This article is more than 1 year old

Hotspot Shield VPN throws your privacy in the fire, injects ads, JS into browsers – claim

CDT tries to set fed trade watchdog on internet biz

The Center for Democracy & Technology (CDT), a digital rights advocacy group, on Monday urged US federal trade authorities to investigate VPN provider AnchorFree for deceptive and unfair trade practices.

AnchorFree claims its Hotspot Shield VPN app protects netizens from online tracking, but, according to a complaint filed with the FTC, the company's software gathers data and its privacy policy allows it to share the information.

Worryingly, it is claimed the service forces ads and JavaScript code into people's browsers when connected through Hotspot Shield: "The VPN has been found to be actively injecting JavaScript codes using iframes for advertising and tracking purposes."

"Hotspot Shield tells customers that their privacy and security are 'guaranteed' but their actual practices starkly contradict this," said Michelle De Mooy, Director of CDT’s Privacy & Data Project, in a statement. "They are sharing sensitive information with third party advertisers and exposing users’ data to leaks or outside attacks."

The CDT describes AnchorFree as capitalizing on the Congressional Review Act (CRA), enacted in March to kill FCC privacy rules that next year would have required ISPs to get permission before sharing customer data. "Don’t let ISPs monetize your web history: Use Hotspot Shield," AnchorFree urged in a blog post.

The CDT suggests AnchorFree is engaged in the very thing its software supposedly prevents: monetizing your web history. As well as injecting stuff into webpages, Hotspot Shield, the CDT claims, gathers location data, in part for the optimization of ads, and it collects IP addresses, unique device identifiers, and other application information.

IP addresses and unique device identifiers are generally considered to be private personal information, but AnchorFree's Privacy Policy explicitly exempts this data from its definition of Personal Information.

The CDT filing concedes that some level of network monitoring is necessary for VPN service providers. But AnchorFree, it contends, collects more data than is necessary for troubleshooting.

While Hotspot Shield's Privacy Policy insists "original IP address will not be permanently stored or provided to any third parties by your use of Hotspot Shield," the CDT complaint says Carnegie Mellon University’s Mobile App Compliance System indicates that the app discloses other sensitive data, including SSID/BSSID network names, MAC addresses, and device IMEI numbers.

"Contrary to Hotspot Shield's claims, the VPN has been found to be actively injecting JavaScript codes using iFrames for advertising and tracking purposes," the complaint says, adding that the VPN uses more than five different third-party tracking libraries.

In fact, the Hotspot Shield Privacy Policy says the software isn't necessarily a VPN. "AnchorFree does not guarantee that the Service will create a VPN or utilize a Proxy IP Address on all websites."

The Register tried to reach AnchorFree for comment, but its public press@anchorfree.com address repeatedly returned error messages, and the voicemail box at its headquarters in Menlo Park, Calif., was full.

A VPN is supposed to provide an encrypted tunnel to protect communication on untrusted networks. But VPN providers can see their users' unencrypted traffic – such as non-HTTPS web connections – and they will generally snoop and analyze that traffic to monetize via advertising. They will also provide that information to law enforcement if presented with a lawful demand from authorities.

Efforts have been made to sort the good from the bad, but the practices of VPN providers may change over time, particularly free services that find they need a way to make money. A worrying number of Android VPN apps are rife with malware, spying, and code injection. And paid-for VPN services have also been found to be plain crap.

In a discussion of VPNs on GitHub, self-identified hacker Sven Slootweg argues against using a VPN service at all.

"If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own," he advises.

Indeed, we believe the same. If you need a VPN and you know what you're doing, roll your own or install Algo. Otherwise, steer clear of free and commercial VPNs. You're just handing your internet traffic from one provider – your ISP – to an entirely untrusted one. ®

 
