Hotspot Shield VPN throws your privacy in the fire, injects ads, JS into browsers – claim

The Center for Democracy & Technology (CDT), a digital rights advocacy group, on Monday urged US federal trade authorities to investigate VPN provider AnchorFree for deceptive and unfair trade practices. AnchorFree claims its Hotspot Shield VPN app protects netizens from online tracking, but, according to a complaint filed …

  1. Charles 9

    But if you assume full DTA mode, isn't it prudent to assume ANY server hosting provider would have the capacity to snoop on your session, no matter how it's set up, simply because it's the host and happens to control a point outside the encryption envelope? That not even countries with privacy protections written into the law can be considered safe (because they may engage in extrajudicial activity on the sly)?

    IOW, if you must assume DTA mode, wouldn't your best bet be to simply get off the Internet altogether?

    1. Paul Crawford Silver badge

      Of course, there is no such thing as absolute security (indeed pretty much no "absolute" anything, except perhaps vodka).

      So running your own VPN server, or the option to use a VPN service provider, comes down to stacking the odds in your favour against whatever bogeyman you worry about. I think it is pretty much true that if you have the likes of GCHQ/NSA/FSB seriously targeting you then those odds are pretty poor, but that is not the vast majority of people and not the reason that many would want a VPN service.

      Take the UK for example: the odious 'snooper's charter' now means your whole internet history is recorded by your ISP and accessible to practically any petty bureaucrat for practically any reason. In the USA we have various ISPs injecting adverts and doing the same for commercial reasons. Use any half-decent VPN provider and that goes away; even if the three-letter agencies can snoop on you, they are hardly likely to tell anyone unless you are a really high-value target, because that snooping ability would be more valuable information than most of what they snoop. Finally, you ought to be using end-to-end security as well, so HTTPS at least for web sites, and SSH remote log-in to any machines, etc., because you still can't totally trust a 3rd party VPN provider.

      Rolling your own VPN server gets round that aspect, but has the disadvantages that (1) a 3rd party host can compromise the machine, and (2) you don't get the anonymity benefit of sharing a few IP addresses with hundreds/thousands of other users, (3) you can't choose a country-of-exit for geoblocked services, and finally (4) generally costs more.

  2. Your alien overlord - fear me

    Someone please forward this to the Chinese !!!!

  3. Anonymous Coward

    The simplest approach is ..

    .. to check out where their email goes.

    [00] moi@machine:~

    $ dig +short mx

    Why am I not surprised? Next!

    1. heyrick Silver badge

      Re: The simplest approach is ..

      Nice try, but isn't that just where GSuite directs GMail?

    2. jtaylor

      Re: The simplest approach is ..

      I'm not surprised either. Google provides email hosting to many businesses.

      1. Anonymous Coward

        Re: The simplest approach is ..

        If you want to pretend to be in the business of protecting people's privacy, everything matters, even your email. Google email is not the right thing to use in this context.

  4. Kevin McMurtrie Silver badge

    Investigate a cloud

    Domain names are registered with the address of a postal box service in Vista, CA that seems to be popular with scammers.

    Development HQ appears to be a rented building in Menlo Park, CA.

    Main HQ appears to be a rented commercial room in Switzerland.

    Hosting that I could find is various on-demand services.

    I'd hate to have to piece all of that together to figure out what's going on.

    1. This post has been deleted by its author

    2. Anonymous Coward

      Re: Investigate a cloud

      Main HQ appears to be a rented commercial room in Switzerland.

      It has 100% US ownership in the Swiss business register, which means that the business can be legally leveraged in the US to provide information on users, with far fewer arguments than Microsoft Ireland vs DoJ to resist compliance. Swiss law doesn't provide any protection here.

      If I were looking for privacy protection, this is not the company I would use because I find too many frayed ends.

    3. Rich 11

      Re: Investigate a cloud

      I'd hate to have to piece all of that together to figure out what's going on.

      Isn't it enough to know that they're scamming people? Untangling their business structure is a nice intellectual exercise, but -- other than perhaps for training purposes -- it has no practical use unless you are planning to file suit against them and want to know in which country you'll have to do it.

      1. Anonymous Coward

        Re: Investigate a cloud

        Isn't it enough to know that they're scamming people? Untangling their business structure is a nice intellectual exercise, but -- other than perhaps for training purposes -- it has no practical use unless you are planning to file suit against them and want to know in which country you'll have to do it.

        The tools used to untangle the business structure and what they do will allow you to identify a dodgy operation before you do business with them. As surveys have shown, there are a lot of false flag setups out there.

      2. John Smith 19 Gold badge

        "Untangling their business structure is a nice intellectual exercise,"

        Indeed. The point is it is tangled to begin with.

        Obfuscation is usually a pattern to excite suspicion.

        The illusion of privacy, without actual privacy.

  5. Winkypop Silver badge

    Never mind the quality

    Feel the width

  6. DrM

    Birds of a feather

    I'll bet Google buys them.

    1. Anonymous Coward

      Re: Birds of a feather

      You could be right - it certainly seems to be pumped up exactly for that purpose. It's a VPN business, which is not actually that complex. However, if Goldman Sachs is involved I suspect there is some VC milking going on so it all has to look sophisticated and super complex.

      From a pure privacy perspective, though, the facts just don't seem to add up. If it is privacy you seek, they are in my opinion not a good choice.

  7. Pen-y-gors

    Roll your own?

    I generally agree - if you want serious VPN security then having your own VPS etc is probably the way to go.

    But for those of us not transferring GCHQ secrets to the KGB (or whatever they're called this week), a more common use of a VPN is to spoof geography - watching local TV from other countries or, in my case, testing how user sites appear in Google from other countries. Wouldn't entirely trust them though.

