Hide My Ass VPN – Review 2020
To improve your privacy, you need a virtual private network, or VPN, such as HMA (formerly Hide My Ass). This VPN has an excellent user experience and has taken strides to improve its practices to better protect its customers. Still, it is an expensive VPN service, and comes without many of the tools more affordable competitors include.
What Is a VPN?
When you activate a VPN, it creates an encrypted tunnel to protect your data as it passes from your computer to a server controlled by the VPN. From there, your data exits onto the open internet. This prevents anyone lurking on your local network from monitoring or intercepting your activity. A VPN also makes it harder for your activities to be tracked online by hiding your true IP address, and it prevents your Internet Service Provider (ISP) from gathering information about your online activities so it can sell anonymized user data to the highest bidder.
While a VPN is a powerful tool to improve your privacy, it doesn’t protect against all ills. I highly recommend that people activate two-factor authentication wherever it’s available, use a password manager, and install antivirus software on their computers.
Pricing and Features
If you’re looking to try HMA VPN before you buy it, you can with its seven-day trial. That free trial does require you to create an account and hand over your credit card information. At the conclusion of your trial, expect to be billed. If you’re in need of a great VPN, but have nothing in your wallet, you can always try a free VPN. Most of these services place limitations on your service unless you pay, however. TunnelBear, for example, limits its free users to a certain allotment of data. ProtonVPN’s free plan places no data limits on users, making it easily the best I’ve tested.
HMA has done away with its monthly plan and starts pricing at $83.88 per year. That breaks down to $6.99 per year—well below the $10.10 average monthly cost of a VPN. The actual price you pay at checkout (remember, $83.88) is significantly higher than the $73.06 per year industry average for yearly plans, however, and that’s the price I give most weight to in my reviews.
Why do I put so much emphasis on monthly subscription plans? It’s partly because of their ubiquity. Just about every VPN offers one, and I prefer apples-to-apples comparisons. It’s also because I recommend against starting out with a long-term subscription, however. There’s no way to know how a VPN will work for you until you try it. An annual plan might end up saving money, but not if it’s a dud and you need to find a new product.
Many VPNs come in well below the industry averages for monthly and annual cost. Editors’ Choice winners Mullvad VPN and TunnelBear cost a mere €5 ($5.65 USD, at the time of this writing) and $9.99 per month. Beating the average annual price isn’t difficult, either. Both Mullvad and TunnelBear run about $60 a year, and Kaspersky Secure Connection can be had for $29.99 per year.
To buy an HMA subscription, you can use credit cards or PayPal. These are convenient options. What you can’t use are cryptocurrencies like Bitcoin, which are accepted by many VPN services (Private Internet Access, NordVPN, and others). Mullvad accepts cash sent to their HQ, and TorGuard lets you use prepaid giftcards from other companies to purchase subscriptions.
Most VPN services offer at least five licenses without restriction, and HMA follows suit. That’s good, but many companies have started to do better. A solid chunk of services allow more than five devices using the service at a time, while a few have done away with the limitation entirely. Avira Phantom VPN, Encrypt.me VPN, Ghostery Midnight, IPVanish VPN, Surfshark VPN, and Windscribe VPN place no limit on the number of devices. (Note that IPVanish and Encrypt.me are owned by j2 Global, the parent company of PCMag’s publisher, Ziff Davis.)
Charging more than the average for a VPN is no great sin, provided the company can justify the expense. HMA, however, does not include many additional privacy tools. It does include a split tunneling feature, which lets you designate which apps or sites send their data through the VPN. That’s excellent. The company does not provide access to the Tor Anonymization network, however, nor does it offer multihop connections that route your traffic through two VPN servers for additional privacy. ProtonVPN is the only service I have reviewed that offers all three.
VPN Protocols
There are many ways to create a VPN connection. My preferred method uses the OpenVPN protocol, which is known for its speed and reliability. It’s also open-source, and therefore has been picked over for potential vulnerabilities by anyone with the interest to do so.
HMA supports different protocols on different platforms. The Windows and Android apps use OpenVPN, which is great. The iOS and macOS apps use IKEv2, which is another modern and secure protocol.
