Privacy group accuses Hotspot Shield of snooping on web traffic

(Image: AnchorFree/Pinterest)

The Federal Trade Commission must investigate claims made against VPN provider Hotspot Shield for allegedly deceptive trade practices, according to a new filing by a prominent privacy group. Among the chief allegations in the 14-page filing[1], the Washington DC.-based Center for Democracy & Technology (CDT) said the VPN provider violates its “anonymous browsing” promise by intercepting and redirecting web traffic to partner websites, including advertising companies. Hotspot Shield, which we profiled last year[2], enables its more than 500 million worldwide users to bypass state censorship as well as regional restrictions on websites and streaming services.

David Gorodynasky, chief executive of the service’s parent company AnchorFree, told ZDNet at the time that about 97 percent of his users run the free, ad-supported version of the software. In an interview in our New York newsroom, Gorodynasky said that the company doesn’t make money off its customers’ data, instead opting for a “zero knowledge” approach[3] to ensure that governments cannot request data on its customers that it doesn’t store. But that isn’t the case, says the CDT in its filing.

It’s accusing the company of logging connections and using third-party tracking to serve targeted advertising. “Hotspot Shield engages in logging practices around user connection data, beyond troubleshooting technical issues” by using a user’s location and IP addresses to “improve the service, or optimize advertisements displayed through the service,” the filing says. The CDT is calling on the FTC to intervene under its authority to prohibit unfair and deceptive acts and practices.

The privacy group began investigating the case in April after Congress repealed broadband privacy rules[4], which would have prevented internet providers from selling browsing history data to advertisers. The surge in demand for VPN services following the repeal led the group to investigate Hotspot Shield, by far the largest provider for subscribers on the market.

The group partnered with researchers at Carnegie Mellon University to analyze the app and the service and found “undisclosed data sharing practices” with advertising networks. “Further analysis of Hotspot Shield’s reverse-engineered source code revealed that the VPN uses more than five different third-party tracking libraries, contradicting statements that Hotspot Shield ensures anonymous and private web browsing,” said the complaint.

“Hotspot Shield also monitors information about users’ browsing habits while the VPN is in use,” it read. The researchers also found that the app transmits some sensitive cell carrier information on mobile users over an unencrypted connection, the filing says. VPN providers can be a godsend to anyone living in a region where state surveillance and censorship are rife, and merely a convenience to those who wish to conceal their internet history and browsing traffic from their internet providers — and any law enforcement agency that comes along.

But an inherent issue[5] is that users have to trust their VPN providers as much, if not more than their internet provider not to also collect, monitor, or sell their data. “People often use VPNs because they do not trust the network they’re connected to, but they think less about whether they can trust the VPN service itself,” said Michelle De Mooy, director of CDT’s Privacy & Data Project. For many internet users, it’s difficult to fully understand what VPNs are doing with their browsing data.

That makes clear and accurate disclosures and practices essential.” De Mooy added that the service “fails to live up to its promises or meet the reasonable expectations of its customers.” Several attempts to reach the company were unsuccessful.

An email to Gorodyansky went unreturned at the time of writing.

Contact me securely[6]

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

Read More[7]

ZDNET INVESTIGATIONS

References

  1. ^ in the 14-page filing (www.documentcloud.org)
  2. ^ we profiled last year (www.zdnet.com)
  3. ^ a “zero knowledge” approach (www.zdnet.com)
  4. ^ Congress repealed broadband privacy rules (www.zdnet.com)
  5. ^ an inherent issue (www.zdnet.com)
  6. ^ Contact me securely (medium.com)
  7. ^ Read More (medium.com)

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *