ProPrivacy is reader supported and sometimes receives a commission when you make purchases using links on this site.

Hotspot Shield Accused of Snooping on Users

This week, a controversy has popped up in the world of Virtual Private Networks (VPNs). It surrounds a US-based provider called Hotspot Shield. The VPN firm has been around since 2008. Since then it has enjoyed a total of around 500 million downloads worldwide. That's a staggering amount of downloads. The VPN has accrued these by offering the service for free to around 97% of its users.

Now, a non-profit advocacy group called the Center for Democracy and Technology (CDT) has filed a 14-page complaint with the Federal Trade Commission (FTC), detailing what it feels to be "unfair and deceptive trade practices." This news came as something of a surprise to me, as I know the ProPrivacy.com review of Hotspot Shield tells readers (in the Privacy and Security section) that:

“Hotspot Shield’s terms of service give the company the right to collect user activity information and to “share” that information with third parties.”

I contacted CDT directly to get a bit more information about what it felt Hotspot Shield was doing wrong. CDT's Joseph Jerome told ProPrivacy.com the following:

“I'd say that ProPrivacy's review highlights exactly what Hotspot Shield does wrong. As the review points out, there's a lot of covert tracking going on with Hotspot Shield and much confusion over what the VPN does and does not do, particularly once you pay for the "ad free" version. That's misleading and unfair to consumers. Full stop. 

"Hotspot Shield's privacy policy is just not clear. It's also buried underneath statements on the app store that the VPN has no logs, protects confidentiality and anonymity, and shares no "personal" information. What are consumers to make of this situation? Hotspot Shield can't have things both ways - VPNs can't say one thing and do another when it comes to protecting privacy. That's a fundamental tenet of Section 5 of the FTC Act's prohibition against unfair and deceptive trade practices.”

Personal Information

There's no doubt that the Hotspot Shield privacy policy does stand somewhat awkwardly next to its claims on the App Store. On the Android Play store, the VPN says,

“Disguise your online identity and access blocked apps and sites with Hotspot Shield, while keeping your mobile activities anonymous, private and secure!”

That statement certainly doesn’t seem to line up consistently with a service that admits in its policy to collecting data and sharing it with third parties. That's a practice that we always condemn here at ProPrivacy.com - it's one of several reasons we warn people away from free VPN services. 

A casual look at the Hotspot Shield privacy policy, which was last updated in 2015, instantly raises an eyebrow:

“Except as explained in this Notice, AnchorFree does not collect any Personal Information about you when you use the Service. “Personal Information,” also referred to as personally identifiable information, is information that may be tied to a specific individual. 

"Examples of Personal Information include name, email address, mailing address, mobile phone number, and credit card or other billing information. Please note, however, that for purposes of this Privacy Notice, AnchorFree does not include your IP address or unique device identifier within the definition of Personal Information.”

The idea that IP addresses shouldn’t be considered personal information is ludicrous. With wording like this, the CDT’s complaint to the FTC certainly starts to sink in.

Cdt Grab

Plenty of Issues

As our review points out, Hotspot Shield has other problems too. A recent study conducted by the Commonwealth Scientific and Industrial Research Organization (CSIRO) revealed that Hotspot Shield’s apps contain tracking software. This both records its users' activities and sells that data to advertisers. In fact, the researchers discovered five different tracking libraries hidden within Hotspot Shield’s code. 

In addition, the CSIRO study found that Hotspot Shield was redirecting users to affiliate links when they entered specific web addresses such as eBay, Alibaba, Best Buy, Target, Macy’s, and others. Thus, when a Hotspot Shield user buys anything from those websites, Anchor Free receives a commission.

It is worth noting here that Hotspot Shield’s parent company, Anchor Free, has a separate business that serves Hotspot Shield users adverts - both in the app and on the webpages they visit.

Anchor Free

Nothing out of the Ordinary

VPNs that offer their services for free should always be regarded with suspicion. Providing a fast and reliable VPN service that has strong encryption, plenty of servers, and a watertight privacy policy isn’t going to be free for the end user unless the VPN creates a revenue stream elsewhere. 

Admittedly, some VPNs do offer trusted free VPN services that are designed to tempt users into subscribing to the full premium service. Those free VPNs don’t sacrifice their users’ privacy. However, they do restrict the service with bandwidth limits or usage limits of around 500 Mb per month.

Hotspot Shield, on the other hand, falls into a different category of free VPNs. It offers the service for free by using advertising to create a revenue stream. The privacy policy clearly states that it will collect and share data with third parties. The question is, what is that data? And is the VPN doing something fundamentally wrong?

Question Mark

A Denial

We decided to contact Hotspot Shield to give the firm a chance to express its views regarding the CDT’s allegations. It provided me with the following official statement:

“AnchorFree is a recognized leader in consumer online privacy and internet freedom. Our Hotspot Shield application is trusted by more than 500 million users, who rely on it to secure access to all of the world’s information. We strongly believe in online consumer privacy.

"This means that the information Hotspot Shield users provide to us is never associated with their online activities when they are using Hotspot Shield, we do not store user IP addresses and protect user personally identifiable information from both third parties and from ourselves.

