HMA VPN Review | PCMag

HMA VPN (formerly Hide My Ass) boasts one of the best user experiences we've seen among VPNs, as well as an enormous collection of server locations, and unique tools, such as an IP address shuffler. Unfortunately, HMA still isn't transparent about its servers' locations, and the app lacks the privacy features we've come to expect from the best VPNs. Among our Editors' Choice winners, NordVPN and ProtonVPN pack in more features, even if they can't compare with HMA VPN's server options.

How Much Does HMA VPN Cost?

When you activate a VPN, it creates an encrypted tunnel to protect your data as it passes from your computer to a server controlled by the VPN. This prevents anyone lurking on your local network from monitoring or intercepting your activity. A VPN also makes it harder for your activities to be tracked online by hiding your true IP address, and it prevents your Internet Service Provider (ISP) from gathering information about your online activities so it can sell anonymized user data to the highest bidder. Keep in mind, however, that there are many ways for you to be tracked online and a VPN can only protect against some of them.

Our Experts Have Tested 19 Products in the VPN Category This Year

Since 1982, PCMag has tested and rated thousands of products to help you make better buying decisions. (See how we test.)

If you're looking to try HMA VPN before you buy it, you can do so with its seven-day trial. That free trial does require you to create an account and hand over your credit card information. At the conclusion of your trial, expect to be billed. If you're in need of a great VPN, but have nothing in your wallet, you can always try a free VPN. Most of these services place limitations on your service unless you pay, however. TunnelBear VPN, for example, limits its free users to a certain allotment of data. ProtonVPN's free plan places no data limits on users, making it easily the best I've tested.

HMA does offer a monthly subscription option, but not in Australia, the UK, or the US. In those regions, pricing starts at $59.88 per year. That's significantly less than the $69.10 average annual cost I've tracked across the industry. But it's significantly higher up-front cost than the $10.05 average cost for a monthly subscription, which is what I use to compare VPNs. HMA also offers a three-year plan for $143.64.

Just about every VPN offers a monthly subscription, and we use that figure to compare product pricing in an apples-to-apples fashion. We also recommend against starting out with a long-term subscription, because there's no way to know how a VPN will work for you until you try it. An annual plan might end up saving money, but not if it's a dud and you need to find a new product. As such, we're disappointed that HMA no longer offers the option for a monthly subscription.

Many VPNs come in well below the average we've seen for monthly and annual cost. Editors' Choice winner Mullvad VPN costs a mere 5 euros ($5.65 USD, at the time of this writing) per month. Both Mullvad VPN and TunnelBear VPN run about $60 a year, and Kaspersky Secure Connection is one of the cheapest VPNs, at $29.99 per year. 

To buy an HMA subscription, you can use credit cards or PayPal. What you can't use are cryptocurrencies like Bitcoin, which are accepted by Private Internet Access, NordVPN, and many others. Editors' Choice winners Mullvad and IVPN accept cash sent to their respective HQs, for an anonymous option.

What You Get for Your Money

Most VPN services we've reviewed offer at least five licenses without restriction, and HMA follows suit. If you're willing to bump your subscription up to $95.88 per year, the number of simultaneous connections goes up to 10. That's sure to cover even a device-heavy household. Some companies are starting to do away with this restriction altogether. Avira Phantom VPN, Ghostery Midnight, IPVanish VPN, Editors' Choice winner Surfshark VPN, and Windscribe VPN place no limit on the number of devices you can use at a time. 

(Editors' Note: that IPVanish is owned by Ziff Davis, PCMag's parent company.)

Charging more than the average for a VPN is no great sin, provided the company can justify the expense. HMA, however, does not include many additional features. Many VPNs include a split tunneling feature, which lets you designate which apps use the VPN connection and which do not. It's great for low stakes activities that require a lot of bandwidth, such as streaming video or gaming. HMA VPN only offers this feature in its Android app.

HMA VPN also does not have any of the privacy tools included with other VPNs. Some services provide VPN access to the free Tor anonymization network. You don't need a VPN to access Tor, but it is an easy way to further obscure all your online activities. Still other competitors offer multi-hop connections, which route your traffic through a second VPN server for additional security. Notably, NordVPN and ProtonVPN are the only VPNs we've reviewed that provide split tunneling, multi-hop, and access to Tor via VPN.

