Why is Hitman Pro promoting Hotspot Shield?

A: yes, no offence intended

B: maybe an unlucky choice, but that does not make HMP enemy of the Wilders clan no1, after all even their free version offers a 30 day removal option.

 

I thought that, by now, people understood the doubt raised by justenough, and I must confess that I'm in doubt as well, is whether or not the displaying of ads in a service that promises to deliver privacy breaks that privacy or not. A VPN is meant to provide privacy; not to let others know who you are. Does the displaying of the ads, and what user justenough mentioned about their TOS, break this privacy?

I never used it, and got no intentions of using it, so I don't know whether or not such will break the privacy it promises to deliver. It would be interesting to know whether or not such happens.

-edit-

Also, don't forget that for many people out there having privacy is a matter of security, literally. So, it would be actually great if anyone with deep knowledge about it could say a word about this matter.

 

I don't expect that most people read either the EULA or the posted Privacy Policies, but that's a choice we all make. Most of the time I don't read them either, but sometimes I do and I did before I installed HSS which I do use occasionally. Do you believe there is something atypical about the privacy policy? It reads like standard fare, and you left out the part where they say they do not collect any personally identifiable information. The question here is not is this objectionable, but is it any different than what every other ad serving service is doing? As I asked earlier is there something unique about the ad services used by AnchorFree that makes them "invasive" or is this standard stuff? This pertains to the original question because it seems to me that GFI's blogpost implies AnchorFree is doing something out of the ordinary that is particularly bad and so far no one has shown that.

 

And, that's what I'd like to know as well. If there's something bad, it should have been revealed. The Sunbelt blog was cryptic about it.

 

A good start would be to read the Privacy Policy. AnchorFree defines what they mean by "privacy" pretty clearly. Here is a small part of the policy:

AnchorFree does not collect any personally identifiable information on Hotspot Shield. Hotspot Shield automatically collects certain non-personally identifiable information from Users that is used in the aggregate only.
AnchorFree does not collect, store, or share any permanent identifiers of Users, including IP addresses.


Whether or not this is sufficient is up to the user. I prefer the VPN services that don't use any advertising. They are not free though and that is exactly the tradeoff.

 

And, what means this (quote from their TOS, and pointed out by user justenough):

So, they can literally force a user to give away personal information. If these users don't, then AnchorFree, as stated, can kick them out of the service until they do it. *edit* Whether these people have other choices out there, it's beside the point. The point is a VPN provider doing such. *end of edit*

Maybe this is what Sunbelt meant, just not clearly enough. Isn't this bad? I'd say it is, coming from a company that promises to deliver a VPN.

And, no one is forcing them to provide a free version. They give it, because there's a demand, but that's their own choice to do it. If they have the right to monetize their free version? Totally. Just do it in a way that won't pose a risk to their users privacy.

The problem is that not everyone reads EULAs, TOS, etc. Software vendors don't exactly advertise these conditions on the main page top either, in a very concise and clear way. It sure would awake people and scare them the heck away from their service.

 

I think that section of the TOS is bizarre. I don't really know what it means, but I've used the service from time to time and I've never been presented with a survey or required to participate in some advertising program as a condition of using the service. Still I agree that language is disturbing and inappropriate for a VPN provider.

 

The curious user can always try running the Conduit End-User License Agreement through Javacool's EULAlyzer.

I ran it, and the results produced a EULA Interest ID of 661-1D, stating...

(My personal EULA scan history has produced Interest IDs ranging from a low of 10 to a high of 878.)

Edit in: I just realized that the first EULA I ran was for the toolbar option.
So I ran the AnchorFree Hotspot Shield Software License and Terms of Service, and it produced a 590-ID Interest-ID in EULAlyzer.
IMO, the ID number by itself isn't telling us a whole bunch.

 

Unfortunately, I cannot download the installer, as I'm short on my monthly traffic, but I see in their website they offer it in other languages, such as French. If Hotspot Shield is like any other application (at least 99% of them), I have doubts the EULA will be in French. I wonder if they actually provide an EULA in the languages they provide their software?

