PrivacyCDT files complaint with the FTC against Hotspot Shield VPN

Published 9 August 2017

For many Americans looking to protect their online privacy, virtual private networks, or VPNs, are a good option. The Center for Democracy & Technology (CDT) says, however, that a popular free VPN, Hotspot Shield, promises to protect its users’ privacy but has undisclosed data sharing and traffic redirection practices that violate that promise. Plixer said that the claims by CDT ignore the internet market realities.

For many Americans looking to protect their online privacy, virtual private networks, or VPNs, are a good option. The Center for Democracy & Technology (CDT) says, however, that a popular free VPN, Hotspot Shield, promises to protect its users’ privacy but has undisclosed data sharing and traffic redirection practices that violate that promise. As a result, the CDT has asked the Federal Trade Commission (FTC) to investigate the data security and data sharing practices of Hotspot Shield Free Virtual Private Network (VPN) services, which we believe should be considered unfair and deceptive trade practices.

CDT says that in an online environment increasingly hostile to private browsing, CDT and other advocates have frequently recommended VPN use to mask internet traffic, and VPN use has soared recently in the U.S. But, not all VPNs are created equal.

“People often use VPNs because they do not trust the network they’re connected to, but they think less about whether they can trust the VPN service itself. For many internet users, it’s difficult to fully understand what VPNs are doing with their browsing data. That makes clear and accurate disclosures and practices essential,” said Michelle De Mooy, Director of CDT’s Privacy & Data Project.

Hotspot Shield’s marketing claims that it does not track, log, or sell customers’ information, but its privacy policy and a source code analysis reveal otherwise. The VPN promises to connect advertisers to users who frequent websites in particular categories and while most VPNs prevent internet service providers from seeing a user’s internet traffic, that traffic is often visible in unencrypted form to Hotspot Shield. VPNs typically log data about user connections to help with troubleshooting technical issues, but Hotspot Shield uses this information to identify user locations and serve advertisements.

“Hotspot Shield tells customers that their privacy and security are ‘guaranteed’ but their actual practices starkly contradict this. They are sharing sensitive information with third party advertisers and exposing users’ data to leaks or outside attacks,” added De Mooy. “The product they offer fails to live up to its promises or meet the reasonable expectations of its customers.”

CDT’s complaint seeks to create awareness about the practices of some VPN services to ensure that technologies marketed as privacy-protective are clear and transparent about how user data is collected and shared.

Plixer said that the claims by CDT ignore the internet market realities. Michael Patterson, CEO of Plixer says, “Anyone who thinks they can do something anonymously on the Internet is uninformed. Everything is tracked and if you use a free service like Hotspot Shield — in exchange for the free service they are likely grabbing something from you. Nothing is free. Almost no one reads the End User License Agreement (EULA) of the applications they install. Consumers may want to read it and become aware of what they are giving up. The Internet has brought the age of big data and that means nearly everything we install or bring into our homes is trying to upload information about us for capital gain.”