Hotspot Shield VPN accused of redirecting user traffic to advertisers

The Center for Democracy & Technology (CDT), a renowned privacy group, has accused Hotspot Shield VPN, developed by AnchorFree, Inc., of violating user privacy by intercepting web traffic, keeping activity logs and redirecting traffic to third-party websites, especially advertising companies.

In a 14-page filing, the group has accused the company of utilizing “unfair and deceptive trade practices” despite stating that it does not sell, track or log user data. CDT has asked the FTC (Federal Trade Commission) to investigate the matter.

According to one of the accusations, “Hotspot Shield engages in logging practices around user connection data, beyond troubleshooting technical issues” by using a user’s location and IP addresses to “improve the service, or optimize advertisements displayed through the service.”

The group has also accused the company of forcing JavaScript and ad code into its customers' browsers whenever they use Hotspot Shield. “The VPN has been found to be actively injecting JavaScript codes using iframes for advertising and tracking purposes.”

In a statement, Michelle De Mooy, Director of CDT’s Privacy & Data Project, said that “Hotspot Shield tells customers that their privacy and security are ‘guaranteed,’ but their actual practices starkly contradict this. They are sharing sensitive information with third party advertisers and exposing users’ data to leaks or outside attacks.”

“While insisting that it does not make money from selling customer data, Hotspot Shield promises to connect advertisers to unique users that are frequent visitors of travel, retail, business, and finance websites. Moreover, these entities have access to IP addresses and device identifiers collected via Hotspot Shield.

[…]

Even if Hotspot Shield only provides “hashed” or “proxy” IP addresses to these partners, third parties can also link information about web-viewing habits while using the Hotspot Shield by cross-referencing cookies, identifiers, or other information,” according to page 7 of the filing.

The group discovered these privacy flaws after teaming up with researchers at Carnegie Mellon University who noted that “When a user connects through the VPN to access specific commercial web domains, including major online retailers like target.com and macys.com, the application can intercept and redirect HTTP requests to partner websites that include online advertising companies.”

In a blog post from April 2017, Chris San Filippo of Hotspot Shield wrote that the company is against ISPs selling user web history to third parties. “Internet service providers (ISPs) being able to sell user web history to third parties, to advertisers possibly bombarding users with ads, the looming elimination of the FCC’s privacy rules can lead to privacy and anonymity anxiety for a lot of users in the US.”

However, CDT’s filing accuses the company of doing exactly what it kept on opposing publicly. In an email conversation with ZDNet, David Gorodyansky, CEO of AnchorFree, said he does not agree with the filing.

“We strongly believe in online consumer privacy. This means that the information Hotspot Shield users provide to us is never associated with their online activities when they are using Hotspot Shield, we do not store user IP addresses and protect user personally identifiable information from both third parties and from ourselves.”

Previously, CDT accused the smart toys “My Friend Cayla” and “I-Que” of spying on users and sending conversations and other data back to the company’s server. In their filing, the group stated that these dolls violate the Children’s Online Privacy Protection Act (COPPA) as well as FTC rules.

A few months later, Germany banned the My Friend Cayla doll, stating that it can listen to children's conversations and that, apart from responding to them in real time, it also conducts surveillance.

As for the Hotspot Shield VPN, it will be interesting to see what the FTC has to say about the issue, since its Android app alone has been downloaded by 50,000,000 – 100,000,000 users. Meanwhile, remember: the next time someone tells you “There is no such thing as a free lunch,” simply believe them.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.