99% software vendors don't. So, when we say most people don't read EULAS, etc., they probably simply can't, because they don't have a minimal English knowledge to understand it. Even less knowing how to use an application such as the Javacool's one, which is in English.

So, if I were a French/other guy, who doesn't understand English, how could I even understand some EULA written in English?

 

A. No offence taken, what you said was interesting, and I had to give it some thought.

B. Unlucky, careless, or on top of things, I'm not sure. As has been said, there isn't much information available about how vulnerable a user is with HSS advertising networks. It sounds like it is possible to identify who the HSS user is by tracking browsing habits, but that's not clear. Because HMP has such a good reputation here, and I automatically trust them, it would be nice to know if HMP looked thoroughly into the tracking issue raised by GFI, or even was aware of it, before making their advertising deal with HSS.

 

I wonder if the free online translation services would be sufficient? I don't know another language so I can't test it, but it would be interesting to know if something like Google Translate can translate a EULA with sufficient accuracy for non English speakers.

Agreed - I feel security vendors should be careful along these lines. Another vendor incorporated an Ask powered search box in their toolbar a while back which upset many people, and rightly so IMO since Ask is arguably spyware.

 

Yes, hello from AnchorFree. Thanks for catching this. We agree this is badly worded and don't know what it means ourselves. We will revise it shortly. We would never force a user to "participate in an advertising program" per se, however, we do reserve the right if a user is employing adblocking software to prevent access until they disable the adblocker because it deprives us of our livelihood. Believe it or not, our "free" service is quite difficult and expensive to maintain and we like to compensate our talented engineers well so we need to protect our revenue sources.

 

It's nice to see you monitoring this discussion. Perhaps you could address the blogpost mentioned earlier in the thread where the advertisers that are part of the Hotspot Shield service are characterized as "invasive"?

 

A good suggestion you made 4 days ago, Victek123, that gets to the point of this thread. So far nothing from Hitman Pro or Hotspot Shield except their previous comments, which were about side issues and with what seems to me like a bit of blowing smoke. What's common to both HMP's and HSS's comments is that they need to run ads in their free versions, which isn't exactly helpful with the doubts raised by GFI's (Vipre) examination of HSS. Just how important are the ads to them, what sort of compromises are they willing to make?

It shouldn't be that difficult to answer the issue of 'invasive networks' in HSS, or my question: before running their ad, did HMP look into or even know about the problems with HSS's free version that GFI found?

 

Imo it all boils down to GFI/Sunbelt Spyware Research Manager Eric Howes remark;
“The key test or question in this case is a simple one. AnchorFree promotes Hotspot Shield as means for ‘protecting your privacy, security, and anonymity on the web.’ What would users think if they knew that the very first thing AnchorFree does after users start a ‘private browsing session’ is hand them over to invasive advertising networks? I think they would be appalled.”

HSS clearly state on their website that the free version isn't ad free.
I think that's pretty clear so users shouldn't be that surprised when they see ads.
The GFI/Sunbelt blog text 'There is no notice on the Hotspot Shield home page or download page that the product is ad-supported.' (link) is only true in the sense that HSS clearly shows that the free version doesn't have a check mark for 'Ad Free Browsing' (link). It, indeed, doesn't say 'Ad Supported'.
So, room for a battle of semantics perhaps but hardly hardcore obfuscation by HSS.
Then about the privacy aspect of the ads.
'Art' from HSS states;
"Also, we never store real user IP address and never provide real user IP to any advertiser. Therefore, neither we nor our advertisers can disclose real IP of our user even if compelled. Although I agree that it is not very clear in our privacy policy. But we never store/share any users’ personal data. We limit list of our advertisers to only ones who agree NOT to receive real user IP."

To which Eric Howes, Sunbelt Spyware Research Manager replies;
"Moreover, it’s fairly well established at this point that users’ true identities (or something very close to them) can, given enough data, be derived from the browsing profiles created via the tracking technologies used by major ad networks."

