VPN Shame

A Compiled List of VPN Services That Have Been Caught Logging, Lying or Hacked

Free VPN HotSpot Shield Logs User Data to Sell — 01/07/2018

HotSpot Shield is a popular free VPN service for bypassing region locks and firewalls around the world.

The very first paragraph on the front page of the site touts privacy and security as the main uses of their product:

“Hotspot Shield VPN acts like an underground tunnel that connects you to your favorite websites. When you connect to a VPN, it turns a public network into a private network using military-grade encryption so hackers, identity thieves, advertisers, governments, ISPs, and others can’t monitor what you’re doing on the internet.”

The site repeatedly claims that they allow you to surf “securely and anonymously” around the web.

Pay special attention to these words!

Here they specifically name protecting you from surveillance and ad networks as one of the primary purposes of the software:

They even go as far as to claim that privacy is a fundamental human right, and that they are defending you:

They also repeatedly throw around the word “anonymously” and focus on how “they don’t log your IP address.” From the marketing on the front page of their site, you would think that installing HotSpot Shield would protect you from ad networks and surveillance, and that they don’t log your information. Let’s take a look at their data collection policies and see how these claims hold up under some scrutiny.

From the AnchorFree (Hotspot Shield’s parent company) privacy policy page:

It is important to understand the entirety of what is being said here. They are extremely careful to repeatedly tell you that they do not store your IP address and do not link your device information to you. But the devil is in the details: they do collect your IMEI and your “network information.” To an ad network, an IMEI is better than an IP address. It is a unique serial number burned into every phone, and it identifies you no matter what network you are on or where you travel. Your IP address changes frequently; your IMEI never changes. They also never define what “network information” they collect, given that they say they do not collect IP addresses. Let’s dig further.

The ad-supported version of HotspotShield (the one that everyone uses) shares your “city level” location. Furthermore, the app allows injecting complex ads that carry JavaScript. This means that tracking cookies and independent data collection are not only possible but probable. And because they inject ads everywhere you go, this happens continuously as you browse the web on HotSpot Shield.

Furthermore, the “city level” location is itself an information-sharing issue: to derive it they have to take your IP address and hand it to one of the third-party services that maintain IP geolocation data. This means that your IP address is being shared with outside parties to make this technically possible.

So they share your information with third-party online advertisers, which they explicitly said earlier they do not do. The “city-level location” also reappears (which requires them to share your IP with a third party), and they also say that they can and will sell all of their information to anyone who wishes to acquire their business. They continue to affirm that they have very little personal information to collect on each person, and they go to great lengths to convince you that they are not sharing significant amounts of information about you, despite the fact that they have expensive infrastructure to pay for and the service is free.

Hotspot Shield is not providing a free service out of the kindness of their hearts. They need to make money while not charging you, and they pay their bills and turn a profit by selling your information.

So let’s take a look at what the HotSpot Shield app actually does while you’re using it.

Here is research conducted by the Center for Democracy and Technology, where experts reverse-engineered components of the app and found that it injects cookies and iframes (JavaScript), runs supercookies (cookies that follow you from site to site) and shares information with 5 third-party ad networks. The app also redirects users who visit certain shopping websites to its own custom servers, which steer users toward buying certain products or replace a website’s ads with its own.

Furthermore, the information they share with outside parties is not encrypted and can be intercepted by any listening party. So much for “privacy and anonymity.”
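The kind of injection the CDT researchers describe, added JavaScript and iframes pointing at ad networks, can be checked for by fetching the same page directly and through the VPN client and diffing what each copy loads. The script below is an added example of my own, not code from the article or the CDT research: it parses two constructed HTML snapshots (the domains and page contents are placeholders, not real captures) and lists every script or iframe that only appears in the VPN-fetched copy, flagging whether it points at a third-party host and whether it is served over plaintext http.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _RefCollector(HTMLParser):
    """Collect the src of every <script> and <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))


def collect_refs(html):
    parser = _RefCollector()
    parser.feed(html)
    return parser.refs


def find_injected(direct_html, vpn_html, first_party):
    """Diff the page fetched directly against the same page fetched through
    the VPN; anything new is a candidate injection. Each finding records
    whether it points at a third-party host and whether it is plain http."""
    baseline = set(collect_refs(direct_html))
    findings = []
    for tag, src in collect_refs(vpn_html):
        if (tag, src) in baseline:
            continue
        url = urlparse(src)
        host = url.hostname or ""  # "" for relative URLs, which are first-party
        same_site = host == "" or host == first_party or host.endswith("." + first_party)
        findings.append({"tag": tag, "src": src,
                         "third_party": not same_site,
                         "plaintext": url.scheme == "http"})
    return findings


# Constructed sample pages (placeholders, not real captures). The VPN copy has a
# first-party theme script plus an ad iframe and a tracker script added to it.
DIRECT = ('<html><head><script src="https://shop.example/app.js"></script></head>'
          '<body><p>catalog</p></body></html>')
VIA_VPN = ('<html><head><script src="https://shop.example/app.js"></script>'
           '<script src="https://static.shop.example/theme.js"></script></head>'
           '<body><p>catalog</p>'
           '<iframe src="http://ads.adnet-placeholder.test/frame?id=device"></iframe>'
           '<script src="https://cdn.tracker-placeholder.test/sc.js"></script>'
           '</body></html>')

if __name__ == "__main__":
    for finding in find_injected(DIRECT, VIA_VPN, "shop.example"):
        print(finding)
```

Only the two placeholder ad-network references come out as third-party, and the iframe is additionally flagged for plaintext http, which is the unencrypted sharing the paragraph above describes.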

The closing paragraph of the CDT’s complaint to the FTC sums up the situation beautifully: