Free VPN? You had best read the small print...

HolaIf you're a user of the free version of the VPN service Hola, I hope you read the small print.

Because while you might use the Hola VPN proxy to cover your tracks while surfing the web, watching Netflix programmes in other countries, your computer's resources might be being leased out for others to pass their data through.

And, what's worse as Business Insider reports, it's possible that bad guys are using your bandwidth and your CPU time to launch internet attacks:

"One of the most popular Chrome extensions is selling its users' bandwidth, largely without their knowledge — and it can be used by hackers to maliciously attack websites."

Indeed, controversial forum 8Chan says it has suffered multiple DDoS attacks via Hola, and describes the service as "the most unethical VPN [it has] ever seen".

Smarting from the attack, Hola has tried to defend itself in the press.

"We have always made it clear that Hola is built for the user and with the user in mind. We've explained the technical aspects of it in our [frequently asked questions] and have always advertised in our FAQ the ability to pay for non-commercial use."

But it seems to me that it's likely that many of Hola's 47 million users didn't understand (or perhaps not even read) what the software was actually going to do, and wasn't aware that Hola would be letting other people use their bandwidth.

Hola's FAQ explains that it doesn't run its own proxy servers, but instead takes advantage of a peer-to-peer community of computers.

What is a community powered (Peer-to-Peer) VPN?
Hola is the first community powered (Peer-to-Peer) VPN, where users help other users to make the web world-wide again. This means that Hola routes your traffic through other nodes (peers) in the Hola network, as opposed to routing through power-hungry costly servers. This allows Hola to provide you with a superior VPN service with minimal underlying costs. Since it uses real peers to route your traffic and not proxy servers, it makes you more anonymous and more secure than regular VPN services. This also means that Hola is harder to detect and block.

In other words, other Hola users are using your computer to surf the web.

Now, there's nothing wrong with Hola using your computer in that way, if you're comfortable with it.

But even if you are comfortable with it, you should ask yourself - as a responsible internet citizen - whether it's the right thing to do or not.

Just because software is free doesn't mean it's bad.

Similarly, just because you've paid for a piece of software doesn't mean it's good.

Magnifying glassBut if you are going to use free software, don't forget to ask yourself why it might be free. What, if anything, are the people behind the software hoping to get from your usage of their software?

It might be that they're trying to raise brand awareness in order to see a version of their product they sell commercially with enhanced features (no doubt you'll have seen a couple of messaging inviting you to buy the Pro version).

Or perhaps they're hoping to collect useful data from your usage of the product (anonymised, one would hope) that will help them make their services stronger, and sell those on to other customers.

Or it might be something altogether less altruistic, such as an opportunity to meddle with your browser settings, interfere with your search results or bombard you with irritating pop-up adverts for penis pills.

The important thing is for you to ask yourself the question, and - where possible - read the small print before installing the software.

Update: Hola's CEO Ofer Vilenski has posted an update on the company's blog, saying it will make clearer to customers in future how its product works and how it has responded to two vulnerabilities found in the last week:

"Two vulnerabilities were found in our product this past week. This means that there was a risk of a hacker being able to operate remote code on some devices that Hola is installed on. The hackers who identified these issues did their job, and we did our job by fixing them. In fact, we fixed both vulnerabilities within a few hours of them being published and pushed an update to all our community. We are now undergoing an internal security review, as well as an external audit we have committed to with one of the big 4 auditing companies’ cyber auditing team."

(Visited 838 times, 1 visits today)

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , ,

9 Responses

  1. Callum

    June 1, 2015 at 5:15 pm #

    In that case, does the same apply to users of the mobile app? I used to use the chrome extension but I'm still using the app on my phone and it really would be a shame if the same applied because it actually is a very good, solid service.

  2. Andrew Staples

    June 1, 2015 at 5:51 pm #

    The lesson for consumers here goes beyond the 'if it’s free, you are the product' cliché. Instead, it’s that you when you choose an encryption service, you need to be able to trust that service and the company behind it. The best VPNs are run by legitimate companies that are care about the fight for online privacy and are transparent about what they do, or don’t do, with your personal data.”

  3. Paul Swengler

    June 1, 2015 at 6:23 pm #

    Thank you Graham.

    This is a wake up call. VPN is a useful tool which, is some cases will provide anonymity, but unfortunately it also comes with problems. Many sites block by IP, which means your ISP/Government or Big data tracker is watching. Or alternatively they are watching, hacking and blocking by IP. I have had even craigslist block a VPN connection due to IP.

    The opposing forces of wanting what the web provides vs the skills to properly use them vs the education required to make educated decisions seems a war we can't win. Seems the eternal struggle similar to: We like to eat, and we get fat. We want to be thin and healthy but we want to eat. We want security and anonymity but we also want free.

    Thanks for a great article.

  4. Coyote

    June 1, 2015 at 7:39 pm #

    "Hola is the first community powered (Peer-to-Peer) VPN, where users help other users to make the web world-wide again. This means that Hola routes your traffic through other nodes (peers) in the Hola network, as opposed to routing through power-hungry costly servers. This allows Hola to provide you with a superior VPN service with minimal underlying costs. Since it uses real peers to route your traffic and not proxy servers, it makes you more anonymous and more secure than regular VPN services. This also means that Hola is harder to detect and block."

    VPN? Superior VPN? More anonymous? More secure? Harder to detect and block? I've read a lot of claims but that one is quite an impressive fabrication (indeed notice the problems reported). It isn't that it is free that's the problem – it is that they're not offering what they claim in the first place. This is similar to a trojan horse but it drops a 'backdoor' to [your] resources rather than malware/etc. per se (there are semantics to trojan horse so it could be or could not but semantics is always an issue so choose your poison).

    It sounds more like a very naive, very immature version of tor. Perhaps except that the nodes aren't necessarily servers (as I've read before this is what tor uses but I don't use it either so I can't really comment beyond any similarities). But that's not a VPN. In any case free VPNs (In various forms) that don't have these issues as described in this post do exist.

  5. Anonymous

    June 2, 2015 at 6:52 am #

    Good write up.

    >But if you are going to use free software, don't forget to ask yourself why it might be free. What, if anything, are the people behind the software hoping to get from your usage of their software?

    Solid advice.

  6. John

    June 3, 2015 at 12:58 pm #

    You get what you pay for! I've had a paid VPN set up for ages, one of the many perks was that i could set it up on my router directly and watch us netflix direct on my smart TV. it's not that expensive! just check out one of the many review sites and pick one! http://reviewmyvpn.com;

  7. Daz

    June 3, 2015 at 3:18 pm #

    I'm quite sure random people using your bandwidth, goes against the ToCs of most, if not all, ISPs. There's a good chance you could have your service suspended or terminated.

    • Coyote in reply to Daz.

      June 5, 2015 at 12:00 am #

      If it's unauthorised use of their bandwidth they won't do anything at all (if they do they have other issues). That seems to be what is here. In any case, you're quite wrong – it isn't all ISPs (for example, mine) and those that it is depend on the plan (and I would hazard a guess that many ISPs fit here rather than not allowed at all – there's certainly enough nodes not following this policy, that would suggest this). ISPs that allow servers (for example, mine), as one (and I challenge an ISP that doesn't allow them to to determine with 100% certainty that what they think is a server is indeed a server[1] 100% of the time). But ignore the issue of plans and different ISP policies – ISPs have other tools to their disposal, tools that are more powerful here than policies: traffic shaping and bandwidth caps, among others. The latter means they can charge more (something that they unsurprisingly don't mind), too, if they enforce it (not all do; for example, mine), which monetarily would be beneficial to them. Illegal activities is another issue entirely, and that would also depend on what laws rule them (and they follow or otherwise they feel obligated to enforce).

      In the end, this abuse by this 'VPN' is unauthorised which basically makes the entire issue moot.

      [1] Even while ignoring the semantics of what is a 'server'.

  8. Pam1994

    September 8, 2015 at 12:17 pm #

    I prefer Express VPN and B.VPN both are my favorite, becuase of their speed and security. you can try download Express VPN from their official website and B.VPN from here https://itunes.apple.com/us/app/bvpn/id955436453?ls=1&mt=8 or here https://play.google.com/store/apps/details?id=com.steelkiwi.bvpn&hl=en

Leave a Reply