Skip to Content

Privacy & Data

CDT Files Complaint with the FTC on Hotspot Shield VPN

For many Americans looking to protect their online privacy, virtual private networks, or VPNs, are a good option. However, a popular free VPN, Hotspot Shield, promises to protect its users’ privacy but has undisclosed data sharing and traffic redirection practices that violate that promise. As a result, the Center for Democracy & Technology (CDT) has asked the Federal Trade Commission (FTC) to investigate the data security and data sharing practices of Hotspot Shield Free Virtual Private Network (VPN) services, which we believe should be considered unfair and deceptive trade practices.

In an online environment increasingly hostile to private browsing, CDT and other advocates have frequently recommended VPN use to mask internet traffic, and VPN use has soared recently in the U.S. But, not all VPNs are created equal.

“People often use VPNs because they do not trust the network they’re connected to, but they think less about whether they can trust the VPN service itself. For many internet users, it’s difficult to fully understand what VPNs are doing with their browsing data. That makes clear and accurate disclosures and practices essential,” said Michelle De Mooy, Director of CDT’s Privacy & Data Project.

Hotspot Shield’s marketing claims that it does not track, log, or sell customers’ information, but its privacy policy and a source code analysis reveal otherwise. The VPN promises to connect advertisers to users who frequent websites in particular categories and while most VPNs prevent internet service providers from seeing a user’s internet traffic, that traffic is often visible in unencrypted form to Hotspot Shield. VPNs typically log data about user connections to help with troubleshooting technical issues, but Hotspot Shield uses this information to identify user locations and serve advertisements.

“Hotspot Shield tells customers that their privacy and security are ‘guaranteed’ but their actual practices starkly contradict this. They are sharing sensitive information with third party advertisers and exposing users’ data to leaks or outside attacks,” added De Mooy. “The product they offer fails to live up to its promises or meet the reasonable expectations of its customers.”

CDT’s complaint seeks to create awareness about the practices of some VPN services to ensure that technologies marketed as privacy-protective are clear and transparent about how user data is collected and shared.