This post is part of a series reviewing the privacy policies of popular VPN services. The aim is to find out whether the VPN takes customer privacy seriously. This is not intended as a review of a VPN service, which would need to take into account a number of other factors. For more privacy guides and our criteria for reviewing them, click here.
“What data we collect: We will store a time stamp and IP address when you connect and disconnect to our VPN service together with the IP address of the individual VPN server used by you. We do not store details of, or monitor, the websites you connect to when using our VPN service."
Regarding the storing of your IP address, Hide My Ass says this:
"…Your IP address is logged by us so that we can prevent any spam, fraud or abuse of our Site and our services. We may store this data for up to two years, unless we are required, for legal reasons or under exceptional circumstances, to retain this data for an extended period."
So what does this tell us? Well Hide My Ass is not quite as bad as your ISP when it comes to logging data – i.e. it’s not recording the actual websites you visit. But it does know exactly when you log on to its servers and which servers you are using. The reasons it gives for this seem pretty innocuous - it’s true that most VPNs store some network data to prevent spam and troubleshoot network problems.
However, Hide My Ass also uses the phrase “to prevent abuse.” “Abuse” is one of those woolly terms that could be construed to mean a number of different things. This is combined with Hide My Ass’ worrying practice of storing its data logs for two years. Such a long time period is not needed for troubleshooting network problems and can only be useful in the aiding of surveillance efforts.
Presumably if an authority wanted to match up the times you connected to a server and the times that Hide My Ass server connected to a certain website, they may be able to determine what you were browsing. From there they could probably request Hide My Ass start logging your data (which is probably what happened in the Lulzsec case).
Hide My Ass is very upfront about how cookies work and the cookies it uses from third party advertisers. It’s also upfront about where it stores your data and that your data is transferred outside the EU, which means, in some cases, it’s not protected by the EU’s Data Protection Directive. But some of Hide My Ass’ data disclosure practices should set alarm bells ringing. Here’s what their policy says (Privax is Hide My Ass’ parent company):
5.1 In the event that Privax Limited becomes part of a group of companies, we may disclose your data to any member of such group, which means any subsidiaries of Privax, or its ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
5.2 We may disclose your personal information to third parties:
5.2.1 In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
5.2.2 If Privax Limited is, or substantially all of its assets are, acquired by a third party, in which case personal data held by it about its users will be one of the transferred assets; or
5.2.3 If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of service and other agreements; or to protect the rights, property, or our safety, our users, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
In other words, if another company buys Hide My Ass, all of your data will be transferred to them and they could theoretically do whatever they wanted with it. For a company selling a privacy service, this is worrying behaviour indeed and certainly sends out the wrong message. Any serious privacy service would not allow this to happen.
While Hide My Ass is clear and specific on the privacy issues within its policy, there’s a number of issues it does not address at all. This includes a lack of information concerning what the company will do if surveillance laws change in their jurisdiction. This is particularly problematic because Hide My Ass operates under UK law, and the UK is currently considering a major revamp of surveillance legislation. It would also be very useful to know what Hide My Ass will do if an authority requests information on a user and what happens if a DMCA notice is received, but this information is not clearly provided (though it is mention that the DMCA isn’t applicable under UK law).
To sum up..