Slashdot Mirror


Top VPN Provider Accused of Sharing Customer Traffic With Online Advertisers (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: On Monday, the Center for Democracy & Technology (CDT) -- a US-based privacy group -- filed a complaint with the US Federal Trade Commission (FTC) accusing one of today's largest VPN providers of deceptive trade practices. In a 14-page complaint, the CDT accuses AnchorFree -- the company behind the Hotspot Shield VPN -- of breaking promises it made to its users by sharing their private web traffic with online advertisers for the purpose of improving the ads shown to its users. In its complaint to the FTC, the CDT is not accusing AnchorFree of secretly injecting ads, as users are well aware of this practice, but of not respecting promises made to its customers. More specifically, the CDT says that AnchorFree does not respect a pledge made in marketing materials that it won't track or sell customer information.

55 comments

  1. Again, is anyone surprised? by JohnFen · · Score: 4, Interesting

    Your VPN provider has access to your traffic. If anyone aside from you or the party you're communicating with has access to your traffic, your communications are not secure -- even if that "anyone" uses the acronym "VPN".

    1. Re:Again, is anyone surprised? by Anonymous Coward · · Score: 0

      Well, maybe we need a better name for these services, and even a new technological solution. Something in between a VPN and Tor in terms of the privacy gained. There is value to aggregating your traffic with a bunch of other people from a privacy perspective. Sure, a really powerful adversary can still do network analysis (you can use Tor if protection from network analysis is what you need, for example, if you are a dissident). However, most of us who use VPNs for privacy just want to confound the bulk of the naive data gathering out there. I also muck with my user agent (it's randomly changed every so often) and destroy all data on closing my browser. I would like a better solution than this, but Tor isn't the right solution for 2 reasons: (a) it's so slow and (b) it is not designed for this, and I don't want to selfishly run my traffic on the limited resources of the Tor network which should be reserved for people who really need that, like dissidents.

    2. Re:Again, is anyone surprised? by Anonymous Coward · · Score: 1

      There is middle ground between "secure" and "not secure". You'll never stop the most determined, so all you can do is try. Well, except in your case, you just give up without a fight.

    3. Re:Again, is anyone surprised? by JohnFen · · Score: 1

      Yes, there are different sets of needs to be sure. I'm more like you in my needs, but I don't trust third party VPN providers to help because they are themselves likely to engage in the sorts of spying that I'm trying to avoid. Still, better to have one spy than hundreds, I suppose, so it's not without value.

      I take a different compromise: I run my own VPN server and use it for internet (and LAN) access when I'm not at home. That way, I only have to engage in mitigation in one place.

      But my needs don't include things like trying to obscure my physical location, and (obviously) my ISP can still see everything that I haven't encrypted.

    4. Re:Again, is anyone surprised? by geekmux · · Score: 0

      Your VPN provider has access to your traffic. If anyone aside from you or the party you're communicating with has access to your traffic, your communications are not secure -- even if that "anyone" uses the acronym "VPN".

      You need to understand that there is no longer any money to be made in creating solutions for the 1% of internet users that still give a shit about security and anonymity.

      That's not even taking into account governments who vehemently despise anonymous communications.

      You want secure communications? Open your wallet.

    5. Re:Again, is anyone surprised? by JohnFen · · Score: 4, Insightful

      Open my wallet? I have no problems paying for things. The issue is -- where can I find a service that I can trust, paid or not? I submit that I can't. Not to say they don't exist, but that it's impossible to tell who they are.

    6. Re:Again, is anyone surprised? by geekmux · · Score: 2, Insightful

      Open my wallet? I have no problems paying for things. The issue is -- where can I find a service that I can trust, paid or not? I submit that I can't. Not to say they don't exist, but that it's impossible to tell who they are.

      Yes, it's impossible. That much is true. But the larger problem is you represent the fraction of a percent who still cares. The other 99.999% of society doesn't give a shit about privacy, so you will never find a viable solution for security.

      There is no longer any money in privacy. Therefore, there is no justified reason for anyone to provide it. No matter how you feel about that, it is true.

    7. Re:Again, is anyone surprised? by Hadlock · · Score: 5, Interesting

      Yep, I interviewed at another company, it came out about halfway through that the reason why they're profitable is that they provide a free VPN service, then monitor mobile app traffic over the VPN to get aggregate use stats on various top 1000 apps and then sell that usage info. The world's largest investment banks are buying up this data to determine if they want to buy or sell stocks like Snapchat, etc.

      --
      moox. for a new generation.
    8. Re:Again, is anyone surprised? by Anonymous Coward · · Score: 0

      where can I find a service that I can trust, paid or not?

      Like a lot of things in life, if you want it done right, you have to do it yourself. Get a VPS and run OpenVPN on it. That will frustrate extremely naive analysis, the main weakness being that the VPS' address pretty much means just you. But it's a start. Then get someone else to do the same thing. Then become each others' clients...

    9. Re:Again, is anyone surprised? by Rick+Schumann · · Score: 3, Interesting

      "Open your wallet", he says, LOL. That won't work either. Everyone is going to LIE TO YOUR FACE about their so-called 'privacy policy', and even if they don't? Someone upstream of them will be doing the spying anyway. The best you can do is use Tor, cross your fingers that some criminals aren't compromising your exit node to either steal your identity or infect your computer with something, and make the hard choice between not being able to use all those websites that don't work because you're on Tor, or accessing them 'in the clear' and knowing that your very personally identifiable traffic is being logged by your ISP. Then if that wasn't bad enough, most people are still using Windows, so never mind ISPs spying on you, your own computer is already spying on you.

      The only way we'll have any real privacy on the Internet ever will be when there is a combination of strict privacy laws with stiff penalties for violating them, and 100% encryption on all traffic, including DNS lookups. Don't hold your breath waiting for it, there's too much money on the table, every Internet-related company with skin in the game would fight tooth and nail to prevent it from ever happening. As-is if you want any modicum of privacy you may as well start formulating an exit strategy for the Internet, and learn to get along without it in the long run, in this game the only way to win is to not play.

    10. Re:Again, is anyone surprised? by Anonymous Coward · · Score: 0

      Also, if you use TOR, a lot of sites make you identify yourself in some other way before you can use them, which defeats the purpose.

    11. Re:Again, is anyone surprised? by Anonymous Coward · · Score: 0

      If you have to trust a company to protect your privacy, you're already screwed. The trick is to get around needing to trust them.

      You could, for example, use one VPN to connect to another VPN. That way all VPN #1 knows is you use their service to connect to another VPN. And the second VPN knows who you talk to, but not where your connection originates from. Basically, you're recreating Tor at that point, badly, but it removes one layer in the need for trust.

    12. Re:Again, is anyone surprised? by JohnFen · · Score: 1

      That would help to obscure the traffic source, but the contents of the traffic would still be visible to VPN #2.

      For my purposes, I care more about obscuring the contents of my traffic than about obscuring the location of the endpoints.

      If I need tighter security than that, then I'll use Tor.

      But, as with all security mechanisms, you can't have perfect security no matter what you do. So everyone has to decide for themselves how much makes sense and just call it good.

      For me, that means running my own VPN that connects my mobile devices to my home network, and accepting that my ISP gets to see all the traffic that I don't encrypt further. But at least my mobile carrier doesn't, nor my workplace, nor random people at a public hotspot.

    13. Re: Again, is anyone surprised? by Anonymous Coward · · Score: 0

      I miss when words meant things. So, what percentage of being pregnant is the middle ground? What does "a little bit" pregnant mean? How about if she is 99% pregnant? Is she actually pregnant?

    14. Re:Again, is anyone surprised? by JohnFen · · Score: 2

      Also, if you use TOR, a lot of sites make you identify yourself in some other way before you can use them, which defeats the purpose.

      Well, in fairness, that entirely depends on what you're using Tor for. If your purpose is to keep your identity a secret from the entity you're communicating with, then yes -- identifying yourself to them is counterproductive.

      If, however, your purpose is to foil third parties who want to glean information from your communication, identifying yourself to the endpoint you're intending to talk to doesn't impact that at all.

    15. Re:Again, is anyone surprised? by Anonymous Coward · · Score: 0

      "provide a free VPN service"

      If something is free, then your information is the cost.

    16. Re:Again, is anyone surprised? by geekmux · · Score: 1

      "Open your wallet", he says, LOL. That won't work either. Everyone is going to LIE TO YOUR FACE about their so-called 'privacy policy', and even if they don't? Someone upstream of them will be doing the spying anyway. The best you can do is use Tor, cross your fingers that some criminals aren't compromising your exit node to either steal your identity or infect your computer with something, and make the hard choice between not being able to use all those websites that don't work because you're on Tor, or accessing them 'in the clear' and knowing that your very personally identifiable traffic is being logged by your ISP. Then if that wasn't bad enough, most people are still using Windows, so never mind ISPs spying on you, your own computer is already spying on you. The only way we'll have any real privacy on the Internet ever will be when there is a combination of strict privacy laws with stiff penalties for violating them, and 100% encryption on all traffic, including DNS lookups. Don't hold your breath waiting for it, there's too much money on the table, every Internet-related company with skin in the game would fight tooth and nail to prevent it from ever happening. As-is if you want any modicum of privacy you may as well start formulating an exit strategy for the Internet, and learn to get along without it in the long run, in this game the only way to win is to not play.

      I would assume you are one of the rare humans who is actually intelligent enough to come to the conclusion that the only way to "win" is not to play. You are correct in that statement. The only way to communicate securely is to not use the internet to do it, so communication now comes at a cost.

