VPN provider Hotspot Shield (owned by AnchorFree) is under attack for misleading marketing and mistreatment of user information. On August 7, advocacy group Center for Democracy and Technology filed a formal complaint with the Federal Trade Commission (FTC) accusing Hotspot Shield of engaging in a slew of unfair and deceptive practices, in violation of Section 5 of the FTC Act. Research for the filing was conducted by CDT, in conjunction with researchers at Carnegie Mellon University.
Although they advertise things including “complete anonymity” and “completely private” service that is “guaranteed,” the company is in fact sharing and selling user data, implementing persistent cookies, and, in the most egregious instances of all, redirecting traffic to partner domains. These practices not only represent significant privacy threats, but vary greatly from what the company promises users.
I wish I could say I’m surprised by this news, but I’m not. We have long cautioned VPN users to be skeptical of VPN providers that make the false promise of anonymity when trying to convince users to buy their VPN. Our article “I Am Anonymous When I Use a VPN – 10 Myths Debunked” goes into this issue in more detail. While these revelations are concerning, I’ve pointed this all out before. Providers using hyperbolic marketing messages and mishandling user data is, on the whole, not uncommon. It’s about time someone filed a formal complaint with the FTC (we’re good friends with CDT, and glad they’ve taken the initiative to do so). The fact that a VPN provider is the culprit here, however, makes things worse:
Privacy products inherently require a great deal of trust, so when a provider who promises to protect you not only betrays that trust but outright lies, it’s a bad situation.
Of course, some amount of data collection is necessary to run a business (at Golden Frog we log a very minimal amount of data in order to provide better service and we’re transparent about it). But what Hotspot Shield is doing goes well beyond a “typical” privacy violation or sharing data with advertisers. Their policies don’t accurately reflect their actions, and are written so as to minimize important definitions and concepts; according to Hotspot Shield, an IP address is not even considered “personal information”! Their claims are so exaggerated, they actually flat-out lie: “We never log or store user data” (this is pretty much technically impossible).
Even the most privacy-conscious user who does read the policy would be misled by this! It reminds us once again of the importance of selecting a privacy provider you can trust. I’ll be following up with a longer piece later this week, which will explore what you – as a consumer and privacy advocate – can do to ensure your privacy is protected and you are not misled by your provider.
Hotspot Shield issued a response a day after the filing, stating the claims are “unfounded” and they are “surprised by these allegations and dismayed that the CDT did not contact us to discuss their concerns.” They also said they value privacy and transparency in data practices. You can read their full statement here.
And don’t forget to check back later this week for my follow-up piece!