Speaker 0
0:10 – 0:13
Welcome to Tech Talk. Bye. CT.
Speaker 1
0:13 – 2:10
Tea. Welcome to CDT's tech talk where we dish on tech and Internet policy while also explaining what these policies mean to our daily lives. I'm Brian Waslowski and it is time to talk tech. If you wanna take control of your online privacy, you've probably considered using a VPN. That's smart, but not all VPNs are created equal. CDT filed a complaint with the FTC about one popular VPN that we believe isn't living up to its privacy promises. We'll take an in-depth look at why that is. And we'll also be talking about a new tool from CDT that helps developers of algorithms think about the broader social ramifications of the decisions they program. Yes. The algorithms that are making digital decisions for everyone popular free virtual private network, or VPN, Hotspot Shield, promises online privacy to its users. But CDT believes the FTC should investigate its practices. In a recently filed complaint, CDT asked the FTC to look into the data security and data sharing practices of the Hotspot Shield virtual private network free service, which CDT believes should be considered unfair and deceptive trade practices. Ever since the broadband privacy rules were overturned by Republicans in congress, Internet users have been looking for ways to take control of their own privacy. VPNs have been a popular option, so it's concerning to hear just how imperfect an option some might be. Our director of privacy and data, Michelle Des Moines, joins us to talk about this important complaint. Welcome, Michelle. Thank you so much, Brian. It is always a pleasure to be on the show. I love your energy today. This is great. We need good energy on this show. So first, you know, I just like to start here. For those who don't know, what exactly is a VPN and what do most VPN products claim to do or promise to deliver?
Speaker 0
2:10 – 3:15
Sure. So a virtual private network is a technology that enables Internet users to privately send and receive data across public networks. So basically, what that means is if you would like to communicate in a way that won't broadcast information to your Internet service provider or other entities about your browsing, where you're going online, this is one way to do that. So that would make sense. With no broadband privacy rules, you might wanna use it. Absolutely. And, you know, one of the things that brought it to our attention or or maybe raise the urgency of the need to to look more closely at some of these VPNs was the the repeal of the broadband privacy rules and the the course of voices afterwards saying use VPNs, you know, including Including us. Yeah. Including the FTC, including the Federal Trade Commission saying, here's one option for users. And it's really because there are so few. And and so that here was one option for, people to sort of reclaim their privacy. And we decided, you know, maybe we should look about we should look more closely into this. There have been rumors for years that there are a lot of, you know, not great practices going on in VPNs. And so it was worth looking into, and we found some troubling practices.
Speaker 1
3:15 – 3:31
So tell me about those troubling practices. I know you partnered actually SmartSpot Shield. Mhmm. What exactly did was your research? And then let's turn we'll turn to the complaint. What did you look into specifically?
Speaker 0
3:31 – 3:56
Sure. So we worked with Carnegie Mellon's tool. It's called the mobile app compliance tool. And, really, it does a static analysis, of code in different apps, and it helps you kind of identify what is going on. What is the app doing? Where is it sending information? Who can see it? What kind of data is it is it collecting and using? And that's what we did with the Android app of the AnchorFree,
Speaker 1
3:58 – 4:08
Hotspot Shield VPN service. It's a very long, long name. I know I've messed it up three times already, including the number of times I had to read that intro. Hotspot Shield. Alright. We looked at that,
Speaker 0
4:08 – 6:01
and what we found was that a lot of the claims that the company was making about the privacy and security of the user data were were deceptive, we think. And so what we found were things like the, the app was sending different kinds of I IP address, things like that that would be considered personal information by most people, and it would be be really, really unexpected for a user to know that this this data was being sent by the VPN. And so Sent to who? Where what do you mean by sent? So it kinda gets techy. I can get into that if you want. I'd like you to nerd out on me. Go for it. I'll do it. I'll do it. So, for example, there are things there are things there are logs called connection logs and usage logs, and VPN providers usually use these. Right? So the connection logs are, like, dates and and time stamps corresponding to a user session. This helps them track what's going on, amount of data transferred, things that aren't super identifiable. And most mostly connection logs are used by the company to troubleshoot, to see if there's a problem. Sure. Right? Usage logs will contain things like software use and browsing history information, a little more sensitive type of information. There are ways to to collect this kind of information in a way that is privacy protective. So what we found was that Hotspot Shield was engaging in logging practices around user connection data beyond troubleshooting. So this was the more sensitive type of data that they were collecting. And and this was not something that they were telling their users. So this was the deceptive part. Right? The fact that if you are going to the service and it says privacy guaranteed, which is an actual claim that the company made on the Android, Play Store, this is something that they say. And then you look at their privacy policy and it says, well, we actually might use usage log data to identify your usage log data to identify your general location, improve the service, optimize advertisements displayed through the service.