      The statement regarding opening your wallet was addressing the generation of social media narcissists who demand everything for free. This is the same generation who no longer gives a flying fuck about security who will ultimately create the demise of it.

    17. Re: Again, is anyone surprised? by Hadlock · · Score: 1

      Very insightful, thanks for pointing that out. I wonder if Facebook has considered using your business plan? It seems like a sound business idea, rather than just giving away expensive services for free at a cost to your business. Great idea!

      --
      moox. for a new generation.
    18. Re: Again, is anyone surprised? by rogoshen1 · · Score: 1

      Are you saying you've never heard of the Schrodinger's fetus thought experiment?

    19. Re:Again, is anyone surprised? by Rick+Schumann · · Score: 1

      They'll have to learn the hard way, I guess.

      TANSTAAFL

    20. Re:Again, is anyone surprised? by geekmux · · Score: 1

      They'll have to learn the hard way, I guess.

      TANSTAAFL

      History dictates stupidity wouldn't have it any other way.

    21. Re:Again, is anyone surprised? by AHuxley · · Score: 1

      But everything important has https in 2017 right?
      How much would anyone really be able to see that still has as much value as the http years?

      --
      Domestic spying is now "Benign Information Gathering"
    22. Re:Again, is anyone surprised? by maelkum · · Score: 1

      The only way we'll have any real privacy on the Internet ever will be when there is a combination of strict privacy laws with stiff penalties for violating them, (...).

      That would be good, but I doubt it will happen.
      We should push for it, though.

      (...) and 100% encryption on all traffic, including DNS lookups. Don't hold your breath waiting for it, there's too much money on the table, every Internet-related company with skin in the game would fight tooth and nail to prevent it from ever happening.

      There is a solution for this, albeit not a popular one (yet).
      It is called Cjdns: https://en.wikipedia.org/wiki/...
      A networking protocol (and a reference network called Hyperboria) using encrypted IPv6 where your address is also your public key. It can be run over the traditional network.
      If you care about privacy and security you can make your website available over Cjdns.

    23. Re:Again, is anyone surprised? by JohnFen · · Score: 1

      HTTPS only covers web traffic. Most of the traffic I generate is not web-based.

  2. Good News Everyone! by sexconker · · Score: 1

    I'm shocked. Shocked!
    Well, not that shocked.

  3. This explains a lot. by Anonymous Coward · · Score: 0

    Cancelling my subscription today!

  4. How else are they supposed to make money? by known_coward_69 · · Score: 2

    selling t-shirts and coffee cups?

    1. Re:How else are they supposed to make money? by Anonymous Coward · · Score: 1

      There is this thing called money. You can exchange it for goods and services. I'm surprised you haven't heard of it.

    2. Re:How else are they supposed to make money? by geekmux · · Score: 2

      selling t-shirts and coffee cups?

      Yes. Seems to work for OpenBSD.

    3. Re:How else are they supposed to make money? by Penguinisto · · Score: 1

      selling t-shirts and coffee cups?

      How about selling the VPN access itself. Anyone who trusts a freebie VPN provider is naïve at best, an idiot at worst.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    4. Re:How else are they supposed to make money? by known_coward_69 · · Score: 1

      This is mostly for cheapo people who don't want to buy stuff. No way you can sell it for the real price it costs to run it. Not like the upstream bandwidth is free.

    5. Re:How else are they supposed to make money? by JohnFen · · Score: 1

      Agreed.

      I would agree with your statement even more if you removed the word "freebie" from it.

  5. I would be more shocked by bravecanadian · · Score: 2

    If most of the VPN providers aren't selling customer / traffic data.

  6. You know what they say... by The+MAZZTer · · Score: 2

    ...if you aren't paying for it, you're not the customer. If you aren't the customer, you're the product.

    At least, I'm assuming this wasn't a paid service...

    1. Re:You know what they say... by jmcharry · · Score: 2

      They charge for the service.

    2. Re:You know what they say... by JohnFen · · Score: 5, Interesting

      That statement is obsolete, since you're often the product even when you are paying for it.

    3. Re:You know what they say... by Anonymous Coward · · Score: 0

      Exactly as JohnFen says. You are the product. You can pay, plead, or get on your knees, you are still the product.

      By the way, selling a product that performs the exact opposite of its advertised use is criminal fraud?

    4. Re:You know what they say... by Anonymous Coward · · Score: 0

      If it can be monetized, it will be monetized. Why leave money on the table? Why not double-dip, like ads on paid cable? I need a bigger yacht than the next guy.

    5. Re:You know what they say... by pnutjam · · Score: 2

      They are a free provider with a paid option, this seems to impact their free service which is understood by users to inject ads.
      For reference:
      https://www.bestvpn.com/hotspo...

