WHAT’S IN THIS REVIEW?
As the name implies, HideMyAss (HMA) is marketed as one of the best VPN providers if you’re hoping to obfuscate your connection. When it comes to speeds and streaming they promise the world, but how does it measure up in reality? Are they really ‘the biggest VPN network in the world’ as they claim?
Here’s everything you could possibly need to know about HMA, with lots of information about the service found in our extensive review.
HideMyAss is an extremely popular VPN provider, perhaps due to an eye-catching name which helped them to gain a solid foothold in the market during the early 2010s. They’ve since rebranded to ‘HMA VPN’, and are currently owned by Avast.
They have made a number of grandiose claims in recent years, although they do offer superior speeds, as well as access to key streaming platforms worldwide. They’re now audited, and HMA updated their ‘no logs’ policy in 2020.
They’re held back by flaws which we’ll get into below, but it’s perfect if you’re looking for a VPN to compliment your online entertainment needs. However, despite some improvement in recent years, they’re still lacking when it comes to protecting their users’ privacy.
HideMyAss was created by a sixteen-year-old student from the UK in 2005. Jack Cator wanted to circumvent restrictions his school had on accessing games and music websites from their network and used open-source code to do so. Numbers quickly began to grow, and the service had 10 million users and 215,000 paying subscribers of its VPN service as of 2014.
A genuine success story, HMA was acquired by AVG Technologies for ‘$40 million with a $20 million earn-out upon achievement of milestones in 2015’. HMA became part of Avast after its 2016 acquisition of AVG Technologies, which is where we are in terms of current ownership today.
It’s been a wild ride, but is there any link to Cator’s original aim? HideMyAss is still one of the better VPNs if you want to access blocked websites, but Avast has faced a number of recent controversies surrounding privacy and the collection of user data.
Put simply, their browser extensions were discovered to be collecting detailed user data, including browsing history and behavior, and sending it to a remote server. They collected this information about their 400 million users, repackaging it “into various different products that are then sold to many of the largest companies in the world.”
In full damage limitation mode, Avast CEO Ondřej Vlček released a blog post in January 2020:
“I’d like to take this opportunity and address the situation regarding Avast’s sale of user data through its subsidiary Jumpshot. Avast’s core mission is to keep people around the world safe and secure, and I realize the recent news about Jumpshot has hurt the feelings of many of you, and rightfully raised a number of questions – including the fundamental question of trust.”
Vlček went on to mention they had decided to ‘terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect’, but in his own words, there are too many questions of trust raised to be able to recommend Avast’s products from a privacy standpoint.
Pros & Cons
We’ve weighed up the pros and cons, giving you a bite-size overview of what to expect from the HMA VPN.
HMA VPN knows its strengths and hones in on them. Below we lay out the main pros HideMyAss includes in its service:
- HMA has an extensive server network, including coverage in Asia and Africa
- Great for streaming, including Hulu and US Netflix
- Seven-day free trial
- Clean and crisp UI
- A variety of extra features such as a kill switch and automatic connection to the fastest server based on location
- Good customer service
- Free proxy service
Despite excelling in performance, HMA has its own drawbacks worth considering:
- Lack of flexibility for payment options, forcing the user to commit long-term
- Owned by Avast, who have had issues with privacy in the past
- Disclosed “root IP addresses and email addresses” twice in 2020
- Limited configuration options
With more of a focus on speeds and streaming, HMA isn’t laden with many additional features outside of making sure it all works quickly. They’ve obviously aimed to make it especially easy to use, including labeled P2P servers and the ability to connect to the fastest possible server with a few clicks.
Here are some of the extras you’ll find with the HMA VPN service.
A feature you’ll find with any competent provider, a kill switch will disconnect your device from the internet if you lose connection to the VPN server unexpectedly. HideMyAss ran for over 24 hours without dropping during testing, but it’s a nice feature to have nonetheless.
In comparison to a traditional VPN connection, the IP Shuffle feature goes one step further by randomly changing the IP address during your VPN session. HMA claims that this ‘makes it harder for hackers, trackers, and attackers to pinpoint your location’.
If you’re overly suspicious, you can set a custom range, switching the IP address every few minutes. However, when the system switches from one IP to another, you’ll be disconnected from the VPN for a few seconds each time. As such, you’ll need to keep the kill switch on to hide your IP address.
You’ll be connected within the same region, so IP Shuffle is a great addition if you want to keep it moving.
Lightning Connect & Speed Test
‘Lightning Connect’ can be used to automatically select the fastest server based on your location. It’s better than doing so manually, and you’ll always be getting the best speeds possible.
On that note, HMA also has an inbuilt speed test, if you’d like to choose from a range of the best available options. We’ve checked it out in detail below, which can be found in the Speed Stats section.
