Yesterday, the Federal Trade Commission (FTC) received a complaint against the Virtual Private Network (VPN) service Hotspot Shield alleging that the service intercepts traffic and collects user data.
The complaint was filed by the Center for Democracy & Technology (CDT) and it urges the FTC to investigate Hotspot Shield’ data security and data sharing practices, calling them as “unfair and deceptive trade practices.”
In addition, the complaint states that despite the promises to protect users’ privacy, the VPN service is engaged into undisclosed data sharing and traffic redirection practices. According to the nonprofit technology advocacy organization CDT, the privacy policy of Hotspot Shield contradicts the advertised privacy and security claims.
For instance, Hotspot Shield claims to keep no logs of a user’s online activity or personal information, and to store no user data, while at the same time saying, that it doesn’t track users and doesn’t sell their information.
iTunes and Google Play storefronts highlight privacy and security claims as key features of the Hotspot Shield VPN mobile applications, however, the VPN’s privacy policy “describes more elaborate logging practices,” the complaint reads. CDT says that a source code analysis of Hotspot Shield backs these allegations.
In addition, the organization states that “the VPN promises to connect advertisers to users who frequent websites in particular categories and while most VPNs prevent internet service providers from seeing a user’s internet traffic, that traffic is often visible in unencrypted form to Hotspot Shield. VPNs typically log data about user connections to help with troubleshooting technical issues, but Hotspot Shield uses this information to identify user locations and serve advertisements.”
The advocacy organization also says that Hotspot Shield deploys persistent cookies and “works with unaffiliated entities to customize advertising and marketing messages.” Besides, CDT alleges that Hotspot Shield insists it doesn’t make money from selling customer data, while at the same time promising to connect advertisers to users that frequently access travel, retail, business, and finance websites. According to CDT, these partners can link information about users’ web-viewing habits even if they are provided only with hashed or proxy IP addresses.
According to Michelle De Mooy, Director of CDT’s Privacy & Data Project, “People often use VPNs because they do not trust the network they’re connected to, but they think less about whether they can trust the VPN service itself. For many internet users, it’s difficult to fully understand what VPNs are doing with their browsing data. Hotspot Shield tells customers that their privacy and security are ‘guaranteed’ but their actual practices starkly contradict this. They are sharing sensitive information with third party advertisers and exposing users’ data to leaks or outside attacks.”