      Stick with a legitimate paid company, I use airvpn and have a referral in my signature. I've also had good luck with piavpn.

    6. Re:You know what they say... by Anonymous Coward · · Score: 0

      It doesn't matter how much you pay, they can always make more by selling the data as well.

      You cannot achieve security in the current model of the internet. Too many people have sold out to get the data and too many governments are actively undermining/sabotaging it. There's even propaganda flying around suggesting VPN = ZOMGZTERRORISTS. The only people who can have security now are government because they regulate it by killing the people that attempt to break theirs.

  7. from the article: But an inherent issue is by turkeydance · · Score: 1

    ... that users have to trust their VPN providers as much, if not more than their internet provider not to also collect, monitor, or sell their data.

  8. Re:Trump 2020 by GLMDesigns · · Score: 1

    Keep making things up.

    I'm a capitalist, Libertarians are capitalists. Carl Menger, Ludwig von Mises, Hayek, Rand, Rothbard, Friedman were all capitalists and ALL would disagree. That is not how capitalism works. Try reading several of the above authors instead of remaining ignorant.

    --
    If you're scared of your govt then you need to further restrict its powers
    Vote 3rd Party in 2016 and beyond
  9. roll your own VPN by SethJohnson · · Score: 1

    Here's what I did. Perhaps it would work for your level of security / privacy needs:

    1. Rent VPS (Virtual Private Server) running linux. From my vendor, I get 2TB of data transfer per month for less than $5.00.

    2. Set up OpenVPN on remote CentOS linux server.

    3. Install OpenVPN on my laptop. Verify against DNS leakage.

    That process took about 15 minutes to set up and it's pretty straightforward. Security may be additionally enhanced by locating the remote VPS in another country, though your performance may suffer. The monthly cost of the VPS can be defrayed by using the server to host websites and files in addition to its service as a VPN gateway.

    1. Re:roll your own VPN by JohnFen · · Score: 1

      Yeah, I've been running my own VPN for about a decade now -- pretty similar to your setup, except I don't rent a host, I run it on my own set of servers at home.

      I'm still exposed to my ISP, of course. Also, this isn't a solution that the average person can really do.

    2. Re:roll your own VPN by Anonymous Coward · · Score: 0

      Yeah, I've been running my own VPN for about a decade now -- pretty similar to your setup, except I don't rent a host, I run it on my own set of servers at home.

      I'm still exposed to my ISP, of course. Also, this isn't a solution that the average person can really do.

      WTF are you talking about? Do you even know what a VPN is and is for?

    3. Re:roll your own VPN by JohnFen · · Score: 1

      Yes, I do. Do you?

  10. Slashdeal VPN!!! by sizzlinkitty · · Score: 1

    Anyone else notice this is one of the VPNs constantly advertised on slashdot? Glad to see slashdot is interested in promoting shady services.

  11. Solution by yooy · · Score: 1

    1. Pay VPN service with bitcoins
    2. Access VPN through TOR

    1. Re:Solution by maelkum · · Score: 1

      Bitcoin is not a good tool for this. The payment is not anonymous, and the fact that *a transaction occurred* cannot be forgotten.

      A better option would be to pay for a VPN with cash.

  12. Re:Trump 2020 by apraetor · · Score: 1

    Actually, that IS how Capitalism works -- because Capitalism does no more or less than incentivize any activity that can earn you a buck. The disincentive is competition and loss of customers.. and that only applies if there are substitute goods available, and would require the company to actually be disclosing their conduct.. otherwise they are able to profit regardless because no one knows to ditch the service.

  13. Re:Trump 2020 by GLMDesigns · · Score: 1

    Maybe from a socialist strawman perspective but not from someone who wants to build a profitable business. Screwing over your customers hurts a business. Businesses that appear invincible at one point in time often become irrelevant not too much later - especially if they mess up with their customers.

    So, no. This is not how capitalism works. Why don't you actually read (or in the case of Milton Friedman watch) what capitalists say about business and how to grow it as opposed to thinking that straw man arguments are valid?

    --
    If you're scared of your govt then you need to further restrict its powers
    Vote 3rd Party in 2016 and beyond
  14. Re: Trump 2020 by apraetor · · Score: 1

    Hurting customers is only bad for business when it can lead to a loss of customers. As we have seen time and again, that doesn't apply to monopolies. That was the major motivation for making them illegal -- the usual checks built into capitalism don't work, since they are predicated on competition. Capitalism is great, but it's also full of corner cases which libertarians always try to dream away with magical thinking and praying to their capitalist god. If someone thinks Capitalism is infallible and a cure-all, more perfect, less in need of keeping a watchful eye than the men who created it.. then that is religion, not science. My background is economics, don't make the mistake of devolving to ad hominem attacks.