Douglas Crawford

June 20, 2018

HideMyAss is a big-name Virtual Private Network (VPN) provider. Within the VPN industry, however, HideMyAss (HMA) has a poor reputation. This is largely down to a history of it handing the extensive logs it keeps on customers over to the authorities, but it is also plagued by consumer dissatisfaction with the quality of the service provided.

There is also no getting away from the fact that the service is very feature-light.

What HideMyAss does have going for it, however, is a huge number of servers located in just about every country imaginable. No other VPN company has anything like this scale of network. Our latest speed test results are also quite impressive.

This makes HideMyAss a compelling proposition for the limited subset of VPN users who might need either access to a huge range of VPN server locations, or access to a VPN server in a country that only HMA serves.

Pricing and Plans

HideMyAss has slightly increased its prices since last time we reviewed it. It offers one simple “all-in” plan, which now starts at $11.52 per month. This price goes down for six or 12-month subscriptions, dropping to $6.56 per month for the annual subscription.

At time of writing, a summer sale is underway. This provides savings of up to 56% (annual subscription) on the prices listed above.

A 30-day money back guarantee is available, but there are important restrictions on this. Most notably, you may not exceed 10GB of bandwidth. It is worth noting that this guarantee does not cover purchases made via Google Play or iTunes. Please also see the comments section beneath this review, as many readers report not receiving a refund to which they felt entitled.

Please also be aware that auto-renewal of subscriptions is enabled by default, and must be manually changed via the online account control panel.

Payment is via credit/debit card, PayPal, iDEAL, bank/wire transfer, UnionPay and SOFORT banking. No Bitcoin payment option is available, but then HMA is not a service to use if privacy matters to you anyway.

Features

A HideMyAss subscription offers the following features:

  • 720+ VPN servers in 320+ locations in 190+ countries
  • Five simultaneous connections
  • Supports OpenVPN, Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) VPN protocols
  • 30-day money-back guarantee (but with important limits)

That is an impressive number of server locations, and they are scattered all over the world. This includes exotic locations such as the Falkland Islands, Papua New Guinea, Malawi, Serbia, and many more.

HMA otherwise offers a very feature-light service, and the two simultaneous connections is miserly.

Privacy

HideMyAss is infamous within the security community for handing over data on its customers to the police.

The most well-known incident occurred in 2011, when HMA handed over internet records and personal details of one of its customers, Cody Kretsinger, to the police. Kretsinger was a LulzSec member accused of hacking the Sony Pictures website, and received a prison sentence for his involvement in the crime.

A similar incident also occurred last year in Galveston County, Texas, when a disgraced judge was arrested and forced out of office for harassing an ex-girlfriend. The culprit had hidden his real IP address using the HideMyAss VPN service, which the provider clearly must have handed over as evidence to Texas police.

Logs

Although now owned by Czech company Avast Software, HMA is a UK-based service. The UK now has the most draconian surveillance laws in the world.

Even before the Investigatory Powers Act (IPA) “formalised” the situation into law, UK VPN providers were required to maintain detailed connection (metadata) logs. These are now readily accessible to the police and a vast array of government agencies (at least in theory). According to HideMyAss’ privacy policy:

“We will store a time stamp and IP address when you connect and disconnect to our VPN service, the amount data transmitted (up- and download) during your session together with the IP address of the individual VPN server used by you.”

As we can see from the incidents noted above, this is more than enough logging to get you into trouble if you do something wrong. HMA says that logs are usually kept for two to three months, but the new Investigatory Powers Act legally requires that logs are kept for at least 12 months.

Update November 2017: HMA has provided the following response to these comments:

“HideMyAss! does not monitor the websites our customers connect to, or any of the data sent over our network.

 As a network operator, we take our responsibilities to our users and society as a whole very seriously. HideMyAss! is deeply committed to the belief that everyone has a right to keep their online activities private, secure and have the freedom to access the internet wherever they are in the world.

 Our acceptable use policy states that our service is not to be used for illegal activity. We are based in London so operate within the framework of EU and English law. We follow strict data protection regulations and we are only obliged to co-operate with disclosure requests in very specific circumstances described in our logging policy.

 Our VPN service, as with VPN services in general, is not designed to be used to commit illegal activities. Paying a subscription fee to a VPN service does not mean a user is entitled to break the law and not suffer any consequences as a result of their actions.

Being able to locate users if legally compelled to do so is imperative in order for HMA! to maintain the HMA! VPN service, because a VPN service risks losing server contracts if it cannot take action to prevent abuse, fraud or other unlawful activities such as spamming, terrorism and child pornography.

 We keep logs of the data, described in our logging policy for between 2 and 3 months unless any limited circumstances apply.  The data is stored on our secure servers, and may be transferred and stored at a destination outside the European Economic Area, as described in the privacy policy. We only log the time users connect and disconnect from our service, and we do not log users’ actual internet traffic. Please see our logging policy on our website for more details.”

I can only say that this logging policy is not consistent with UK law as enacted by the IPA. HMA tells me that it has never been approached about this. Given the current political upheavals in the UK, I am quite willing to believe that the government has not (so far) seen enforcing the IPA as a priority.

Peer-to-peer (P2P) torrenting

HMA permits legal torrenting, but not downloading copyrighted material. HMA says that if it receives a Digital Millennium Copyright Act (DMCA) complaint or similar, it will not hand over your identity. Repeated complaints, however, may lead to your account being suspended.

Anecdotally, I have heard reports from HMA users who have received warnings over copyright offenses from their Internet Service Provider (ISP) or copyright holders after using the VPN for torrenting.

Security

On its website, HMA says,

OpenVPN is using OpenSSL with algorithms 3DES, AES 256, RC5, 256 bit encryption for control channel (e.g. password, authentication, etc.).

This is meaningless techno-babble written by someone who knows nothing about encryption. Support was also unable to shed light on the issue, but I have since talked to HMA’s management. CyberGhost uses the following encryption:

Data channel: a Blowfish 128-bit cipher with HMAC SHA-1 hash authentication. Control channel: an AES-256 cipher with RSA-2048 handshake encryption and SHA-1 hash authentication. Perfect forward secrecy is provided courtesy of a Diffie-Hellman key exchange.

OpenVPN Encryption

  • Data channel cipher: Blowfish-128
  • Control channel cipher: AES-256
  • Data Auth: HMAC SHA1
  • Handshake: RSA-2048
  • Forward Secrecy: DHE

Logs & Legal

  • Connection: Extensive
  • Traffic: None
  • Country: UK

Please see VPN Encryption: The Complete Guide for a detailed discussion on OpenVPN encryption, but the TL;DR is that this is a secure OpenVPN setup. Data channel encryption is a little weak, but this doesn’t really matter too much as an adversary would need to crack the control channel encryption just to get to it.
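To check what a provider's OpenVPN profile actually requests for the data channel, the following added example (not from the original review or from HMA) parses a client config and flags the Blowfish and SHA-1 settings listed above. The sample profile, the hostname vpn.example.net and the function names are constructed for illustration.

```python
SMALL_BLOCK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}  # 64-bit block ciphers
LEGACY_AUTH = {"MD5", "SHA1"}
# Documented defaults of OpenVPN 2.4 and earlier when the directive is absent
# (cipher negotiation between newer peers can override the cipher).
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1"}

SAMPLE_OVPN = """\
# constructed sample, not a real provider profile
client
dev tun
proto tcp
remote vpn.example.net 443
cipher BF-CBC
auth SHA1
<ca>
(constructed placeholder, certificate omitted)
</ca>
"""

def parse_ovpn(text):
    """Map each directive to its argument list, skipping comments and inline <tag> blocks."""
    opts, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:  # inside an inline block such as <ca>...</ca>
            if line == f"</{block}>":
                block = None
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            continue
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        opts[name] = args
    return opts

def audit(text):
    """Return (effective data channel settings, findings to review)."""
    opts = parse_ovpn(text)
    eff = {k: (opts.get(k) or [d])[0].upper() for k, d in DEFAULTS.items()}
    findings = []
    if eff["cipher"] in SMALL_BLOCK:
        findings.append(f"cipher {eff['cipher']}: 64-bit block cipher on the data channel")
    if eff["auth"] in LEGACY_AUTH:
        findings.append(f"auth {eff['auth']}: legacy hash for HMAC packet authentication")
    if "cipher" not in opts:
        findings.append("cipher not set: client falls back to the default")
    return eff, findings
```

Run `audit()` on the text of the `.ovpn` file your provider supplies; an empty findings list means neither of the two data channel weaknesses was requested by the profile.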

Although I usually concentrate on the OpenVPN encryption used by VPN providers, I did notice that L2TP/Internet Protocol Security (IPsec) connections use a pre-shared key to authenticate connections (“HideMyAss”!). This is usually considered a big no-no, but HMA assures me it is not a problem because your username and password provide additional authentication.

The Website

The bright yellow aesthetic and cartoony branding of the HMA website does not work for me, but that is a purely subjective assessment. An FAQ is available, which does have some useful-looking articles. As already noted, though, the page on encryption is almost laughably bad.

On the plus side, the HMA website is available in a variety of languages, which is nice.

Support

Support is via live chat or a ticketed email system. I had to wait a few minutes for the live chat staff to respond to my queries, but it was friendly enough when it did.

I do not expect frontline live chat staff to have deep technical knowledge, so was happy for my more difficult questions regarding encryption to be elevated via ticketed email for attention by a more knowledgeable staff member. Unfortunately, my ticket was never answered…

The Process

Signing up

In order to subscribe, you must provide a valid email address and payment details. As already noted, it is not possible to pay for HMA anonymously. Once payment has been processed, the desktop client will auto-download.

Guides are also available for setting up manually on other platforms.

The Windows Client

The Windows software looks surprisingly reserved when compared to the website! I like the clean interface.

Instant Mode automatically connects you to a server chosen by HMA. Although I am in the UK, this turned out to be in France. Freedom Mode connects you to a server in the closest free speech country. In my case this was the UK.

HideMyAss offers an almost insane number of server and server location options!

Preferences are fairly basic, and there is no kill switch. I was told that, “As for DNS leak, we don’t have that issue,” but was then referred to a webpage offering advice on what to do if you have a DNS leak!

That said, as we can see later, I did not actually encounter any DNS leaks. So who knows?

The client is OpenVPN only, although you can choose between OpenVPN User Datagram Protocol (UDP) or OpenVPN Transmission Control Protocol (TCP), presumably using TCP port 443. This can be useful for evading VPN blocks. Since OpenVPN is the VPN protocol you should be using anyway, I do not consider lack of other options in the client to be an issue.

Performance (Speed, DNS, WebRTC, and IPv6 Tests)

According to our new scientific speed tests, Hide My Ass scored as follows – Average Speed: 30.37 Mbit/s Max Speed/Burst Result: 180.7 Mbit/s. These are impressive results, and put HMA in fourth place overall of the providers we have tested, and in first place in terms of burst results.

Although I am a little confused over whether the Windows software includes DNS leak protection features, I detected no DNS or other IP leaks. Please note, though, that my ISP (Virgin Media UK) does not support IPv6 connections. I am therefore unable to test for IPv6 leaks at this time. This is a situation that should change in the near future.

I was able to access US Netflix using HMA with a US server, and (update November 2017) I am assured BBC iPlayer can be accessed through the server called “Donkey town.”

Other Platforms

HMA offers custom software for Windows, Mac OS, iOS, and Android. Unlike the Android app, the iOS app uses the IPsec VPN protocol. A command line script is available for configuring OpenVPN in Linux.

Manual setup guides for the various VPN protocols supported by HMA are also available for a number of platforms. This includes for Boxee, a selection of routers, Windows Mobile and so forth. It is also possible to buy pre-configured HideMyAss routers from FlashRouters.

The Android App

Assuming that you don’t mind the usual HideMyAss aesthetic, the Android app is pretty smart looking.

It uses the OpenVPN protocol.

Android users gain access to HMA’s huge server list.

For some reason Paranoid Mode connected me to a server in Ireland! All-in-all, the app is very polished and works well.

Conclusion

I liked:

  • Huge number of servers located just about everywhere
  • Android app is good
  • Fast servers are available
  • US Netflix and BBC iPlayer available
  • Great speed test results
  • No IP leaks
  • 5 simultaneous connections

I wasn’t so sure about:

  • 30-day money-back guarantee, but there are important restrictions on this, as well as reports of people not receiving refunds they are entitled to

I hated:

  • Based in UK with a past history of betraying users
  • Many connection logs
  • P2P: no (technically speaking, legal torrenting is allowed)
  • Support did not answer more technical questions

Despite a high profile among VPN consumers, HideMyAss is poorly regarded by those in the know. A big reason for this is its history of betraying users to the authorities. It could be argued that being based in Britain means that HMA has little choice in such situations, but whatever. It is not a service that you can trust with your privacy.

Next to PureVPN, HideMyAss is also the service that BestVPN.com has received the most complaints about. These center on poor customer service, not honoring its money back guarantee, and poor speed performance. I was therefore a little surprised to see rather good speed test results!

The main reason to choose HMA is the size and diversity of its VPN server network. It has servers in over 190 countries, so if you really need a VPN server in the Cook Islands, Equatorial Guinea, Haiti, Lebanon, or a host of other unusual locations, then HideMyAss is pretty much the only option available.