BEFORE THE FEDERAL TRADE COMMISSION Washington, DC 20580 In the Matter of ) ) AnchorFree, Inc. Hotspot Shield VPN ) ) ) __________________________________________ ) Complaint, Request for Investigation, Injunction, and Other Relief Submitted by The Center for Democracy & Technology (CDT) ​Introduction I. 1. The Center for Democracy & Technology asks the Federal Trade Commission (Commission) to investigate the data security and data sharing practices of Hotspot Shield Free Virtual Private Network (VPN) services, a product of AnchorFree, Inc. Hotspot Shield Free VPN promises secure, private, and anonymous access to the internet. As detailed below, this complaint concerns undisclosed and unclear data sharing and traffic redirection occurring in Hotspot Shield Free VPN that should be considered unfair and deceptive trade practices under Section 5 of the FTC Act. II. ​Parties 2. The Center for Democracy & Technology (CDT) is a nonprofit technology advocacy organization dedicated to preserving the user-controlled nature of the internet. CDT advocates for the protection of democratic values online, with projects on free speech, privacy, security, and internet architecture. 3. Hotspot Shield Free VPN (“Hotspot Shield”) is a product offered by AnchorFree, Inc., a privately held corporation headquartered in California with offices in Switzerland. AnchorFree’s primary place of business is listed on its website as 155 Constitution Drive, Menlo Park, CA 94025. The company explains that its mission is to “drive universal online security, privacy and free access to content.”1 III. ​Factual Background 4. A Virtual Private Network (VPN) is a technology that enables internet users to privately send and receive data across public networks. VPNs have been marketed as a privacy-protective technology that provide a way for internet users to obscure their personal information, including their web browsing history, from third parties including Internet Service Providers (ISPs) and governments. 5. VPNs have evolved from a technology used mostly in business-to-business transactions to one that has become popular with individual consumers.2 A desire for more privacy and security online has contributed to a rise in consumer use of VPN services and apps.3 6. In March of 2017, Congress enacted a Congressional Review Act (CRA) to repeal privacy rules developed by the Federal Communications Commission that were to go into effect in 2018. The rules would have required ISPs to seek permission from customers for collecting and sharing sensitive personal information such as internet browsing history.4 7. In response to the repeal of the rules, public concern has prompted privacy advocates and others to point to VPNs as a viable way to regain some control over their private information.5 After the repeal, Hotspot Shield VPN directly appealed to this concern in a blog post that said “[a]mong the ways users can protect their web information from being captured by third parties, including their ISPs, the best is arguably a VPN.”6 Since the AnchorFree website, About Page, ​https://www.anchorfree.com/about/team/​ (last visited July 19, 2017). S​ ee​ Katie Young, ​4 Things to Know About VPN Users, ​GlobalWebIndex​ ​(Feb. 2, 2016), http://blog.globalwebindex.net/chart-of-the-day/4-things-to-know-about-vpn-users​. The data collection and use practices of ISPs has recently warranted special attention from consumers. As the gatekeepers to internet access, ISPs have broad access to information about their customers’ online activities and communications, granting ISPs a unique window into their customers’ lives. It is possible to research tremendous insights into human behavior solely by analyzing internet transmission data. 3 ​See​ Ariel Hochstadt, ​VPN Use and Data Privacy Stats for 2017​, vpnMentor Blog​ ​(Jan.1, 2017), https://www.vpnmentor.com/blog/vpn-use-data-privacy-stats/​. 4 ​See​ Federal Communications Commission, Final Rules, § 64.2004 (Customer Approval), available at https://apps.fcc.gov/edocs_public/attachmatch/FCC-16-148A1.pdf​. 5 ​See ​Stephen Nellis & David Ingram, ​Vote to Repeal U.S. Broadband Privacy Rules Sparks Interest in VPNs​, Reuters (March 28, 2017), ​http://www.reuters.com/article/usa-internet-privacy-idUSL2N1H52AA​; Laura Hautala, ​A VPN can protect your online privacy. But there's a catch​, CNET (Mar. 29, 2017), https://www.cnet.com/news/vpn-protect-online-privacy-its-complicated/​. 6 Chris San Filippo, ​Don't Let ISPs Monetize Your Web History: Use Hotspot Shield​, Hotspot Shield Blog (Apr. 8, 2017), ​http://blog.hotspotshield.com/2017/04/08/dont-let-isps-monetize-web-history-use-hotspot-shield/​. 