- 12 months: $2.99 per month
- 36 months: $4.99 per month
- Free Trial: 7 days
As with many other VPN providers, HideMyAss has split their service into a couple of separate plans, with the price varying depending on the amount of time you’re willing to commit to.
There’s a choice between either a 12-month or 36-month contract, which doesn’t offer any real flexibility. (Many VPNs charge a lot for one month, but at least there’s an option to do so in the first place.)
What HMA does offer is the incentive of highly discounted prices, although you’ll have to pay for the entire contract up front. If you need 10 simultaneous connections rather than five, there are also further savings to be made.
In terms of a refund, you can take advantage of their 30-day guarantee, in which ‘you get your money back, no questions asked.’
HMA also has a free trial, which can be used for seven days. However, you’ll be billed for their shortest contract at the end.
HideMyAss has a simple logging policy which can be found on their website. It states;
“We collect only approximate connection and disconnection times, duration of visit, and bandwidth usage. This information is for diagnostic purposes and helps us prevent abuse.”
That’s more information than is necessary, and it’s slightly obtrusive when all things are considered. For example, they mention that they keep no records of timestamps of your connections, but they do record approximate data, which is essentially the same thing.
HMA’s logging policy claims were backed by cyber-risk consulting firm VerSprite following an independent review in 2020. Their CEO, Tony UcedaVélez, is quoted on the HMA website where he discusses their work with the VPN:
“We worked to help validate the assurances made from the no-logging policy and helped them understand the nature of the risks identified so that they could improve the product’s overall privacy level.”
It’s definitely a step in the right direction, although I couldn’t find a report from the consultancy firm itself.
Meanwhile, the LulzSec fiasco that happened a decade ago still hangs over the company. When an HMA user hacked Sony’s servers, he was thrown to the wolves. Here’s the HMA response from the time:
“It first came to our attention when leaked IRC chat logs were released, in these logs participants discussed various VPN services they use, and it became apparent that some members were using our service. No action was taken, after all there was no evidence to suggest wrongdoing and nothing to identify which accounts with us they were using.
The now-notorious post has been used as a stick to beat the company with ever since, and is a clear reason to give it a miss from a privacy standpoint.
They hope the audit will work to change hearts and minds, and note; “As of April 2020, HMA is a fully No Log VPN provider”.
It’s hardly the most trustworthy standpoint to begin with, and they’ll need to work hard if they want to regain any credibility in the online privacy sector. The audit is certainly a step in the right direction, but it’s not enough to make it a viable option as of now.
HMA claims to be one of the fastest providers on the market. In fact, they boast of speeds of up to 20 Gbps, which is insane if true.
For example, 1 Gbps will see you downloading data at a rate of 112.06 MB/second. At this speed, you can download a 500 MB video conference in roughly 4 seconds. (Now times that by 20.)
HideMyAss has an inbuilt speed test, which I decided to check for myself. Results are found below:
According to the app, there were a number of high-speed servers to choose from in a host of European locations, so I should have seen similar speeds when compared to my normal connection.
For parity, here are baseline stats while connected to Wi-Fi on a busy Saturday morning without a VPN:
I connected to one of the optimal HMA London servers and ran the test again, expecting to see similar results in terms of pure numbers:
Download speeds of 183 Mbps are undeniably fast enough to get the job done, but a significant drop of over 100 Mbps wasn’t what I was expecting. (I ran the test again the next day, and it rose to roughly 240 Mbps, but there will be strain at peak times.)
Next, I checked one of their US servers, which is optimized for streaming:
Both download and upload speeds were pretty impressive, and not especially far away from my baseline download speed of 300 Mbps. It’ll certainly be good enough to stream 4K content if you so wish.
Despite a few mixed results, HideMyAss scores highly in terms of pure speeds. Servers in regions such as Africa and the Middle East are useful and also lightning-fast. For example, here are the stats while connected to Egypt:
However, all is not necessarily what it seems when it comes to the HMA server network.
Server Locations & Network
HMA appears to have one of the most comprehensive networks on the market, with over 1,060 servers found in 290+ locations across 210 countries.
The majority of their servers are found in key locations such as Germany, the US, and the UK, but there’s a good mix of smaller countries and territories included. This includes the likes of Somalia and many others that are traditionally disregarded by VPN providers.
In fact, no region is left untouched, and HideMyAss deserves credit for ensuring that there are VPNs and servers found in some of the farthest regions of the world.
Better still, we’ve noted that HMA really does have some of the fastest VPN servers, so you’ll be able to connect with no issues as long as you have semi-decent speeds to begin with.
It’s worth mentioning that many of HMA’s servers are of the virtual variety. This means that the server is actually physically located outside the country they claim to be in, but it can still use that country’s IP address so it appears as though you’re connecting to the region in question.
Virtual servers can be a problem for a range of security-related reasons, such as your information being sent to different jurisdictions than the ones you would expect to be processing your data.
Restore Privacy looked into HMA’s use of virtual locations and concluded that “less than half of reportedly non-virtual locations are physically plausible”.
In other words, their network isn’t as impressive as it seems, although there’s no denying the speeds they can offer.
Streaming & Torrenting
Streaming is a major plus for HideMyAss. They have committed to ensuring that their service can be used to unblock numerous popular platforms, and they’ve made it easy to locate the best servers to get the job done.
The UK-based Donkey Town server unblocked BBC iPlayer with no issues, adding a Play button that couldn’t be found with their normal servers.
The same goes for US streaming sites, including Netflix and Hulu. If you do run into any issues while attempting to unblock a website, the IP Refresh feature should give you access with a click or two. HMA definitely scores highly here.
“Our VPN does support torrenting as this is a legitimate technology for sharing data over the internet. However, we do not support the use of torrenting to share copyright material illegally.”
Censorship is a bit of a mixed bag. On the one hand, HideMyAss pulled out of Russia in 2019 following an email from Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology, and Mass Media). They were asked to block any websites that appeared on a Russian federal government blacklist and were one of 10 providers that were ordered to begin interfacing with the FGIS database immediately.
HMA noted their position in a blog post:
“They’ve already approached the locations that host our servers and demanded access to them, and sooner or later they would start demanding we give them a backdoor to see exactly what goes through our service.”
Then again, Avast released a transparency report, last updated in November 2020. The table below shows all government requests seeking access to Avast customer data that they received in 2020:
“We have had 76 requests from law enforcement agencies. The countries that requested data for criminal investigations were United Kingdom (13 requests), United States (16 requests), Spain (5 requests), Germany (9 requests), Belgium (1 request), Brazil (1 request), Czech Republic (11 requests), France (15 requests), Hungary (2 requests), Singapore (2 requests), Italy (1 request). From these requests, we disclosed data 1 time in the United Kingdom and 1 time in the United States. The data we disclosed in these instances were root IP addresses and email addresses.”
It’s not ideal, and looks worse when you see that they had a disclosure rate of 39% for HMA in 2017. In other words, of the 102 requests received, they gave up information 40 times.
Platforms & Devices
Native HideMyAss platforms:
HMA is available on a typical range of desktop and mobile devices, as noted above. They allow for an unlimited number of installs, but that comes with an important caveat. As they note;
“Installing HMA VPN isn’t quite the same thing as “using” HMA VPN. While it can be installed on any number of devices, you can only have it turned on in up to 5 devices at the same time, or 10 with our friends and family plan.”
Five simultaneous devices isn’t especially generous, and you’ll have to pay extra if you want to take advantage of their ‘friends and family plan’. A 12-month plan with five connections is advertised at $4.99 per month, and 10 is priced at $7.99 per month.
You’ll also be able to connect the VPN with compatible routers, along with game consoles and other devices on your network.
Encryption & Security
HMA scores well in terms of encryption and security features. It works differently depending on your OS, as they explain in detail:
“HMA uses only the highest encryption standard: 256-bit AES. On Windows and Android, we implement it with the OpenVPN protocol in Galois Counter Mode (AES-256-GCM), with 4096-bit RSA keys for handshakes, authenticated with SHA256. On Mac and iOS, we implement it with IKEv2/IPsec, built atop Apple’s own stack, to ensure the best compatibility.”
This means that Apple devices don’t use the popular OpenVPN protocol, while there’s no support for the up-and-coming WireGuard. It’s a shame, as the experimental WireGuard protocol could offer improved performance and bandwidth when compared to the widely used IPsec and OpenVPN options.
More flexibility in terms of choosing different protocols would be great, but it’s unlikely to affect the average user who just wants to watch the latest shows. In any case, HideMyAss is undeniably secure no matter which device you decide to use.
When coupled with features such as the kill switch and the ability to change your IP address at selected intervals, it makes for a strong package.
On the surface, HMA has a lot going for it. The speeds are legendary, while their server network is second to none, despite the use of virtual versions to pad numbers. Then there’s the ease of use, coupled with the ability to unblock any streaming platform worth watching. It’s also highly affordable, despite issues relating to contract length.
It’s when you start to dig a little deeper, that questions are raised in terms of what they plan to do with your data, as well as their willingness to adhere to information requests about their users.
It was their free antivirus software rather than a VPN, but HideMyAss owner Avast was caught selling user data less than 12 months ago, and it would be incredibly naive to give them the benefit of the doubt so soon after the fact.
HMA does score highly in terms of encryption and security features, and the recent audits are certainly a step in the right direction. Releasing a transparent report is the next logical step, and should help to repair any reputational damage suffered over the last few years.
It hasn’t veered away from the original aim, which was to provide a way to unblock websites and bypass online restrictions. However, they are somewhat lacking from a privacy perspective, so a recommendation depends on what you plan to use the VPN for.
It’s perfect for streaming, but HMA is probably not the best choice from a censorship perspective.