The heir apparent to OpenVPN is WireGuard, another open-source VPN protocol. What makes it attractive is the newer security technology it’s built on, and the apparently excellent speeds it affords users. I haven’t thoroughly tested WireGuard, but the initial results have been promising.
HMA currently does not support WireGuard, but that’s not an issue—yet. Other VPNs, such as Mullvad and NordVPN, have gone all in on this new technology.
Servers and Server Locations
Ideally, a VPN company will offer a server that’s near wherever you are. The theory has always been that the closer the server, the better the performance. Having many server locations also gives you a lot of options for spoofing your locations.
On its face, HMA is the winner for geographic diversity. The company boasts that it offers servers in 290 locations, across 190 countries. This far exceeds the next-highest contender, Express VPN, which has servers in 94 countries, followed by CyberGhost with servers in 90 countries.
The list of available server locations offered by HMA is particularly noteworthy because it covers regions often ignored by other VPN companies. It has, for example, numerous server locations across the continent of Africa. Some VPNs might offer one or two server locations in Africa, while most ignore the continent completely. HMA also thoroughly covers South America, another often-ignored region, and is one of the very few companies to have Iran as a server location. It even offers server locations in places with repressive internet policies, such as Vietnam and Russia.
There’s a big caveat to this coverage: Most of it is not what it appears to be. HMA makes heavy use of virtual servers. These are software-defined servers, meaning that one hardware server can play host to several virtual ones. Moreover, virtual servers can be configured to appear somewhere other than the true location of their hardware hosts.
There’s nothing wrong with virtual servers per se. Many VPN companies use them to cope with sudden demand on their networks. A few have cleverly used virtual servers to provide access to dangerous regions by placing the host machine in a safer location. As long as it’s clear to users where their data is actually headed, I have little problem with virtual servers.
HMA tests my tolerance. It has servers in 66 real locations across 36 countries, all of which serve the 130-odd other countries. No other VPN service I have reviewed has so many virtual server locations. HMA also doesn’t do a great job communicating which servers are virtual, or where they are located. The company needs to clarify these practices to users, both in the app and on the company’s website.
An HMA representative explained to me that the company does not own all of its server infrastructure, but has taken steps to secure all of its servers. These include full-disk encryption to prevent datacenter employees from accessing information, keeping its certificate authority private keys on isolated infrastructure, and so forth. These are reasonable precautions. Other companies opt to own all their machines, and some like ExpressVPN have moved to RAM-only servers which are wiped as soon as they are disconnected to prevent tampering.
Your Privacy With HMA
When I review VPNs, I read the company’s privacy policy and speak with representatives in order to better understand how your data is used and stored. In the case of HMA, the company should be commended on its clear privacy policy. The company has also made enormous changes to its practices, as it gathers far less data than the last time I reviewed it.
The policy states, and company representatives confirm, that HMA does not gather or log user IP addresses, DNS requests, or browsing data. That’s excellent, and more companies should strive to collect as little information as possible. The company does still log the day of connection (but not the time), and a “rounded” amount of transferred data for 35 days. While the company says that none of this information could be connected to a user, it should strive to collect less information or retain it for far less time.
These improvements come with a caveat. The company says that its free proxy browser plugin still logs IP addresses, domain names of sites visited, and a timestamp. The company’s privacy policy says that this information is deleted every 30 days, and is needed to prevent abuse of a free service. That’s an uncomfortable amount of personally identifiable information. HMA should either rethink its proxy plugin, or discontinue its use if so much customer data is required.
The company confirmed to me that it only makes money through the sale of VPN subscriptions. That’s great, since a company you trust with your privacy shouldn’t be profiting by selling your data.
HMA is owned by Privax, which in turn is owned by the Avast Group, of Avast antivirus fame. Note that Avast SecureLine VPN, AVG Secure VPN, and HMA! VPN are all owned by the same company. While HMA VPN operates on its own infrastructure, Avast and AVG-branded VPNs share the same back end. Earlier this year, a PCMag investigation revealed that Avast has already monetized its users’ data gathered through a browser plugin associated with the Avast antivirus product. It does not appear that any VPN data was involved.
