Complaint to FTC Claims Hotspot Shield VPN Misleads Users About Privacy

The American Center for Democracy & Technology has filed a complaint with the FTC regulator about AnchorFree’s VPN service Hotspot Shield. According to the complaint, the service misleads users regarding their privacy.

The complaint, filed Monday and noted by Ars Technica, alleges that the agency is making claims about security and privacy that are refuted by its own privacy policy. For example, Hotspot Shield claims not to keep any logs and to guarantee the anonymity of the user. However, the privacy conditions, after investigation by the CDT, show that log files are indeed kept that go beyond just detecting technical problems.

The service is said to keep track of users’ IP addresses, which, however, it claims does not connect with web activities. It also concerns the location and a unique device identifier of users. Even though Hotspot Shield partners cannot identify users because of hashed or proxy IP addresses, the CDT claims that identification based on other properties is possible.

In addition, the organization partnered with Carnegie Mellon University to investigate the source code of the Android app. It turned out that the Hotspot Shield app reveals various sensitive data, such as WiFi SSID, MAC addresses and imei numbers. Further on, the CDT points to previous research, which showed that Hotspot Shield injects javascript by means of iframes to track users and show advertisements. The app would also redirect internet traffic to partner websites, including advertising companies.

The CDT wants the FTC to investigate, as it believes the agency’s practices are misleading and unfair to consumers. HotSpot Shield offers both free and paid VPN services. It is not known how many customers the service has. The Play Store shows that the Android app has been installed between fifty and a hundred million times.