VPN privacy policies decoded: Hide My Ass

Privacy & Security Posted on June 6, 2013

VPN privacy policies decoded: Hide My Ass

This post is part of a series reviewing the privacy policies of popular VPN services. The aim is to find out whether the VPN takes customer privacy seriously. This is not intended as a review of a VPN service, which would need to take into account a number of other factors. For more privacy guides and our criteria for reviewing them, click here.

Hide My Ass is arguably the most well-known VPN service on the market, offering both free and paid versions of its platform. The company faced strong criticism back in 2011 after it disclosed user data concerning a members of Lulzsec to the authorities. But what does it’s privacy policy actually say?

Data retention

Thankfully Hide My Ass' privacy policy is pretty specific and written in clear language that’s easy to understand. Hide My Ass runs a number of different services, but what we’re interested in firstly is the data retention policy for its VPN platform. Here’s what it says:

“What data we collect: We will store a time stamp and IP address when you connect and disconnect to our VPN service together with the IP address of the individual VPN server used by you. We do not store details of, or monitor, the websites you connect to when using our VPN service."

Regarding the storing of your IP address, Hide My Ass says this:

"…Your IP address is logged by us so that we can prevent any spam, fraud or abuse of our Site and our services. We may store this data for up to two years, unless we are required, for legal reasons or under exceptional circumstances, to retain this data for an extended period."

So what does this tell us? Well Hide My Ass is not quite as bad as your ISP when it comes to logging data – i.e. it’s not recording the actual websites you visit. But it does know exactly when you log on to its servers and which servers you are using. The reasons it gives for this seem pretty innocuous - it’s true that most VPNs store some network data to prevent spam and troubleshoot network problems.

However, Hide My Ass also uses the phrase “to prevent abuse.” “Abuse” is one of those woolly terms that could be construed to mean a number of different things. This is combined with Hide My Ass' worrying practice of storing its data logs for two years. Such a long time period is not needed for troubleshooting network problems and can only be useful in the aiding of surveillance efforts.

Presumably if an authority wanted to match up the times you connected to a server and the times that Hide My Ass server connected to a certain website, they may be able to determine what you were browsing. From there they could probably request Hide My Ass start logging your data (which is probably what happened in the Lulzsec case).

Data disclosure

Hide My Ass is very upfront about how cookies work and the cookies it uses from third party advertisers. It’s also upfront about where it stores your data and that your data is transferred outside the EU, which means, in some cases, it’s not protected by the EU’s Data Protection Directive. But some of Hide My Ass' data disclosure practices should set alarm bells ringing. Here’s what their policy says (Privax is Hide My Ass' parent company):

In other words, if another company buys Hide My Ass, all of your data will be transferred to them and they could theoretically do whatever they wanted with it. For a company selling a privacy service, this is worrying behavior indeed and certainly sends out the wrong message. Any serious privacy service would not allow this to happen.

Missing information

While Hide My Ass is clear and specific on the privacy issues within its policy, there’s a number of issues it does not address at all. This includes a lack of information concerning what the company will do if surveillance laws change in their jurisdiction. This is particularly problematic because Hide My Ass operates under UK law, and the UK is currently considering a major revamp of surveillance legislation. It would also be very useful to know what Hide My Ass will do if an authority requests information on a user and what happens if a DMCA notice is received, but this information is not clearly provided (though it is mention that the DMCA isn’t applicable under UK law).

To sum up..

Hide My Ass' privacy policy is well written, clear and honest in places. However, it also overlooks a number of key privacy-related issues and reveals a very worrying data sharing practice. There’s also serious concerns over of the length of time Hide My Ass stores user data.  

Privacy
We invite you to discuss this post in our Reddit community or on Twitter. You can also send your feedback to blog@ivpn.net.

7 Comments

Baneki Privacy Labs

22.07.2013

There’s a critique of the HMA ToS over at Cultureghost’s customer forum:

https://www.cryptocloud.org/viewtopic.php?f=17&t=2769&p=3761#p3761

Their ToS are as bad as any we’ve seen in the industry. Still.

Jimmy

23.07.2013

HideMyAss is a great piece of software, but their privacy policy is indeed a little worrying…

Would you keep using it, or would you switch to another solution?

Ritz

09.08.2013

Hey Dennis,

Thanks a bunch for this and other useful articles. After reading you articles only I came to know about the “real” online privacy. Thanks a bunch buddy!

As for HMA, I’ve been their user for over an year now, but hey, NO MORE!! After knowing their so-called privacy services/promises for/to their users, I DON’T TRUST THEM (yeah, “sellmyass” name suits them the best!).

Now I’ll be choosing between IVPN or AirVPN only (the providers that really does take privacy of their users seriously!). However will always love to read more of your articles and gain knowledge.

Keep up the good work and best of luck!

Best regards,

Ritz

Dundale

24.10.2013

I would not use this service anyway plus the name is silly and not pg for most people who do not like language even to this degree.

Phillipe Gratneau

30.12.2013

I used HMA before but because of Privacy Policy and logging I changed to ExpressVPN through vpnepress.net website. They also have great information on privacy and VPN options that users don’t know about.

matt

14.03.2014

I used hma for 1 year and thought the service was worth it.

The logging was distressing but not known at the time of signup.

I did recieve a copyright complaint, and was temporarily suspended

until I responded that it “wouldn’t happen again”.

Moving on to another more privacy minded vpn.

Chris

04.09.2014

I contacted a major car manufacturer using my HMA email because I didn’t want to be inundated with emails from the company’s agents. And guess what - HMA sold my personal address to them. THAT’S incredibly annoying and I would not recommend HMA.
IVPN News

Independent security audit concluded

By Nick Pestell

IVPN News

IVPN applications are now open source

By Viktor Vecsei

Releases

Beta IVPN Linux app released

By Viktor Vecsei

IVPN TunnelCrack vulnerability assessment Privacy & Security

IVPN TunnelCrack vulnerability assessment

Posted on September 7, 2023 by IVPN Staff

Context TunnelCrack is the combination of two independent security vulnerabilities (LocalNet attack and ServerIP attack) that affect VPN applications. The research paper detailing these vulnerabilities was published and presented on 11 August 2023. IVPN apps were not tested by the researchers, and unlike other providers, we did not receive a vulnerability disclosure.
Most people don't need a commercial VPN to work from home securely Privacy & Security

Most people don't need a commercial VPN to work from home securely

Posted on April 7, 2020 by Nick Pestell

Many small businesses and their employees are concerned about the security of their data whilst working from home during the coronavirus pandemic. We see a lot of confusion surrounding this topic, even from fairly technical folk and there is unfortunately a lot of misinformation being spread by commercial VPN providers themselves.
Spotted a mistake or have an idea on how to improve this page?
Suggest an edit on GitHub.