Complaint Filed Over Sketchy VPN Service

from the deceptive-trade-practices dept

VPNs are important... for some situations. Unfortunately, the message that many have received in hearing about the importance of VPNs is that they somehow "protect your privacy." But that's always been wrong. They just move the privacy questions somewhere else. And sometimes it's a sketchy place. A few months back we discussed this very issue with some security experts on our podcast. All VPNs do is create a secure tunnel from where you are to somewhere else. That's useful if you don't want other people sitting in the Starbucks with you to pick up your unencrypted traffic (or other people in your hotel on the hotel WiFi), but it doesn't solve anything on larger privacy questions. The always excellent SwiftOnSecurity summed it up nicely recently:

Basically, you're just moving the risk elsewhere, and you're trusting whoever your VPN provider is -- and they may very well be worse than whatever it is you're trying to avoid. The specific use case that's almost never recommended is using a VPN on your home network (with a few specific exceptions). You may not trust Comcast/AT&T/whatever, but they may actually be a lot more serious about protecting you than a fly-by-night VPN provider.

But with so many VPN providers out there, it's not always clear how legit they are, and there certainly have been rumors and complaints about some of them. Now, the Center for Democracy and Technology (CDT) has filed an FTC complaint against one of the more well-known VPN providers, Hotspot Shield VPN. You can read the short complaint yourself, but the short version is CDT says that Hotspot Shield VPN makes claims about privacy that are... not accurate, and argues that these are deceptive trade practices.

Hotspot Shield makes strong claims about the privacy and security of its data collection and sharing practices. CEO David Gorodyansky has stated that “we never log or store user data.” The company’s website promises “Anonymous Browsing” and notes that Hotspot Shield keeps “no logs of your online activity or personal information.” Hotspot Shield further differentiates itself from “...disreputable providers [that] are able to offer free VPN services [ ] because they make their money tracking and selling their users’ activities” by claiming that “Hotspot Shield neither tracks nor sells customers’ information.”

Take a wild guess what's coming next...

While connection logs can be designed to be minimally privacy-invasive, Hotspot Shield engages in logging practices around user connection data, beyond troubleshooting technical issues. The service uses this information to “identify [a user’s] general location, improve the Service, or optimize advertisements displayed through the Service.” IP addresses, unique device identifiers, and other “application information” are regularly collected by Hotspot Shield.

And then this:

While insisting that it does not make money from selling customer data, Hotspot Shield promises to connect advertisers to unique users that are frequent visitors of travel, retail, business, and finance websites. Moreover, these entities have access to IP addresses and device identifiers collected via Hotspot Shield. Even if Hotspot Shield only provides “hashed” or “proxy” IP addresses to these partners, third parties can also link information about web-viewing habits while using the Hotspot Shield by cross-referencing cookies, identifiers, or other information.

And more:

Contrary to Hotspot Shield’s claims, the VPN has been found to be actively injecting JavaScript codes using iframes for advertising and tracking purposes. An iframe, or “inline frame,” is an HTML tag that can be used to embed content from another site or service onto a webpage; iframes are frequently used to insert advertising, but can also be used to inject other malicious or unwanted code onto a webpage.

Further analysis of Hotspot Shield’s reverse-engineered source code revealed that the VPN uses more than five different third-party tracking libraries, contradicting statements that Hotspot Shield ensures anonymous and private web browsing.

But, wait, there's more...

Additional research has revealed that Hotspot Shield further redirects e-commerce traffic to partnering domains. For example, when a user connects through the VPN to access specific commercial web domains, including major online retailers like and , the application can intercept and redirect HTTP requests to partner websites that include online advertising companies.

And just one more thing...

Consumers have reported instances of credit card fraud after purchasing the “Elite” paid-version of Hotspot Shield VPN. One consumer reported “thousands of dollars” in credit card charges, as well as other suspicious online activity.

There's even more in the complaint, but those are some highlights. CDT claims that these are deceptive trade practices. Of course, the FTC doesn't need to do anything here. Such a complaint is basically asking the FTC to investigate and do something, and the FTC doesn't always do so. But at the very least, it may wake some people up about being careful which VPNs they use.
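
The iframe and script injection described in the complaint excerpts above can be checked for from the client side by comparing a copy of a page fetched over a trusted path with the copy received through the tunnel. This is an added example, not code from this post or from the CDT complaint; the URL, hostnames and HTML are constructed sample data, and the class and function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample data: one page as served (baseline) and as received via the tunnel.
PAGE_URL = "http://shop.example/"
BASELINE = """<html><head><script src="/static/app.js"></script></head>
<body><h1>Shop</h1></body></html>"""
TUNNEL = """<html><head><script src="/static/app.js"></script></head>
<body><h1>Shop</h1>
<iframe src="http://ads.tracker.example/frame?id=1" width="0" height="0"></iframe>
<script>/* constructed stand-in for an injected inline script */</script>
</body></html>"""


class ActiveContentParser(HTMLParser):
    """Collects (tag, origin) for iframes/scripts with a src and counts inline scripts."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.external = set()
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        src = dict(attrs).get("src")
        if src:
            # Resolve relative and protocol-relative URLs against the page URL.
            parts = urlsplit(urljoin(self.page_url, src))
            self.external.add((tag, f"{parts.scheme}://{parts.netloc}"))
        elif tag == "script":
            self.inline_scripts += 1


def summarize(page_url, html):
    parser = ActiveContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline_scripts


def injected_content(page_url, baseline_html, tunnel_html):
    """Report active content present in the tunnel copy but not in the baseline."""
    base_ext, base_inline = summarize(page_url, baseline_html)
    tun_ext, tun_inline = summarize(page_url, tunnel_html)
    return {
        "new_sources": sorted(tun_ext - base_ext),
        "extra_inline_scripts": max(0, tun_inline - base_inline),
    }


if __name__ == "__main__":
    print(injected_content(PAGE_URL, BASELINE, TUNNEL))
```

Use a static page you control as the baseline, since pages with rotating ads differ between fetches on their own. An in-path provider can alter page content only on plain HTTP unless the client trusts a certificate it controls.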

Filed Under: ftc, privacy, truth in advertising, vpn
Companies: cdt, hotspot shield vpn


Reader Comments

  1. Anonymous Coward, 9 Aug 2017 @ 4:12pm

    The ironic part is how shady some of the VPNs that have been advertised on this very website are...

    Your "daily deals" have included some truly abysmal VPNs, and you should probably have some nasty words for ol' StackSocial.

  2. Anonymous Anonymous Coward, 9 Aug 2017 @ 4:29pm

    Re:

    Note: The Techdirt Deals Store is powered and curated by StackCommerce. A portion of all sales from Techdirt Deals helps support Techdirt. The products featured do not reflect endorsements by our editorial team.

    Wow. Your reading skills are right up there. Are you always so selective? Do you read every third word, fourth word, or random words?

  3. Anonymous Coward, 9 Aug 2017 @ 5:37pm (this comment has been flagged by the community)

    Re: Re:

    "Don't blame me" for crappy products that I offer, because my offers "do not reflect endorsements". And if you do, I will attack you with sarcasm and demean your character, ability and education.

    That's customer service from the Masnick gang. Good luck with that. Raised lots of money with that technique? Oh yeah, I forgot, you don't report it, because you're too embarrassed that it amounts to nothing.

  4. JoeCool, 9 Aug 2017 @ 5:41pm

    Obvious solution

    Connect to the VPN through a VPN! That'll solve their problem!

  5. Anonymous Coward, 9 Aug 2017 @ 5:59pm

    Re: Obvious solution

    And don't forget to make sure they use good encryption. Something like double ROT13.

  6. Anonymous Coward, 9 Aug 2017 @ 6:05pm

    Re: Re:

    So you're ok with TechDirt profiting from products that harm consumers? Time for a TechDirtDirt.

  7. 9Blu, 9 Aug 2017 @ 6:08pm

    Re: Re:

    Yea I'm sorry but if you lend your name to something, that's tantamount to an endorsement and no amount of weaselly disclaimers will make it not so.

  8. MyNameHere, 9 Aug 2017 @ 6:33pm

    The funny part is a third party VPN has all the makings of a man in the middle attack. There is no simple way to know what (if anything) a VPN company is looking at. Are they logging all your URLs? Are they capturing passwords?

    Considering this one was recommended by Techdirt (and Torrentfreak, I think) it's hard to say any of them are much good now.

  9. Anonymous Coward, 9 Aug 2017 @ 6:54pm

    Re: Re: Re:

    Look a filthy pirate who posted this on his pirate VPN.

  10. Anonymous Coward, 9 Aug 2017 @ 7:00pm

    Re: Re: Obvious solution

    That scheme is too complex for your average person. Better you pick something simple like ROT 0

  11. Anonymous Coward, 9 Aug 2017 @ 7:02pm

    Re:

    Use TOR. If you want you can even be an entry or relay node.

  12. Anonymous Coward, 9 Aug 2017 @ 7:04pm

    To stop the iframes from loading use noscript. Takes a while to fine tune the filter but you can once again explore the web without questionable scripts being injected.

  13. Toom1275, 9 Aug 2017 @ 7:24pm

    Re: Re:

    "Outsource your marketing, outsource your reputation and ethics" -Popehat

  14. Eldakka, 9 Aug 2017 @ 8:36pm

    This will be interesting to watch

    I don't and haven't used Hotspot Shield VPN, never even been to their website. However, on another article on this issue (on ars), there is a user comment:

    It says right in the TOS that they might inject ads or redirect certain sites to interstitials in order to make revenue.

    Now if this is true, it will be interesting to see how this plays out with respect to TOS and other various agreements, which ones take priority and so on.

    Another thing worth considering is that Hotspot has both a free and a paid-for service. Which conditions apply to which services? Do the various quotes in this article about the company's statements about not logging, not passing on information etc. apply to only the paid service and not the free service, or do they apply to both?

    I can see it being that the free version has the above TOS, where they will inject stuff, and that the privacy protections only apply to the paid version and the above TOS doesn't.

    So it could be a case of confusion, people applying paid-for-terms/statements to the free service, or it could be they are completely dodgy...

  15. PaulT, 10 Aug 2017 @ 12:27am

    Re:

    "The ironic part is how shady some of the VPNs that have been advertised on this very website are..."

    So, of course, this is where you list them, your concerns about them and your evidence for your claims... right?

  16. PaulT, 10 Aug 2017 @ 12:28am

    Re: Re: Re:

    "So you're ok with TechDirt profiting from products that harm consumers?"

    Not really, but I need something more than a random claim from a random AC before making a decision. Citations?

  17. PaulT, 10 Aug 2017 @ 12:30am

    Re: Re: Re:

    "And if you do, I will attack you with sarcasm and demean your character, ability and education."

    To be fair, your character, ability and education are all demeaned by your own words and actions without anyone needing to intervene.

  18. PaulT, 10 Aug 2017 @ 12:31am

    Re: But it came so highly recommended!

    Was that before or after the information about their activities? Do you attack every site they sold through, or just the one you have a weird fetish for?

  19. PaulT, 10 Aug 2017 @ 12:36am

    Re:

    "The funny part is a third party VPN has all the makings of a man in the middle attack"

    Of course it does. That's obvious, which is why you pick one you trust, or you face the issues referenced in this very article.

    "Considering this one was recommended by Techdirt "

    No, it literally wasn't, as per the quote above.

    "(and Torrentfreak, I think) "

    And Groupon. And Techradar. And Softonic. And CNet. And Gizmodo (to list the first page of Google results I get when searching for previous deals).

    Are you weirdos also attacking those sites, or are you just morbidly obsessed with this one?

    "it's hard to say any of them are much good now."

    Still better than nothing.

  20. Cowardly Lion, 10 Aug 2017 @ 4:36am

    Re: Re:

    I'm a big fan of this site:

    https://www.privacytools.io/

    I think I might have seen it mentioned here a while back. Anyway, there's a link on there in the VPN section to a guy who maintains a spreadsheet of VPNs:

    https://thatoneprivacysite.net/vpn-comparison-chart/

    It's a useful reference site for anyone looking into pukka VPN providers by comparing all the different features they offer. Personally I've been using AirVPN (Italian) for years, and also NordVPN (Panamanian) for nearly 2 years. No problems with either. The sheer number of servers that Nord have makes it possible to use US endpoints for Netflix. Yes, I'm an evil geo-dodger and I just don't give a damn!

  21. PaulT, 10 Aug 2017 @ 4:51am

    Re: Re: Re:

    "Yes, I'm an evil geo-dodger and I just don't give a damn!"

    Very few real people actually feel guilty about bypassing geo restrictions. People see they're paying more for the service than someone in the US, but maybe getting 1/3 of the service, if that? Nobody is going to feel guilty about accessing value for their money. Which, of course, is why Netflix were forced to clamp down on VPNs by the studios - they knew nobody cared about their licencing model, they only knew they were being ripped off.

  22. Anonymous Coward, 10 Aug 2017 @ 5:10am

    Re: Re: But it came so highly recommended!

    Not every site purports to have a thorough understanding of technology issues and a pro-user bent. If you can't see the hypocrisy you're a lost cause.

  23. PaulT, 10 Aug 2017 @ 5:24am

    Re: Re: Re: But it came so highly recommended!

    "Not every site purports to have a thorough understanding of technology issues and a pro-user bent."

    Perhaps not, but some of the ones that also offered this VPN certainly do. Are you attacking any of those, or are you too moist over the fact that you have something to attack this site with that has a basis in fact, as opposed to the usual fictions you peddle?

  24. Mason Wheeler, 10 Aug 2017 @ 8:30am

    CDT claims that these are deceptive trade practices.

    That's putting it mildly!

    Consumers have reported instances of credit card fraud after purchasing the “Elite” paid-version of Hotspot Shield VPN. One consumer reported “thousands of dollars” in credit card charges, as well as other suspicious online activity.

    That's not "deceptive trade practices"; that's a crime. That's something that people should literally be sent to prison for.

    Contrary to Hotspot Shield’s claims, the VPN has been found to be actively injecting JavaScript codes using iframes for advertising and tracking purposes. An iframe, or “inline frame,” is an HTML tag that can be used to embed content from another site or service onto a webpage; iframes are frequently used to insert advertising, but can also be used to inject other malicious or unwanted code onto a webpage.

    Further analysis of Hotspot Shield’s reverse-engineered source code revealed that the VPN uses more than five different third-party tracking libraries, contradicting statements that Hotspot Shield ensures anonymous and private web browsing.

    Not sure if that one's a crime, but if it's not it definitely should be. One could probably make a case that it's a CFAA violation (yay for finding a good use for it!) if nothing else. This is something else that people should be sent to prison for.

    Forget the FTC and "deceptive trade practices;" they should be filing complaints with the FBI over this stuff!

  25. OA, 10 Aug 2017 @ 1:21pm

    Re:

    Or uMatrix.

  26. Anonymous Coward, 10 Aug 2017 @ 6:01pm

    Re: Re: Re:

    thatoneprivacysite is also recommended by the EFF as the place to get info, and thatoneprivacyguy who runs it is a pretty swell fellow.

  27. Anonymous Coward Using VPN, 10 Aug 2017 @ 9:16pm

    The claims of all the paid VPN providers always bug me so I set up my own VPN server and it's far, far more secure.

  28. So-Sammy, 11 Aug 2017 @ 2:12pm

    TL;DR only 'luxury' VPNs like Express VPN and PIA are worth a damn.