1 2 1 In re AnchorFree, Inc. Hotspot Shield VPN August 7, 2017 CRA, many major VPN providers have reported a significant increase in downloads, subscriptions, and web traffic from U.S. internet users.7 A. Hotspot Shield Makes Strong Privacy and Security Claims That Are Contradicted By Its Privacy Policy 8. Hotspot Shield makes strong claims about the privacy and security of its data collection and sharing practices. CEO David Gorodyansky has stated that “we never log or store user data.”8 The company’s website promises “Anonymous Browsing” and notes that Hotspot Shield keeps “no logs of your online activity or personal information.”9 Hotspot Shield further differentiates itself from “...disreputable providers [that] are able to offer free VPN services [ ] because they make their money tracking and selling their users’ activities” by claiming that “Hotspot Shield neither tracks nor sells customers’ information.”10 9. These claims are highlighted as key features of the Hotspot Shield VPN mobile application. In iTunes, the application’s description states that “Hotspot Shield doesn’t track or keep any logs of its users and their activities. You are completely private with Hotspot Shield.”11 AJ Dellinger, ​VPN Services Report Huge Increase In Downloads, Usage Since Broadband Privacy Rules Were Repealed​, International Business Times (Apr. 12, 2017), http://www.ibtimes.com/vpn-services-report-huge-increase-downloads-usage-broadband-privacy-rules-were-252460 5​. 8 Shira Weiss, ​“Improving the World” Through Internet Security: Chatting with David Gorodyansky, CEO of AnchorFree​, Huffington Post (May 1, 2017), ​http://www.huffingtonpost.com/entry/5907586ee4b05279d4edbe33​. 9 Hotspot Shield, Homepage, ​https://www.hotspotshield.com/​ (last visited July 24, 2017). 10 Levent Sapci, ​A Beginner’s Guide to Hotspot Shield VPN​, Hotspot Shield Blog (Jan. 19, 2016), http://blog.hotspotshield.com/2016/01/19/a-beginners-guide-to-hotspot-shield-vpn/​. While Hotspot Shield offers a paid “elite” version of its VPN service that promises an “ad-free browsing experience,” it does not state whether it continues to collect and share user information with third parties. ​See also ​Stephen Cooper, ​Review: Hotspot Shield VPN Review 2017 – What’s Changed?​, Best VPN (Jul. 19, 2017), ​https://www.bestvpn.com/hotspot-shield-review/ (finding that while “[t]he company states that advertising is removed for paid subscribers, [ ] that probably just means the display of the company website…hidden advertising structures are written into the software, so most likely continue for paid users”). 11 iTunes Preview Page for AnchorFree, Hotspot Shield VPN Unlimited Privacy Security Proxy iOS app. Retrieved on 7/26/17: ​https://itunes.apple.com/us/app/hotspot-shield-free-vpn-proxy-wi-fi-privacy/id443369807?mt=8​. 7 2 In re AnchorFree, Inc. Hotspot Shield VPN August 7, 2017 Screenshots: Hotspot Shield VPN Description in iTunes/iOS App Store 10. Similarly, the description of the Hotspot Shield Free VPN Proxy & WiFi Security app provided in the Google Play Store states that “Hotspot Shield doesn’t track or keep any logs of its users and their activities. Your security and privacy are guaranteed!”12 12 Google Play Store page for AnchorFree, Hotspot Shield Free VPN Proxy & Wi-Fi Security Android app, Retrieved on 7/26/17: ​https://play.google.com/store/apps/details?id=hotspotshield.android.vpn​. 3 In re AnchorFree, Inc. Hotspot Shield VPN August 7, 2017 Screenshots: Hotspot Shield VPN Description in the Google Play Store B. Hotspot Shield Engages in Logging Practices and Uses Third-Party Tracking Libraries to Facilitate Targeted Advertisements 11. Hotspot Shield’s​ ​description for its iOS and Android mobile applications declares a “no logs” policy; however, its Privacy Policy,13 which covers and includes its Hotspot Shield services, describes more elaborate logging practices.14 12. VPN providers generally create two types of logs: connection logs and usage logs. Connection logs include dates and timestamps corresponding to each user’s VPN session duration, amount of data transferred, and can sometimes consist of incoming and Hotspot Shield, Privacy Policy, ​https://www.hotspotshield.com/privacy/​ (last updated Apr. 22, 2015) [hereinafter “HSS Privacy Policy”]. 14 When using a VPN service, a user’s internet connections are routed through servers either run by or controlled by the VPN provider. VPN providers may log data about this connection. These VPN logs serve a variety of functions, ranging from operations ​to delivery of third-party advertising. 