
Hotspot Shield VPN throws your privacy in the fire, injects ads, JS into browsers – claim

CDT tries to set fed trade watchdog on internet biz

By Thomas Claburn, 7 Aug 2017

The Center for Democracy & Technology (CDT), a digital rights advocacy group, on Monday urged US federal trade authorities to investigate VPN provider AnchorFree for deceptive and unfair trade practices.

AnchorFree claims its Hotspot Shield VPN app protects netizens from online tracking, but, according to a complaint filed with the FTC, the company's software gathers data and its privacy policy allows it to share the information.

Worryingly, it is claimed the service forces ads and JavaScript code into people's browsers when connected through Hotspot Shield: "The VPN has been found to be actively injecting JavaScript codes using iframes for advertising and tracking purposes."

"Hotspot Shield tells customers that their privacy and security are 'guaranteed' but their actual practices starkly contradict this," said Michelle De Mooy, Director of CDT’s Privacy & Data Project, in a statement. "They are sharing sensitive information with third party advertisers and exposing users’ data to leaks or outside attacks."

The CDT describes AnchorFree capitalizing on the Congressional Review Act (CRA) resolution passed in March to kill FCC privacy rules that next year would have required ISPs to get permission before sharing customer data. "Don’t let ISPs monetize your web history: Use Hotspot Shield," AnchorFree urged in a blog post.

The CDT suggests AnchorFree is engaged in the very thing its software supposedly prevents: monetizing your web history. As well as injecting stuff into webpages, Hotspot Shield, the CDT claims, gathers location data, in part for the optimization of ads, and it collects IP addresses, unique device identifiers, and other application information.

IP address and unique device identifiers are generally considered to be private personal information, but AnchorFree's Privacy Policy explicitly exempts this data from its definition of Personal Information.

The CDT filing concedes that some level of network monitoring is necessary for VPN service providers. But AnchorFree, it contends, collects more data than is necessary for troubleshooting.

While Hotspot Shield's Privacy Policy insists "original IP address will not be permanently stored or provided to any third parties by your use of Hotspot Shield," the CDT complaint says Carnegie Mellon University’s Mobile App Compliance System indicates that the app discloses other sensitive data, including SSID/BSSID network names, MAC addresses, and device IMEI numbers.

"Contrary to Hotspot Shield's claims, the VPN has been found to be actively injecting JavaScript codes using iFrames for advertising and tracking purposes," the complaint says, adding that the VPN uses more than five different third-party tracking libraries.
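The injection described in the complaint is straightforward to check for yourself: fetch the same plain-HTTP page directly and through the tunnel, then diff the scripts and iframes. The script below does that comparison offline; it is an example added to this article, not code from CDT, Carnegie Mellon or AnchorFree, and both HTML samples (including the `ads.example` host) are constructed for illustration.

```python
"""Diff a page fetched through a suspect VPN against a trusted reference copy and
flag <script>/<iframe> elements the tunnel added. Added example for this
article, not CDT's or AnchorFree's code; both HTML samples are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _SrcCollector(HTMLParser):
    """Record src attributes of <script>/<iframe> tags and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.srcs = []        # (tag, src) in document order
        self.inline = []      # bodies of <script> tags without src
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.srcs.append((tag, a["src"]))
        elif tag == "script":
            if a.get("src"):
                self.srcs.append((tag, a["src"]))
            else:
                self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.inline.append(data.strip())


def collect(html):
    p = _SrcCollector()
    p.feed(html)
    p.close()
    return p.srcs, p.inline


def find_injected(reference_html, observed_html, page_host):
    """Return (new_elements, new_inline): elements in observed but not reference,
    each tagged first-party or third-party by comparing its host to page_host."""
    ref_srcs, ref_inline = collect(reference_html)
    obs_srcs, obs_inline = collect(observed_html)
    new_elements = []
    for tag, src in obs_srcs:
        if (tag, src) in ref_srcs:
            continue
        host = urlparse(src).hostname or page_host   # relative URL: same origin as page
        origin = "first-party" if host == page_host else "third-party"
        new_elements.append((tag, src, origin))
    new_inline = [body for body in obs_inline if body not in ref_inline]
    return new_elements, new_inline


# Constructed samples: what a direct fetch returned versus the same page via the tunnel.
REFERENCE_HTML = (
    '<html><head><script src="/static/app.js"></script></head>'
    '<body><p>Hello</p></body></html>'
)
OBSERVED_HTML = (
    '<html><head><script src="/static/app.js"></script></head>'
    '<body><p>Hello</p>'
    '<iframe src="http://ads.example/track?u=1" style="display:none"></iframe>'
    '<script>document.cookie="uid=1";</script>'
    '</body></html>'
)


def demo():
    return find_injected(REFERENCE_HTML, OBSERVED_HTML, "example.org")


if __name__ == "__main__":
    elements, inline = demo()
    for tag, src, origin in elements:
        print(f"injected {tag}: {src} ({origin})")
    for body in inline:
        print(f"injected inline script: {body}")
```

Use a page served over plain HTTP for the comparison: a provider cannot rewrite an HTTPS response without breaking the certificate check, so that is where injection of this kind shows up. Expect some legitimate variation between fetches (CSRF tokens, cache-busting query strings), so treat third-party iframes and scripts that persist across several fetches as the signal.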

In fact, the Hotspot Shield Privacy Policy says the software isn't necessarily a VPN. "AnchorFree does not guarantee that the Service will create a VPN or utilize a Proxy IP Address on all websites."

The Register tried to reach AnchorFree for comment, but its public press@anchorfree.com address repeatedly returned error messages, and the voicemail box at its headquarters in Menlo Park, Calif., was full.

A VPN is supposed to provide an encrypted tunnel to protect communication on an untrusted network. But VPN providers can see their users' unencrypted traffic – such as non-HTTPS web connections – and, even for HTTPS, the destination of every connection, since DNS lookups and the TLS hostname travel in the clear. Many will snoop on and analyze that traffic to monetize it via advertising, and they will also provide that information to law enforcement if presented with a lawful demand from authorities.
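To make concrete what a VPN operator sits in a position to read, the following added example (not code from the article or from any provider it names) parses two constructed payloads as they would leave the tunnel: a plaintext HTTP request, from which the full URL is recoverable, and a TLS ClientHello, from which the destination hostname is recoverable via the SNI extension even though the rest of the session is encrypted. It goes one step beyond the article's non-HTTPS point: HTTPS hides the path and content, not the hostname. The ClientHello builder is a minimal test fixture, not a full TLS implementation.

```python
"""What a VPN operator (or any on-path party) can read from a user's flow once it
leaves the tunnel: the request line and Host header of plain HTTP, and the
destination hostname from the SNI extension of a TLS ClientHello even when the
connection is HTTPS. Added example, not code from the article; the sample
payloads are constructed inline."""
import struct


def extract_http_request(payload: bytes):
    """Return (method, host, path) for a plaintext HTTP/1.x request, else None."""
    try:
        head, _, _ = payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, path, version = lines[0].split(" ", 2)
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/"):
        return None
    host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith("host:")), None)
    return method, host, path


def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None."""
    # Record header: type(1) version(2) length(2); handshake type 0x01 = ClientHello.
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    end = 9 + int.from_bytes(record[6:9], "big")
    off = 9 + 2 + 32                                   # legacy_version + random
    sid_len = record[off]; off += 1 + sid_len          # session id
    cs_len = int.from_bytes(record[off:off + 2], "big"); off += 2 + cs_len   # cipher suites
    comp_len = record[off]; off += 1 + comp_len        # compression methods
    if off + 2 > end:
        return None                                    # no extensions block at all
    ext_end = off + 2 + int.from_bytes(record[off:off + 2], "big"); off += 2
    while off + 4 <= ext_end:
        ext_type = int.from_bytes(record[off:off + 2], "big")
        ext_len = int.from_bytes(record[off + 2:off + 4], "big")
        body = record[off + 4:off + 4 + ext_len]
        # server_name extension: list_len(2) name_type(1)=0 name_len(2) name
        if ext_type == 0x0000 and len(body) >= 5 and body[2] == 0:
            name_len = int.from_bytes(body[3:5], "big")
            return body[5:5 + name_len].decode("ascii", "replace")
        off += 4 + ext_len
    return None


def build_client_hello(host: str) -> bytes:
    """Construct a minimal ClientHello carrying an SNI extension (test fixture only)."""
    name = host.encode("ascii")
    sni = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!HH", 0x0000, len(sni) + 2) + struct.pack("!H", len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                    # version + (zeroed) random
            + b"\x00"                                  # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
            + b"\x01\x00"                              # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed samples of two flows as seen on the far side of the tunnel.
SAMPLE_HTTP = b"GET /search?q=symptoms HTTP/1.1\r\nHost: example.org\r\nUser-Agent: x\r\n\r\n"
SAMPLE_TLS = build_client_hello("bank.example.com")


def observe(payload: bytes):
    """Classify one captured payload the way a snooping operator would."""
    req = extract_http_request(payload)
    if req:
        return {"kind": "http", "method": req[0], "host": req[1], "path": req[2]}
    sni = extract_sni(payload)
    if sni:
        return {"kind": "tls", "host": sni, "path": None}
    return {"kind": "unknown", "host": None, "path": None}


if __name__ == "__main__":
    for sample in (SAMPLE_HTTP, SAMPLE_TLS):
        print(observe(sample))
```

The asymmetry is the point: for the HTTP flow the operator gets method, host and the full query string; for the TLS flow it still gets the hostname, and the same name usually appears a moment earlier in the user's DNS query. A provider that logs "only metadata" is therefore logging your browsing history.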

Efforts have been made to sort the good from the bad, but the practices of VPN providers may change over time, particularly free services that find they need a way to make money. A worrying number of VPN Android apps are rife with malware, spying, and code injection. And paid-for VPN services have also been found to be plain crap.

In a discussion of VPNs on GitHub, self-identified hacker Sven Slootweg argues not to use a VPN service at all.

"If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own," he advises.

Indeed, we believe the same. If you need a VPN and you know what you're doing, roll your own or install Algo. Otherwise, steer clear of free and commercial VPNs. You're just handing your internet traffic from one provider – your ISP – to an entirely untrusted one. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing