Popular VPN Service Allegedly Puts Ads in Browsers

If you use AnchorFree's HotSpot Shield VPN app, a claim from the Center for Democracy and Technology (CDT) might give you pause. The non-profit advocacy group alleges the VPN is tracking users and filling their browsers with ads.

Credit: Tomohiro Ohsumi/Getty

The Register reports that the CDT has filed a complaint with the Federal Trade Commission with a request to investigate.

"[T]he VPN has been found to be actively injecting JavaScript codes using iframes for advertising and tracking purposes," the CDT writes, pointing out that the VPN's security claims are contradicted by AnchorFree's own privacy policy. Additionally, the complaint suggests that the VPN can redirect HTTP requests to partner websites.

Update: 12:55 p.m. ET: AnchorFree issued a statement:

"We strongly believe in online consumer privacy," it reads. "This means that the information Hotspot Shield users provide to us is never associated with their online activities when they are using Hotspot Shield, we do not store user IP addresses and protect user personally identifiable information from both third parties and from ourselves. The recent claims to the contrary made by a non-profit advocacy group, the Center for Democracy and Technology, are unfounded. While we commend the CDT for their dedication to protecting users’ privacy, we were surprised by these allegations and dismayed that the CDT did not contact us to discuss their concerns. AnchorFree prides itself on being transparent about its data practices and would be happy to engage in a discussion to clarify the facts and better understand the nature of the CDT’s concerns. We are reaching out to appropriate groups and remain committed to defending the privacy and internet freedom of all our users."

Because the whole point of a VPN is to anonymize your web habits, this claim is worrying. It suggests HotSpot Shield collects IP addresses, location and other identifying information to sell to advertisers.

Unfortunately, it's difficult to figure out what exactly VPN providers do with your data. A lot of it is a matter of trust and picking through privacy policies with a fine-toothed comb. Sometimes, though, even that is not enough.

Until this is cleared up, we'd recommend steering clear of HotSpot Shield VPN. You can find the VPN apps we recommend here.

3 comments
  • RobertSiciliano
    As a long time user, fan, and I consult a bit to Hotspot Shield, I'm disturbed by this. But I'm not seeing how the CDT came up with their findings. I just came back from BlackHat and wonder why actual security researchers haven't come to this same conclusion? I understand where there is smoke there is fire, but something is amiss here. This seems to equate to a misunderstanding.

    I’ve looked at and reviewed all the other VPNs and from what I can see, Hotspot Shield’s dedication to user privacy and integrity of protecting user data is compliant. There’s a reason why they have 500M users. It’s just better. They tell me, and I agree, specifically, Hotspot Shield does not log, store or pass to third parties the IP addresses of their users. Instead Hotspot Shield deletes the original IP address after the end of each session, protecting user privacy from websites, apps, ISP’s, criminal hackers, and malware. Deleting the IP addresses in real time, ensures that Hotspot Shield does not have the data either. They've had investigators and government agencies requesting IP addresses and data etc, and they just don't have it to give.

    Another point, made by many is Hotspot Shield offers all users its products for free, which makes people suspect, but signup is anonymous without requiring registration. There is both a free and a premium Elite version available. I’ve used both and I made the investment in Elite. Hotspot Shield serves advertising to support it. From my research, advertisers get the country the user is from, but do NOT get the real user IP address from Hotspot Shield. In a similar way Hotspot Shield does not require any log in information to use its products, setting up an account with Hotspot Shield is optional and not required. They told me payment information is stored by Apple, Google, or Chase and never seen or stored by Hotspot Shield.

    Thus Hotspot Shield does not have personally identifiable information of the user and then anonymizes the user further from other third parties (such as ISP’s or websites) from collecting such personally identifiable information. It can be argued that with 500M users, Hotspot Shield is the world’s most popular Internet Privacy platform and most trusted VPN. And FYI, 70% of the world’s largest security companies use Hotspot Shield’s technology integrated into their security suites. Hotspot Shield has passed security audits of all of its partners. AnchorFree, Hotspot Shield’s parent company, takes user privacy extremely seriously and deals with privacy with the absolute highest integrity.

    And with countries like Russia and China banning VPNs, I'd think the larger concern here would be oppressive regimes further encroaching on citizens' lives. Robert Siciliano
  • PeterKendrick
    The reason they have 500M users is because they are one of the oldest VPN providers in the industry, and the fact people are always looking for free VPN service and don't care about their security. I was one of those users once, and the reason I stopped using it was because of frequent disconnects, bandwidth throttling, and aggressive pop-up ads after every few minutes. Every time I closed my default browser it would open it up again. It's no wonder they would be doing such things for long.
  • AndrewFreedman
    Anonymous said:
    As a long time user, fan, and I consult a bit to Hotspot Shield, I'm disturbed by this. But I'm not seeing how the CDT came up with their findings. I just came back from BlackHat and wonder why actual security researchers haven't come to this same conclusion? I understand where there is smoke there is fire, but something is amiss here. This seems to equate to a misunderstanding.


    Robert, I appreciate your commenting. For the readers of the post, however, I feel I should point out a conflict of interest in that consulting.

    Readers, here's Robert's blog on the HotSpot Shield website.

    You can read HotSpot Shield's terms here, which do mention some of these practices. (See, for instance, section 1.1).