13 4 In re AnchorFree, Inc. Hotspot Shield VPN August 7, 2017 outgoing IP addresses.15 Connection logs are primarily used for troubleshooting technical issues.16 By contrast, usage logs are much more inclusive. Specifically, usage logs contain software use and browsing history information, including websites accessed and files downloaded.17 13. VPN providers typically must engage in some logging either to monitor bandwidth or to enforce restrictions on the number of devices that can access the VPN service.18 14. While connection logs can be designed to be minimally privacy-invasive,19 ​Hotspot Shield engages in logging practices around user connection data, beyond troubleshooting technical issues. ​The service uses this information ​to “identify [a user’s] general location, improve the Service, or optimize advertisements displayed through the Service.”20 IP addresses, unique device identifiers, and other “application information” are regularly collected by Hotspot Shield.21 Screenshot: Hotspot Shield VPN Privacy Policy 15. Importantly, the Privacy Policy makes clear that neither IP addresses nor unique device identifiers are considered to be personal information by Hotspot Shield.22 ​See ​Sven Taylor, VPN Logs – What You Need to Know, RestorePrivacy (Mar. 27, 2017), https://restoreprivacy.com/vpn-logs/​. 16 ​See id. See also VPN Logs​, Torrent VPN Guide, ​http://www.best-bittorrent-vpn.com/vpn-logs.html​. 17 ​See ​Taylor, ​supra​ at 15; Torrent VPN Guide, ​supra​ at 16. 18 ​See ​Taylor, ​supra​ at 15. 19 ​See id. 20 ​Id. 21 HSS Privacy Policy, ​supra​ at 13. 22 HSS Privacy Policy, ​supra​ at 13. ​Cf. ​Definition of “Personally identifiable information” under the California Online Privacy Protection Act, which includes any identifier “that permits the physical or online contacting of a specific individual.” Cal. Bus. & Prof. Code § 22577(a). The California Attorney General’s Office interprets this category to include “information that is collected passively by the site or service, such as a device identifier or geo-location data.” Making Your Privacy Practices Public, California Department of Justice (May 2014), https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf​. This is a clarification that Hotspot Shield added to its latest iteration of its Privacy Policy. Compare HSS Privacy Policy, ​supra​ at 13, with Hotspot Shield Privacy Policy (last modified Dec. 13, 2011), available via Wayback Machine at ​https://web.archive.org/web/20150407052832/http://www.anchorfree.com:80/privacy.php​. 15 5 In re AnchorFree, Inc. Hotspot Shield VPN August 7, 2017 Screenshot: Hotspot Shield VPN Privacy Policy 16. Hotspot Shield also monitors information about users’ browsing habits while the VPN is in use. While Hotspot Shield claims that “any browsing information or other similar information relating to your online activities transmitted by you to our servers when using Hotspot Shield is ​cleared​ after your VPN ‘session’ is closed,” 23 it also deploys persistent cookies24 and concedes that it works with unaffiliated entities to customize advertising and marketing messages.25 It is unclear to what extent records of browsing habits and other usage logs are attached to virtual, proxy IP addresses or other unique identifiers. 17. While insisting that it does not make money from selling customer data,26 Hotspot Shield promises to connect advertisers to unique users that are frequent visitors of travel, retail, business, and finance websites.27 Moreover, these entities have access to IP addresses and device identifiers collected via Hotspot Shield. Even if Hotspot Shield only provides “hashed” or “proxy” IP addresses to these partners, third parties can also link information about web-viewing habits while using the Hotspot Shield by cross-referencing cookies, identifiers, or other information.28 18. Carnegie Mellon University’s Mobile App Compliance System was used to provide researchers with insight into Hotspot Shield’s functionality, data sharing, and network connections. Researchers downloaded the Hotspot Shield binary file from the Android HSS Privacy Policy, ​supra​ at 13. (emphasis added) Hotspot Shield notes that the “persistent cookie remains after you close your browser and may be used by your browser on subsequent use of our Service.” ​Id. 25 ​See id. 26 Zack Whittaker, ​Hotspot Shield Co-Founder Explains Why He Doesn't Want Your Data​, ZD Net (Jan. 12, 2016), http://www.zdnet.com/article/hotspot-shield-co-founder-explains-why-he-does-not-want-your-data/​. 27 AnchorFree’s Advertising Opportunities Page, ​https://www.anchorfree.com/advertise/​ (last visited Jul. 24, 2017). 28 Further, Hotspot Shield likely provides little protection against device or browser fingerprinting efforts. ​See ​Yael Grauer, ​The Impossible Task of Creating a “Best VPNs” List Today​, Arstechnica (Jun. 1, 2016), https://arstechnica.com/security/2016/06/aiming-for-anonymity-ars-assesses-the-state-of-vpns-in-2016/​. 