Hotspot Shield Review

Hotspot Shield has a questionable logging policy. While the VPN doesn’t keep any logs of your browsing history or online activity, it does collect plenty of other information and its privacy policy is often vague or misleading.

According to its terms and conditions, Hotspot Shield Elite collects the following data:

• Your IP address – encrypted, only for the duration of your session, and not linked with your activity while using the VPN.
• Your approximate geographical location – derived from your IP address and used to connect you to the nearest VPN server.
• Connection timestamps – used to monitor, support, and optimize VPN services, and stored for three years.
• Bandwidth used per user, per session – used to monitor, support, and optimize VPN services, and stored for three years.
• Device-specific information, such as device identifiers, browser types, device types and settings, operating system versions, mobile, wireless, and other network information (such as internet service provider name, carrier name and signal strength), and application version numbers.
• Non-personal logs of websites (domain names, not specific URLs) visited via Hotspot Shield’s VPN servers – these are aggregated on a monthly basis.

If you use Hotspot Shield Free, the service can also share even more data with third-party advertisers:

• IMEI Number (your unique mobile ID)
• MAC address
• Unique advertising ID
• City-level location

If you’re looking for reassurance, the company states that:

…Even if a government agency physically seizes one of our VPN servers and succeeds in breaking disk encryption on those servers, they would not find any logs or information that would reveal what any individual user was browsing, viewing, or doing online via a VPN connection.”

While it’s encouraging that Hotspot Shield isn’t able to link any behavior to your specific account, this level of data collection is still far too invasive for any user concerned about privacy or anonymity.

Monitoring and sharing Data

If you’re using Hotspot Shield Elite, the company monitors “the nature of the requests that you make to our servers (such as what is being requested, information about the device and app used to make the request, timestamps, and referring URLs)” along with a whole host of other information.

If you use the free version, you’ll also be sharing personally identifying information with advertisers. As always, it’s best to stay away from ad-supported services when trying to stay private online.

Connection timestamps could potentially be used – alongside other data points – to prove that you have visited a certain website. This is unlikely to happen, but we would rather Hotspot Shield didn’t log this information for three years.

Where is Hotspot Shield based?

Until recently Hotspot Shield was owned by Pango, formerly known as AnchorFree. But as of July 2020 it has been acquired by a security company called Aura.

Aura is based in the US, which has very intrusive privacy laws. It’s also one of the founding members of the Five Eyes intelligence alliance. These countries work together to collect, share, and analyze mass surveillance data – this alone is a red flag.

Invasive jurisdictions like the US can compel supposedly privacy-focused companies like Aura to retain and share user information.

Hotspot Shield’s transparency reports

In January 2019, Hotspot Shield released its annual Transparency Report. The report shows the number of data requests Hotspot Shield received from authorities around the world since 2016 (227) – crucially, it also showed that Hotspot Shield didn’t hand over any data.

However, the company hasn’t released another transparency report to account for the time that has passed since then, so there’s no way of knowing whether it has given up user data to any third parties.

Aura / Pango’s Controversial History

Pango provided an all-in-one subscription service to a number of online security and privacy products including Hotspot Shield Elite, 1Password, Robo Shield, and Identity Guard. It costs $12.99 a month, or $95.88 a year.

The Pango group also owned a few different VPN apps including Betternet, Hexatech, and TouchVPN, which are not part of the main Pango subscription service. These services have since been brought within Aura.

A 2016 CSIRO report brought some of the company’s questionable activities to light. Hotspot Shield’s Android VPN app was highlighted for “injecting JavaScript codes for advertising and tracking purposes.”

Essentially, Hotspot Shield was using tracking codes to collect information about users in order to sell it to third-party advertisers.

The company was also exposed for redirecting user traffic through affiliate networks in order to profit from purchases made while using the VPN service.

In 2017, Hotspot Shield was also accused of “unfair and deceptive trade practices” by the Center for Democracy and Technology (CDT).

The investigation relied on evidence that included Hotspot Shield’s own marketing materials, which overstated the privacy and security of its VPN service.

Hotspot Shield didn’t consider the logging of IP addresses collection of personal information, which is misleading and untrue.

The CDT’s report mainly targeted the free version of the app, but it was still a sizable breach of trust.

Hotspot Shield’s website materials and privacy policy have since been revamped to clearly show users what the VPN does and doesn’t collect, along with how the free app is used in conjunction with advertising. There has also been a change in leadership since then.

It’s hard to fully trust a company that has put profit before user privacy in the past, but with new management and an updated logging policy Hotspot Shield will be private enough for the majority of users.

