Our review of Hola VPN found that it is a free P2P (Peer-to-Peer) Internet privacy service that has hidden dangers that many of its less technical users may not be aware of. Hola is an Isreali based company started by Ofer Vilenski and Derry Shribman in 2012. They have apps for VPN, ad blocking, video acceleration, and GPS location. Although Hola calls its service a VPN, it actually functions like a sometimes encrypted proxy. This means that it primarily operates as an extension through your browser. Hola VPN masks your IP address and replaces it with another in the country of your choice.
Theoretically, this makes you more secure and anonymous while surfing the Internet. Additionally, it allows you to bypass censorship and overcome geo-blocking; thus allowing you to enjoy a more open Internet experience from anyhere in the world. This sounds like a good deal but is it? Read our full review and learn all of the details so you can decide for yourself.
Hola VPN Pricing
Hola VPN originally started out as a “value exchange” P2P network. This allowed you to use their network for free, in exchange for allowing other users on the network to use your computer when it is idle. A device is considered idle when:
- Computer is not being used (no mouse or keyboard activity detected).
- It is connected to an electrical source and not on battery power.
- Device is connected to the local network or Wi-Fi (not on cellular).
Hola is free for private (non-commercial) use on PCs and Macs, and requires a subscription on iOS and Android. They also have a Hola Premium service which allows you to use the Hola VPN network without having to be a part of it. You must be signed in to the Hola website for your premium membership to take effect. If you want to use it on multiple browsers, each browser must be logged into their site.
The VPN service is sold in monthly and tearly terms. A month will cost you $5 per month. Like many other VPN providers, Hola offers a discount for their longer term package. Consequently, you can get a year of Hola Premium for $45 which works out to $3.75 per month.
How Does Hola VPN Work
The Hola CDN (Content Delivery Network) architecture is built as an overlay on top of HTTP. It is a hybrid network whose nodes are composed of both peer devices from free VPN users and conventional VPN servers. They refer to this network as a “collaborative P2P Internet ” and their service as a “community powered (Peer-to-Peer) VPN”. What does this mean?
It means that they use HolaCDN to mask your IP and then to route your browser Internet traffic through an idle device of another free VPN user on their network. In exchange for this free service, you agree to allow them to use your computer or device to route other peer traffic through when it is idle. Having access to a large group of individual user non-consecutive IP addresses allows you to be more anonymous. Additionally, it also makes the network harder to detect and block. However, this is only part of the Hola VPN network story.
As we previously noted, the Hola VPN service operates on a hybrid network which consists of both free peer nodes and conventional VPN servers. Both premium paid customers and free users can use this network but paid users do not function as network nodes for other users. In addition to this, paid commercial users of their sister service, Luminati can access multiple IPs on the Hola VPN network.
This means that free VPN users machines can be used by other free users, paid Hola subscribers, and commercial Luminati customers. In a “Utopian world”, this would be a great idea for a free VPN service. However, we live in the real world and their are hidden dangers for free users in this community P2P network. Now, let us examine some of these dangers and the Luminati service.
Dangers to Users of Hola VPN
Luminati Startup and Potential Botnets
First, let us review a little bit of the history of Hola VPN. It started in 2012 as a free P2P Internet proxy service. In 2014 they started their commercial Luminati service and briefly mentioned this in their FAQ. They came under fire in 2015 when its commercial service was used to perform a DDoS (Distributed Denial of Service) spam attack on the 8chan controversial message board.
This brought to light that Hola was selling access to free user machines as nodes for commercial users. Many of their users were upset about this as most did not know that Hola had started the Luminati service. They felt that Hola had hid this from them by not explaining it prominently on their website.
Furthermore, many felt it essentially turned them into exit nodes for a potential botnet. The above comparison shows that if not managed well, the Hola/Luminati network could become a botnet source. The fact that at least one user had used it for that to attack 8chan reinforced this. Consequently, Hola updated the company FAQ to clearly show how their service operates with its sister service Luminati.
Internal Security Vulnerabilities in Hola VPN
Additionally around the same time, some well known “white-hat ” hackers issued an advisory for the Hola VPN service highlighting several security flaws that could be exploited by malicious users.
These flaws included the following:
- Local file read – allows a hacker to read arbitrary files on the host.
- Information disclosure – that could allow an attacker to persistently track you across the Internet thus negating your privacy..