23 24 6 In re AnchorFree, Inc. Hotspot Shield VPN August 7, 2017 Play Store, then tested the app without running it, also known as a “static” test.29 CMU’s analysis of Hotspot Shield’s Android application permissions found undisclosed data sharing practices with third party advertising networks. While Hotspot Shield’s Privacy Policy focuses largely on IP address protections, providing that “[y]our ​original IP address will not be permanently stored or provided to any third parties by your use of Hotspot Shield,”30 it discloses other sensitive information, such as names of wireless networks (via SSID/BSSID information), and other unique identifiers such as Media Access Control addresses31 and device IMEI numbers. Screenshot: Carnegie Mellon University Mobile App Compliance System 29 Specifically, the Mobile App Compliance System downloaded Android Package Kit (APK) files from the Google Play Store and then conducted a static analysis of the downloaded APK. This analysis included extraction of app permissions and evaluation of first and third party use of Android APIs to assess what data types are collected by the app publisher and shared with which third parties. 30 HSS Privacy Policy, ​supra​ at 13. 31 A Media Access Control (MAC) address is a unique hardware address that is installed into a device by the manufacturer. ​See ​Bradley Mitchell, ​Media Access Control (MAC),​ Lifewire (Sep. 13, 2016), https://www.lifewire.com/media-access-control-mac-817973​. Because “your phone's MAC address remains the same regardless of the network and transmits even without actually connecting to the Internet,” researchers have long warned against the possibility of consumer tracking via MAC addresses. Latanya Sweeney, ​My Phone at Your Service​, Tech@FTC Blog (Feb. 12, 2014), https://www.ftc.gov/news-events/blogs/techftc/2014/02/my-phone-your-service​. 7 In re AnchorFree, Inc. Hotspot Shield VPN August 7, 2017 19. Contrary to Hotspot Shield’s claims, the VPN has been found to be actively injecting JavaScript codes using iframes for advertising and tracking purposes.32 An iframe, or “inline frame,” is an HTML tag that can be used to embed content from another site or service onto a webpage; iframes are frequently used to insert advertising, but can also be used to inject other malicious or unwanted code onto a webpage.33 20. Further analysis of Hotspot Shield’s reverse-engineered source code revealed that the VPN uses more than five different third-party tracking libraries,34 contradicting statements that Hotspot Shield ensures anonymous and private web browsing. C. Hotspot Shield’s Apps Redirect User Traffic to Secret VPN Servers 21. Additional research has revealed that Hotspot Shield further redirects e-commerce traffic to partnering domains. For example, when a user connects through the VPN to access specific commercial web domains, including major online retailers like and , the application can intercept and redirect HTTP requests to partner websites that include online advertising companies.35 D. Hotspot Employs Insecure and Unreasonable Data Security Practices 22. Consumers have reported instances of credit card fraud after purchasing the “Elite” paid-version of Hotspot Shield VPN. One consumer reported “thousands of dollars” in credit card charges, as well as other suspicious online activity.36 23. A static code analysis of Hotspot Shield also reveals that the app does not transmit Mobile Carrier information through an HTTPS connection. This unencrypted transmission can be vulnerable to leaks or outside attacks. Muhammad Ikram et al., ​An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps, Proceedings of the 2016 Internet Measurement Conference​ ​(Nov. 14-16, 2016), https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf​. 33 Definition: IFrame, TechTarget, http://whatis.techtarget.com/definition/IFrame-Inline-Frame (last visited Jul. 10, 2017). 34 Ikram et al., ​supra ​note 32, at 11. 35 ​Id. 36 ​See, e.g.,​ ​Lots of fraudulent activity since purchasing Hotspot Shield Elite, ​Reddit (Jan. 2017), https://www.reddit.com/r/vpnreviews/comments/5f9emw/lots_of_fraudulent_activity_since_purchasing/. 32 8 In re AnchorFree, Inc. Hotspot Shield VPN August 7, 2017 Screenshot: Carnegie Mellon University Mobile App Compliance System 24. Hotspot Shield provides a blanket caveat to its claims to security and privacy. Its Privacy Policy states that “[a]s described in our Terms, [ ] we may not provide a virtual IP Address for every web site you may visit and third-party web sites may receive your original IP Address when you are visiting those web sites.”37 The referenced Terms (of Use) further emphasizes that “software is not perfect and due to defects, bugs, or other reasons, or for no reason at all, AnchorFree does not guarantee that the Service will create a VPN or utilize a Proxy IP Address on all websites.”38 This directly contradicts the stated purpose of HotspotShield and defies consumers’ reasonable expectations for the functionality of the product. III. ​Legal Analysis 25. Section 5 of the FTC Act prohibits unfair and deceptive acts and practices and empowers the Commission to enforce the Act’s prohibitions.39 26. Misrepresenting the level of privacy and security available to individuals while using the Hotspot Shield VPN application is a deceptive trade practice under Section 5 of the FTC Act, subject to investigation and injunction by the Commission. 27. Hotspot Shield’s lack of transparency about its logging, use of third-party tracking libraries, and redirection of user traffic also constitutes an unfair trade practice under Section 5 of the FTC Act, and is also subject to investigation and injunction by the Commission. A. Hotspot Shield VPN’s Claims About Privacy and Security Are Deceptive Trade Practices 28. A company’s “representation, omission, or practice” is considered deceptive under Section 5 of the FTC Act if it is likely to mislead a consumer acting reasonably under the HSS Privacy Policy, ​supra​ at 13. AnchorFree, Hotspot Shield Software License & Service Terms, ​https://www.anchorfree.com/terms-of-service/ (last modified Jul. 22, 2016). 39 ​See​ 15 U.S.C. § 45 (2010) 37 38 9 In re AnchorFree, Inc. Hotspot Shield VPN August 7, 2017 circumstances and is likely to affect a consumer’s conduct or decision regarding a product or service.40 29. Hotspot Shield’s statements to the media, application descriptions that users’ “security and privacy are guaranteed!,” and Privacy Policy, which begins with the phrase, “Protecting the web for your security, privacy and anonymity!,” are misleading and would lead the average user to believe the VPN service is more secure and more privacy-protecting than the reality of Hotspot Shield’s data practices. 30. These statements are also important to a consumer’s decision to use Hotspot Shield VPN, constituting “material” claims.41 42 Hotspot Shield touts “anonymous web browsing,” “complete Wi-Fi security,” and the ability to “protect [sensitive data] from snoopers” as key benefits of using its VPN.43 As mentioned above, consumer demand for privacy and security protections predominate the list of reasons why users access and use VPNs.44 Misrepresenting the functionality of its product makes it difficult for consumers to meaningfully decide how or whether to purchase, download, or use Hotspot Shield VPN. B. HotSpot Shield’s Data Collection and Sharing Practices, and Its Failure to Provide Adequate Security, Are Unfair Trade Practices 31. The Commission may find a company’s practice to be unfair if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”45 32. There are three elements to an unfairness claim: first, the injury suffered by consumers must be “substantial.” This generally involves monetary harm. With respect to data security, the Commission has previously found that the failure to “employ reasonable and appropriate measures to protect personal information against unauthorized access” is an 40 Fed. Trade Comm’n, FTC Policy Statement on Deception (1983), https://www.ftc.gov/public-statements/1983/10/ftc-policy-statement-deception​. 41 Id. 42 ​The Commission has explained that examples of material claims include representations about a product's performance, features, safety, price, or effectiveness. Fed. Trade Comm’n​, Advertising FAQ's: A Guide for Small Business (Apr. 2001), https://www.ftc.gov/tips-advice/business-center/guidance/advertising-faqs-guide-small-busines​s. 43 Hotspot Shield, Benefits of VPN, ​https://www.hotspotshield.com/benefits/​. 44 ​See ​Paul Gil, ​10 Reasons to Use a VPN for Private Web Browsing​, Lifewire (Jul. 21, 2017), https://www.lifewire.com/reasons-to-use-a-vpn-for-private-web-browsing-2483583​. 45 ​FTC v. Direct Marketing Concepts, Inc., 569 F. Supp. 2d 285 (D. Mass. 2008); FTC v. Seismic Entertainment Productions, Inc., Civ. No.1:04-CV-00377 (Nov. 21, 2006); ​see also​ FTC Policy Statement on Unfairness (1980) (codified into the FTC Act as 15 U.S.C. § 45(n)). 10 In re AnchorFree, Inc. Hotspot Shield VPN August 7, 2017 unfair trade practice.46 Hotspot Shield’s insecure practices present potential monetary harm for paying customers, as well as the potential risk of identity theft and fraud for all users. 