Hotspot Shield VPN Full Review 2021: Narrowly Misses a Spot Among the Greats

by
Frederik Lipfert
Dr. Frederik Lipfert Founder, vpncheck
Updated on 22 Oct 2021
Frederik is a serial entrepreneur that jumped into entrepreneurship after earning his doctorate in physics. Founding and running an analytics company got him into the online privacy and security space he's now contributing to with vpncheck. Read full bio

Expert Contributions

Raeesa Essop
Raeesa Essop Network Engineer
Cassandra Mackin UI / UX Designer
Cassandra Mackin User Interface Designer
Jaosn Alexander
Jason Alexander Cybersecurity Researcher
Gillian Carrington Lawyer
Gillian Carrington Privacy & Data Protection Lawyer
Tamara Milacic
Tamara Milacic Pricing Expert
Brendan Filipovski
Brendan Filipovski Business Consultant
This review is based on the exclusive research, analyses, and tests our experts have conducted of NordVPN.

In conducting our review of Hotspot Shield, our findings tell us that this VPN service could have been among our top three best VPNs for 2021. It performs well in terms of speed and other metrics but not so much on keeping things to itself, which is what we pay VPNs to do. You know those scams where you are told you are earning money that will never be anything but numbers on a screen?

Well, when a VPN is tracking, logging, and selling customers’ information to third parties, the whole concept of a Virtual Private Network becomes an illusion, like the ‘earnings’ from those scams or like a ‘moo point.’

A ‘moo point?’ You ask bewildered (unless you watched Friends).

Yes. A moo point is like a cow’s opinion. It just doesn’t matter. It’s ‘moo.’ Hotspot Shield can ask you to trust them to keep you safe online, but that doesn’t mean you shouldespecially not when the people you are trying to hide from can see everything.

To be fair, Hotspot Shield has cleaned up its act since the complaints emerged and has actually done quite well, so much so that this review is necessary, to paint a complete picture.

Hotspot Shield is fast, reliable, and easy to use. It comes with three apps1Password, Identity Guard, and Robo Shield (the names of these apps may vary depending on geographical locations)provides round-the-clock customer support, and P2P support.

Hotspot Shield is also one of the few VPNs that work in China

In this review, we are going to examine every pertinent piece of information about Hotspot Shield’s performance and usability, so you can make an informed choice and find out if this is the one for you, as well as address the privacy and security concerns.

Hotspot Shield Features Summary

TLDR? Here are some facts to get you started on your VPN search:

  • Extensive network – The VPN boasts a large user base of 650 million users and with servers in more than 80 countries, speedy connections abound to help users unblock streaming services, download files safely, and even support torrent downloads.
  • Speed – Hotspot Shield is one of the fastest VPNs we have seen (delivering over 400Mbps over short distances and 60 Mbps on congested servers)
  • Streaming – You can use Hotspot Shield to unblock Netflix, iPlayer, Prime Video, and Disney+ streaming.
  • Security – There are three extra apps for a holistic security approach. The company is also tightening security and cleaning up its logging practices.
  • Kill Switch Capability – The automated kill switch doesn’t buckle and is certainly a welcome feature. Unfortunately, it’s only available on the Windows and Android applications.
  • Free Version – There’s a free version but it is highly monetized (targeted ads), throttled, and limited to 500MBs per day.
  • Onion over VPN (Tor) is supported, to allow extra layers of security for those who would like to keep their activities online hidden.

Next, we’ll delve into performance details, learn how to set up Hotspot Shield, and figure out if this is a good VPN for you.

Hotspot Shield: Free Version AND Free Trial?

Yes! Hotspot Shield provides a free version, with limited functionality and ads (of course), as well as a 7-day free trial of their premium VPN service. For the free trial, you can cancel your account at any time during the 7 days or get automatically signed up to a full-time premium subscription. During the free trial period, you will not be limited in any way and will be allowed access to all the features that premium users get.

There is no data cap on the 7-day trial you get, which allows you to run all sorts of tests before making a commitment. 

Hotspot Shield Performance: (Not) The Fastest of ALL VPNs?

Hotspot Shield claims to be the fastest VPN for streaming and gaming. But which platforms are we exactly talking about here and in what quality? We’ve reached out to one of our industry experts, Raeesa Essop, who has a strong background in digital signal processing to conduct detailed testing of Hotspot Shield’s overall performance.