We have measured Hotspot Shield’s performance when connected to servers in countries around the globe.

If you’re looking to stream video content from another country, Hotspot Shield’s connection speeds will do the job easily.

The company claims this impressive performance is thanks to its proprietary connection protocol, Hydra VPN. This technology is supposedly designed to fix the latency issues associated with other encryption protocols like OpenVPN.

Unlike most VPNs, Hotspot Shield doesn’t automatically connect you to the nearest or fastest VPN server upon startup – it always picks a US server. For the best speeds, we recommend picking a server closer to your physical location.

Local speed tests measure the difference in connection speed before and after connecting to a VPN server near your physical location.

Connecting to a nearby server is the best way to get the fastest speeds, although you won’t benefit from all the unblocking capabilities of a VPN.

We began our testing with a download speed of 95.97Mbps. After connecting to Hotspot Shield’s UK server this number dropped to 86.64Mbps – a percentage speed loss of just 10%.

On other European servers the speed loss dropped by just 1%. This is incredibly impressive when compared to most VPN services – even the best VPNs experience a speed loss of around 5-10%.

Connections to nearby servers were stable and reliable over time – we were able to connect consistently and did not experience any dropped connections during our testing.

International server speeds

To test international speeds we repeated the same process while connected to servers in Germany, United States, Singapore, and Australia. This simulates accessing websites or streaming content outside of your home country.

We found that Hotspot Shield’s international speeds were almost as fast as its local performance. Speed loss is negligible, meaning that you can stream foreign content with ease.

We tested speeds when connected to four servers across the US and found our average download speed was 80Mbps. This is a percentage speed loss of just 17% – an impressive speed, especially for the distance from our physical location.

Here are the full US speed results:

• Dallas: 88Mbps (download) & 31Mbps (upload)
• LA: 84Mbps (download) & 27Mbps (upload)
• New York: 62Mbps (download) & 66Mbps (upload)
• Seattle: 92Mbps (download) & 27Mbps (upload)

Across the world in Singapore we measured download speeds of nearly 70Mbps. In Australia speeds reached 59Mbps, a drop of just 39% – one of the best speeds in Australia we’ve ever recorded. This performance is incredible given the physical distances involved; most other VPNs struggle to maintain even 50% of the original speed on this type of long-distance connection.

Here are the full international speed test results:

• Germany: 93Mbps (download) & 95Mbps (upload)
• USA: 79Mbps (download) & 43Mbps (upload)
• Singapore: 68Mbps (download) & 18Mbps (upload)
• Australia: 59Mbps (download) & 14Mbps (upload)

Switching between servers is also very fast. However, beware that the kill switch doesn’t protect traffic when you change servers.

It’s therefore best to close down all your browser tabs and apps before you do so to ensure the highest levels of privacy.

Hotspot Shield’s upload speeds aren’t quite as speedy as its downloads, but they are still more than good enough for torrenting if you connect to a nearby server.

Ping times are also a little high and the software isn’t manually configurable, so Hotspot Shield isn’t ideal for gaming.

How fast is Hotspot Shield compared to other VPNs?

To give the best comparison of VPN services we run an automatic custom VPN speed test tool.

It tests the ping, download and upload speed of each VPN four times per day, with speeds capped at 100Mbps (a number similar to what you might get on your home internet connection).

It shows the VPN’s average speed loss compared to the connection with no VPN running. You can see how Hotspot Shield fared versus other popular VPNs over the past two months. The data below is taken from a New York to New York connection.

Compare Hotspot Shield’s speeds across different world cities

Thanks to its proprietary VPN protocol Hotpsot Shield is one of the fastest VPNs we’ve seen. Over the last few months it has maintained an average download speed drop of under 10%.

This performance carries over to other VPNs that use Hotspot Shield’s proprietary infrastructure, including similar VPN services like Bitdefender and McAfee Safe Connect .

Hotspot Shield is a safe VPN using AES-128 encryption and leak protection to secure your internet traffic while it travels through the network.

We detected no IP, DNS, or WebRTC leaks when using the desktop and mobile applications, but the browser extensions weren’t as secure. They leaked both DNS requests and WebRTC information, which means your ISP would be able to view your browsing activity.

Hotspot Shield’s kill switch

The Windows, Android, and iOS apps come with a VPN kill switch that shields your IP address if your internet connection suddenly drops.

The kill switch is disabled by default, and isn’t currently available for macOS, which is disappointing for a VPN with such a large user-base.

