Anyone who has poked around the virtual private network market is aware that there are many scams. Though our best VPN for iPhone and best VPN for Android guides make recommendations as to which services you should be using on your mobile device, Google Play and the App Store are still rife with problematic applications.
One of the worst offenders is Hola VPN, an Israeli company that approaches the free VPN model from a different perspective. With over 184 million users — at least, according to its website — Hola VPN is one of the most popular VPNs around, despite the fact that the company behind it exemplifies consumer manipulation.
With write-ups from CNN Money and Business Insider, Hola VPN appears to be a legitimate service, but its manipulation of the press and consumers can’t dig it out of a damning terms of service, which says Hola VPN is selling access to your device to businesses and, potentially, criminals around the world.
What is Hola VPN?
If you’re browsing for free VPN services, Hola VPN doesn’t stick out. Like many options online, it’s a free VPN that promises to unblock most websites from any country, but it made our worst free VPN guide for a reason.
Unlike, say, Windscribe (the best Hola VPN alternative), which restricts the amount of data free users can use, there are no restrictions on Hola VPN’s free plan (read our Windscribe review). Instead, it claims that it can operate the VPN for free by creating a peer-to-peer network, which would make it so the company doesn’t need to maintain servers around the world.
That’s an interesting business model, but anyone who knows what can go wrong on P2P connections can already see the blood in the water.
Let’s get you up to speed. A VPN is a network of servers usually located around the globe. You connect to those servers before connecting to the internet, effectively masking your origin and traffic. Hola VPN is doing the same thing, but instead of maintaining a network of servers, it’s turning you into the network.
Say, for example, you’re located in the UK and a U.S. resident wants to stream BBC iPlayer (read our best VPN for BBC iPlayer guide). Instead of having a dedicated server in the UK, Hola VPN will use the computing resources of the device from the UK resident. In short, the U.S. user will tunnel through the UK user’s device.
That’s not hidden information. In fact, Hola was praised for the model when it was released in 2014. The idea was that idle devices, such as your smartphone, would create a content delivery network that would tunnel traffic and speed up the internet for people around the globe. Unfortunately, that’s not what happened.
The website Adios, Hola, which was launched by nine security experts, found multiple vulnerabilities in the system, and they weren’t just simple oversights. By routing data through your device, Hola VPN allowed anyone tunneling on the network to track you across the internet, including your installation directory, unique session key and other personal data.
What’s worse is that the app allowed anyone to execute programs on your computer, which means a hacker could unload malware on your device without your knowledge. Because of the deep-seated permissions Hola needs, users had things like rootkits, which are nasty malware that even the best antivirus software has a tough time with, installed on their devices.
That’s Hola in isolation. Unfortunately, the rabbit hole doesn’t stop there. Though accessing users’ devices is bad enough, it takes a lot of know-how. So much so that it might be more difficult than cracking someone’s device some other way. What’s scary about this story is that Hola VPN isn’t operating off a unique business model. It’s monetizing your IP address.
Hola and Luminati
Before going too deep, it’s important that you understand the connection between Hola VPN and Luminati. Ofer Vilenski is the founder of Hola VPN, HolaCDN and Luminati. He is currently president of Luminati and executive chairman of Hola. No one seems to be hiding that the two companies are tied together (it’s no BestVPN and Buffered), but the shared leadership is proof that they are.
Luminati isn’t a VPN, though. Instead, it sells networks of slave computers. The idea is that smartphones, tablets and computers are idle during some part of the day, so Luminati harnesses the computing resources of those machines during idle time to give extra resources to businesses.
The use cases for such a service are numerous, according to Luminati on its “about” page. For example, you could test your website across multiple cities around the world or run scripts to collect information without massive computing overhead. Though those are legitimate needs, the way Luminati fills them isn’t.
Today, Luminati has 35 million residential IP addresses and 2 million mobile IP addresses. It was able to acquire a number of IP addresses equal to one-tenth of the population of the U.S. by enslaving the devices of Hola VPN users and selling their IP addresses through Luminati. Though that connection was a known fact back in 2015, Luminati claims that it began operating independently of Hola in 2016.