- Three remote code execution vulnerabilities – which could allow an unsavory user to download and run executable code to install malicious software to your computer or mobile device.
- Privilege escalation – could allow a peer to and possibly give then complete control of your PC.
As a result of these criticisms of their VPN service, Hola founder, Ofer Vilenski penned an open letter to all Hola VPN users admitting that they had made mistakes. He also addressed these concerns and what they had fixed. The letter also outlined changes they were implementing going forward to increase Hola VPN security in the future. The specific concerns that he addressed were:
- Hola is about sharing resources – among other users on the VPN network.
- Does Hola make you part of a botnet? – While this is possible, they vet Luminati users and have a records verifying their real identity. Additionally, they will report bad actors to appropriate legal authorities. They feel this makes their service unattractive to criminal elements.
- Vulnerability of the Hola client – has been fixed so bad actors can no longer run remote code on devices using Hola services.
Furthermore, the letter also outlined changes they were implementing going forward to increase Hola VPN security in the future. Specifically, he stated that they were developing technical monitoring solutions to minimize the risk of abuse of their Hola/Luminati service and upgrading their security team with a Chief Security Officer. Not everyone (cybersecurity firm Vectra, Adios-Hola) agreed with his assessment of the Hola/Luminati service at the time.
Since this time, Hola has said they have trimmed and locked down their built-in console which is an integral part in the process of forwarding peer traffic when the device is idle. They have addressed some of the concerns of Adios-Hola by instituting better vetting and information gathering for commercial Luminati users. We will discuss this when we examine your privacy and anonymity while using the Hola VPN service.
Dangers of Exit Nodes
One thing that Hola downplays is the fact that free users on their network are using their home machines as exit nodes which can be problematic. This is born out by observing that some operators of Tor exit nodes have been raided by legal authorities for various cybercrimes. This is because many authorities believe that the traffic that exits from them can be traced back to its origin IP address and the perpetrator.
Because of this the EFF (Electronic Frontier Foundation) does not recommend that Tor exit nodes be operated at home. Furthermore the Tor project recommends the following tips for those who manage exit nodes:
- Inform your potential ISP(s).
- Get a separate IP for the node. Do not route your own traffic via this IP.
- Get recognizable Reverse DNS for this IP.
- Set up a Tor Exit Notice.
- Get an ARIN registration (if possible).
- Consider using a Reduced Exit Policy.
- Rate limit and optionally QoS your node.
- Consider creating an LLC to run your node.
Free Hola VPN users could face similar charges as any illegal activity that exits their computer will be traced back to their IP address and ultimately them. Additionally, Hola VPN caches information on your machine to improve their network performance. This means if legal authorities confiscate your computer they could find incriminating evidence on it because of this cache.
Although Hola says they can direct authorities to the real culprit, you could face legal issues in the meantime from overzealous prosecutors. For instance, imagine that someone uses your IP to issue some kind of threat. In this case, authorities are not usually in a talking mood when they knock down your door, arrest you, confiscate your electronic devices and ransack your house.
Hola VPN Security, Privacy and Anonymity
Hola VPN (Proxy) Security
Very little is known about the security provided by the Hola VPN service other than to say that it can be encrypted. Although we would assume that such encryption is certificate driven using TSL. The code underlying their network is proprietary so this cannot be verified. They only say that depending on the proxy rule you choose, Hola will encrypt some of your traffic. Therefore we think it is hard to depend on your traffic being encrypted.
Hola VPN Privacy and Anonymity
Your online privacy and anonymity is enhanced by changing IP addresses when accessing different websites along with your browsers incognito mode. This makes it so others can neither get information from your browser or track requests from your IP back to you. However, we feel that this is offset by all of the information the Hola service collects on their users.
Hola VPN collects both anonymous information and PII (Personally Identifiable Information). It seems that their answer to the fact that all of its free users operate exit nodes is to collect as much information as possible about every connection made from their users. This ensures that they are able to identify users who abuse their system and report them to the proper authorities. We feel that this is exactly opposite of how a privacy service should operate. Additionally, it protects their users only after the fact and as we stated this could cause legal entanglements.
