If you’re a user of the free version of the VPN service Hola, I hope you read the small print.
Because while you might use the Hola VPN proxy to cover your tracks while surfing the web or watching Netflix programmes in other countries, your computer’s resources might be being leased out for others to pass their data through.
And, what’s worse, as Business Insider reports, it’s possible that bad guys are using your bandwidth and your CPU time to launch internet attacks:
“One of the most popular Chrome extensions is selling its users’ bandwidth, largely without their knowledge — and it can be used by hackers to maliciously attack websites.”
Indeed, controversial forum 8Chan says it has suffered multiple DDoS attacks via Hola, and describes the service as “the most unethical VPN [it has] ever seen”.
Smarting from the attack, Hola has tried to defend itself in the press.
“We have always made it clear that Hola is built for the user and with the user in mind. We’ve explained the technical aspects of it in our [frequently asked questions] and have always advertised in our FAQ the ability to pay for non-commercial use.”
But it seems to me that it’s likely that many of Hola’s 47 million users didn’t understand (or perhaps didn’t even read) what the software was actually going to do, and weren’t aware that Hola would be letting other people use their bandwidth.
Hola’s FAQ explains that it doesn’t run its own proxy servers, but instead takes advantage of a peer-to-peer community of computers.
What is a community powered (Peer-to-Peer) VPN?
Hola is the first community powered (Peer-to-Peer) VPN, where users help other users to make the web world-wide again. This means that Hola routes your traffic through other nodes (peers) in the Hola network, as opposed to routing through power-hungry costly servers. This allows Hola to provide you with a superior VPN service with minimal underlying costs. Since it uses real peers to route your traffic and not proxy servers, it makes you more anonymous and more secure than regular VPN services. This also means that Hola is harder to detect and block.
In other words, other Hola users are using your computer to surf the web.
Now, there’s nothing wrong with Hola using your computer in that way, if you’re comfortable with it.
But even if you are comfortable with it, you should ask yourself – as a responsible internet citizen – whether it’s the right thing to do or not.
Just because software is free doesn’t mean it’s bad.
Similarly, just because you’ve paid for a piece of software doesn’t mean it’s good.
But if you are going to use free software, don’t forget to ask yourself why it might be free. What, if anything, are the people behind the software hoping to get from your usage of their software?
It might be that they’re trying to raise brand awareness in order to sell a commercial version of their product with enhanced features (no doubt you’ll have seen a couple of messages inviting you to buy the Pro version).
Or perhaps they’re hoping to collect useful data from your usage of the product (anonymised, one would hope) that will help them make their services stronger, and sell those on to other customers.
Or it might be something altogether less altruistic, such as an opportunity to meddle with your browser settings, interfere with your search results or bombard you with irritating pop-up adverts for penis pills.
The important thing is for you to ask yourself the question, and – where possible – read the small print before installing the software.
Update: Hola’s CEO Ofer Vilenski has posted an update on the company’s blog, saying it will make clearer to customers in future how its product works and how it has responded to two vulnerabilities found in the last week:
“Two vulnerabilities were found in our product this past week. This means that there was a risk of a hacker being able to operate remote code on some devices that Hola is installed on. The hackers who identified these issues did their job, and we did our job by fixing them. In fact, we fixed both vulnerabilities within a few hours of them being published and pushed an update to all our community. We are now undergoing an internal security review, as well as an external audit we have committed to with one of the big 4 auditing companies’ cyber auditing team.”