
'Free' VPN Hola is LITERALLY flogging access to users' devices

Selling something to you, or selling you to something?

Broken nodes?

Vilenski defended Hola's business model against claims that its users had not given informed consent for their devices to be used as part of their commercial Luminati service. Vilenski explained to The Register: "Similar to how Skype spent millions to develop a P2P system for Voice which made voice calls free, Hola has (over a period of 4 years) spent millions of dollars to develop a P2P technology for HTTP that enables a free VPN network for consumers, and a good commercial VPN network for commercial use for which we get paid."

We asked F-Secure's Sullivan whether he was comfortable with Hola's business model. "Yes, in theory, the business model is acceptable," he said, "if users of the service are informed before they consent."

Sullivan thinks the problem lies at the end-user level, rather than with Hola.

"Unfortunately, many people looking to unblock restricted content for 'free' don’t really care about informed consent," he said. "So it’s difficult to tell if there is anybody really being exploited in this case. The buyer must beware just as much as the seller should be upfront."

Sullivan also disagreed with the suggestions that Hola's "idle mode" model enabled the service to conceal its commercial functions.

"I’ve spoken with somebody who tried Hola and she uninstalled the Chrome plug-in because of poor performance after only a few hours. People are very demanding of software, even “free” software. I don’t think the idle mode function has anything to do with concealment – it’s all about performance. People generally know that there isn’t really such a thing as a free lunch, so any irregular performance can cause suspicion and an uninstall."

8chan's Brennan, however, thinks that Hola should be responsible for acquiring explicit and affirmative informed consent from its users.

"In my opinion, the only way that they could handle this situation is to pop up a message in plain English to all their users that says something to the effect of: 'Hey there, just so you're aware, Hola is free because it lets others use your internet connection in exchange for you using the connections of others. You may receive abuse reports based on the actions of others. If you do not consent, uninstall Hola.'"

Peer-shaped security problems

Luminati says that its VPN connection "from your Super Proxy to any of millions of nodes 'in the wild' reduce[s] the risk of man-in-the-middle attacks, snooping, or control of end nodes (as may be the case in Tor)".

Sullivan suggests this is not the case, however, as "a peer-to-peer network requires trusting all of the peers. And with 9.7 million exit nodes, Hola users undoubtedly route some of their traffic through computers infected with malware."

"The business model doesn’t provide for security. 'Free' takes the 'private' out of Virtual Private Network. A VPN should be a relationship between a user and a provider, not a user and millions of others."

The security of particular VPN connections, even those that take place in a relationship between a user and provider, has come under some strain since the Logjam cryptography bug was disclosed earlier this month. ®
