CDT: Hotspot Shield Collects User Data
August 8, 2017
For many Americans looking to protect their online privacy, virtual
private networks, or VPNs, are a good option. However, a popular
free VPN, Hotspot Shield, promises to protect its users’ privacy
but has undisclosed data sharing and traffic redirection
practices that violate that promise. As a result, the Center for
Democracy & Technology (CDT) has asked the Federal Trade
Commission (FTC) to investigate the data security and data
sharing practices of Hotspot Shield Free Virtual Private Network
(VPN) services, which we believe should be considered unfair and
deceptive trade practices.
In an online environment increasingly hostile to private
browsing, CDT and other advocates have frequently recommended
VPN use to mask internet traffic, and VPN use has soared
recently in the U.S. But not all VPNs are created equal.
“People often use VPNs because they do not trust the network
they’re connected to, but they think less about whether they can
trust the VPN service itself. For many internet users, it’s
difficult to fully understand what VPNs are doing with their
browsing data. That makes clear and accurate disclosures and
practices essential,” said Michelle De Mooy, Director of CDT’s
Privacy & Data Project.
Hotspot Shield’s marketing claims that it does not track, log,
source code analysis reveal otherwise. The VPN promises to
connect advertisers to users who frequent websites in particular
categories and while most VPNs prevent internet service
providers from seeing a user’s internet traffic, that traffic is
often visible in unencrypted form to Hotspot Shield. VPNs
typically log data about user connections to help with
troubleshooting technical issues, but Hotspot Shield uses this
information to identify user locations and serve advertisements.
“Hotspot Shield tells customers that their privacy and security are
‘guaranteed’ but their actual practices starkly contradict this.
They are sharing sensitive information with third party
advertisers and exposing users’ data to leaks or outside
attacks,” added De Mooy. “The product they offer fails to live
up to its promises or meet the reasonable expectations of its
CDT’s complaint seeks to create awareness about the practices of
some VPN services to ensure that technologies marketed as
privacy-protective are clear and transparent about how user data
is collected and shared.