Hotspot Shield VPN Accused of Breaking Privacy Promises


A privacy non-profit has urged the Federal Trade Commission (FTC) to investigate alleged deceptive and unfair trade practices by the provider of the popular Hotspot Shield Free VPN.

The Center for Democracy & Technology (CDT) claimed in a lengthy filing that the VPN contradicts its headline privacy and security claims in its own privacy policy; facilitates targeted ads; redirects traffic to secret VPN servers; and “employs insecure and unreasonable data security practices.”

The tool, produced by Hotspot Shield, has managed to attract around 500 million customers from around the world with promises of “anonymous browsing” and claims that it keeps “no logs of your online activity or personal information.”

It even distances itself from other “disreputable” free VPN services which “make their money tracking and selling their users’ activities.”

However, its own privacy policy reveals that the VPN logs user connection data “to identify [a user’s] general location, improve the Service, or optimize advertisements displayed through the Service”, the filing states.

Hotspot Shield Free VPN claims to clear any browsing info after each session, but it actually “deploys persistent cookies and concedes that it works with unaffiliated entities to customize advertising and marketing messages”, the FTC filing continues.

CDT’s research was aided by Carnegie Mellon University’s Mobile App Compliance System, which it claims found “undisclosed data sharing practices with third party advertising networks.”

“Contrary to Hotspot Shield’s claims, the VPN has been found to be actively injecting JavaScript codes using iframes for advertising and tracking purposes,” the filing alleges.

“Further analysis of Hotspot Shield’s reverse-engineered source code revealed that the VPN uses more than five different third-party tracking libraries, contradicting statements that Hotspot Shield ensures anonymous and private web browsing.”

Hotspot Shield also redirects e-commerce traffic to partner websites that include online advertising companies, CDT claimed.

CDT also argued that consumers using the paid-for version of the VPN have become victims of credit card fraud.

This could be because the app doesn’t transmit mobile carrier information through an HTTPS connection, rendering it susceptible to leaks or attacks from malicious third parties, the FTC complaint alleges.

Media reports quote David Gorodyansky, CEO of parent company AnchorFree, as saying the claims are “unfounded”.
