
Free VPNs and why you should be wary

We get it – signing up for a VPN and paying money for it seems a waste when there are free VPN services out there! But do you really know what you’re getting into with a free service?

The first question is: how is a free VPN sustained? There are obviously lots of ongoing costs in running a VPN service, the biggest being servers and bandwidth. Without a paid model, there has to be a way to monetize, unless someone is running VPNs at a huge operating loss out of goodwill.

“If you’re not paying for a product, you ARE the product.”

– Anonymous

The most common ways are serving advertising and selling customer data or aggregated statistics on customer use. However, Hola VPN, a free VPN provider, took it a step further by using its users’ bandwidth!

With over 7 million installs on the Chrome Webstore alone, it’s easy to trust such a provider. It’s free, and it works on almost all devices. You’re thinking: It must be pretty huge with a lot of servers all over the country then!

Nope. Hola uses user devices as endpoints. This means that no one is routed through servers owned by Hola; instead, users are routed through each other. There is evidence that this has been abused, with potentially serious security ramifications for its users.

A paid VPN service (example: BolehVPN) instead routes traffic only through its own servers and its own bandwidth, and uses proven techniques to ensure privacy. The responsibility lies with us, and because we monitor our servers’ overall bandwidth usage (not user activity), we are able to ensure a consistent quality of service across our servers. Trust in the VPN provider is still key, but Hola’s approach introduces outside factors as well, since other users can also abuse the system, as we shall see below.

What is an endpoint though?

Endpoints are nodes that talk to the websites or services that other Hola users access. Basically: YOU are the VPN server. This means that your bandwidth is being used, and your real IP is potentially exposed. And there’s no way to opt out for free; you can only do so if you purchase Hola Premium.

Hola also sells YOU to commercial users through their Luminati site; their endpoints are sold for uses such as brand monitoring and load tests, and in one case they were used for a DDoS attack on 8chan. This means that your real IP is the IP that will show up in a website’s or service’s logs if someone were to use Luminati for illegal activities. To their credit, Hola says they have a record of the real ID of Luminati users. But do you really want to risk the headache of explaining all this to your local authorities?

You can read more about Hola’s response here.

What’s the takeaway?

Things are seldom free. Keep this in mind when choosing between a free and a paid VPN service. Alternatively, if you don’t mind the slow loading speeds, Tor makes an excellent free privacy tool; however, remember that you are trusting an anonymous exit node/endpoint there as well. Read more about this here and here.



  1. krasnal says:

    While your point is reasonably put wrt Hola, there are still some free VPN services that do at least have a plausible business model without us necessarily being the product. I’m of course referring to those that have a paid-for service but offer a free service with a restricted bandwidth or limited daily quota. If Boleh were to offer such a genuine but technically restricted service – whether for commercial or altruistic reasons – you might well be a bit miffed to find it was being tarred with the same brush as “services” like Hola.

    Slightly off topic, but totally relevant to a paid-for service, it’s now 4 months since you announced the key-reissue programme and two months since you said that it would be happening “pretty soon and in a matter of weeks”. Why the delay?

    • Reuben says:

      Krasnal: you’re correct that those technically restricted VPNs make more business sense 😀 but I kinda think those are like trials.

      The key reissue program is dependent on our new portal, which honestly is running into some difficulties but nothing overly serious. The Ramadhan month also resulted in a drop in productivity unfortunately.

      Unlike other VPN providers, which do not entirely rely on PKI to deal with certificate validity and use more conventional methods of authentication, our system means that even if our portal is brought down for whatever reason, users will still be able to connect to the VPN servers without any central authentication system. This of course introduces some complexity and I apologize deeply for the delay. Hope to give you some good news soon!
