Hotspot Shield VPN

On Monday, the Center for Democracy & Technology (CDT) — a US-based privacy group — filed a complaint with the US Federal Trade Commission (FTC) accusing one of today's top VPN providers of deceptive trade practices.

In a 14-page complaint, the CDT accuses AnchorFree — the company behind the Hotspot Shield VPN — of breaking promises it made to its users by sharing their private web traffic with online advertisers for the purpose of improving the ads shown to its users.

Currently, Hotspot Shield is offered as a free and paid product. The free product injects ads in users' web traffic, and the elite version provides an ad-free VPN experience. The company has always been upfront with this policy, and in an interview with ZDNet last year, AnchorFree's CEO said that 97% of its estimated 500,000 userbase is using his company's free VPN service.

CDT partnered with CMU experts to review VPN service

In its complaint to the FTC, the CDT is not accusing Anchor Free of secretly injecting ads, as users are well aware of this practice, but of not respecting promises made to its customers.

More specifically, the CDT says that AnchorFree does not respect a pledge made in marketing materials that it won't track or sell customer information.

The privacy-focused group claims that this did not happen. The CDT says it partnered with experts from Carnegie Mellon University to review AnchorFree's free VPN service. Their investigation revealed the opposite.

VPN provider accused of selling data to advertisers

"Hotspot Shield’s marketing claims that it does not track, log, or sell customers’ information, but its privacy policy and a source code analysis reveal otherwise," the CDT wrote in a press release yesterday.

"The VPN promises to connect advertisers to users who frequent websites in particular categories and while most VPNs prevent internet service providers from seeing a user’s internet traffic, that traffic is often visible in unencrypted form to Hotspot Shield," the CDT adds. "VPNs typically log data about user connections to help with troubleshooting technical issues, but Hotspot Shield uses this information to identify user locations and serve advertisements."

The CDT would like the FTC to investigate the VPN provider based on its complaint. Below are some of the other accusations put forward by the privacy group:

 → Hotspot Shield VPN client for Android collects other sensitive information, such as names of wireless networks (via SSID/BSSID information), and other unique identifiers such as Media Access Control addresses and device IMEI numbers.
 → The VPN has been found to be actively injecting JavaScript codes using iframes for advertising and tracking purposes.
 → VPN uses more than five different third-party tracking libraries,  contradicting statements that Hotspot Shield ensures anonymous and private web browsing.
 → Hotspot Shield further redirects e-commerce traffic to partnering domains.
 → Consumers have reported instances of credit card fraud after purchasing the “Elite” paid-version of Hotspot Shield VPN.
 → Hotspot Shield also reveals that the app does not transmit Mobile Carrier information through an HTTPS connection.
 → AnchorFree made deceptive claims to the media and in its promotional materials.