The actual location of a VPN company also matters, as it can inform what protections are afforded to customers. HMA has its company headquarters in London, and operates under the legal jurisdiction of the United Kingdom. Notably, the UK does have mandatory data retention laws. That’s not ideal. Many other VPN services operate in countries without mandatory data retention laws, or in ones that have favorable privacy protections for consumers. The company tells me that most of its infrastructure is located in the Czech republic, the home of Avast’s corporate headquarters.
HMA’s owner Avast does publish a transparency report that includes information on HMA. This document outlines how many requests the company has received for information from law enforcement and how the company responded. Unfortunately, it’s not easy to find (I had to ask my PR contact) and has not been updated since 2018. The report does not paint a flattering picture of HMA in this time period, showing that it responded to 43 percent of requests in 2017, and includes a note that says the company also disclosed “root IP addresses” as part of the requests. Given the changes that HMA has recently made to its service, it’s unlikely that this kind of information would be released again, but it’s impossible to say without an up-to-date report.
Many VPN companies have started publishing the results of third-party audits, in order to establish their privacy bona fides. These audits aren’t always useful, but a good audit is an excellent way for a company to make itself accountable to customers. TunnelBear has committed to doing annual public audits and has stuck to that promise. HMA should do something similar.
Avast, HMA’s parent company, also publishes a warrant canary. This subtly allows the company to communicate if it has been subject to legal requirements that prevent the company from even acknowledging those requirements. The canary document mentions that the company has not been ordered to create any backdoors for accessing user content, which is great. More companies should include this language, and update their warrant canaries in a similar manner.
Security is all about trust. If you don’t feel like you can trust a company for whatever reason, you should seek out one you feel comfortable with. Fortunately, there are a great many to choose from, especially when it comes to VPNs.
Hands On With HMA
I had no trouble installing the Windows version on an Intel NUC Kit NUC8i7BEH (Bean Canyon) desktop running the latest version of Windows 10. Interestingly, you have the option to login with a username and password or with an activation code. Mullvad and ExpressVPN have both done away with logins entirely, and instead use codes to activate the client software.
The latest version of the HMA client smartly balances ease of use without skimping on some surprisingly useful tools. The app is built around a single, monochromatic blue window with Jack, the formerly eponymous donkey of HMA, in the center. Between the colorful interface and cartoon mascot, it shares a lot in common with TunnelBear, although I think TunnelBear has the edge in the friendliness and ease of use department.
Still, HMA isn’t a trial. A tutorial will walk you through your first session. Even if you ignore this, the big toggle switch that activates the VPN is hard to miss. By default, the app will connect you to what it thinks is the fastest VPN server. You can, however, run a speed test to confirm the choice. This is a surprisingly powerful little tool that pulls up nearby servers, runs tests on all of them, and then picks a winner.
If you know the region you’re looking for, you can simply click the button at the bottom of the main screen and you’ll be presented with a list of servers. You can search the list, or have it broken down by region. I prefer map interfaces, because if the app doesn’t have the location I am looking for, maps make it easier to pick the next best option. NordVPN, TunnelBear, and ProtonVPN are just a few of the products that lean heavily on a map interface.
Unfortunately, the app won’t let you select specific servers. The finest level of granularity available is a city. I also noticed that P2P and streaming servers were clearly marked, but it’s still not clear which servers are virtual and which are not.
In the app you’ll find a kill switch, which shuts down internet access should your VPN become disconnected. You can also opt to have HMA restrict internet access from only specific apps.
While HMA doesn’t have the rate privacy tools the VPN industry offers (or even all of the typical ones), it does have some unique features that are quite handy. On the main page, you can click a button next to your IP address to cycle to a new IP address. The app says that this might unblock sites that refuse access to VPN users, although I just like the privacy implications of being able to change my IP address so easily. You can also configure the app to automatically cycle your IP address at set intervals, which is very nifty.
Having a VPN that doesn’t change your visible IP address or leaks your DNS information isn’t much use. In my testing, I confirmed that HMA did change my public IP address and obfuscated my ISP. Using the DNS Leak Test Tool I confirmed that the service was not leaking my information. Note that I only tested one server. Other servers may be improperly configured.
HMA and Netflix
If you’re alive this far into the 21st century, you’re probably streaming video and music on a daily basis. Unfortunately, many streaming companies, and especially Netflix, block VPN users.