That’s not true, though. Hola’s end-user license agreement, which is marked as last updated in 2018, clearly states that “in return for free usage of Hola Free VPN Proxy, Hola Fake GPS Location and Hola Video Accelerator, you may be a peer on the Luminati network.”
The Dangers of Being a Peer
Though we already talked about the dangers of Hola VPN being an enclosed peer-to-peer network, the idea that others can purchase access to your device is even more frightening. Essentially, Luminati is legally selling botnets, a product that would normally only be available on the dark web for the purpose of cybercrime.
Botnet is short for “robot network.” The concept is simple to grasp. It’s a network of machines that have bots installed on them. Bots allow whoever is at the helm to do almost anything they want on your device. By installing Hola VPN, you’re agreeing to install a bot on your machine.
Hola doesn’t hide the fact that it’ll use extra resources on your machine, but it isn’t clear what those resources could be used for. Botnets are a hot commodity, generating tons of revenue for those who run them through ad fraud, cryptocurrency mining and distributed denial-of-service attacks.
One of the most infamous botnets was known as ZeroAccess, which gathered 1.9 million IP addresses in a P2P network. Symantec, which created Norton Security (read our Norton Security review), studied the botnet in 2013 to see just how much of an effect it had.
It found that the botnet had two purposes: mining bitcoin and committing click fraud. The bitcoin mining generated around $2,000 per day, adding up to around $800,000 in a year, while the click fraud brought in tens of millions.
ZeroAccess used the slave computers to falsify clicks on advertisements, making it seem as if ads were more popular than they were. Just from that, the botnet generated 488TB of traffic per day, which hurt those who were wrapped up in it. Each user who was part of the botnet spent around $110 more in electricity per year, adding up to $204 million annually.
To put that in perspective, the amount of electricity ZeroAccess used could power over 100,000 homes.
ZeroAccess was a network of 1.9 million IP addresses. Luminati is sitting on 37 million. Though the load is distributed among many users, the environmental and economic effects are still present. By being a peer in the Luminati network, you’re potentially increasing your electricity bill, putting money in the hands of criminals and stealing much-needed electricity.
We’re not saying everyone using Luminati is a criminal. There are legitimate use cases for it. It could be used for cybercrime, though. Vulnerabilities in Hola VPN’s system allow Luminati users to deliver malware to users’ devices and harness the power of a network to commit any of the crimes that can be committed with a botnet.
Save the Headache
Though we understand that saving money is important, your privacy is something you should value. It isn’t worth the potential danger of using a free VPN, such as Hola VPN, to unblock new movies on Netflix or protect your torrenting. In the end, you’re always paying, and the low monthly price that legitimate VPNs charge ends up being cheaper in the long run.
We’d forgive you for looking past our best VPN, ExpressVPN, if you’re on a budget. Though we think it’s worth the price — you can see why in our ExpressVPN review — it’s no doubt one of the more expensive options.
There are budget options, though, most notably CyberGhost and Private Internet Access. CyberGhost’s monthly price isn’t impressive — it’s the same as ExpressVPN’s — but its multi-year contracts are unmatched. For the same price as a year’s worth of service from ExpressVPN, you can get three years with CyberGhost (read our CyberGhost review).
CyberGhost is the cheapest provider we’d still consider top-shelf, but PIA isn’t far below it. PIA is much cheaper, too. At half the monthly rate of CyberGhost, with considerable discounts on multi-year plans, PIA is the best value on the market (read our PIA review).
For only a few dollars per month, you can have a legitimate VPN protecting you. Free options are attractive, but the gross misuse of your consent can lead to a nightmare scenario. Hola VPN is that nightmare. Even when a provider isn’t as degenerate as Hola, free VPNs usually mean that your data is being collected and sold for profit.
Unfortunately, Hola VPN isn’t the only one of its kind. Though it may be the only one to stoop so low, there are plenty of VPN scams online. It’s never a good idea to cheap out, and that’s especially true with VPNs. If you’re looking to stream, torrent or just protect yourself online, make sure to go with a legitimate service.
Which VPN are you using? Let us know your thoughts about it in the comments below and, as always, thanks for reading.