The Center for Democracy & Technology (CDT), a digital rights advocacy group, on Monday urged US federal trade authorities to investigate VPN provider AnchorFree for deceptive and unfair trade practices.
"Hotspot Shield tells customers that their privacy and security are 'guaranteed' but their actual practices starkly contradict this," said Michelle De Mooy, Director of CDT’s Privacy & Data Project, in a statement. "They are sharing sensitive information with third party advertisers and exposing users’ data to leaks or outside attacks."
The CDT describes AnchorFree capitalizing on the Congressional Review Act (CRA), enacted in March to kill FCC privacy rules that next year would have required ISPs to get permission before sharing customer data. "Don’t let ISPs monetize your web history: Use Hotspot Shield," AnchorFree urged in a blog post.
The CDT suggests AnchorFree is engaged in the very thing its software supposedly prevents: monetizing your web history. As well as injecting stuff into webpages, Hotspot Shield, the CDT claims, gathers location data, in part for the optimization of ads, and it collects IP addresses, unique device identifiers, and other application information.
The CDT filing concedes that some level of network monitoring is necessary for VPN service providers. But AnchorFree, it contends, collects more data than is necessary for troubleshooting.
The Register tried to reach AnchorFree for comment, but its public firstname.lastname@example.org address repeatedly returned error messages, and the voicemail box at its headquarters in Menlo Park, Calif., was full.
A VPN is supposed to provide an encrypted tunnel to protect communication on untrusted network. But VPN providers can see their users' unencrypted traffic – such as non-HTTPS web connections – and they will generally snoop and analyze that traffic to monetize via advertising. They will also provide that information to law enforcement if presented with a lawful demand from authorities.
Efforts have been made to sort the good from the bad, but the practices of VPN providers may change over time, particularly free services that find they need a way to make money. A worryingly number of VPN Android apps are rife with malware, spying, and code injection. And paid-for VPN services have also found to be plain crap.
In a discussion of VPNs on GitHub, self-identified hacker Sven Slootweg argues not to use a VPN service at all.
"If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own," he advises.
Indeed, we believe the same. If you need a VPN and you know what you're doing, roll your own or install Algo. Otherwise, steer clear of free and commercial VPNs. You're just handing your internet traffic from one provider – your ISP – to an entirely untrusted one. ®