Virtual Private Snooping

FTC must scrutinize Hotspot Shield over alleged traffic interception, group says

VPN service "can intercept and redirect HTTP requests to partner websites."

A privacy advocacy group has filed a formal complaint with the Federal Trade Commission, alleging that Hotspot Shield, a popular free VPN service, collects numerous pieces of data and intercepts traffic, in contrast to the company's claim that it provides "complete anonymity."

In its 14-page filing, which was submitted Monday morning, the Center for Democracy and Technology claims that the company displays persistent cookies and works with various other entities for advertising purposes, among other alleged unsavory practices.

The CDT partnered with researchers from Carnegie Mellon University to determine that the VPN service sometimes "redirects e-commerce traffic to partnering domains." As the complaint continues:

For example, when a user connects through the VPN to access specific commercial web domains, including major online retailers like www.target.com and www.macys.com, the application can intercept and redirect HTTP requests to partner websites that include online advertising companies.

The organization wants the FTC to open an investigation into what the CDT has dubbed Hotspot Shield’s "unfair and deceptive trade practices."

As Ars has reported previously, some VPN providers are likely to be more scrupulous than others, but in the end there’s no meaningful and obvious way for most users to know whether they should trust one provider over another. (We published an article in May 2017 explaining how to roll your own VPN!)

When Ars attempted to contact AnchorFree, our e-mails were returned as undelivered.

UPDATE August 10 2:34pm ET: Ars received an e-mail from Nati Katz, a spokesman for AnchorFree, who wrote that he had been "asked to relay a quick statement AnchorFree issued on the matter, and have not distributed wide."

The two-paragraph statement largely doesn't address the specific points in the CDT's complaint, but does say: "we do not store user IP addresses and protect user personally identifiable information from both third parties and from ourselves," adding that "AnchorFree prides itself on being transparent about its data practices and would be happy to engage in a discussion to clarify the facts and better understand the nature of the CDT’s concerns."

Ars has asked Katz and/or AnchorFree to respond to the specific points about persistent cookies and traffic injection. We will update this post if we hear back.

UPDATE 2 August 10 5:02pm ET: After Ars pressed on the allegations of traffic injection and persistent cookies, Katz again sent a statement that did not fully address the points raised in the CDT complaint.

“We never redirect our users’ traffic to any third-party resources instead of the websites they intended to visit. The free version of our Hotspot Shield solution openly and clearly states that it is funded by ads, however, we intercept no traffic with neither the free nor the premium version of our solutions. Our users’ online privacy has always been our absolute priority.”

We have sent further questions and again will update this post with any more responses.