"The recent claims to the contrary made by a non-profit advocacy group, the Center for Democracy and Technology, are unfounded. While we commend the CDT for their dedication to protecting users’ privacy, we were surprised by these allegations and dismayed that the CDT did not contact us to discuss their concerns.”

As you can see, the VPN claims not to be storing IP addresses or any personally identifiable information. This seems to stand in contrast to the privacy policy’s assertion that IP addresses are not considered “personal information” and that the firm will store data and share it with third parties. I pointed this out to Tim Tsoriev from Anchor Free, to which he responded,

“We do not keep our users' personally identifiable information or sell it to any third parties. We do not collect our users' IPs. 

"You are right that our existing privacy policy sends a wrong message. We are in the process of updating it to reflect the reality around how our systems work, and the reality is that many of the below items are not accurate.”

A Success Story?

When it comes to protecting consumer privacy, it's essential that firms’ privacy policies stand up to scrutiny. Badly worded and confusing privacy policies that leave an element of doubt can be extremely frustrating for consumers. In addition, they can lead consumers to believe they are getting a level of service that, in reality, they aren’t. 

In the case of VPNs - where people are relying on the service to provide them with privacy - that necessity is all the more acute. As such, we applaud the CDT for raising this issue with the FTC. 

If we are to take Hotspot Shield’s comments at face value, it would appear that the VPN believes it has not been wrongfully handling its users’ data. This is entirely possible. Here at ProPrivacy.com, we understand that it's not difficult for VPNs to keep certain records about their users without also storing personally identifiable information. 

For example, it might be possible for a VPN to know how many users it has within a particular country, without it actually keeping a record of each individual user’s IP address. 

For now, we will have to wait on the FTC’s investigation to be sure that this is the case. However, Hotspot Shield’s suggestion that it plans to update its privacy policy is certainly good news. As far as I'm aware, that's exactly what CDT wanted to get out of this: clarity for consumers. As such, this complaint appears to have resulted in a positive result already.

Confused Woman

Should I Use Hotspot Shield?

Whether or not you should use Anchor Free's VPN is really up to you. There is no doubt that there are better VPNs out there, with better privacy policies. 

However, Hotspot Shield does have its merits if you want a VPN to unblock online content in a nation where there's censorship. If you need a VPN to get around a landlord’s strict website blocks, or blocks imposed by another local network administrator (such as a workplace), Hotspot Shield will also do the trick. Furthermore, it will help to keep your data secure while on public WiFi (so that hackers can’t steal your passwords and bank details) and in private (from your Internet Service Provider and government snooping). Hotspot Shield does successfully do these things. 

In the end, you must ask yourself what level of privacy you desire. If a free VPN that serves you adverts and makes money out of you isn’t a particular concern, then Hotspot Shield can be a godsend. Many people in locations such as Turkey and the Ukraine use the VPN successfully to get around government website blackouts. 

At the end of the day, if a VPN is free it should be regarded with suspicion. If you want the very best privacy available online, then you should bite the bullet and invest in a top VPN service.

Honeypot

Final Thoughts

Finally, remember that there is a chance that Hotspot Shield is, in reality, doing more wrong than it admits. In a worst case scenario, it could even be a honeypot. Since the US decided to permit Internet Service Providers to sell data to third parties, many US citizens have begun using VPNs. Hotspot Shield has enjoyed a particularly massive influx.

That's concerning, because the VPN is based in the US. As such, it could easily have been served a warrant and gag order and could be secretly gathering data for the US government. For this reason alone, this story will be worth keeping an eye on. It may well be worth staying away from Hotspot Shield until a time when the FTC restores confidence in the service.

Opinions are the writer's own.

Title image credit: Hotspot Shield home page.

Image credits: CDT, Anchor Free,amasterphotographer/Shutterstock.com
 Peshkova/Shutterstock.com
 NatBasil/Shutterstock.com

Written by: Ray Walsh

Digital privacy expert with 5 years experience testing and reviewing VPNs. He's been quoted in The Express, The Times, The Washington Post, The Register, CNET & many more. 

3 Comments

Shelly
on March 5, 2020
Thanks for the informative article. Any VPNs that you would personally recommend? Currently looking at Atlas VPN but can't find any reviews of it.
https://cdn.proprivacy.com/storage/images/proprivacy/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-small_webp.webp
Douglas Crawford replied to Shelly
on March 6, 2020
Hi Shelly. Please check out Best VPN Services for our overall recommendations, or 5 Best No-Logs VPNs if privacy is a particular priority for you. We have not reviewed Atlas VPN because there are far too many mobile app-only VPN services out there, most of which are very low quality. Its perfectly possible that Atlas VPN bucks this trend, but we have no plans for reviewing it in the foreseeable future and instead strongly recommend sticking with established full VPN services which have built up a good reputation for themselves.
Joe
on August 12, 2017
I don't trust governments on principal. I also wouldn't use a US(or UK) based VPN. And since the FTC is the government, I wouldn't trust anything they say!

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives:

The fastest VPN we test, unblocks everything, with amazing service all round

A large brand offering great value at a cheap price

One of the largest VPNs, voted best VPN by Reddit

One of the cheapest VPNs out there, but an incredibly good service