Hotspot Shield has a questionable logging policy. While the VPN doesn’t keep any logs of your browsing history or online activity, it does collect plenty of other information and its privacy policy is often vague or misleading.
According to its terms and conditions, Hotspot Shield Elite collects the following data:
- Your IP address – encrypted, only for the duration of your session, and not linked with your activity while using the VPN.
- Your approximate geographical location – derived from your IP address and used to connect you to the nearest VPN server.
- Connection timestamps – used to monitor, support, and optimize VPN services, and stored for three years.
- Bandwidth used per user, per session – used to monitor, support, and optimize VPN services, and stored for three years.
- Device-specific information, such as device identifiers, browser types, device types and settings, operating system versions, mobile, wireless, and other network information (such as internet service provider name, carrier name and signal strength), and application version numbers.
- Non-personal logs of websites (domain names, not specific URLs) visited via Hotspot Shield’s VPN servers – these are aggregated on a monthly basis.
If you use Hotspot Shield Free, the service can share even more data with third-party advertisers:
- IMEI Number (your unique mobile ID)
- MAC address
- Unique advertising ID
- City-level location
If you’re looking for reassurance, the company states that:
“…Even if a government agency physically seizes one of our VPN servers and succeeds in breaking disk encryption on those servers, they would not find any logs or information that would reveal what any individual user was browsing, viewing, or doing online via a VPN connection.”
While it’s encouraging that Hotspot Shield isn’t able to link any behavior to your specific account, this level of data collection is still far too invasive for any user concerned about privacy or anonymity.
Monitoring and sharing data
If you’re using Hotspot Shield Elite, the company monitors “the nature of the requests that you make to our servers (such as what is being requested, information about the device and app used to make the request, timestamps, and referring URLs)” along with a whole host of other information.
If you use the free version, you’ll also be sharing personally identifying information with advertisers. As always, it’s best to stay away from ad-supported services when trying to stay private online.
Connection timestamps could potentially be used – alongside other data points – to prove that you have visited a certain website. This is unlikely to happen, but we would rather Hotspot Shield didn’t log this information for three years.
Where is Hotspot Shield based?
Until recently, Hotspot Shield was owned by Pango, formerly known as AnchorFree, but as of July 2020 it has been acquired by a security company called Aura.
Aura is based in the US, which has very intrusive privacy laws. The US is also one of the founding members of the Five Eyes intelligence alliance. These countries work together to collect, share, and analyze mass surveillance data – this alone is a red flag.
Invasive jurisdictions like the US can compel supposedly privacy-focused companies like Aura to retain and share user information.
Hotspot Shield’s transparency reports
In January 2019, Hotspot Shield released its annual Transparency Report. The report shows the number of data requests Hotspot Shield received from authorities around the world since 2016 (227) – crucially, it also shows that Hotspot Shield didn’t hand over any data.
However, the company hasn’t released another transparency report to account for the time that has passed since then, so there’s no way of knowing whether it has given up user data to any third parties.
Aura / Pango’s Controversial History
Pango provided an all-in-one subscription service to a number of online security and privacy products including Hotspot Shield Elite, 1Password, Robo Shield, and Identity Guard. It costs $12.99 a month, or $95.88 a year.
The Pango group also owned a few different VPN apps including Betternet, Hexatech, and TouchVPN, which are not part of the main Pango subscription service. These services have since been brought within Aura.
A 2016 CSIRO report brought some of the company’s questionable activities to light. Hotspot Shield’s Android VPN app was highlighted for “injecting JavaScript codes for advertising and tracking purposes.”
Essentially, Hotspot Shield was using tracking codes to collect information about users in order to sell it to third-party advertisers.
The company was also exposed for redirecting user traffic through affiliate networks in order to profit from purchases made while using the VPN service.
In 2017, Hotspot Shield was also accused of “unfair and deceptive trade practices” by the Center for Democracy and Technology (CDT).
The investigation relied on evidence that included Hotspot Shield’s own marketing materials, which overstated the privacy and security of its VPN service.
Hotspot Shield didn’t consider the logging of IP addresses to be collection of personal information, which is misleading and untrue.
The CDT’s report mainly targeted the free version of the app, but it was still a sizable breach of trust.
Hotspot Shield’s website materials and privacy policy have since been revamped to clearly show users what the VPN does and doesn’t collect, along with how the free app is used in conjunction with advertising. There has also been a change in leadership since then.
It’s hard to fully trust a company that has put profit before user privacy in the past, but with new management and an updated logging policy Hotspot Shield will be private enough for the majority of users.