home << Policy << auto complaint filed over sketchy vpn service
Thu, 10 Aug 2017
Complaint Filed Over Sketchy VPN Service
Furnished content.
VPNs are important... for some situations. Unfortunately, the message that many have received in hearing about the importance of VPNs is that they somehow "protect your privacy." But that's always been wrong. They just move the privacy questions somewhere else. And sometimes it's a sketchy place. A few months back we discussed this very issue with some security experts on our podcast. All VPNs do is create a secure tunnel from where you are to somewhere else. That's useful if you don't want other people sitting in the Starbucks with you to pick up your unencrypted traffic (or other people in your hotel on the hotel WiFi), but it doesn't solve anything on larger privacy questions. The always excellent SwitfOnSecurity summed it up nicely recently:Basically, you're just moving the risk elsewhere, and you're trusting whoever your VPN provider is -- and they may very well be worse than whatever it is you're trying to avoid. The specific use case that's almost never recommended is using a VPN on your home network (with a few specific exceptions). You may not trust Comcast/AT&T/whatever, but they may actually be a lot more serious about protecting you than a fly-by-night VPN provider.But with so many VPN providers out there, it's not always clear how legit they are, and there certainly have been rumors and complaints about some of them. Now, the Center for Democracy and Technology (CDT) has filed an FTC complaint against one of the more well known VPN providers, Hotspot Shield VPN. You can read the short complaint yourself, but the short version is CDT says that Hotspot Shield VPN makes claims about privacy that are... not accurate, and argues that these are deceptive trade practices.Hotspot Shield makes strong claims about the privacy and security of its data collectionand sharing practices. CEO David Gorodyansky has stated that we never log or storeuser data. The company's website promises Anonymous Browsing and notes thatHotspot Shield keeps no logs of your online activity or personal information. HotspotShield further differentiates itself from ...disreputable providers [that] are able to offerfree VPN services [ ] because they make their money tracking and selling their users'activities by claiming that Hotspot Shield neither tracks nor sells customers'information. Take a wild guess what's coming next...While connection logs can be designed to be minimally privacy-invasive, HotspotShield engages in logging practices around user connection data, beyond troubleshootingtechnical issues. The service uses this information to identify [a user's] general location,improve the Service, or optimize advertisements displayed through the Service. IPaddresses, unique device identifiers, and other application information are regularlycollected by Hotspot Shield. And then this:While insisting that it does not make money from selling customer data, Hotspot Shieldpromises to connect advertisers to unique users that are frequent visitors of travel, retail,business, and finance websites. Moreover, these entities have access to IP addresses anddevice identifiers collected via Hotspot Shield. Even if Hotspot Shield only provideshashed or proxy IP addresses to these partners, third parties can also link informationabout web-viewing habits while using the Hotspot Shield by cross-referencing cookies,identifiers, or other information. And more:Contrary to Hotspot Shield's claims, the VPN has been found to be actively injectingJavaScript codes using iframes for advertising and tracking purposes. An iframe, orinline frame, is an HTML tag that can be used to embed content from another site orservice onto a webpage; iframes are frequently used to insert advertising, but can also beused to inject other malicious or unwanted code onto a webpage.Further analysis of Hotspot Shield's reverse-engineered source code revealed that theVPN uses more than five different third-party tracking libraries, contradictingstatements that Hotspot Shield ensures anonymous and private web browsing. But, wait, there's more...Additional research has revealed that Hotspot Shield further redirects e-commerce trafficto partnering domains. For example, when a user connects through the VPN to accessspecific commercial web domains, including major online retailers like and , the application can intercept and redirectHTTP requests to partner websites that include online advertising companies. And just one more thing...Consumers have reported instances of credit card fraud after purchasing the Elitepaid-version of Hotspot Shield VPN. One consumer reported thousands of dollars incredit card charges, as well as other suspicious online activity. There's even more in the complaint, but those are some highlights. CDT claims that these are deceptive trade practices. Of course, the FTC doesn't need to do anything here. Such a complaint is basically asking the FTC to investigate and do something, and the FTC doesn't always do so. But at the very least, it may wake some people up about being careful which VPNs they use.
Permalink | Comments | Email This Story
Read more here
posted at: 12:00am on 10-Aug-2017
path: /Policy | permalink
comment...
home << Policy << auto complaint filed over sketchy vpn service
|
|