Hotspot Shield VPN accused of violating users' privacy, spying on web browsing habits

AnchorFree, the California-headquartered company behind the popular virtual private network (VPN) service Hotspot Shield, has been accused of "unfair and deceptive trade practices" by a US privacy group for allegedly over-collecting user data for advertising purposes.

"Hotspot Shield engages in logging practices and uses third-party tracking libraries to facilitate targeted advertisements," read the 12-page complaint, filed by the US Centre for Democracy and Technology (CDT) to the Federal Trade Commission (FTC) on 7 August 2017.

Hotspot Shield "monitors information about users' browsing habits while the VPN is in use," the legal filing stated, further alleging it "deploys persistent cookies and concedes that it works with unaffiliated entities to customise advertising and marketing messages".

VPN software helps internet users circumvent controls on the web, and is often used to help obscure personal details from unwanted snooping or interception.

Hotspot Shield bosses have previously claimed that the firm's software "never" stores user data and that it is designed to enable "anonymous" online browsing.

In its complaint, CDT admitted that VPN providers "must engage in some logging to monitor bandwidth or to enforce restrictions" on how many devices are accessing the service. However, the group alleged that Hotspot Shield goes beyond the expected data collection remit.

It has claimed that the service relies on user data to "identify a user's general location" and "optimise advertisements displayed through the service". It said IP addresses and "unique service identifiers" are both scooped up as the company does not consider these to be personal information.

The filing also alleged that Hotspot Shield "promises to connect advertisers to unique users that are frequent visitors of travel, retail, business and finance websites." Analysis of its source code also indicated that the free VPN "uses more than five third-party tracking libraries."

The company's chief executive officer David Gorodynasky, in a statement to technology website Zdnet, said: "We strongly believe in online consumer privacy.

"This means that the information Hotspot Shield users provide to us is never associated with their online activities when they are using Hotspot Shield, we do not store user IP addresses and protect user personally identifiable information from both third parties and from ourselves.

"While we commend the CDT for their dedication to protecting users' privacy, we were surprised by these allegations and dismayed that the CDT did not contact us to discuss their concerns."

The CDT is now asking the FTC to launch an investigation into AnchorFree's widely-used VPN service to decide if its data security practices are legal, claiming the company now needs to clear up its advertising policies. At the time of writing, all claims in the filing remain allegations.