Excerpt of anonymous data that they collect according to the Hola Privacy Policy:
Anonymous Information. We collect Anonymous Information about your use of the Services for three reasons: first, to allow us to provide the Services and constantly improve them; second, for security reasons; and third, so that we can audit and track usage statistically, audit our affiliates, and calculate payments to 3rd parties. Such Anonymous Information does not enable identification of individual persons; it includes your approximate geo-location, hardware specifications, browser type and version, the date of the Software installation, the date of your last use of the Services, your operating system type, version and language, registry entries, your URL requests, and respective time stamps. We do not make any efforts to reveal your identity through this information. We may also collect information that will help us understand whether your device is used at a given moment so that we will not send it any requests.
Even though this is “supposedly anonymous” data, you should remember that it has been proven that if someone has enough anonymous data points on you, it can be used with other data to identify you. What is more this massive data collection is continued by the personal information that they also amass.
Excerpt of the PII data that they collect according to their Privacy Policy:
Personal Information. Personal information is information that may be of a private or sensitive nature, and which identifies or may identify you. The Personal Information we collect and retain include your IP address, your name and email address in the case that you provide us with this information (for instance when you open an account or if you approach us through the “contact us” option), screen name, payment and billing information (if you purchase premium services) or other information we may ask from time to time as will be required for the Services provisioning. When you create an account on the Services you are able to do so by using your credentials with a designated third party website or service (“Third Party Account”) such as Facebook®. Doing so will enable you to link your account and your Third Party Account. If you choose this option, a Third Party Account pop-up box will appear that you will need to approve in order to proceed, and which will describe the types of information that we will obtain. This information includes your Personal Information stored on your Third Party Account, such as user-name, email address, profile picture, birthday, gender and preferences. Any Anonymous Information that is specifically connected or linked to any Personal Information, is treated by us as Personal Information, as long as such connection or linkage exists.
Notice that they will let you use Facebook to sign up for the Hola VPN service. It has recently come to the public’s attention that this is how apps scrape information from Facebook accounts as their Privacy Policy shows in the list of items they will collect if you use such a third party account. Notice also that anonymous information that can be matched or linked to is treated as PII. This moves some anonymous data into the PII column.
Techniques That Hola VPN Uses to Collect Information
Hola uses various technologies to collect and store what we see as any information they can collect on their users. These methods include the following:
- Cookies – to allow Hola and its partners to ” customize the content, experience, and advertisements provided to you on websites across the Internet.”
- Pixel tags – when used with cookies allow them to track your website activity.
- Web beacons – lets them see who is reading a web page or email, when they are reading, and from which computer.
- Log data – is aggregated data that includes your IP address, browser type, webpages you visit, time spent on those pages, access times and dates, and the unique identifier generated for your device. If you are using a mobile phone, this identifier may be your mobile number.
In addition to collecting all of this data, Hola VPN also shares anonymous information with third parties for additional purposes, including marketing, research, and analytics purposes. This basically allows them to share it with whoever they want for research purposes. This is the ideal behind the recent Facebook privacy issue. They also share your email address with other partners and their opt out policy is not concrete.
Finally the following privacy policy shows that they handle abuses of their system retroactively after the event occurs. As we previously stated, this could potentially leave you vulnerable to legal repercussions as their policy seems to primarily protect themselves and their partners.
Excerpt of how Hola shares PII from their Privacy Policy
We may also share your Personal Information and other information in special cases if we have good reason to believe that it is necessary to: (1) comply with law, regulation, subpoena or court order; (2) detect, prevent or otherwise address fraud, security, violation of our policies or technical issues; (3) enforce the provisions of this Privacy Policy or any other agreements between you and us, including investigation of potential violations thereof; (4) protect against harm to the rights, property or safety of us, its partners, its affiliates, users, or the public.
In summary, the totality of the information that they collect and how it is collected can leave your privacy suspect in our opinion. It also has the potential to totally destroy your anonymity. They state that some of your data may be encrypted depending on your browser settings. We feel that the service is primarily built to unblock media services as its encryption is suspect given the proprietary nature.
Hola VPN Support
Hola VPN support is primarily by means of their FAQ on their website. You can also contact them through email but answers could take a while. Finally, they have a social media presence where you can find some answers.
Hola VPN and Ad Blocking Services: Hands On
Hola doesn’t offer the same system-level network support as other VPNs. Instead of installing a client which redirects all traffic through n encrypted tunnel, you must either install Hola’s own Chromium-based browser, or use its Chrome or Firefox browser extensions. This means Hola VPN is really acts as a proxy service. Hola also has extensions for ad blocking and video acceleration. All three of these apps are included in their Windows browser which can be downloaded from their website.
