HMA VPN Review | Daxdi

To improve your privacy, you need a virtual private network, or VPN, such as HMA (formerly Hide My Ass).

This VPN has an excellent user experience and has taken strides to improve its practices to better protect its customers.

Still, it has a high up-front cost, and comes without many of the tools more affordable competitors include.

What Is a VPN?

When you activate a VPN, it creates an encrypted tunnel to protect your data as it passes from your computer to a server controlled by the VPN.

From there, your data exits onto the open internet.

This prevents anyone lurking on your local network from monitoring or intercepting your activity.

A VPN also makes it harder for your activities to be tracked online by hiding your true IP address, and it prevents your Internet Service Provider (ISP) from gathering information about your online activities and selling anonymized user data to the highest bidder.

While a VPN is a powerful tool to improve your privacy, it doesn't protect against all ills.

I highly recommend that people activate two-factor authentication wherever it's available, use a password manager, and install antivirus software on their computers. 

Pricing and Features

If you're looking to try HMA VPN before you buy it, you can with its seven-day trial.

That free trial does require you to create an account and hand over your credit card information.

At the conclusion of your trial, expect to be billed.

If you're in need of a great VPN, but have nothing in your wallet, you can always try a free VPN.

Most of these services place limitations on your service unless you pay, however.

TunnelBear, for example, limits its free users to a certain allotment of data.

ProtonVPN's free plan places no data limits on users, making it easily the best I've tested.

HMA does offer a monthly subscription option, but not in Australia, the UK, or the US.

In those regions, pricing starts at $59.88 per year.

That's significantly less than the $72.72 average annual cost I've tracked across the industry.

But it's significantly more than the $10.18 average cost for a monthly subscription, which is what I use to compare VPNs.

HMA also offers a three-year plan for $143.64.

Why do I put so much emphasis on monthly subscription plans? It's partly because of their ubiquity.

Just about every VPN offers one, and I prefer apples-to-apples comparisons.

It's also because I recommend against starting out with a long-term subscription.

There's no way to know how a VPN will work for you until you try it.

An annual plan might end up saving money, but not if it's a dud and you need to find a new product. 

Many VPNs come in well below the industry averages for monthly and annual cost.

Editors' Choice winners Mullvad VPN and TunnelBear cost a mere €5 ($5.65 USD, at the time of this writing) and $9.99 per month, respectively.

Both Mullvad and TunnelBear run about $60 a year, and Kaspersky Secure Connection can be had for $29.99 per year. 

To buy an HMA subscription, you can use credit cards or PayPal.

These are convenient options.

What you can't use are cryptocurrencies like Bitcoin, which are accepted by many VPN services (Private Internet Access, NordVPN, and others).

Mullvad accepts cash sent to its HQ, and TorGuard lets you use prepaid gift cards from other companies to purchase subscriptions.

Most VPN services offer at least five licenses without restriction, and HMA follows suit.

That's good, but many companies have started to do better.

A solid chunk of services allow more than five devices using the service at a time, while a few have done away with the limitation entirely.

Avira Phantom VPN, Encrypt.me VPN, Ghostery Midnight, IPVanish VPN, Surfshark VPN, and Windscribe VPN place no limit on the number of devices.

(Note that IPVanish and Encrypt.me are owned by j2 Global, the parent company of Daxdi's publisher, Ziff Davis.)

Charging more than the average for a VPN is no great sin, provided the company can justify the expense.

HMA, however, does not include many additional privacy tools.

It does include a split tunneling feature, which lets you designate which apps or sites send their data through the VPN.

That's excellent.

The company does not provide access to the Tor anonymization network, however, nor does it offer multihop connections that route your traffic through two VPN servers for additional privacy.

ProtonVPN is the only service I have reviewed that offers all three.

VPN Protocols

There are many ways to create a VPN connection.

My preferred method uses the OpenVPN protocol, which is known for its speed and reliability.