I had no trouble streaming Netflix while I was connected to an HMA server in the US. That’s great. Note, however, that VPN blocking is a bit of a cat-and-mouse game. The service that works for watching Netflix with a VPN today might be blocked tomorrow.
Beyond VPN
Other services, like Private Internet Access and CyberGhost, include ad and tracker blocking, but HMA does not offer this kind of ability. TunnelBear offers a free standalone tracker blocker for browsers, as well as the subscription-powered RememBear password manager.
TunnelBear isn’t the only company diversifying its portfolio of products. NordVPN also offers a password manager product, as well as the NordLocker encrypted file system. ProtonVPN and TorGuard both offer secure email services. HMA has no comparable sweeteners or spinoffs.
Although it is owned by the same company that owns Avast and AVG antivirus, HMA isn’t bundled with any of those products. Hotspot Shield notably comes with a Pango account, that entitles you to several other privacy services.
Speed and Performance
Using a VPN makes your web traffic jump through more hoops than normal, or optimal. As a result, you’re probably going to see a decrease in speed and an increase in latency. To get a sense of this impact, I compare the average results from Ookla’s speed test tool to find the percent change with the VPN on and off. (Note that Ookla is owned by Ziff Davis, which also owns PCMag.) To learn more about our testing, and its limitations, see the quite literally named How We Test VPNs.
HMA performed remarkably well in speed tests. It reduced download speed test results by only 42.2 percent, and upload speed tests results by 58.9 percent. It increased latency by a mere 35.4 percent. Those scores were enough to put it in third place among all the VPNs I tested.
You can see how HMA compares against the nine best contenders out of the nearly 40 VPN products I’ve tested.
Overall, Hotspot Shield VPN holds the title of fastest VPN, but it’s a close competition. Surfshark is right behind, and has a shockingly good upload score. Despite that, I strongly recommend against selecting a VPN based on speed. There’s no guarantee that you’ll have similar results. In fact, I’m certain you won’t. Consider, instead, the privacy protections and overall value of the product.
HMA on Other Platforms
HMA has apps for Android, iOS, macOS, and Windows. The company also provides instructions for configuring Linux computers to use the service. While any device can be manually configured in this way, it’s better to use a first-party app. These are easier to use, and grant access to other features that you’re already paying for.
HMA also has proxy extensions for the Chrome and Firefox browsers. This will let you spoof the location of your browser traffic, but a different mechanism is used to encrypt your traffic than what’s used in the VPN app.
You can also manually configure a router to use HMA, which extends VPN protection to every device on your network. Alternatively, you can purchase a preconfigured router that works with HMA. I haven’t tested this arrangement, but it sounds a bit tedious.
New Name, New Direction
While we mourn the retiring of the “Hide My Ass” branding, HMA carries on the best of that storied brand. The colorful, cheeky design is easy to use and approachable for novices. The company uses solid VPN technology, has an impressive array of servers and server locations, and some of the best speed test scores we’ve yet seen. More importantly, the company has also made strides to better protect the privacy of its customers. This is especially gratifying, given that, over the years, we felt HMA had lost its luster as the VPN market became more competitive. When we started work on this review, we fully expected that we might have to lower HMA’s score again, but the efforts made to improve protecting customer privacy changed our minds.
That said, there’s still room for improvement. HMA should update its transparency report and continue to improve its privacy practices, especially regarding its proxy browser plugin. Other companies have made privacy, transparency, and clearly communicating those principles key parts of their offerings. HMA should do the same. The company also needs to rethink its use of virtual servers, or at least better communicate how those servers are used and where they are located. Virtual servers don’t need to be a liability, but their use does need to be clear to users.
HMA VPN Specs
Supported Client Software | Android, iOS, macOS, Windows |
Allows 5+ Simultaneous Connections | Yes |
500+ Servers | Yes |
Geographically Diverse Servers | Yes |
P2P or BitTorrent | Yes |
Blocks Ads | No |
Free Version | No |
Advanced Features | No |
Connects to Tor | No |
Server Selection Helper | Yes |
Advanced Settings | No |
Product Category | Encryption |