Speaker 1
6:02 – 6:20
Those types of things led us to dig deeper and say, well, what does it mean? How where is advertising coming into play? So what you're finding here is a contradiction between what they're kind of, for lack of a better word, marketing says about their product and then what they actually say once you dig deeper into that kind of nebulous world of privacy policies. Right. Which as as we all know, nobody is reading these except for people like us. And, you know,
Speaker 0
6:21 – 6:40
nobody is reading these except for people like us. And, you know, we're writing it. We're glad you're reading it. Yeah. Of course. And and, you know, honestly, it's it's not a great practice to bury things in your privacy policy anyway, But to not disclose it and to, in fact, say quite the opposite of what you're doing, we felt rose to the level of deceptive.
Speaker 1
6:40 – 7:01
Okay. Any other parts of the complaint that you think would be of interest to our listeners that we should highlight? Well, all parts. All parts, read it on cdt.org. I actually read it, and complaints, if you've never read one, are are kind of an interesting little formula of how you file them. But, lots of great information and screenshots in there. So I think there are there are visuals. Yes. There are. Visuals are good.
Speaker 0
7:01 – 8:43
Well, I mean, I think one of the the parts of the complaint that we worked really hard on was the unfairness aspect. So, you know, as as your listeners probably know, the FTC Act, section five of the FTC Act is is where the FTC gets its enforcement authority, and it's to enforce unfair and deceptive trade practices. And so the unfair part, you know, the deceptive part was saying one thing and doing another. The the unfair part was we didn't feel like users had a lot of choice here. And part of the reason is because companies like AnchorFree will hire affiliates to write reviews, basically. So they will hire people to to go to different sites. This is a widespread practice. It's not just AnchorFree. And they will they will add different kinds of reviews, and they're all positive. Right? So this is a practice that happens a lot. But the problem with that is Probably not just VPNs across Oh, absolutely not just VPNs. Yeah. This is definitely widespread. And but the problem is when you're using a VPN and you have an expectation of privacy, which is then, you know, correlated with the types of marketing claims that they're making, you and you look at the reviews, which is maybe the only place where you can get a differentiation, get an idea of how the different services compare, and that is all, you know, stocked with very favorable reviews because it's stocked by affiliates, that's an unfair practice, we think. And so, you know, not having a way for consumers to compare the different services, that's important. Not having, you know, a way for the consumers to complain or to get their money back if they feel like this is not you know, this isn't what I signed up for. You know, there really was was no option for that. And I we think in general, the just lack of transparency about all these different practices, etcetera,
Speaker 1
8:44 – 9:10
is also unfair to consumers. Okay. So lot of questions raised, you know, by me. So if we're recommending use a VPN, what are some things that, you know, the average consumer, you know, this flags that obviously all VPNs aren't created equal, aren't great. Right? So, probably none are perfect. They're a tough technology. But, what should they be looking for? If even these reviews you can't use, is there anything, any advice you would give?
