When is a VPN not private? When you’re not paying for it

One of the world’s most popular virtual private networks (VPN) is not so private, according to a complaint filed earlier this week with the US Federal Trade Commission (FTC).

The Center for Democracy & Technology (CDT), a nonprofit that advocates for free speech and privacy, contends that the free Hotspot Shield VPN, a product of AnchorFree, Inc., is engaging in “unfair and deceptive trade practices” by promising, “secure, private and anonymous access to the Internet” when it is actually tracking, collecting and sharing user data with third parties.

At one level, this probably sounds like a “no-such-thing-as-a-free-lunch” situation.

If a service is “free”, in the sense that you’re not paying money for it, then you’re paying in some other way. In the case of Hotspot Shield, that means being required to look at ads or having at least some of your personal data – location, browsing habits, purchasing history etc – collected and sold to third parties for marketing.

But that is at the heart of what has rapidly become a very public squabble between the CDT and AnchorFree, which says Hotspot Shield has more than 500m users. CDT contends that if users are “paying” for a service with their data, that ought to be made more clear to them.

After all, the whole idea of a VPNs is there in the middle word of the title: “private”. They are promoted as a way to keep your identity and browsing history secret – from everybody.

And that is indeed what AnchorFree promotes. Among the screenshots included in the CDT complaint is a Hotspot Shield VPN description on the iTunes/iOS App Store, which says, “Stay private and anonymous online. Prevent anyone from tracking your IP address, identity and location from websites and online trackers. Enjoy complete anonymity.”

The company also declares there are “no logs kept. Hotspot Shield doesn’t track or keep any logs of its users and their activities. Your security and privacy are guaranteed.”

Except that’s not what’s in the fine print. AnchorFree’s actual privacy policy, among other things, says that:

• IP address or unique device identifiers are not considered personal information – something that would probably be news to most of their customers.
• The service gathers location data, in part for the optimization of ads.
• The service uses cookies and automatically collected information to, “provide customized advertisements, content and information.”
• The service may “enter into agreements with unaffiliated entities which possess technology that allows us to customize the advertising and marketing messages users receive while using the service.”
• The service will disclose personal information to law enforcement, not just in response to a warrant or subpoena, but to “otherwise cooperate” with law enforcement or government agencies.
• The service doesn’t guarantee that it will create a VPN or use a proxy IP address on all websites.

Beyond that, the CDT complaint claims that Hotspot Shield has been found to be “actively injecting JavaScript codes using iframes for advertising and tracking purposes”.

AnchorFree CEO David Gorodyansky, who has called CDT’s claims “unfounded”, told Naked Security in an email exchange:

Privacy and user trust is the key to our business. We have never given up or sold any user data, and our perspective on user data protection is to not store any data related to user IP addresses or personally identifiable information.

Asked to clarify how that statement squared with language in the company’s privacy policy, Gorodyansky said that “we are in the process of updating our privacy policy to reflect the reality around how our systems work, and the reality is that many of the items [in the above list] are not actually accurate”.

How common such disconnects between promotion and written policy are is hard to estimate. The FTC, while it acknowledged receipt of the complaint from CDT about Hotspot Shield, declined to comment on whether there are any other investigations into allegedly false VPN claims. Joanna Gruenwald Henderson of the FTC said:

FTC Investigations are non-public, and we do not comment on investigations or even the existence of an investigation.

Part of the problem, of course, is that hardly anybody reads Terms of Service (ToS) agreements or privacy policies because they generally are pages upon pages of dense legalese. The Finnish security company F-Secure famously did an experiment in 2014, creating a spoof ToS that said those who wanted to use a “free” Wi-Fi service would have to give the company their first-born child. Plenty of people agreed – obviously not having read the fine print.

But another reality is that, as is the case with just about anything online, nothing is entirely bulletproof. Naked Security’s Paul Ducklin, who provided a tutorial with pros and cons of VPNs a couple of years ago, also reminded users in an earlier post that both security and privacy of VPNs come with some qualifications.

VPNs can be “excellent tools” to improve privacy, anonymity and secrecy,” he wrote, but also noted that, “the ‘private’ in ‘virtual private network’ means nothing more than that the VPN provides a connection that can be made to behave as though you had a direct hookup to your destination network.

“In other words, a VPN is implicitly private more in the sense that your family car is classed as a private/light goods vehicle than in the sense of private-as-in-privacy,” he wrote.