A Virtual Private Network (VPN) is a technology that is intended to help keep user information encrypted and private. According to a complaint filed by the Center of Democracy and Technology (CDT), AnchorFree’s Hotspot Shield VPN is not properly securing its users and is unfairly sharing user information.
The CDT made its claims in a 13-page complaint filed with the U.S Federal Trade Commission (FTC) and alleges that AnchorFree is engaged in unfair and deceptive trade practices. AnchorFree denies the allegations.
“Among other concerns, the complaint details the ways in which Hotspot Shield’s marketing claims around privacy and security directly contradict its actual practices and policies – the description of the Hotspot Shield app in Google’s Play Store announces, Your privacy and security are guaranteed!, while CDT’s investigation found the opposite,” Michelle De Mooy, Director, Privacy and Data Project at CDT wrote in a blog post.
The CDT, working with the developers of Carnegie Mellon University’s (CMU) Mobile App Compliance System, claim that they found multiple instances where Hotspot Shield shared sensitive data with third-party advertising networks. Additionally the CDT alleges that Hotspot Shield injects JavaScript code that is used for advertising and tracking purposes. CDT also alleges that the security of Hotspot Shield isn’t complete as mobile carrier information is not transmitted over an encrypted SSL/TLS connection.
AnchorFree’s Hotspot Shield provides both free and paid VPN services to consumers. In an email statement sent by the company to eWEEK, AnchorFree said that it is a recognized leader in consumer online privacy and internet freedom.
“Our Hotspot Shield application is trusted by more than 500 million users, who rely on it to secure access to all of the world’s information,” AnchorFree stated. “We strongly believe in online consumer privacy.”
AnchorFree also rejected the CDT’s allegations, noting that the information Hotspot Shield users provide to AnchorFree is never associated with their online activities when they are using Hotspot Shield. AnchorFree also stated that it does not store user IP addresses and it protects user personally identifiable information from both third parties and from AnchorFree.
“The recent claims to the contrary made by a non-profit advocacy group, the Center for Democracy and Technology, are unfounded,” AnchorFree stated. “While we commend the CDT for their dedication to protecting users’ privacy, we were surprised by these allegations and dismayed that the CDT did not contact us to discuss their concerns.”
While CDT has filed a complaint with the FTC, it’s not yet publicly known what, if any action or investigation the FTC might take. According to the FTC’s media resources information web page, all FTC investigations are non-public.
“If a company itself announces that it is the subject of an FTC investigation, we can confirm that fact,” the FTC states. “However, we can’t discuss complaints about specific companies or the status of ongoing investigations.”
At the recent Black Hat USA security conference, FTC Commissioner Terrell McSweeny provided conference attendees with an overview of how her agency handles complaints against cyber-security products. McSweeny explained that marketers of cyber-security products are subject to the same truth-in-advertising laws as all other advertisers. Those laws aim to protect American consumers from what the FTC refers to as unfair and deceptive practises.
McSweeny explained that one element of deception is an omission of facts or a practise that is likely to mislead the consumer. She told Black Hat USA attendees that cyber-security vendors should make sure that marketing materials do not imply or leave the impression of something that is not true, from the perspective of a reasonable consumer.
For its’ part, AnchorFree wants to be clear about what it is doing .
“AnchorFree prides itself on being transparent about its data practices and would be happy to engage in a discussion to clarify the facts and better understand the nature of the CDT’s concerns,” the company stated. “We are reaching out to appropriate groups and remain committed to defending the privacy and internet freedom of all our users.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.