It also doesn’t activate when you change servers, which temporarily exposes your true IP address. This flaw may only expose your personal information for a couple of seconds, but it’s still a privacy concern.

DNS leak proof but no WebRTC protections

Windows users will find DNS leak protection enabled by default. IPv6 and WebRTC leak protection aren’t built-in though, so privacy-conscious users should disable these settings in their browser.

Lack of extra features

If you expect advanced features like split tunneling, double-hop, or an ad-blocker, then Hotspot Shield isn’t for you.

That said, there is a ‘domain bypass’ feature that allows you to route certain websites outside the VPN tunnel.

Hotspot Shield’s past security flaws

It’s also worth noting that security researchers found a major security flaw in Hotspot Shield’s code in February 2018.

The flaw allowed hackers to see users’ true location via their WiFi network name. This was later addressed and fixed. Read Hotspot Shield’s clarification of the incident here.

The amount of third-party trackers in the Android app and the lack of transparency regarding its connection protocol are also points of concern.

Hydra VPN: Hotspot Shield’s unique connection protocol

Hotspot Shield doesn’t use standard VPN protocols like OpenVPN. Instead, it offers IKEv2 and its own proprietary protocol called Hydra VPN (previously known as Catapult Hydra).

There’s not a lot of information about Hydra VPN available online.

We do know that Hydra VPN is optimized to deliver lightning-fast speeds. This is due to its focus on the data transport aspect of VPN performance, which supposedly makes long-distance connection speeds 2.4x faster than connections using OpenVPN.

According to Hotspot Shield, Hydra VPN is based on TLS 1.2. It uses 128-bit AES encryption, 2048-bit RSA certificates for server authentication, and incorporates perfect forward secrecy.

For casual users, Hydra’s VPN encryption is more than secure enough to keep you safe.

We spoke to a Hotspot Shield representative to understand exactly how Hydra VPN works. We were told:

“[Hydra VPN] relies on OpenSSL library (same as used by OpenVPN). It’s an enhancement of a transport protocol: it works inside the already established VPN tunnels to increase the speed of reliable data transfer.

In particular, it is an improvement of TCP protocol: when packets are randomly lost during the long distance connections, Hydra VPN doesn’t confuse this loss with last-mile congestion and doesn’t decrease the throughput like old-style TCP.

These improvements are applied packets that are already encrypted within a secure tunnel. Hydra VPN can increase throughput of any type of VPN tunnel, including OpenVPN and IPSEC.”

One issue with proprietary technology like this is there’s no simple way to see exactly what is going on behind the scenes. Most closed-source protocols cannot be peer-reviewed by independent security experts.

We typically recommend OpenVPN as the most reliable and trustworthy VPN protocol. OpenVPN is fast, secure, and open-source, so anyone can inspect the code for bugs or improvements.

In the case of Hydra VPN, Hotspot Shield claims the code is evaluated by experts from some of the world’s largest security companies, including BitDefender and McAfee. These companies use Hotspot Shield’s Software Development Kit (SDK) to offer VPN services within their apps.

This means that although the code isn’t publicly available, its functionality and security has been evaluated. If you trust these companies you can extend that trust to Hotspot Shield, if you don’t trust them then it’s probably better to go with an alternative.

Though fast and secure, it’s surprising that Hotspot Shield doesn’t offer at least a few other popular VPN tunneling protocols for situations in which their own protocol simply isn’t the best option.

IP, DNS, & WebRTC leaks

We tested Hotspot Shield’s desktop client, mobile applications and browser extensions for data leaks. Security is about more than just the protocol in use – it has to be used properly, particularly when it comes to leaks that might reveal your identity.

We didn’t record any IP, DNS, or WebRTC leaks during our tests of the premium and free desktop and mobile applications. Our real IP address and location in the UK remained hidden, which means the VPN was protecting our identity.

The VPN doesn’t support IPv6 traffic, so if your ISP supplies you with an IPv6 address your personal data may leak. In order to prevent this you should disable IPv6 on whatever device you’re using. This isn’t ideal, but there are a handful of VPNs that support IPv6, including Perfect Privacy.

While the desktop and mobile apps didn’t leak any of our private information, both the Chrome extension and the Firefox add-on suffered from vulnerabilities. The Chrome extension leaked DNS requests and the Firefox add-on leaked WebRTC requests – even with the WebRTC leak blocking feature enabled.

This means that your ISP can still see the websites you visit when you’re connected to the Chrome extension, and your true IP address and location is exposed when you use the Firefox extension.