It's also open-source, and therefore has been picked over for potential vulnerabilities by anyone with the interest to do so.

HMA supports different protocols on different platforms.

The Windows and Android apps use OpenVPN, which is great.

The iOS and macOS apps use IKEv2, which is another modern and secure protocol. 

The heir apparent to OpenVPN is WireGuard, another open-source VPN protocol.

What makes it attractive is the newer security technology it's built on, and the apparently excellent speeds it affords users.

I haven't thoroughly tested WireGuard, but the initial results have been promising. 

HMA currently does not support WireGuard, but that's not an issue—yet.

Other VPNs, such as Mullvad and NordVPN, have gone all in on this new technology.

Servers and Server Locations

Ideally, a VPN company will offer a server that's near wherever you are.

The theory has always been that the closer the server, the better the performance.

Having many server locations also gives you a lot of options for spoofing your location.

On its face, HMA is the winner for geographic diversity.

The company boasts that it offers servers in 290 locations, across 190 countries.

This far exceeds the next-highest contender, ExpressVPN, which has servers in 94 countries, followed by CyberGhost with servers in 90 countries.

The list of available server locations offered by HMA is particularly noteworthy because it covers regions often ignored by other VPN companies.

It has, for example, numerous server locations across the continent of Africa.

Some VPNs might offer one or two server locations in Africa, while most ignore the continent completely.

HMA also thoroughly covers South America, another often-ignored region, and is one of the very few companies to have Iran as a server location.

It even offers server locations in places with repressive internet policies, such as Vietnam and Russia.

There's a big caveat to this coverage: Most of it is not what it appears to be.

HMA makes heavy use of virtual servers.

These are software-defined servers, meaning that one hardware server can play host to several virtual ones.

Moreover, virtual servers can be configured to appear somewhere other than the true location of their hardware hosts.

There's nothing wrong with virtual servers per se.

Many VPN companies use them to cope with sudden demand on their networks.

A few have cleverly used virtual servers to provide access to dangerous regions by placing the host machine in a safer location.

As long as it's clear to users where their data is actually headed, I have little problem with virtual servers.

HMA tests my tolerance.

It has servers in 66 real locations across 36 countries, all of which serve the 130-odd other countries.

No other VPN service I have reviewed has so many virtual server locations.

HMA also doesn't do a great job communicating which servers are virtual, or where they are located.

The company needs to clarify these practices to users, both in the app and on the company's website.

An HMA representative explained to me that the company does not own all of its server infrastructure, but has taken steps to secure all of its servers.

These include full-disk encryption to prevent datacenter employees from accessing information, keeping its certificate authority private keys on isolated infrastructure, and so forth.

These are reasonable precautions.

Other companies opt to own all their machines, and some like ExpressVPN have moved to RAM-only servers which are wiped as soon as they are disconnected to prevent tampering. 

Your Privacy With HMA

When I review VPNs, I read the company's privacy policy and speak with representatives in order to better understand how your data is used and stored.

In the case of HMA, the company should be commended on its clear privacy policy.

The company has also made enormous changes to its practices, as it gathers far less data than the last time I reviewed it.

The policy states, and company representatives confirm, that HMA does not gather or log user IP addresses, DNS requests, or browsing data.

That's excellent, and more companies should strive to collect as little information as possible.

The company does still log the day of connection (but not the time), and a "rounded" amount of transferred data for 35 days.

While the company says that none of this information could be connected to a user, it should strive to collect less information or retain it for far less time.

These improvements come with a caveat.

The company says that its free proxy browser plugin still logs IP addresses, domain names of sites visited, and a timestamp.

The company's privacy policy says that this information is deleted every 30 days, and is needed to prevent abuse of a free service.

That's an uncomfortable amount of personally identifiable information.

HMA should either rethink its proxy plugin, or discontinue its use if so much customer data is required.

The company confirmed to me that it only makes money through the sale of VPN subscriptions.