Our Expert Review and Rating of Hotspot Shield’s Network Performance

Raeesa Essop
Raeesa Essop
Network Engineer

There were high expectations for this VPN as there were many claims around the Catapult Hydra protocol and what it could achieve. Personnel at Ookla’s Speedtest.net claimed that over short distances Hotspot Shield was more than 1.4x faster than the nearest competitor. For long distances that jumps to 2.2 times faster than the nearest competitor. They also made claims that the VPN itself could increase the download speed by up to 26%

Over the short distance test, the download speed did in fact increase. When using the South African server, the download speed increased from 44.67Mbps to 55.56Mbps. This is noteworthy, but none of the other servers exhibited this. The other servers showed the typical drop of over 50% in both download and upload speeds. Some outliers included Russia and India which showed only a 7.82 and 5.12MBps drop in download speed respectively. Some other European servers experienced less than a 25% decrease in download rates which is impressive when considering any VPN. The upload speeds were less than satisfactory for the 23 tested servers.

When testing the designated five servers over 5 different distances, the performances were better. The time of testing was earlier in the morning and the servers were at a minimum capacity of 30% and a max capacity of 41%. The upload speeds still exhibited a 60% drop but were more consistent across all of the servers. The latencies (considering distance) were acceptable for gaming over the short-distance tests. That is, they were less than 200ms. The latency never exceeded 500ms even for the instance of testing servers in different continents. This does put it above several other VPNs tested in terms of latency.

When testing the connection from the ISP to several different locations using the speed test, the VPN did fare better in comparison to just using the ISP. This indicated that using the VPN did in fact increase speed for most of the instances and was better than not using a VPN at all.

Regarding the poor upload rate, this VPN may not be suited for commercial use. However, a functionality that is suited to commercial use is the split tunneling feature. This feature worked well when tested using the browser as well as when using Wireshark.

DNS traffic was intercepted but the VPN did pass several DNS leak tests. The authentic IP was never disclosed and the fact that a VPN was being used was never detected. The streaming quality was acceptable for the casual user and the unblocking of several geo-restricted streaming platforms was easily done.

The VPN protects the user’s identity while performing better than the ISP alone for various functions. It allows the unblocking of any geo-restricted platforms and has the adequate functionality that is expected from a commercial VPN.

Based on my opinion as an Electronic and Automation Engineer, I rate Hotspot Shield VPN 7 /10.

    7
    7

    According to Raeesa, Hotspot Shield offers the lowest latencies, but loses out in terms of download and upload speeds when compared to Surfshark. Read more about the tests performed to understand how our expert reached her verdict by clicking here to navigate to the conclusion of our review. 

    Streaming

    It is worth noting that streaming services are not exactly on board with VPNs making content available to everyone like this. They have come down hard on many services over the years. However, Hotspot Shield stands out as one of the best VPNs for Netflix. Regional controls will not stand in your way when you have Hotspot Shield.

    Even so, Hotspot Shield performs as well as other top-tier VPNs when it comes to streaming and does not seem to have run into significant problems with streaming platforms. You can unblock major streaming platforms like Netflix, Hulu, Disney+, Amazon Prime Video, BBC iPlayer Twitch, HBO Max, Apple TV+, Showtime, Paramount+, Peacock, as well as new entries and lesser-known ones like Vudu, Crunchyroll, Discovery+, ESPN, ITV, AT&T TV, IPTV, Sling TV, Kodi, fuboTV, beIN Sports, Sky Go, Channel 4 UK, Zattoo, Crackle, Hotstar, Locast, M6 France on 6play, ORF, DStv Africa, CBC live, Spotify, Pandora radio and more.

    For most of these streaming platforms, you will be required to have a separate account for each one, to access the content posted there. Hotspot Shield only helps you unlock content that is geographically tied to specific locations.

    NOTE: Sometimes, you may be blocked from viewing content on one server, but then you can switch to another one. Hotspot Shield will recommend a location that works for streaming and even games. 

    A sample of how Hotspot Shield shows recommendations of the best VPN location for gaming and streaming videos

    You’d be pleased to know that if you use Kodi (the media player) for your TV or desktop, Hotspot Shield supports configuration for it.

    Torrents/torrenting

    You can use Hotspot Shield for torrenting since it supports the service with unlimited bandwidth (the upload and download speeds are excellent) and shared IP addresses. The service is recommended for use with uTorrent and BitTorrent.

    Hotspot Shield security will mask your IP address and keep P2P activities away from the prying eyes of your ISP. Compared to what other VPNs offer, Hotspot Shield stands out as a great VPN for torrents, with details included in the Help Center to aid your usage. 

    Compatibility and Servers

    Hotspot Shield is compatible with a lot of devices and platforms. As we mentioned, you can use it on Windows, macOS, Android, iOS, Fire Stick, Linux devices, and Android TVs. From what it says on their support article on Hotspot Shield’s supported devices, you can even use it on routers running FreshTomato, GL.iNet, Asuswrt, and DD-WRT.

    Hotspot Shield shows users can install VPN and connect to devicecs via Wi-Fi routers

    The site’s support page indicates that the developers of the VPN are working to make it compatible with more devices.

