The digital rights advocacy group Center for Democracy & Technology (CDT) urged US federal trade authorities to investigate VPN provider AnchorFree for deceptive trade practices.
“The Center for Democracy & Technology asks the Federal Trade Commission
(Commission) to investigate the data security and data sharing practices of Hotspot
Shield Free Virtual Private Network (VPN) services, a product of AnchorFree, Inc.
Hotspot Shield Free VPN promises secure, private, and anonymous access to the internet.” reads the compliant. As detailed below, this complaint concerns undisclosed and unclear data sharing and traffic redirection occurring in Hotspot Shield Free VPN that should be considered unfair and deceptive trade practices under Section 5 of the FTC Act. “
“Hotspot Shield tells customers that their privacy and security are ‘guaranteed’ but their actual practices starkly contradict this,” said Michelle De Mooy, Director of CDT’s Privacy & Data Project, in a statement. “They are sharing sensitive information with third party advertisers and exposing users’ data to leaks or outside attacks.”
The experts that analyzed the source code of the application discovered the company is using several tracking libraries, it is very curious considering the company’s motto was “Don’t let ISPs monetize your web history: Use Hotspot Shield,”.
“Contrary to Hotspot Shield’s claims, the VPN has been found to be actively injecting
“inline frame,” is an HTML tag that can be used to embed content from another site or
service onto a webpage; iframes are frequently used to insert advertising, but can also be used to inject other malicious or unwanted code onto a webpage. Further analysis of Hotspot Shield’s reverse-engineered source code revealed that the” continues the compliant.
“VPN uses more than five different third-party tracking libraries, contradicting 34
statements that Hotspot Shield ensures anonymous and private web browsing.”
The CDT claims the VPN application gathers location data to optimize the advertising features, and it collects IP addresses, unique device identifiers, and other information (SSID/BSSID network names, MAC addresses, and device IMEI numbers.).
The CDT filing argues AnchorFree collects more data than normally needed to VPN service providers for their operations.
(Security Affairs – Hotspot Shield, VPN)