Although it is owned by the same company that owns Avast and AVG antivirus, HMA isn't bundled with any of those products. Those brands have VPNs of their own, too. Avast Secure Line VPN is bundled with the Avast One security suite and AVG Secure VPN is bundled with AVG Ultimate. Kaspersky, Bitdefender, and Norton LifeLock are all antivirus companies that also offer standalone VPN products.

Remember that there's a lot VPNs can't protect against. We strongly recommend you enable multi-factor authentication wherever it's available, use a password manager to create unique and complex passwords for each site and service, and use standalone antivirus software.

What VPN Protocols Does HMA VPN Offer?

There are many ways to create a VPN connection. We have long preferred services that support OpenVPN, as it is open-source and can be picked over for any potential vulnerabilities by anyone with the interest to do so.

HMA supports different protocols on different platforms. The Windows and Android apps use OpenVPN, which is great. The iOS and macOS apps use IKEv2, which is another modern and secure protocol. 

The heir apparent to OpenVPN is WireGuard, another open-source VPN protocol. We've seen much wider adoption of WireGuard in 2021 as it rapidly becomes a mainstream option. HMA VPN currently does not support WireGuard, but that's not an issue—yet.

Servers and Server Locations

Having servers in many different countries gives you lots of options for spoofing your location. It also means you're more likely to find a server near you, wherever you happen to be. On its face, HMA VPN has the largest selection of server locations. The company boasts that it offers servers in 290 locations, across 190 countries. This far exceeds the next-highest contender, Express VPN, which has servers in 94 countries.

The list of available server locations offered by HMA is particularly noteworthy because it covers regions often ignored by other VPN companies. It has, for example, numerous server locations across the continent of Africa. Some VPNs might offer one or two server locations in Africa, while most ignore the continent completely. HMA also thoroughly covers South America, another often-ignored region, and is one of the very few companies to have Iran and Iraq as server locations. It even offers server locations in places with repressive internet policies, such as Turkey, Russia, and Vietnam. It also offers servers in Beijing, another rarity.

There's a big caveat to this coverage: While HMA VPN lists all these locations, they don't have physical servers in most of them. Instead, the company makes use of virtual locations, which are servers configured to appear somewhere other than where they are. Virtual locations aren't inherently bad and can allow companies to cover unsafe areas while storing servers in safer locations. Of the 190 countries listed by HMA VPN, only 79 countries actually host servers. That's still well above the 50-country average we've seen across the industry. Plus, virtual locations should work just as well for spoofing your location.

HMA VPN is transparent about its use of virtual locations. On its website, you can toggle its online server list between all available locations and only virtual locations. This clarifies which are virtual but makes it harder to tell which are physical. It also doesn't make clear where the servers for these virtual locations are actually located. That's a problem if you're looking to get a nearby server, since servers physically closer to you are likely to provide better performance. It's also a problem if you're very particular about where your web traffic is routed.

An HMA representative explained to me that the company does not own all its server infrastructure but has taken steps to secure all its servers. These steps include full-disk encryption to prevent datacenter employees from accessing information, keeping its certificate authority private keys on isolated infrastructure, and so forth. These are reasonable precautions. Other companies opt to own all their machines, and some like ExpressVPN and NordVPN have moved to RAM-only servers which are wiped as soon as they are disconnected to prevent tampering.

Your Privacy With HMA

When we review VPNs, we read the company's privacy policy and speak with representatives to better understand how your data is used and stored. In the case of HMA, the company should be commended on its clear privacy policy. A few years ago, the company made enormous changes to its practices, gathering far less data and improving privacy for customers.

The policy states, and company representatives confirm, that HMA does not log users' originating IP addresses, their DNS requests, any data transferred over HMA's network, or users' browsing history. That's exactly as it should be. The company does log the day of connection (but not the time), and a “rounded” amount of transferred data for 35 days. Additionally, the company also logs certain application actions, like connection attempts and uninstalls, and stores this data for two years. Again, the company says this information cannot be traced to individual users. We appreciate HMA VPN's transparency on these points, and that HMA VPN explains what it uses this data for. Still, we feel that it should strive to collect less information or retain it for far less time.

