VPN privacy policies decoded: Hide My Ass
Privacy & Security Posted on June 6, 2013
This post is part of a series reviewing the privacy policies of popular VPN services. The aim is to find out whether the VPN takes customer privacy seriously. This is not intended as a review of a VPN service, which would need to take into account a number of other factors. For more privacy guides and our criteria for reviewing them, click here.
Hide My Ass is arguably the most well-known VPN service on the market, offering both free and paid versions of its platform. The company faced strong criticism back in 2011 after it disclosed user data concerning a member of Lulzsec to the authorities. But what does its privacy policy actually say?
Data retention
Thankfully Hide My Ass’ privacy policy is pretty specific and written in clear language that’s easy to understand. Hide My Ass runs a number of different services, but what we’re interested in firstly is the data retention policy for its VPN platform. Here’s what it says:
“What data we collect: We will store a time stamp and IP address when you connect and disconnect to our VPN service together with the IP address of the individual VPN server used by you. We do not store details of, or monitor, the websites you connect to when using our VPN service.”
Regarding the storing of your IP address, Hide My Ass says this:
"…Your IP address is logged by us so that we can prevent any spam, fraud or abuse of our Site and our services. We may store this data for up to two years, unless we are required, for legal reasons or under exceptional circumstances, to retain this data for an extended period."
So what does this tell us? Well, Hide My Ass is not quite as bad as your ISP when it comes to logging data: it’s not recording the actual websites you visit. But it does know exactly when you log on to its servers and which servers you are using. The reasons it gives for this seem pretty innocuous; it’s true that most VPNs store some network data to prevent spam and troubleshoot network problems.
However, Hide My Ass also uses the phrase “to prevent abuse.” “Abuse” is one of those woolly terms that could be construed to mean a number of different things. This is combined with Hide My Ass’ worrying practice of storing its data logs for two years. Such a long time period is not needed for troubleshooting network problems and can only be useful for aiding surveillance efforts.
Presumably, if an authority wanted to match up the times you connected to a server with the times that Hide My Ass server connected to a certain website, they may be able to determine what you were browsing. From there they could probably request that Hide My Ass start logging your data (which is probably what happened in the Lulzsec case).
Data disclosure
Hide My Ass is very upfront about how cookies work and the cookies it uses from third party advertisers. It’s also upfront about where it stores your data and that your data is transferred outside the EU, which means, in some cases, it’s not protected by the EU’s Data Protection Directive. But some of Hide My Ass’ data disclosure practices should set alarm bells ringing. Here’s what their policy says (Privax is Hide My Ass’ parent company):
5.1 In the event that Privax Limited becomes part of a group of companies, we may disclose your data to any member of such group, which means any subsidiaries of Privax, or its ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
5.2 We may disclose your personal information to third parties:
5.2.1 In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
5.2.2 If Privax Limited is, or substantially all of its assets are, acquired by a third party, in which case personal data held by it about its users will be one of the transferred assets; or
5.2.3 If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of service and other agreements; or to protect the rights, property, or our safety, our users, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
In other words, if another company buys Hide My Ass, all of your data will be transferred to them and they could theoretically do whatever they wanted with it. For a company selling a privacy service, this is worrying behavior indeed and certainly sends out the wrong message. Any serious privacy service would not allow this to happen.
Missing information
While Hide My Ass is clear and specific on the privacy issues within its policy, there are a number of issues it does not address at all. This includes a lack of information concerning what the company will do if surveillance laws change in its jurisdiction. This is particularly problematic because Hide My Ass operates under UK law, and the UK is currently considering a major revamp of surveillance legislation. It would also be very useful to know what Hide My Ass will do if an authority requests information on a user and what happens if a DMCA notice is received, but this information is not clearly provided (though it does mention that the DMCA isn’t applicable under UK law).
To sum up
Hide My Ass’ privacy policy is well written, clear and honest in places. However, it also overlooks a number of key privacy-related issues and reveals a very worrying data sharing practice. There are also serious concerns over the length of time Hide My Ass stores user data.
7 Comments
Baneki Privacy Labs
22.07.2013
There’s a critique of the HMA ToS over at Cultureghost’s customer forum:
https://www.cryptocloud.org/viewtopic.php?f=17&t=2769&p=3761#p3761
Their ToS are as bad as any we’ve seen in the industry. Still.
Jimmy
23.07.2013
HideMyAss is a great piece of software, but their privacy policy is indeed a little worrying…
Would you keep using it, or would you switch to another solution?
Ritz
09.08.2013
Hey Dennis,
Thanks a bunch for this and other useful articles. Only after reading your articles did I come to know about “real” online privacy. Thanks a bunch buddy!
As for HMA, I’ve been their user for over a year now, but hey, NO MORE!! After knowing their so-called privacy services/promises for/to their users, I DON’T TRUST THEM (yeah, the “sellmyass” name suits them the best!).
Now I’ll be choosing between IVPN or AirVPN only (the providers that really do take the privacy of their users seriously!). However, I will always love to read more of your articles and gain knowledge.
Keep up the good work and best of luck!
Best regards,
Ritz
Dundale
24.10.2013
Phillipe Gratneau
30.12.2013
matt
14.03.2014
I used hma for 1 year and thought the service was worth it.
The logging was distressing but not known at the time of signup.
I did receive a copyright complaint, and was temporarily suspended
until I responded that it “wouldn’t happen again”.
Moving on to another more privacy minded vpn.
Chris
04.09.2014