

Hotspot Shield VPN’s Privacy and Security Promises Contradict Practices

In March, just after Congress repealed rules that would have required internet service providers (ISPs) to get permission before using customers’ sensitive information, virtual private network (VPN) companies with apps reported a huge spike in downloads. Consumers were looking for a way to control who could view their online activities by using a VPN, a technology that enables internet users to privately send and receive data across public networks. VPNs are frequently cited by advocates (and regulators) as one of the few ways for the public to obscure personal information online. But some VPNs fail to live up to their promises.

As detailed in the complaint CDT filed today with the Federal Trade Commission (FTC), we believe Hotspot Shield Free VPN (Hotspot Shield) has employed unfair and deceptive trade practices as defined under Section 5 of the FTC Act. Among other concerns, the complaint details the ways in which Hotspot Shield’s marketing claims around privacy and security directly contradict its actual practices and policies – the description of the Hotspot Shield app in Google’s Play Store announces, “Your privacy and security are guaranteed!”, while CDT’s investigation found the opposite.

Working with the developers of Carnegie Mellon University’s (CMU) Mobile App Compliance System to examine the Android app’s practices, CDT found numerous instances where Hotspot Shield shared sensitive data such as the names of wireless networks, Media Access Control (MAC) addresses, and device IMEI numbers with third-party advertising networks without disclosing it to users. Hotspot Shield also says it has a “no logs” policy, but its privacy policy tells a different story: “When using a VPN service, a user’s internet connections are routed through servers either run by or controlled by the VPN provider. VPN providers may log data about this connection. These VPN logs serve a variety of functions, ranging from operations to delivery of third-party advertising.”

Another analysis found that the Hotspot Shield app was actively injecting JavaScript code using iframes for advertising and tracking purposes. An iframe, or “inline frame,” is an HTML tag that can be used to embed content from another site or service onto a webpage. Iframes are frequently used to insert advertising, but can also be used to inject other malicious or unwanted code onto a webpage. We also found that Hotspot Shield does not transmit mobile carrier information over an HTTPS connection, contrary to its leading claims of robust security. Such unencrypted transmissions can be vulnerable to data leaks or outside attacks.
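As an added illustration, not part of CDT’s post or of the analysis it describes, the following script shows the kind of check a site owner or tester can run on a page fetched through a VPN to spot the two problems named above: iframes from origins the page never intended to embed, and resources loaded over plain HTTP rather than HTTPS. The HTML, the page URL and the tracker hostnames are constructed sample values, and the allowlist of expected origins is an assumption the caller supplies.

```javascript
// Added example (not from the CDT post): audit an HTML document for
//  (1) <iframe> elements whose origin is not on the site's allowlist, and
//  (2) <iframe>/<script> resources fetched over plain http:.
// Uses only Node's built-in global URL class; no DOM is needed.

// Match <iframe ... src="..."> and <script ... src="..."> in static markup.
// This is a deliberately simple tag scanner, not a full HTML parser.
const TAG_RE = /<(iframe|script)\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;

// Returns a list of { tag, src, issue } findings.
//   html           - page markup to inspect
//   pageUrl        - URL the page was served from (used to resolve relative src)
//   allowedOrigins - origins (scheme://host[:port]) the page is expected to frame
function auditHtml(html, pageUrl, allowedOrigins) {
  const base = new URL(pageUrl);
  const allowed = new Set(allowedOrigins);
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    let u;
    try {
      u = new URL(m[2], base); // resolves relative paths against the page URL
    } catch {
      continue; // unparsable src: nothing to resolve, skip it
    }
    if (u.protocol === "http:") {
      findings.push({ tag, src: u.href, issue: "plain-http" });
    }
    if (tag === "iframe" && !allowed.has(u.origin)) {
      findings.push({ tag, src: u.href, issue: "unexpected-iframe-origin" });
    }
  }
  return findings;
}

// Constructed sample page: one legitimate first-party frame, plus an injected
// third-party ad iframe and a tracking script, both served without TLS.
// The hostnames under .test are placeholders, not real services.
const SAMPLE_HTML = `
<html><body>
<iframe src="https://example.com/embed/video"></iframe>
<iframe src="http://ads.example-tracker.test/frame?id=123"></iframe>
<script src="http://cdn.example-tracker.test/track.js"></script>
</body></html>`;

const SAMPLE_FINDINGS = auditHtml(
  SAMPLE_HTML,
  "https://example.com/page",
  ["https://example.com"]
);

console.log(JSON.stringify(SAMPLE_FINDINGS, null, 2));
```

Run against the sample page, the audit reports three findings: the injected iframe is flagged twice (unexpected origin and plain HTTP) and the tracking script once (plain HTTP), while the first-party HTTPS frame passes. Comparing the findings for a page fetched directly with those for the same page fetched through a VPN client is a quick way to see whether the client is altering page content in transit.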

Finally, Hotspot Shield makes it difficult for users to avoid harm by reading reviews or otherwise performing due diligence in choosing a VPN service; reviews are frequently manipulated by affiliates hired by VPNs.

Hotspot Shield’s surreptitious practices and deceptive claims are a betrayal of the trust placed in them by users. VPNs should be in the business of giving individuals a real option for confidential internet activity, and should not use deceptive claims to expose internet users to security risks or prey upon their limited ability to compare services.

Hotspot Shield’s actual practices and policies speak much louder than its claims, and we hope the FTC is listening.