A TV ad for HMA VPN, seen on 11 December 2019, began with a cartoon graphic of a woman sitting on a train texting on her phone while a voiceover stated, “Kate was beginning to think her internet browsing wasn’t as secure as she thought”. Several virtual pop-up boxes appeared against the train window, stating “KATE, YOU SEARCHED FOR SHOES”, “KATE, REVISIT OUR OFFER” and “SPECIAL OFFER FOR KATE”.
The next scene featured Kate sitting by a window in a public space with a coffee and her laptop, while the voiceover stated, “When she used internet banking on public Wi-Fi, she realised others could be accessing her account”. Two people in sunglasses and dark clothing then appeared on either side of her and peered at her laptop screen.
The next scene featured a man whispering to Kate, while the voiceover stated, “Then a tech-savvy friend told her about HMA, a virtual private network, or VPN.” Against a blue screen, large text stated “HMA!” and underneath “VIRTUAL PRIVATE NETWORK”. Kate was then seen sitting in a café with her laptop while the voiceover stated, “With HMA, your data is encrypted, to make it private and anonymous. So your browsing is safe, hidden from pesky hackers and scammers. Best of all, it works on any device”.
Two people in sunglasses and dark clothing popped up, alongside the HMA VPN logo. A close-up of Kate’s laptop screen appeared, featuring the HMA VPN login page, which then transposed to a mobile phone that Kate held in her hand. The final screen featured the HMA VPN logo, followed by a search box containing the text “Search HMA VPN.” Underneath, text stated “FREE TRIAL” and “30-DAY MONEY-BACK GUARANTEE”, followed by Microsoft, Apple Store and Google Play app logos. The voiceover stated, “Search HMA VPN to start your free trial now.”
Issue

The complainant, who understood that banks had their own online security practices in place, such as HTTPS and encryption, and that HMA’s VPN service did not provide an additional security benefit in relation to online banking, challenged whether the ad was misleading.
Privax Ltd t/a HMA VPN said that although most banks had security measures in place, including HTTPS, it could not be definitively said that all banks had adequate security measures. They provided a link to an article on a website called www.netcraft.com which they said demonstrated how banks implemented HTTPS incorrectly. They said that over public Wi-Fi, users were vulnerable to ‘man-in-the-middle’ attacks, where someone could see the user’s browsing activity.
If a user connected to a website using HTTPS, a hacker would not be able to see what the user was doing on that website, but they would be able to see that the user was visiting that particular website. They said that this information was sensitive because it would let the hacker know who the user banked with.
This information could then be used by the hacker for bad purposes, such as phishing attacks. They said that HTTPS needed to be enabled on both the user’s browser and on the website they visited. If either the browser or website did not use HTTPS, the user’s browsing activity would not be encrypted. They said that their VPN software encrypted the data regardless of the browser used or the website visited.
With a VPN, the hacker would not be able to see the website that the user was visiting. HMA VPN said that even where a user’s browser used “HTTPS”, a “man-in-the-middle” would be able to hijack a user’s connection and re-direct them to a fake version of the website they were visiting, where they could be asked to provide sensitive details such as passwords and bank account details. While a browser could notify a user that the website they were visiting did not possess a security certificate to validly identify themselves, users often overrode this warning and used the website. They said that when using a VPN, this sort of attack was almost impossible.
Clearcast said that they were of the view that the ad was about the dangers of using the internet over unsecured public Wi-Fi. They were satisfied that HMA VPN added encryption to communications over public Wi-Fi. They said that although the ad included a reference to internet banking, it was about using the internet generally because the ad showed screen grabs from Kate’s phone, such as ‘You searched for shoes’, ‘Revisit our offer’ and ‘Special offer for Kate’ which were the messages people would receive when visiting retailers’ websites. They accepted that banks offered a level of security, but maintained that consumers would understand from the ad that it offered security from browsing the internet more generally. They considered that the ad was not materially misleading and did not exaggerate the capability of the service.
The ASA noted that the ad depicted several scenes where Kate used her laptop in public spaces, while the voiceover stated, “When she used internet banking on public Wi-Fi, she realised that others could be accessing her account” and “With HMA, your data is encrypted, to make it private and anonymous. So your browsing is safe, hidden from pesky hackers and scammers. Best of all, it works on any device”.
Based on that, we considered consumers would understand that online banking using a public Wi-Fi connection would make them vulnerable to hacking, data theft or phishing attempts and that HMA VPN offered an additional security benefit in relation to online banking. Therefore HMA VPN needed to demonstrate that using public networks for online banking posed security risks and that its VPN software provided additional security for online banking using a public Wi-Fi connection.
We noted the explanations from HMA VPN and Clearcast that public networks presented security risks and that the use of HTTPS encryption did not in all circumstances indicate that a connection was completely secure. We noted that advice from several cybersecurity operators as well as an independent consumer advice provider stated that while ‘HTTPS’ offered some security protection, using a public Wi-Fi network without a VPN posed additional security risks when used for online banking.
Though some public Wi-Fi hotspots were secure, many were not, which increased the chance of hackers eavesdropping on the data transmitted by users through the public Wi-Fi connection, for example where a user banked and, depending on other factors, potentially their login details. We therefore understood that the general consensus among security and consumer protection professionals was that online banking over a public Wi-Fi network posed a security threat and that a VPN internet connection provided an additional layer of security.
With regard to the software, we acknowledged that the product was designed to add an additional layer of encryption beyond the HTTPS encryption, which already existed on internet banking websites, to provide greater security from threats on public networks. We understood that using a VPN created a private connection which encrypted all data that passed through a public Wi-Fi network. We therefore considered that the impression given by the ad that using a VPN connection for online banking over a public Wi-Fi network added an additional security benefit to the HTTPS encryption offered by banking websites had been substantiated and was not misleading. We concluded that the ad did not breach the Code.
We investigated the ad under BCAP Code rules 3.1 (Misleading Advertising: “Advertisements must not materially mislead or be likely to do so.”), 3.9 (Substantiation: “Broadcasters must hold documentary evidence to prove claims that the audience is likely to regard as objective and that are capable of objective substantiation. The ASA may regard claims as misleading in the absence of adequate substantiation.”) and 3.12 (Exaggeration: “Advertisements must not mislead by exaggerating the capability or performance of a product or service.”), but did not find it in breach.
No further action necessary.