They also have a GPS relocation app for Android.
Hola Chromium Based Browser for Windows
Hola VPN in Action
After you set up the Hola Chromium-based browser to your PC, it will reside in the Windows system tray. Clicking on it will maximize it to your desktop. Clicking on the Hola VPN flame icon in the top right of the browser will show the most popular websites in the US. The encircled down arrow will open the Hola VPN website with a list of the most popular sites. Scrolling and selecting a website will open it in the most appropriate country to access it.
If a website has more than one location, the most popular one will be used as shown in the case of Netflix below which defaults to the US library of content. Notice the Hola VPN icon has been replaced by the country flag of the unlocked media location.
Selecting this flag will let us change the location of our Netflix library of content. Notice that clicking on the flag opens a list of countries. Not all countries in this list have a Netflix library. If you select one of these countries, the location change will fail which can be annoying because you may think the app failed. This means that most times you should just accept the country the app chooses to unblock the website.
However, if you know another country that has Netflix content, you can change to that country. For example, selecting the US flag icon and scrolling through the list of countries to Japan results in the following. This allows us to change from the US-Netflix to Japan-Netflix.
Alternately, we could have used the search field to make the change.
You can also choose other websites to unblock either by typing in the name of the site in the search such as raiplay, the Italian media site. Alternately, you can reopen the browser and choose the site from the popular websites page.
Hola Ad Blocker in Action
Right clicking on the shield icon beside the Hola VPN icon to the right of the url box will open the options for the Hola ad blocker. It is divided into two tabs: general and whitelisted domains. The general tab has two optional toggles:
- Show “Block Element” right-click menu item
- Show “Hola ad blocker” panel in developer tools
The white-listed domains tab lets you add and remove domains for websites that you do not want to block ads from. Simply, type the domain name and then select the “Add domain” button.
To see the number of ads blocked on the current site along with the total of all ads blocked, click on the ads blocked icon. Also notice that the icon has a “1” on it indicating that one ad has been blocked on the current website.
Hola Video Accelerator in Action
The last app included in the Hola Custom browser is the video accelerator. Its usage has been simplified to just turning it on or off for the current website. It can speed video and help you avoid buffering if you are experiencing it. Else, you will not notice any perceptible changes.
You can see from our examination of the custom Hola Chromium-based browser that it is primarily meant to unblock geo-restricted content. It has three extensions added to it: Hola VPN, Hola Ad Blocker, and Hola Video Accelerator. All three of these are value-pay P2P free apps that request use of your computer for the free use of the apps and associated network. They are simple, easy to use apps. The VPN app is easier to use if your chosen site is among their most popular list.
Installing and Using the Hola VPN for Android
Search for the Hola VPN on your Android device. Tap on “Install” to open the Google Play Store to begin the installation process to your phone. Once there, tap “Install” and accept the access parameters that the app needs. After the app finishes its installation process, tap “Open” to run it.
When the app opens, it will offer you P2P access to their network and explain to you that it is a shared resource network. If you do not want to share your resources, you can select the Hola Premium option. If you agree to share your mobile phone when not in use, tap “I got it” and then “Continue”. You can tap on the menu icon (three horizontal dots) to choose the app options. The primary options of the app are the unblocker, popular list, and settings. Other options allow you to clear the history and share the app on social media.
The app defaults to US location and tapping on the US flag icon opens the popular sites list.
Tapping on one of these sites such as Netflix allows us to unblock it using the chosen country by tapping on “Open”. Alternatively, we can choose the flag icon and search for another Netflix library such as that in Japan and open it instead. Notice the US flag icon has been replaced by the Japanese one.
In addition to the toggles for the unblocker and the popular list, their are optional settings for general use, device web options, and apps. The general screen has options for interacting with the Hola website including getting help, updating the app, changing peer status, accessing the FAQ, and others. The Web screen displays settings for interacting with the Web from your mobile device, as well as, some advanced website settings. The last screen just has the apps toggles for the unblocker and suggestions.
In addition to unblocking websites on your mobile phone, Hola VPN also allows you to choose apps that you want to run through the VPN service. After tapping on the app you want to tunnel, select “Open”. The app prompts you to set up the VPN service on your Android device. Tapping on the “Also change my GPS location” will open the store to install the app if you have not yet done so.
