VPN provider accused of snooping

US digital rights lobby group the Centre for Democracy and Technology (CDT) has filed a complaint against virtual private networking provider Hotspot Shield for allegedly tracking and intercepting customer data.

The CDT claims [pdf] the provider logs connections, monitors users' browsing habits, and redirects traffic and sells customer data to advertisers.

Hotspot Shield is available for free from Google and Apple app stores and has an estimated 500 million installed users around the world.

The VPN app is used to bypass censorship and geo-blocking of content. It is developed and marketed by Anchorfree GmbH, headquartered in California and with offices in Switzerland, CDT said.

Hotspot Shield is said to "secure all online activities" and hide users' IP addresses, their identities, and protect them from tracking. The company also says no connections logs are kept.

But testing the Hotspot Shield app with Carnegie Mellon University's mobile app compliance system showed otherwise, CDT said.

Researchers found that Hotspot Shield engages in "undisclosed data sharing practices with third party advertising networks" involving sensitive information such as unique device identifiers.

The app also injects Javascript with inline frame code for advertising and tracking. Reverse engineering of the app also revealed five different third-party tracking librarires, CDT said, and Hotspot Shield redirects traffic to secret VPN servers.

The CDT claimed this amounted to deceptive trading practices and contravenes US law.

It is asking the US Federal Trade Commission to conduct an investigation into Hotspot Shield's data collection and sharing practices, and to order the provider to stop mispresenting privacy and security promises in its advertising.

Anchorfree has been contacted for comment.