33. While emotional impacts and other more subjective types of harm do not ordinarily make a practice unfair,47 the Commission has also suggested that consumers can be unfairly harmed by the sharing of information for undisclosed purposes in ways that betray consumer trust.48 It is thusly unfair for Hotspot Shield to present itself as a mechanism for protecting the privacy and security of consumer information, while profiting off of that information by collecting and sharing access to it with undisclosed third parties. Consumers who employ Hotspot Shield VPN do so to protect their privacy, and Hotspot Shield’s use of aggressive logging practices and third-party partnerships harm its consumers’ declared privacy interests. 34. Second, “the injury must be one which consumers could not reasonably have avoided.” Companies may not withhold from consumers “critical price or performance data,” which would leave consumers unable to make informed comparisons. 35. The Commission’s use of its enforcement authorities are designed to promote the “free exercise of consumer decision making,”49 and Hotspot Shield’s practices unfairly limit consumers’ ability to make meaningful free market decisions. 36. Hotspot Shield users could not have avoided the harm at issue here. While there are other VPNs on the market, consumers lack any meaningful way of making comparisons among different providers. Reading user reviews of VPN services, for example, may not provide accurate information; they are frequently manipulated by hired affiliates to VPN service. 50 As users have pointed out, “[a]lthough there are multiple ‘top VPN’ lists available online, they are often riddled with affiliate links, making it hard to ascertain their accuracy.”51 ​Complaint for Injunctive and Other Equitable Relief, FTC v. Wyndham Worldwide Corp., No. 2:12-cv-01365-SPL (D.N.J. June 26, 2012). 47 FTC Policy Statement on Unfairness (1980) (codified into the FTC Act as 15 U.S.C. § 45(n)). 48 Statement of Chairman Pitofsky and Commissioners Anthony and Thompson, In the Matter of Touch Tone Information, Inc., File No. 982-3619 (1999), https://www.ftc.gov/sites/default/files/documents/cases/1999/04/ftc.gov-majoritystatement.htm. 49 FTC Policy Statement on Unfairness (1980). 50 ​Grauer, ​supra​ at 28. 51 ​See id. ​See also ​Violet Blue, ​Good Luck Finding a Safe VPN​, Engadget (Apr. 7, 2017), https://www.engadget.com/2017/04/07/good-luck-finding-a-safe-vpn/​ (finding that many articles purporting to explain and review VPNs are “are profit-seeking endorsements for affiliate VPN services”). 46 11 In re AnchorFree, Inc. Hotspot Shield VPN August 7, 2017 37. Third, the injury “must not be outweighed by an offsetting consumer or competitive benefit that the sales practice also produces.” Consumers do not derive a countervailing benefit from policies and procedures that compromise the privacy and the integrity of their information, particularly for a product that presents itself as a tool to protect users’ security and privacy. While an ad-supported VPN may be beneficial in certain instances, it should not be paired with a product or service that tells users that it ensures anonymity, privacy, and security. IV. Grounds for Relief 38. CDT seeks to ensure that technologies marketed to consumers as privacy protective provide clear and accurate disclosures about data collection and third party data sharing of user information. 39. CDT urges the Commission to conduct an investigation pursuant to its regulatory authority into the data collection and sharing practices of Hotspot Shield VPN. 40. Based upon Hotspot Shield’s unfair and deceptive trade practices, CDT specifically asks the Commission to: 1) Initiate an investigation into the data security practices of Hotspot Shield, as well as the application’s data collection and sharing practices; 2) Order Hotspot Shield to cease misrepresenting its privacy and security practices in its advertising materials, Terms of Service, and Privacy Policy; 3) Order Hotspot Shield to provide consumers with more clear, accurate, and accessible information about Hotspot Shield’s advertising practices; 4) Order Hotspot Shield to implement a comprehensive privacy and security program, including an independent third-party audit of the technical security features of its VPN applications; 5) Order Hotspot Shield to provide consumers with refunds where appropriate; and 6) Provide such other relief as the Commission finds necessary and appropriate. Respectfully submitted, Michelle De Mooy Director, Privacy and Data Project Center for Democracy & Technology Joseph Jerome Policy Counsel, Privacy and Data Project Center for Democracy & Technology 12 In re AnchorFree, Inc. Hotspot Shield VPN August 7, 2017