    1. Alan J. Wylie

      Re: Roll your own?

      I roll my own, but as well as the geographical aspect, using a big VPN provider also means that your traffic is mixed in with everyone else's, rather than a single IP address being solely associated with you.

  8. John Smith 19 Gold badge

    Even more insulting if they charge for this PoS. If they don't, the usual rule applies to "free" services:

    It's complimentary (as in it compliments our business model for making money off you)

    It's not free.

  9. DropBear

    For some use cases running your own service would completely and utterly defeat the purpose.

    1. Swarthy

      Defense in depth

      Roll your own VPS, and then use that VPN to connect to a commercial one.

      If you are feeling paranoid, you can have that external VPN be in a foreign jurisdiction, and then use that to connect to a domestic VPN. Throw in a proxy for non-HTTPS traffic, and you may be able to avoid most tracking.

      1. Charles 9

        Re: Defense in depth

        You'll also be slower than molasses. And people wonder why surfing through TOR (or using Freenet) is so frickin' SLOW.

  10. Cuddles

    Don’t let ISPs monetize your web history

    ...let us do it instead!

    1. Swarthy

      Re: Don’t let ISPs monetize your web history

      Came here to post the exact same thing.

  11. Version 1.0 Silver badge

    Just checked with GCHQ ...

    They said that no way would they ever setup a shell company to provide free VPN services.

    1. Anonymous Coward

      Re: Just checked with GCHQ ...

      You weren't supposed to tell anyone!

  12. nickx89

    How long have they been doing it?

    AnchorFree has been injecting ads for a long time in exchange for providing a free service, which usually didn't work at all; they must have earned good money selling users' privacy to third parties.

  13. RobertSiciliano

    CDT's Math is wrong.

    As a long time user, fan, and someone who consults a bit for Hotspot Shield, I'm disturbed by this. But I'm not seeing how the CDT came up with their findings. I just came back from BlackHat and wonder why actual security researchers haven't come to this same conclusion? I understand where there is smoke there is fire, but something is amiss here. This seems to equate to a misunderstanding.

    I’ve looked at and reviewed all the other VPNs and from what I can see, Hotspot Shield’s dedication to user privacy and integrity of protecting user data is compliant. There’s a reason why they have 500M users. It’s just better. They tell me, and I agree, specifically, Hotspot Shield does not log, store or pass to third parties the IP addresses of their users. Instead Hotspot Shield deletes the original IP address after the end of each session, protecting user privacy from websites, apps, ISPs, criminal hackers, and malware. Deleting the IP addresses in real time ensures that Hotspot Shield does not have the data either. They've had investigators and government agencies requesting IP addresses and data etc., and they just don't have it to give.

    Another point, made by many is Hotspot Shield offers all users its products for free, which makes people suspect, but signup is anonymous without requiring registration. There is both a free and a premium Elite version available. I’ve used both and I made the investment in Elite. Hotspot Shield serves advertising to support it. From my research, advertisers get the country the user is from, but do NOT get the real user IP address from Hotspot Shield. In a similar way Hotspot Shield does not require any log in information to use its products, setting up an account with Hotspot Shield is optional and not required. They told me payment information is stored by Apple, Google, or Chase and never seen or stored by Hotspot Shield.

    Thus Hotspot Shield does not have personally identifiable information of the user and then anonymizes the user further, preventing other third parties (such as ISPs or websites) from collecting such personally identifiable information. It can be argued that with 500M users, Hotspot Shield is the world’s most popular Internet Privacy platform and most trusted VPN. And FYI, 70% of the world’s largest security companies use Hotspot Shield’s technology integrated into their security suites. Hotspot Shield has passed security audits of all of its partners. AnchorFree, Hotspot Shield’s parent company, takes user privacy extremely seriously and deals with privacy with the absolute highest integrity.

    And with countries like Russia and China banning VPNs, I'd think the larger concern here would be oppressive regimes further encroaching on citizens lives. Robert Siciliano

    1. Anonymous Coward

      Re: CDT's Math is wrong.

      You know, you lose quite a lot of credibility if you publicly label yourself as " #1 best selling author" because I'm pretty sure that will be someone like JK Rowling or Tom Clancy - you know, authors that people have actually heard of?

      In addition, for someone allegedly interested in the topic of privacy you have too many social media trackers on your website - you may want to fix that.

      The issue is credibility, and ANY media rep worth his or her salary will tell you that credibility takes ages to build, and mere split seconds to lose. Loose ends harm HotSpot's credibility and I don't care that HotSpot and AnchorFree "take privacy seriously" - as far as I can tell, they leave a lot to be desired when it comes to protecting privacy from a non-US perspective.

      Privacy is not just making bland statements and wiping logfiles.

  14. Donn Bly

    I haven't seen the claimed behavior

    I use HotSpot Shield vpn on my malware sandbox machine so that I can make it appear to be sitting in another country, and have been using it for well over a year. In that time, I have NEVER seen it inject ads or javascript into a web page -- and as this is a machine that I use to test suspicious files and intentionally infect from time to time I am generally LOOKING for such behavior.

    I wonder if they are referring to Hotspot Shield's "free" browser toolbar, which is not a VPN (nor do they claim it to be). While they do claim that it gives some level of obfuscation, it's a different product, and not one that as a VPN user I have ever had reason to install.

  15. sjaaky

    Watch out with "FREE" parasite VPNs

    Be very careful with free VPNs. If you really want free, then at least use some of the tested ones with a zero log policy.

  16. benaam433

    Does it happen the same with the premium version of Hotspot Shield? I was searching about it on the internet and I found an article on a site that claims that it won't happen when you buy its premium version. You might read the article on your own.
