The Federal Trade Commission must investigate claims made against VPN provider Hotspot Shield for allegedly deceptive trade practices, according to a new filing by a prominent privacy group.
Among the chief allegations in the 14-page filing, the Washington DC-based Center for Democracy & Technology (CDT) said the VPN provider violates its "anonymous browsing" promise by intercepting and redirecting web traffic to partner websites, including advertising companies.
Hotspot Shield, which we profiled last year, enables its more than 500 million worldwide users to bypass state censorship as well as regional restrictions on websites and streaming services. David Gorodynasky, chief executive of the service's parent company AnchorFree, told ZDNet at the time that about 97 percent of his users run the free, ad-supported version of the software.
In an interview in our New York newsroom, Gorodynasky said that the company doesn't make money off its customers' data, instead opting for a "zero knowledge" approach to ensure that governments cannot request data on its customers that it doesn't store.
But that isn't the case, says the CDT in its filing. It's accusing the company of logging connections and using third-party tracking to serve targeted advertising.
"Hotspot Shield engages in logging practices around user connection data, beyond troubleshooting technical issues" by using a user's location and IP addresses to "improve the service, or optimize advertisements displayed through the service," the filing says.
The CDT is calling on the FTC to intervene under its authority to prohibit unfair and deceptive acts and practices.
The privacy group began investigating the case in April after Congress repealed broadband privacy rules, which would have prevented internet providers from selling browsing history data to advertisers. The surge in demand for VPN services following the repeal led the group to investigate Hotspot Shield, by far the largest provider for subscribers on the market.
The group partnered with researchers at Carnegie Mellon University to analyze the app and the service and found "undisclosed data sharing practices" with advertising networks.
"Further analysis of Hotspot Shield's reverse-engineered source code revealed that the VPN uses more than five different third-party tracking libraries, contradicting statements that Hotspot Shield ensures anonymous and private web browsing," said the complaint.
"Hotspot Shield also monitors information about users' browsing habits while the VPN is in use," it read.
The researchers also found that the app transmits some sensitive cell carrier information on mobile users over an unencrypted connection, the filing says.
VPN providers can be a godsend to anyone living in a region where state surveillance and censorship are rife, and merely a convenience to those who wish to conceal their internet history and browsing traffic from their internet providers -- and any law enforcement agency that comes along. But an inherent issue is that users have to trust their VPN providers as much, if not more than their internet provider not to also collect, monitor, or sell their data.
"People often use VPNs because they do not trust the network they're connected to, but they think less about whether they can trust the VPN service itself," said Michelle De Mooy, director of CDT's Privacy & Data Project. For many internet users, it's difficult to fully understand what VPNs are doing with their browsing data. That makes clear and accurate disclosures and practices essential."
De Mooy added that the service "fails to live up to its promises or meet the reasonable expectations of its customers."
Gorodyansky said in an email late Monday that he does "not agree" with the filling.
"We strongly believe in online consumer privacy," said Gorodyansky. "This means that the information Hotspot Shield users provide to us is never associated with their online activities when they are using Hotspot Shield, we do not store user IP addresses and protect user personally identifiable information from both third parties and from ourselves."
He also called the claims in the CDT's filing "unfounded."
"While we commend the CDT for their dedication to protecting users' privacy, we were surprised by these allegations and dismayed that the CDT did not contact us to discuss their concerns," he added. "AnchorFree prides itself on being transparent about its data practices and would be happy to engage in a discussion to clarify the facts and better understand the nature of the CDT's concerns."