Yesterday, the Federal Trade Commission (FTC) received a complaint against the Virtual Private Network (VPN) service Hotspot Shield alleging that the service intercepts traffic and collects user data.
The complaint was filed by the Center for Democracy & Technology (CDT) and it urges the FTC to investigate Hotspot Shield’ data security and data sharing practices, calling them as “unfair and deceptive trade practices.”
For instance, Hotspot Shield claims to keep no logs of a user’s online activity or personal information, and to store no user data, while at the same time saying, that it doesn’t track users and doesn’t sell their information.
In addition, the organization states that “the VPN promises to connect advertisers to users who frequent websites in particular categories and while most VPNs prevent internet service providers from seeing a user’s internet traffic, that traffic is often visible in unencrypted form to Hotspot Shield. VPNs typically log data about user connections to help with troubleshooting technical issues, but Hotspot Shield uses this information to identify user locations and serve advertisements.”
The advocacy organization also says that Hotspot Shield deploys persistent cookies and “works with unaffiliated entities to customize advertising and marketing messages.” Besides, CDT alleges that Hotspot Shield insists it doesn’t make money from selling customer data, while at the same time promising to connect advertisers to users that frequently access travel, retail, business, and finance websites. According to CDT, these partners can link information about users’ web-viewing habits even if they are provided only with hashed or proxy IP addresses.
According to Michelle De Mooy, Director of CDT’s Privacy & Data Project, “People often use VPNs because they do not trust the network they’re connected to, but they think less about whether they can trust the VPN service itself. For many internet users, it’s difficult to fully understand what VPNs are doing with their browsing data. Hotspot Shield tells customers that their privacy and security are ‘guaranteed’ but their actual practices starkly contradict this. They are sharing sensitive information with third party advertisers and exposing users’ data to leaks or outside attacks.”