equal; some engage in deceptive policies like those set out in the CDT's legal filing.

As a result, it's important that users carefully review a VPN's privacy policy before they download a solution onto their machines. Doing so might not reveal everything a company does with customers' data, but it could provide a useful snapshot. (With respect to Hotspot Shield, I think many people would consider IP addresses and unique device identifiers to fall under the category of personal information.)

In general, users should also look for a paid VPN solution over a free one. Providers of free VPNs have to make their money somehow, and they just might be doing it by selling user data to advertisers.

One Response

  1. OliverK

    August 11, 2017 at 10:14 pm #

    Basically, this is just another reason why people should stick to paid VPNs. I've been with ExpressVPN for nearly 2 years now and I'm still satisfied.