Many other VPNs have had WebRTC issues with Firefox recently due to the version 73.0 update, however there’s an easy fix for WebRTC leaks that you can take to protect yourself. The chrome DNS leak is harder to resolve, so we don’t recommend downloading it.

Trackers, malware, and permissions

It’s not enough to know how a VPN encrypts your data – it’s also important to know if it installs any unexpected extras on your device, including malware and trackers.

We used the εxodus tool to find out how many trackers and permissions Hotspot Shield’s Android app uses, and were pretty shocked by the results.

The app’s code contains seven trackers, which is more than the average for a top VPN. These trackers include:

• Adjust
• Bugsnag
• Google Ads
• Google CrashLytics
• Google Firebase Analytics
• Kochava
• MixPanel

Most of these trackers let Hotspot Shield know how users are interacting and engaging with the app. This helps produce marketing analytics profiles and also identifies how users respond to issues like crashes.

While this may aid app performance and usability it’s by no means ideal for privacy. After all, VPNs are able to function well without trackers – for example Astrill’s code contains zero.

The tool also found 13 device permissions. These grant the app access to view your network and WiFi connections, retrieve running apps, and prevent your phone from sleeping, amongst others. None of these are particularly concerning permissions.

We also put the Hotspot Shield .exe download file through two different virus and malware scanners to be sure it’s safe to use. Fortunately, we found that Hotspot Shield doesn’t contain any viruses.

We tested Hotspot Shield’s apps to check how the service works with popular streaming services like Netflix, BBC iPlayer, Disney+ and Hulu.

Hotspot Shield used to be a reliable VPN for US Netflix, but it no longer unblocks the American library, and most other Netflix regions. The only Netflix content it’s now able to access is India.

It’s the same for Hotspot Shield Free, which prevents you from accessing Netflix with a paywall prompting you to upgrade to the premium subscription.

Hotspot Shield works with Disney+ and BBC iPlayer

Hotspot Shield Elite is one of the best VPNs for unblocking Disney+.

And after several months of not working with BBC iPlayer, the VPN now beats the BBC’s VPN blocks. You can now watch all your favorite British TV shows hassle-free through the UK server.

We also tested Hotspot Shield Elite with Amazon Prime Video, Hulu and HBO Max, and we were able to unblock all of them.

Hotspot Shield openly endorses P2P activity unlike some of its competitors. For example, TunnelBear VPN keeps its torrenting policy a near-secret on the website despite permitting it on every server.

Fast upload speeds, a VPN kill switch (unavailable for Mac users), and effective DNS leak protection all make Hotspot Shield Elite a good VPN for torrenting. The VPN masks your IP address, hiding your P2P activity from your ISP.

You can also torrent on any supported device or platform, but unfortunately you can’t use Hotspot Shield with Kodi.

That doesn’t mean that you should rush to use Hotspot Shield for torrenting, though.

Hotspot Shield’s lack of transparency over its proprietary VPN protocol means we can’t guarantee it as the safest option for P2P. The company’s logging policy isn’t the most privacy-friendly, either.

While it’s likely that Hotspot Shield Elite is a safe choice for users looking for safe P2P activity, there are far more secure VPNs for torrenting with stronger privacy policies.

Hotspot Shield isn’t the most reliable VPN for use in China and other high censorship countries, especially when compared to other VPNs such as VPN.AC.

In our recent tests from our Shanghai server, the VPN has worked less than 15% of the time in the last 3 months. As such, we suggest using a more effective VPN for China, instead.

With servers all over the world and lightning fast speeds, Hotspot Shield is an attractive option for those in other high-censorship countries like Iran and Russia.

Remember that Hotspot Shield’s website is blocked and its apps de-listed from web stores in China. Make sure you download the appropriate software before you travel.

Hotspot Shield’s around-the-clock live chat support is by far the best way to get your queries addressed and problems solved.

However, you have to subscribe to a Hotspot Shield Elite account before you can benefit from live chat.

That makes asking simple questions before you purchase a subscription a little harder than you’d expect. There is email support, but it’s quite limited, and even then some queries are restricted to premium subscribers.

You should be able to find answers to basic questions in the knowledge base and FAQs section, which is fairly comprehensive and simple to navigate. Once you’re a paying customer, you can access live chat support directly from the Hotspot Shield app, or via your account on the Hotspot Shield website.

The applications also display popular questions within the interface so you don’t have to navigate to the Hotspot Shield website. You can get advice here quickly, and if that doesn’t help, a contact button will open your browser at the Live Chat page for personalized assistance.

Thankfully, responses are well-informed and timely.