There is a caveat, however. The company says that its free proxy browser plug-in still logs IP addresses, domain names of sites visited, and a timestamp. The company's privacy policy says that this information is deleted every 30 days and is needed to prevent abuse of a free service. That's an uncomfortable amount of personally identifiable information. Were this the core VPN product, we would not recommend readers use it. HMA should either rethink its proxy plug-in, or discontinue its use if so much customer data is required.

The company confirmed to us that it only makes money through the sale of VPN subscriptions. That's great, since a company you trust with your privacy shouldn't be profiting by selling your data.

HMA is owned by Privax, which in turn is owned by the Avast Group, of Avast antivirus fame. Note that Avast SecureLine VPN, AVG Secure VPN, and HMA! VPN are all owned by the same company. While HMA VPN operates on its own infrastructure, Avast and AVG-branded VPNs share the same back end. In 2020, a PCMag investigation revealed that Avast has already monetized its users' data gathered through a browser plug-in associated with the Avast antivirus product. It does not appear that any VPN data was involved.

The actual location of a VPN company also matters, as it can inform what protections are afforded to customers. HMA has its company headquarters in London and operates under the legal jurisdiction of the United Kingdom. Notably, the UK does have mandatory data retention laws. That's not ideal. Many other VPN services operate in countries without mandatory data retention laws, or in ones that have favorable privacy protections for consumers. The company tells me that most of its infrastructure is located in the Czech Republic, the home of Avast's corporate headquarters. 

HMA's owner, Avast, does publish a transparency report that includes information on HMA. This document outlines how many requests the company has received for information from law enforcement and how the company responded. Unfortunately, it's not easy to find (we had to ask a PR contact), but we're very happy to see that it has finally been updated. Even better, the number of disclosures has dropped steadily since 2017, and the company didn't disclose any user information in 2021 after receiving 101 requests from law enforcement. Previously, the company said it disclosed “root IP addresses.” We have reached out to the company to see if this is still the case.

Many VPN companies have started publishing the results of third-party audits to establish their privacy bona fides. These audits aren't always useful, but a good audit is an excellent way for a company to make itself accountable to customers. In 2020, HMA announced that VerSprite had completed an audit of its no-logs policy. The entire report has not been publicly released, but a representative explained to me that VerSprite examined both HMA's apps and its backend, giving HMA a “low risk user privacy impact rating.” The audit seems comprehensive; however, we'd like to see more information released and a regular cadence for future audits. By contrast, TunnelBear has delivered annual public audits for years.

Avast, HMA's parent company, also publishes a warrant canary. This subtly allows the company to communicate if it has been subject to legal requirements that prevent the company from even acknowledging those requirements. The canary document mentions that the company has not been ordered to create any backdoors for accessing user content, which is great. More companies should include this language and update their warrant canaries in a similar manner.

Security is all about trust. If you don't feel like you can trust a company for whatever reason, you should seek out one you feel comfortable with. Fortunately, there are a great many to choose from, especially when it comes to VPNs.

Hands On With HMA

We had no trouble installing the Windows version on an Intel NUC Kit NUC8i7BEH (Bean Canyon) desktop running the latest version of Windows 10. Interestingly, you have the option to login with a username and password or with an activation code. Mullvad and ExpressVPN have both done away with logins entirely, and instead use anonymous codes to activate the client software.

The latest version of the HMA client looks very modern, built around a single, monochromatic blue window with Jack, the formerly eponymous donkey of HMA, in the center. Elements animate subtly and menus snap open nicely. Between the colorful interface and cartoon mascot, it shares a lot in common with TunnelBear, although we think TunnelBear has the edge in the friendliness and ease of use department.

A tutorial will walk you through your first session. Even if you ignore this, the big toggle switch that activates the VPN is hard to miss. By default, the app will connect you to what it thinks is the fastest VPN server. You can, however, run a speed test to confirm the choice. This is a surprisingly powerful little tool that pulls up nearby servers, runs tests on all of them, and then picks a winner. 