Installing Hola GPS Relocation App for Android
Once on the Google Play Sore, tap install to add the app to your Android phone and accept the required accesses. Once this finishes, tap “Open” to run the app. Choose to login to the free or subscription version of the app and tap “Go”.
If this is the first time that you have used the app, tap “Settings”. The software will warn that you are about to change developer options which could have erratic results. Tap “OK” to close this warning. Choose the option to “Select mock location app” and then tap “Hola Fake GPS”. The GPS relocation app is now ready to use.
Move the Hola GPS location icon to the region you want to spoof and tap “Go”. This will change your apparent GPS location. Tapping on “Stop” will allow you to choose another GPS location to spoof. You can zoom and scroll the map to make this selection easier. Once you have your new location, tap “Go” to lock it down.
The Android Hola VPN app is as easy to install and use as its Windows counterpart. A tap or two will allow you to change your browser country of origin. This lets you unblock the website that you choose. You can also run the apps you choose though the VPN service. Hola will also let you spoof your GPS location. Remember these are free P2P sharing resource apps.
Conclusions
Hola VPN is a proxy based service that is operated by the Israeli-based company Hola. It is one of a few “value exchange” services that they offer. These services include Hola VPN, Hola Ad Blocker, Hola Video Accellerator, and Hola GPS Locator for Android. All of these services have one thing in common. They are all free if you agree to share your computer or mobile device with the peer network when not being used.
Hola VPN is their community driven privacy service. It is ran as either an extension for the Google Chrome or Foxfire browsers. Else, Windows users can use the Hola custom Chromium-based browser to run it. The browser has the ad blocker and video accelerator extensions pre-installed.
Rather than being a full VPN service, Hola VPN is a proxy that wll help you unblock geo-restricted websites such as Rai Play, BBC iPlayer, Netflix and others. Very little is known about its encryption. Hola states that the service is sometimes encrypted depending on your settings but we found no settings we could change that would affect the encryption in the custom browser version running on Windows 10. Consequently, we found the encryption non existent at worst and suspect as best.
Additionally, free users should be aware that they are acting as exit nodes for the peer community network unless they sign up for the premium paid service. For those not familiar with the term “exit node”, it means that anything done by the user can be tracked to the machine used by them. This mean that if a peer uses your idle computer or mobile device for an illegal purpose, it will be tracked back to you.
This threat is potentially heightened in that Hola also markets its community-built P2P VPN network as a service using its sister service Luminati which has been used as a botnet to attack (DDoS) a website in the past. This could lead to legal issues for you as it has for exit node users on the Tor network. Hola’s way to combat this is to collect all the information on both their individual and commercial clients to identify and prosecute abusers of their network. We feel this is the antithesis to the idea of a privacy service and disconcerting at best. Also, the broad usage criteria stated in their Privacy Policy left us uneasy as to the privacy of the information collected.
Things we liked about the service:
- They offered a free proxy to unblock restricted websites for those who did not have the financial resources or access to a true VPN service because of their geo-political circumstances (VPNs banned in their country).
- They had an ad blocker and video accelerator.
- Hola offered a cheap alternative paid subscription for those who did not want to share their resources with the network.
Things we disliked about the service:
- Free users are used as unrestricted exit nodes.
- It had some internal vulnerabilities due to the design of its infrastructure.
- If not monitored closely, its Luminati service could be abused as a botnet.
- Due to these vulnerabilities, Hola collected and stored a massive amount of both anonymous and personal information on all of their users to guard against abuse of its system.
- Protection for their users is retro-active, meaning that they can prove you were not the culprit by using their stored information to identify the real cybercriminal after the fact. This could cause legal issues for some users as it has for Tor exit node operators.
Hola VPN is a community P2P based privacy network in which users share resources to create the network and share it freely. It is also monetized by making its nodes available for commercial clients to conduct brand research. We believe that it is primarily only useful and proxy unblocker for restricted Internet sites. Also, be aware that if you participate in the free service, you agree to become an exit node for the network with no control over what the peer does while using your device. Therefore we do not recommend the free Hola VPN service unless it is your only choice. We would highly recommend Private Internet Access as an alternative. PIA will protect your privacy and unblock geo-restrictions without the risks of using Hola.