FTC Complaint Alleges Hotspot Shield Collects User Data

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,112
A complaint filed with the Federal Trade Commission (FTC) on Monday alleges that the popular free Virtual Private Network (VPN) service Hotspot Shield collects a large amount of data and intercepts user traffic.

Submitted by the Center for Democracy & Technology (CDT), the complaint (PDF) urges the FTC to investigate the data security and data sharing practices of Hotspot Shield, alleging they are “unfair and deceptive trade practices.” The complaint also claims the service engages into undisclosed data sharing and traffic redirection practices despite promising to protect the users’ privacy.

CDT, a nonprofit technology advocacy organization, suggests that Hotspot Shield’s privacy policy contradicts the advertised privacy and security claims. The service claims to keep no logs of a user’s online activity or personal information, and to store no user data, while also saying that it doesn’t track users and doesn’t sell their information.

The privacy and security claims are highlighted as key features of the Hotspot Shield VPN mobile applications in both iTunes and Google Play storefronts, but the service’s privacy policy “describes more elaborate logging practices,” the complaint reads. A source code analysis of Hotspot Shield backs these allegations, CDT says.

The organization also claims that “the VPN promises to connect advertisers to users who frequent websites in particular categories and while most VPNs prevent internet service providers from seeing a user’s internet traffic, that traffic is often visible in unencrypted form to Hotspot Shield. VPNs typically log data about user connections to help with troubleshooting technical issues, but Hotspot Shield uses this information to identify user locations and serve advertisements."

CDT also points out that Hotspot Shield’s privacy policy says that it doesn’t collect personal user information, claiming that IP addresses and unique device identifiers aren’t considered personal information by the free VPN provider. Moreover, the complaint claims the service deploys persistent cookies and that it also “works with unaffiliated entities to customize advertising and marketing messages.”

Furthermore, the complaint alleges that Hotspot Shield insists it doesn’t make money from selling customer data, but that the service also promises to connect advertisers to users that frequently access travel, retail, business, and finance websites. CDT points out that these partners can link information about users’ web-viewing habits even if they are provided only with hashed or proxy IP addresses.

An analysis of Hotspot Shield’s functionality, data sharing, and network connections was performed by Carnegie Mellon University’s Mobile App Compliance System. Researchers downloaded and tested the Android app and found “undisclosed data sharing practices with third party advertising networks” when analyzing the application permissions.

They also discovered that the app discloses sensitive information such as names of wireless networks (via SSID/BSSID information), along with identifiers such as Media Access Control addresses, and device IMEI numbers.

The VPN was also found to inject JavaScript codes using iframes for advertising and tracking purposes, and to be using more than five different third-party tracking libraries. The apps also redirect e-commerce traffic to partnering domains, the complaint also claims.

“People often use VPNs because they do not trust the network they’re connected to, but they think less about whether they can trust the VPN service itself. For many internet users, it’s difficult to fully understand what VPNs are doing with their browsing data. Hotspot Shield tells customers that their privacy and security are ‘guaranteed’ but their actual practices starkly contradict this. They are sharing sensitive information with third party advertisers and exposing users’ data to leaks or outside attacks,” Michelle De Mooy, Director of CDT’s Privacy & Data Project, said.
 

In2an3_PpG

Level 18
Verified
Top Poster
Content Creator
Well-known
Nov 15, 2016
867
As quoted by the lovely people at Emsisoft.

Paid vs Free VPNs
Please don’t use a free VPN service. Really. If your VPN service is not making money from your subscription fees then it is making it elsewhere, like selling your personal information to a third-party who can spam you senseless. For VPN companies to maintain their servers is very expensive and the old adage holds true: if you’re not paying for it, you’re the product.

We mean it. Don’t use a free VPN service.


VPNs: Your personal tunnel to privacy
 

Atlas147

Level 30
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 28, 2014
1,990
Hotspot Shield has always seemed shady to me, especially injecting ads to your webpages. It just seems like a horrible business plan. And now that they allegedly sold user data to advertisers which users are using hotspot shield to get away, it seems like there is really no reason to use it as a privacy service any more.

Also Hotspot shield not considering IP addresses and unique device identifiers as "personal information" is utter bullshit, if it can be used to identify or locate you, it shoudl definitely be considered as personal information.

The upside to this is I actually haven't seen anyone on this forum recommend Hotspot shield so I'm guessing their business is slowly dying off as well.
 

Weebarra

Level 17
Verified
Top Poster
Well-known
Apr 5, 2017
836
Thanks for sharing this information, i have never used this service but didn't realise that they were so underhand and not liked, i am one of those people "who don't any better" but with people like you posting this information, it helps me to learn and be more cautious.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top