Speaker 0
9:10 – 10:27
Well, I wouldn't say to completely discount the reviews because typically, depending on the type how savvy you are, you can read through them and see some of the real problems. So people, you know, real users will post problems. And in fact, under some of the places where AnchorFree is listed as one of the best VPNs, you'll see complaints that people have had about about the Hotspot Shield, app for a number of years. A lot of journalists have also sort of tried to raise issues with this app. As far as I know, it hasn't it hasn't been an an FTC complaint. But that's Until now. Until now. But I think the way to to try to inform yourself is to read. So in other words, let's look at those reviews, but also read the the articles that have been written about these things. Don't take those as gospel because, actually, a lot of them list AnchorFree, Hotspots, Shield as one of the best best VPNs. So I think what this tells people is if you really want a service that is going to protect your data, read the privacy policy, look at the reviews and you probably have to pay for it. Yeah. So free, definitely, you you get what you pay for sometimes. Yes. Has there been a response from Hot Spot Shield AnchorFree yet? Not to my knowledge. Not to your knowledge. I'd be curious to hear their reaction. I'm sure they're not pleased,
Speaker 1
10:28 – 11:00
but I, you know, I definitely think that this is hopefully a wake up call for them. So as far as I know, I haven't heard anything, though. Okay. Okay. So no easy answers here. A lot to come. I've seen a lot of media attention on this one. So, congratulations on getting the complaint filed and advocating for consumers on this one. Thank you. And I encourage everyone to take a look online and and read the complaint. And, certainly, if you're considering a VPN, you know, you have lots of questions to ask. That's right. And I think one of the the things that we hate the most is when there's a privacy product that is promising people this
Speaker 0
11:00 – 11:07
anonymity and and these things that are so difficult nowadays to find online. It just we think that that's more more egregious
Speaker 1
11:07 – 12:26
harm that you're promising something that you're not delivering. Alright. We'll leave it on day. Thanks so much for joining, Michelle. Thank you. So you wanna build an algorithm? Of course, you do. Algorithms are the mathematical decision making geniuses that run so much of the digital world, including the results we get in search and the ads we see on news sites. Algorithms are also used to make much bigger decisions, such as eligibility for social services or sentencing in the criminal justice process. CDT wants to make sure that big data and automation are used in ways that create better outcomes for everyone, which means values such as equality and justice need to be baked into the underlying algorithms. To that end, CDT has created a digital decisions tool for developers to help address some of the underlying biases that might unintentionally program into their algorithms. Our tool creator, Natasha Duarte, joins us to talk about it. Welcome. Thank you. You are a lady in lavender today looking stunning in this jacket that I wish our podcast listeners could see. It's amazing. Thanks, Brian. I do it for the fans. And I am your fan of one. But here we go. So tell us about this tool. In general, what is this online tool? How does it work?
Speaker 2
12:27 – 13:27
Okay. So this tool is, for people who are, building algorithms or who are looking to maybe, purchase an algorithm from a third party, to solve a problem. And, it gives them the questions that they should be asking to scrutinize how the algorithm works, what data goes into it, and how it's being used, to try and figure out where there might be bias or unfairness or ethical issues, that might need to be mitigated or that they might need to consider before they decide how and whether to use the algorithm. And so the tool is really, reflects the kind of, world that we want to see, which is one in which, values like, democracy and equality, get baked into the technology that is being used to make decisions that affect our lives. You can tell I read her blog post, which is wonderful. It's at cdt.org
Speaker 1
13:27 – 13:50
because I use some of the same language that you use. Yeah. I'm informed, Natasha. This is great. So this is something that you want people to use kind of in the development stages. Or if, as you said, if someone is, you know, considering purchasing or using an algorithm for something big, ask the developer of that. So it's kind of a two way conversation that can happen. Yeah. So we did design it to sort of fit into,
Speaker 2
13:52 – 14:50
the stages that one might go through when they're, developing an algorithm and automated decision making system, where they sort of define the problem they're trying to solve with it, and they, you know, they build it, they choose the data that goes into it, they train it, and they test it, and then they deploy it. And so these are questions that ideally would be asked at the front end, in order to, sort of avoid some of the biggest, negative outcomes, like discriminatory decisions that affect people negatively. But they can also be asked at the point where, a person or an entity is is looking to contract a purchase, one of these tools, they can ask these questions. And, you know, if there are an if there are questions that, someone who is trying to sell you a tool can't answer, there should be red flags.
Speaker 1
14:51 – 15:13
Good point. So how did you go about creating this? I mean, this sounds like there's a lot of research study in to you know, in terms of, you know, what what truly should be asked, what best practices should be. It sounds like you created a lot of stuff here. Yes. CDT developed this tool over several years. I didn't even know that, and I work here. Yeah.
Speaker 2
15:14 – 15:58
So it was developed, through a lot of, different types of research. We read a lot and we we spent a lot of time talking to, engineers and, data scientists and academics, who work on these schools and who study them, to understand several different things. You know, what does the actual process look like, and how can we best fit our guidance into that process? And, you know, what pitfalls should we be concerned about? There, are other groups out there who are who are working on ensuring that digital decisions are fair and who have been, you know, developing best practices, and we wanted to make sure that we incorporate all of those best practices
Speaker 1
15:59 – 16:21
into our questions. Okay. Very cool. So why don't you walk us through the tool a little bit? Let's let's just say, you know, I want to start a business. You know, I'm I'm working with developers. I love to travel. So let's just say it's an online travel business, you know, and I want to serve up, you know, great packages of, you know, trips to you. What are some of the questions that I should be asking? How would I use this tool?
