Update — April 2020

Welcome to our most notorious blog post.

Over the last 9 years, anyone that wanted to convince you that HMA was not a trustworthy VPN has linked to this post — ironically one in which the company was trying very much to be transparent and honest.

This single incident from 2011 arguably changed the shape of the entire VPN industry. It exposed a reality that most consumers were unaware of, and pushed many VPN providers to claim they ran their services with no log privacy policies — whether or not that was true. In fact, so many VPN services lied about it that at this stage honest VPN companies need auditing to prove that they truly live up to the claim.

At HMA, we have welcomed this change to the industry. Customers of VPN services should demand transparency from their VPN providers. And not just in their policies, but also about their beliefs and their standards.

So what are our policies? And what do we believe in?

As of April 2020, HMA is a fully No Log VPN provider

It's true. But we don't expect you to take our word for it. We are in the process of getting our infrastructure audited by an independent security company. When it's done, it will confirm the following:

When you are connected to HMA VPN, we don't know:

Your originating IP address .

. Any of the DNS queries you make . We rely on our own secure, zero-log DNS servers so your queries are also protected from exposure to 3rd parties.

. We rely on our own secure, zero-log DNS servers so your queries are also protected from exposure to 3rd parties. When you were connected .

. How much data you've transferred .

. What you did while connected.

What we do collect:

Your day of connection — but no exact timestamp

We floor all connection times to either 12 am or 12 pm. This helps us know things like how many daily active users are on our network, or troubleshoot for drops in service.

Floored amounts of data transmitted

We always floor that transmitted data to the first digit value: if you download 385 MBs of data, we only record 300. Upload 1,857 Mb, we only record 1,000. We collect this so we can plan for more capacity on our network.

Even then, these are tied to "entities", not you

Floored data sets — and the fact all of our users share IP addresses — already means we don't have enough data to identify anyone on our networks.

But we decided to take it even further.

The floored data sets we do collect aren't attributed to you, but to an internal, free-floating entity we've created in our network. It represents you by proxy but is never tied to your actual accounts, usernames, etc.

This allows us to do proper maintenance, planning, and development without risk to your privacy.

Summary

Here's what all that gobbledegook really means — what we really see:

We know that an entity connected on the morning of April 23, and transmitted more than 400 MBs of data. We know this for 35 days and then delete it.

That's pretty much it. Any actual personally identifiable information, like names, emails, etc aren't used or stored on our VPN servers.

So why go through all the hassle?

What do we believe in?

HMA has come a long way since the Lulzsec incident.

Nine years is an eternity in the world of tech startups — and HMA is no longer a startup. We've gone through two acquisitions and had nearly complete staff turnovers several times over.

Companies — just like the people who make them — change.

Given all the revelations on the abuse of trust and invasion of our privacy by our governments, the positions espoused in the past by our company — expressed and recorded below — were ultimately short-sighted, and do not represent our beliefs today.

While we still do not condone criminal activity, the choice should not be to undermine the privacy of all to police a few.

We aren't going to hide from our past, but we won't be tied by it.

Privacy is a right — and required for freedom

It may sound cliché, but we really do believe that privacy is the bedrock on which so many of our other freedoms are built:

Free speech: You need the privacy to explore new political ideas before you share them with the rest of the world. Without speakeasies, there would be no American revolution.

Creativity: Artists need privacy to explore their inner worlds, delve deep, and come back with riches to share. Without space, your outer critics become your inner critics.

Business: Innovations aren't built in public. If your competition can see your work in real-time, what would be the point of launching something new?

A lot of this thinking we carry over from our past. HMA was at the forefront of helping in the Arab Spring and other social movements for freedom around the world. We will be so again.

Providing privacy means providing transparency

If you're going to trust someone with your privacy, they should trust you back — and that starts with being open about who they are, what they think, and how they operate.

While you may not always agree with us, we will always be clear where we stand.

Just as we were honest and transparent then, we will be honest and transparent now — and strive to be even more so.

It's part of who we are.

About the past

With that in mind, we will always keep this post alive. We want everyone to see who we were, who we've become, and who we are becoming.

Mistakes teach you. They don’t define who you are.

----------------------------------------------------------------------------

Original post from 2011