That's great, since a company you trust with your privacy shouldn't be profiting by selling your data.

HMA is owned by Privax, which in turn is owned by the Avast Group, of Avast antivirus fame.

Note that Avast SecureLine VPN, AVG Secure VPN, and HMA! VPN are all owned by the same company.

While HMA VPN operates on its own infrastructure, Avast and AVG-branded VPNs share the same back end.

Earlier this year, a Daxdi investigation revealed that Avast has already monetized its users' data gathered through a browser plugin associated with the Avast antivirus product.

It does not appear that any VPN data was involved.

The actual location of a VPN company also matters, as it can inform what protections are afforded to customers.

HMA has its company headquarters in London, and operates under the legal jurisdiction of the United Kingdom.

Notably, the UK does have mandatory data retention laws.

That's not ideal.

Many other VPN services operate in countries without mandatory data retention laws, or in ones that have favorable privacy protections for consumers.

The company tells me that most of its infrastructure is located in the Czech Republic, the home of Avast's corporate headquarters.

HMA's owner Avast does publish a transparency report that includes information on HMA.

This document outlines how many requests the company has received for information from law enforcement and how the company responded.

Unfortunately, it's not easy to find (I had to ask my PR contact) and has not been updated since 2018.

The report does not paint a flattering picture of HMA in this time period, showing that it responded to 43 percent of requests in 2017, and includes a note that says the company also disclosed "root IP addresses" as part of the requests.

Given the changes that HMA has recently made to its service, it's unlikely that this kind of information would be released again, but it's impossible to say without an up-to-date report.

Many VPN companies have started publishing the results of third-party audits, in order to establish their privacy bona fides.

These audits aren't always useful, but a good audit is an excellent way for a company to make itself accountable to customers.

TunnelBear has committed to doing annual public audits and has stuck to that promise.

In August, HMA announced that VerSprite had completed an audit of its no-logs policy.

The entire report has not been publicly released, but a representative explained to me that VerSprite examined both HMA's apps and its backend, giving HMA a "low risk user privacy impact rating." The audit seems comprehensive, and I'd like to see HMA release more information in the future and expand the scope of its audits beyond the company's no-logs policy.

Avast, HMA's parent company, also publishes a warrant canary.

This subtly allows the company to communicate if it has been subject to legal requirements that prevent the company from even acknowledging those requirements.

The canary document mentions that the company has not been ordered to create any backdoors for accessing user content, which is great.

More companies should include this language, and update their warrant canaries in a similar manner.

Security is all about trust.

If you don't feel like you can trust a company for whatever reason, you should seek out one you feel comfortable with.

Fortunately, there are a great many to choose from, especially when it comes to VPNs.

Hands On With HMA

I had no trouble installing the Windows version on an Intel NUC Kit NUC8i7BEH (Bean Canyon) desktop running the latest version of Windows 10.

Interestingly, you have the option to log in with a username and password or with an activation code.

Mullvad and ExpressVPN have both done away with logins entirely, and instead use codes to activate the client software.

The latest version of the HMA client smartly delivers ease of use without skimping on some surprisingly useful tools.

The app is built around a single, monochromatic blue window with Jack, the formerly eponymous donkey of HMA, in the center.

Between the colorful interface and cartoon mascot, it shares a lot in common with TunnelBear, although I think TunnelBear has the edge in the friendliness and ease of use department.

Still, HMA isn't a trial.

A tutorial will walk you through your first session.

Even if you ignore this, the big toggle switch that activates the VPN is hard to miss.

By default, the app will connect you to what it thinks is the fastest VPN server.

You can, however, run a speed test to confirm the choice.

This is a surprisingly powerful little tool that pulls up nearby servers, runs tests on all of them, and then picks a winner. 

If you know the region you're looking for, you can simply click the button at the bottom of the main screen and you'll be presented with a list of servers.

You can search the list, or have it broken down by region.

I prefer map interfaces,...