If you know the region you're looking for, you can simply click the button at the bottom of the main screen, and you'll be presented with a list of servers. You can search the list, or have it broken down by region. NordVPN, TunnelBear, and ProtonVPN are just a few of the products that lean heavily on a map interface, which is handy for when you need to find a server in a general area.

Unfortunately, the HMA app doesn't let you select specific servers. The finest level of granularity available is a city. We also noticed that P2P and streaming servers were clearly marked, but it's still not clear which servers are virtual, and which are not. HMA VPN provides this information on its website, but it should be in the app as well.

In the app you'll find a kill switch, which shuts down internet access should your VPN become disconnected. You can also opt to have HMA cut off internet access for only specific apps, instead of halting all the traffic from your machine. We were not able to induce the error necessary to test these features.

While HMA doesn't have the privacy tools competitors offer, it does have some unique features that are quite handy. On the main page, you can click a button next to your IP address to cycle to a new IP address. The app says that this might unblock sites that refuse access to VPN users, although we just like the privacy implications of being able to change IP address so easily. You can also configure the app to automatically cycle your IP address at set intervals, which is very nifty.

Having a VPN that doesn't change your visible IP address or leaks your DNS information isn't much use. In our testing, we confirmed that HMA changed our public IP address. Using the DNS Leak Test Tool, we confirmed that the service was not leaking my information. Note that we only tested one server. Other servers may be improperly configured.

We were able to stream some Netflix content, but only a limited selection was available while connected to a US server. That's not ideal. Note, however, that VPN blocking is a bit of a cat-and-mouse game. The service that works for watching Netflix with a VPN today might be blocked tomorrow.

Speed and Performance

Using a VPN makes your web traffic jump through more hoops than normal, or optimal. As a result, you're probably going to see a decrease in speed and an increase in latency. To get a sense of this impact, we compare the average results from Ookla's speed test tool to find the percent change with the VPN on and off. To learn more about our testing, and its limitations, see the quite literally named How We Test VPNs.

(Editors' Note: Ookla is owned by Ziff Davis, PCMag's parent company.)

HMA's download and upload results were middling. We found that HMA VPN reduced download SpeedTest results by 43.2% and upload results by 53.3%. Both are slightly worse than the median result across all the services we've tested this year. Its latency results, however, were startling. According to our tests, HMA VPN reduced latency over baseline by 0.2%.

This requires some context. Latency, sometimes called ping time, measures the time it takes to send a request to a server and receive a response. Using a VPN means that you add the additional step of routing traffic through the VPN server. If that server is far away, your latency will go up. In this case, we had to use different test servers for the baseline and VPN results. What likely happened is that the one of the servers was close to our actual location than the other, resulting in slight gains while the VPN was in use. Given the high population density of New York City, where all our testing occurs, it's likely that HMA has several servers in the area and the one we used is perhaps very close to our offices.

We ran these results past our colleagues at Ookla who agreed that it wasn't a significant result, and certainly doesn't suggest that HMA VPN could reliably or significantly improve latency. What would be fair to say is that it had extremely little impact on our testing, and likely reflects a hefty investment in servers by HMA VPN.

The ongoing COVID-19 pandemic has limited our access to the PCMag Labs, so we now test VPNs in batches and publish the results throughout the year. You can see how HMA VPN compares against all the VPNs we've tested so far this year in the chart below.

We strongly recommend against selecting a VPN based on speed. There's no guarantee that you'll have similar results. In fact, we're certain you won't. Consider, instead, the privacy protections and overall value of the product.

Excellent for Spoofing Your Location

While we will always mourn the retiring of the cheeky “Hide My Ass” branding, HMA carries on the best of that storied brand. Its user interface is one of the best in the business, making it easy to get online quickly. The app also offers numerous options for spoofing your location, and the company continues to make strides improving its transparency. 

We really like the unique tools HMA VPN includes with its app, but we're disappointed split tunneling and multi-hop connections aren't available. We also think HMA VPN needs to be more explicit about where its servers are located. None of our Editors' Choice winners can match HMA VPN's server presence, but many, such as NordVPN and ProtonVPN, offer more features; some, such TunnelBear, are even friendlier; and some, like Mullvad VPN, offer a better value.