Well, I guess that if users click on enough ads during their VPN sessions in a way that matches their ad-clicking behaviour during non-VPN sessions, a users profile can be derived 'given enough data'. But that's a pretty important part of the equation, the 'enough data'.
I'd like to see Eric Howes' definition of the rather vague 'enough' before chastizing HSS free version as not offering (sufficient) anonimity, privacy and security.
If all this is enough reason for you to uninstall HMP's free version, that's your prerogative of course but I don't see such a compelling case here.
Nor any reason to regard a business strategy of ad-supported free program versions as compromising to a company's professionality or integrity.
Just as long as HSS makes clear that their 'free VPN' browsing sessions will show ads, I don't see any problem and it's also up to the user to be somewhat aware of the product they are using and it's theoretical<->real life implications.

 

Baserk, I like how clearly you've described the situation, including that GFI could have been more detailed in it's criticism. A couple of days ago I requested that they comment here about it, but so far they haven't. Since I saw HMP's ad for HSS, I've looked for user comments at different sites, and while a lot of people like HSS, a lot have a reaction that backs up GFI saying users of the free version would be 'appalled'.

So unless I hear something different, my view is that GFI didn't like that a product promising internet privacy was also making their customers available to advertisers, and that the extent they do that is in the fine print. HSS says the advertisers promise not to harvest data from their customers, which raises a few questions in itself. And finally, I'm guessing that HMP ran the ad for HSS as a casual exchange without investigating the issues that GFI raised.

 

What questions would those be?
HSS stated that they only show ads from those advertisers who are content with receiving an anonymized/virtual (e.g. not the user's real) IP.
Could you point to the HSS statement where 'advertisers promise not to harvest data from their customers', I can't find it.

 

That wasn't clearly worded on my part, probably because I'm not clear what AnchorFree means in this exchange:

"We limit list of our advertisers to only ones who agree NOT to receive real user IP." -AnchorFree

"The real problem is that AnchorFree goes out of its way to create user expectations that are entirely opposite of the true ad-supported functionality of the product. Moreover, it’s fairly well established at this point that users’ true identities (or something very close to them) can, given enough data, be derived from the browsing profiles created via the tracking technologies used by major ad networks." -GFI

So AnchorFree is saying that their advertisers agree not to receive real users IP info, as if there is some choice in the matter, which according to AF there isn't because they strip out the IP info. I think it's probably just awkward wording and not anything sinister. Anyway, my point was that the advertisers agree to not receive IP information, but according to GFI they have the technology to identify user identity from browsing habits, without actually having the IP info, and AnchorFree says nothing about advertisers agreeing not to do that (not that it would matter much if they did).

What is really happening hasn't been cleared up in this thread, even though both HMP and HSS have commented. Let's just forget the invasive networks and identity tracking, because we don't know. The sloppiness is enough for me. HSS didn't know what was in their own EULA and had no idea what it meant? Advertisers agree to not get something that's not available anyway? HMP talks up the heroic use of HSS by oppressed peoples instead of dealing with the question? The list goes on, but my main concern is that there is no evidence from HMP that they thoroughly vetted HSS before running their ad. Do a search for user comments around the web about their experience with the ads (and other problems) in HSS free, and even though it's not a majority, it is still enough to be significant to me, and in my opinion should have been significant to HMP.

I know how highly thought of HMP is here so I have doubts about my conclusions. But as an average user, my security policy is pretty simple (feel free to say simple-minded), if something doesn't feel right, online or with software, I head in the opposite direction. So far it's worked out okay. I do the best I can with what I've got, those who are technically knowledgeable will make more informed decisions.

 

I can't see the hotspot shield ad any more

 

That's good to hear, tpro.

After a few days to think it over, maybe I over-reacted a bit when I read the GFI comments. Companies have to make a buck, we all have to use our own judgement on what software to install, and it's not clear just how 'invasive' the HSS advertising networks are, GFI could have been over-stating the risk. My long-term experience with Hitman Pro has been good, they have a great reputation here, so I'm going to give them the benefit of the doubt, which I probably should have done from the beginning.

 

I'd just ignore this non-intrusive ad. Better than installed adware.