Sponsored Post
You can't have privacy without transparency, which is why it's important to note that the following content is sponsored. However, we do reserve the right to not write content if we do not agree with a company's ethos or their product.
The winds of change are blowing through the VPN industry. There are no grey areas left for providers to hide. You are either a bad ass ‘no logs’ provider that users can trust, or you are condemned to the history books. There is no halfway house.
Well, as of May 2020, HMA (the artist formerly known as Hide My Ass!) is officially a bad ass ‘No Logs’ provider. That’s right, HMA does not keep any logs. That is, it does not keep any logs of importance. Let’s dig into that a little bit.
According to HMA’s updated policy, it no longer logs any of the following:
- Your originating IP address. In 2019, HMA began anonymizing the last octet of any IP address connected to its servers (for example, 92.113.234.243 would become 92.113.234.000).
- Any of your DNS queries. HMA uses self-hosted zero-log DNS servers so queries are also protected from exposure to third parties.
- When you were connected. This is a big one. While HMA still logs the day users connected, it doesn’t collect timestamps of connections.
- Exactly how much data is transferred. Again, this is an important change, as data transfer can potentially be used to build pictures of activity, this takes HMA one step closer to the holy grail.
- Activity. This is a bit of no-brainer but HMA clearly states in its policy that it logs no user activity, including sites you log into, services you try, apps you have running, streams you’re watching, etc.
What’s in a policy?
Central to the premise of consumer VPNs is that the user must trust them more than they trust their internet service provider. Using a VPN essentially pushes the issue of privacy further upstream. Rather than your ISP (and by proxy, the authorities) being your gateway to the internet, you bypass them and place your trust in your VPN provider.
Now, VPN providers are not above the law. They are compelled to comply if and when the authorities in their jurisdiction come knocking (or indeed the jurisdiction of the server in question, but that’s a conversation for another time). They can drag their feet, but ultimately they have little choice but to hand over all the logs they hold on users… unless they don’t have any logs to hand over, of course.
That’s why the vast majority or providers now splash ‘no logs’ across their sales pages. The concept is simple: if you don’t keep any records, you don’t have anything to hand over to authorities. The problem is that when you unpick these privacy policies, you realise that it’s all a bit more complicated than ‘logs’ vs ‘no logs’. The fact is, it is technically impossible to run a quality VPN network without at least some logging.
Ultimately, the question is whether these logs can be used to paint an accurate enough picture to identify users on the network. Exactly what is logged by a provider is usually buried on the 497th page of the Privacy Policy, written in some legal jargon that makes no sense to even the most sophisticated reader.
What is HMA's no logs policy?
HMA has a troubled past in terms of the logs in kept… but it was always quite explicit about what it did and did not log.
The new policy is written in plain English and is not only clear about what it doesn’t log, but also spells out exactly what it DOES log. So let’s take a look at that too:
- The dates you connect. HMA says this is done exclusively for troubleshooting and customer service. As mentioned above, it doesn't track specific timestamps, just the day and if it was morning (12 AM) or evening (12 PM).
- A general idea of how much data is transmitted. As we said before, specific data transfer amounts are not logged, but the new policy says it does keep general tabs on data transmission. This is floored to the first digit. So, if you transmit/receive 235MB, it records 300. If you transmit/receive 7,589 MBs, it records 7,000. The provider says it does this to plan for network capacity and to prioritise improvements to its network architecture.
And that’s about it. So, strip away all the mumbo jumbo – let’s say you asked HMA exactly what it knew about your activity. It could tell you nothing more than "an entity connected on the afternoon of June 24 and transmitted between 300-400MBs of data."
And it deletes all of that data in 35 days. To recap, that’s no logging originating IP addresses, no logging of DNS queries, no logging of timestamps of connections, and no logging of exactly how much data is transferred.
Nobody can erase the past, but they can learn from it and grow. HMA has had some issues in years gone by, but the distance between the company we once knew and the company we are seeing today is nothing short of astronomical. Its privacy policy is crystal clear on what it collects and why, and its product has always been hard to criticize. Its server infrastructure dwarfs many top tier providers and the newest version of the client includes some pretty decent features like IP Refresh.
The new logging policy brings it in line with the most trusted providers and these claims are currently being verified and scrutinized by a third-party auditor (we’ll attach the results to this article when we see them).
We’ll be re-reviewing HMA’s service from scratch in the coming weeks with an open mind and hope in our hearts. Watch this space.
If you want to learn more about the changes HMA have made to their service, check out their recent blog post.