Speaker 2
16:23 – 16:52
Okay. So, so one question is, you know, what information are you going to use to train your tool? So, so when when we build an algorithm to make these kinds of decisions, usually, certain sets of data are used in order to, if it's a machine learning algorithm, the the algorithm will, you'll feed this training data to the algorithm, and the algorithm will sort of learn from that data and look for
Speaker 0
17:02 – 17:03
travel
Speaker 2
17:05 – 17:47
tool, you might look at, information about travel that people have booked on, websites in the past. You might look at, you know, flights that are popular, destinations that are popular, and then you might write some some rules or some, you might decide what features in that data the algorithm should, should consider when it makes decisions about what travel to recommend to people. So that might include, popular destinations. It might include, what destinations are, you know, a good price at a good time of year, where the weather is good,
Speaker 1
17:47 – 17:58
and stuff like that. Where can I go astray, though? Like, what could I screw up? What are the things that this tool should hopefully alleviate? Like, if I put all that in, how do I end up with a discriminatory algorithm?
Speaker 2
17:59 – 19:13
So let's say that you are going to, train this algorithm on data about where people have booked travel on popular travel websites like Expedia and Orbit, or, you know, whatever, your your popular travel website of choice. So you're gonna get, maybe you'll get a a good cross section of where people are going, but what about people who are booking travel, through travel agents, in more traditional ways or by calling the airline and booking travel? You might be missing, certain groups of people by focusing on certain datasets that maybe are are more readily available but less representative. So people who are in an older age group may be using those travel websites less, but they'd be maybe using travel agents more or calling airlines more. And so you may be sort of, ending up with results that are skewed toward, what younger people like, or you may end up with results that are skewed toward what wealthier people like. And so you may be, in that way sort of excluding some groups of people from quality recommendations.
Speaker 1
19:13 – 19:24
Okay. And this tool would help me think through that to make sure that, you know, the examples you just gave were not maybe horrible, but they could be horrible if I was offering, like, different price points or showing different options,
Speaker 2
19:25 – 19:43
in that sort of way. And so the tool would ask you who is represented in your data. And if there are if your data over represents or under represents some groups, are there ways that you can, improve that by including other datasets or manipulating the data in some way to make it more representative?
Speaker 1
19:44 – 19:49
Okay. Very cool. So have any developers used the tool yet? Have you gotten any feedback, responses from it just yet? Yeah. So we've showed it to a few people.
Speaker 2
19:51 – 20:32
Yeah. So we've showed it to a few people. It's only been out for online for a short amount of time. But we have been talking about it and showing it to a few people, and there's definitely been a lot of interest in it. And, we are working, with people to get some feedback, and and we wanna we keep improving the tool. So we hope that we'll get a lot of good feedback, both positive and negative. We wanna make it as possible to, the needs of people who are building these tools. And we want to, we wanna make sure that we include, you know, all of the the best practices and values that we
Speaker 1
20:33 – 21:40
like equality and diversity that we wanna make sure are baked into the technology. So we are actively soliciting lots of feedback and looking forward to some really good conversations about it. Alright. So it's essentially a beta tool. That sounds great. You'll get a lot of feedback. We actually have in the room Tim Hoagland who designed the tool, did the beautiful design of it. So when you visit cdt.org and find the digital decisions tool, thank you, Tim. It looks beautiful. More to come. Alright, Natasha. Thank you for joining. And definitely every developer should check that out and send feedback. Should they send it to you, Natasha? Where should they send feedback? Yeah, of course. It's natashacdt dot org. Fantastic. Thanks for joining, Natasha. Thank you. That's it for this episode of tech talk. You can read more about CDT's work on privacy and data including our FTC complaint on the free VPN and the digital decision tool at cdt.org. And if you'd like to get updates on all of CDTs advocacy efforts, subscribe to our e newsletter through the CDT website and follow us on social media. I'm Brian Wasilowski. Thanks so much for listening.