After writing my first VPN service review a couple of weeks ago, I asked my readers "what other VPN services" I should evaluate. A much-requested one was HideMyAss (HMA), so here is that review.
You can't evaluate VPN service providers without seeing HideMyAss. They have ads everywhere. My first experience with HMA was through a 1-month free offer provided by Anonabox.
Most security blogs and posts on review sites give HideMyAss a poor rating because they have (allegedly) turned over user log information to authorities (without putting up a fight). Others complain that the service is "feature light".
HideMyAss has a massive network of termination points (one of the biggest in the world).
HideMyAss has increased its prices over the years and has a single-tier plan (i.e. you don't pay for usage volume or number of connected devices).
Your commitment term determines your monthly price. At $6.99 for 12 months, they are competing with the likes of VyprVPN and ProtonVPN. HideMyAss is almost double the price of Internet Private Access (IPA), which is regarded as one of the best from a privacy-guarding perspective. Another much more popular cheaper alternative is UnlimitedVPN.
Once a season, HideMyAss does run a 50% off promo, so...
The first major feature is the sheer size of its VPN network. HideMyAss offers 720+ VPN servers in 320+ locations in 190+ countries.
Now we get to the feature-light part of our program. HideMyAss VPN supports two simultaneous connections per subscriber. ProtonVPN supports 2 with its $4 a month basic plan. VyprVPN supports five simultaneous connections with its $6.67 a month plan. VPN Unlimited is offering a $49.99 lifetime plan with support for five simultaneous connections.
HideMyAss supports OpenVPN, PPTP and L2TP.
People who buy HideMyAss aren't power users but people who are looking for a "simple" VPN solution with an extensive termination network. They support terminations in locations like Serbia and Malawi.
Is HideMyAss Secure and Private?
Many security forums and Reddit threads discuss how HideMyAss (allegedly) turns over user data to police with little pushback. The most prominent example of this accusation is a 2011 situation where it is believed HMA turned over user information for Cody Kretsinger. Cody Kretsinger was a member of LulzSec and was arrested by police for hacking Sony Pictures (he was convicted of the crime).
There are dozens of other such claims; just do a quick Google search.
Reading the End User License Agreement, you learn that HideMyAss (Privax) is a UK company and is now owned by Avast (a Czech company). The UK is not known as a haven for privacy (e.g. the Snoopers' Charter). Most UK providers must maintain rich metadata logs.
The HideMyAss privacy statement for their VPN service says "We will store a time stamp and IP address when you connect and disconnect to our VPN service, the amount data transmitted (up- and download) during your session together with the IP address of the individual VPN server used by you. We do not store details of, or monitor, the websites you connect to when using our VPN service. We collect aggregated statistical (non-personal) data about the usage of our mobile apps and software." HMA claims this information is kept for 2 to 3 months but the UK Investigatory Powers Act requires that this type of information be kept for 12 months.
Does HideMyAss allow Peer2Peer networking? The answer is yes for legal content and no for illegal content. Here is an example of a Reddit thread where a user claims HMA cut off his service for downloading copyrighted content. In this thread, a user called neonovo says "Yes, two dmca notices from the vpn hide my ass, which as they did not hide my ass I did some much-needed research and found btguard."
If you want to download torrent based content (legal of course), you should check out the list of torrent friendly providers maintained by TorrentFreak.
Is HideMyAss secure?
I emailed HideMyAss support asking for details about its encryption technologies and was directed to this support write-up. This write-up does not answer any of my questions about what cyphers are used and how. I believe some of their protocols (like L2TP) use pre-shared keys (which is a bad thing).
Without any additional information, I have to assume the worst and say "I don't consider HideMyAss secure at this point". My starting position is to assume technology is insecure unless proven otherwise.
I could not find DNS leak protection as an option in the Windows client, but my tests showed that it did not leak DNS information.
Assuming everything above didn't scare you away, you may be wondering about performance. Anytime I perform a VPN test, it is done using a 100MB fibre connection (<10ms ping) with a cleanly installed and patched Windows 10 computer connected directly to the internet connection.
Some HideMyAss connections had excellent performance, and others cut my throughput by more than 50%. Through trial and error, you will be able to find the servers that work best for you, but there is no automated performance cataloguing function.
One item I will add here is the ability to get US Netflix. I test this with every VPN and Netflix never works, except this time it did with one of the US servers I tested. Since it did not work consistently, I am assuming there were a couple of IP addresses Netflix hadn't catalogued as VPN yet.
I don't use VPN to hide illegal activities. I use VPN to protect my privacy when I am using untrusted networks or from my ISP [read Your ISP is tracking you]. With everything that I learned during this review, I can't recommend HideMyAss. There are so many better options (in my opinion) that you shouldn't settle for a company that doesn't go the extra mile.