    When it comes to coverage, Hotspot Shield has a fleet of over 1800 servers in 80+ countries and over 35 major cities across the globe.

    We looked at the Hotspot Shield server locations available and found sufficient coverage, spanning the Americans, Europe, Asia Pacific, the Middle East, and Africa. The network is incredibly reliable, even when connected to servers far away from your actual physical location.

    Hotspot Shield VPN has 1800+ servers in 80+ countries including 35+ cities

    Since ISPs can tell when you are using a VPN to route traffic, it is always a comfort to know that a VPN provider has obfuscated servers, which keep the eyes of your ISP away from your activity. Hotspot Shield provides this by default, enhancing the level of security.

    On the Hotspot Shield network, users get access to the provider’s private DNS server, over a fully encrypted connection to avoid information logging when you’re online.

    Hotspot Shield does not provide a dedicated/static IP to users. They are, instead, connected to the most suitable IP address available at the time of making a connection. 

    Locations

    Hotspot Shield has servers in over 80 countries. ExpressVPN provides about 94 countries in comparison, meaning Hotspot Shield’s network is extensive enough. Sadly, there are no RAM-only servers in the network. Only hardware servers are used and only 90% of the server fleet is physically located where it appears to be on a map. 

    The Best VPN for Spoofing?

    The more servers a VPN has, the easier it is to spoof your location, and speeds become significantly improved if you connect to a nearby server.

    The variety provided by Hotspot Shield is commendable. It has servers in four African countries and across South America, locations that most VPN providers tend to ignore.

    Hotspot Shield Premium dashboard shows a map of the server location you can connect to in Middle East and Africa Hotspot Shield Premium dashboard shows a map of the server location you can connect to Americas

    In addition to that, Hotspot Shield has a presence in countries under repressive regimes like Turkey, Russia, China, and Vietnam. At 1,800+ servers in total, Hotspot Shield has a respectable network server density. In comparison to a heavy hitter like CyberGhost though, which has over 6,800 servers, Hotspot Shield is a rookie but it sure can punch above its weight comfortably.

    The VPN is not very clear on how much of its network of servers is composed of virtual servers that only appear to be somewhere even if they are not. It is important that people know what they are being offered and Hotspot Shield says that only 90% of the servers are physically located where they appear to be on a map. 

    Hotspot Shield Design and User Experience: Clean, Yet Intimidating

    We’ve been through how it performs and we’ve seen that there’s a lot that we can, potentially, do with Hotspot Shield. But, more importantly, will it even work properly on your device? Will you cringe every time you see a poorly-designed user interface, which we see all too often recently, or is it so pleasing that it will make you want to use Hotspot Shield out of pure joy? Let’s find out from the UI/UX expert!

    Our Expert Review and Rating of Hotspot Shield’s UI/UX Design

    Cassandra Mackin UI / UX Designer
    Cassandra Mackin
    User Interface Designer

    Hotspot Shield VPN has excellent quick-connect options but is a bit slower to connect than other VPNs. Likewise, it uses more jargon and unique verbiage than I’d like and doesn’t have accessibility options at all, except when using native notifications and permissions, which are controlled by the OS and not the app.

    Hotspot Shield Premium dashboard shows a map of the server location you're connected to, the network name, peak speeds, and data used

    The design itself is minimalistic and clean. There is a ton of white or black space (website and app, respectively), and their hover and button-press effects really make the app and website easy to navigate. 

    The color palette is a bit lacking, but that’s not necessarily a bad thing… Blue is just overused a bit on their site, especially on pages with lots of links.

    Settings and information are where you would expect them to be, with the exception of extra apps, which are located in the menu option that looks like an upload icon (see the image). 

    If you click the hamburger menu in the app, it expands the menu so you can see the words next to each icon. This is great for those who don’t know standard icons and for those of us who have never seen a Suite icon look quite like… that.

    Hotspot Shield VPN uses native notifications and they go away quickly, so they’re not obtrusive. They follow your native OS notification settings when it comes to appearing over full-screen apps, games, and movies. Likewise, it’s very easy to jump on VPN and they have automatic connect options.

    It has great support articles for when you’re feeling lost. They get major bonus points for having a great free VPN option.

    The biggest markdowns came from:
    (a) not adhering to accessibility standards in terms of font size options, color differentiation, etc., especially on their website,
    (b) not having P2P server options,
    (c) not having quick Check for Updates or Update Now options in the app menus,
    (d) using too much jargon, unique words, and uncommon icons, and
    (e) being a bit slow to connect.

    Based on my opinion as a User Experience and User Interface Designer, I rate Hotspot Shield VPN's user interface and user experience at a 7 / 10.

      7
      7

      But wait, there’s more! You can find our UI/UX expert’s research in the conclusion of our review. We promise it’ll be worth taking a minute, or several, to read.

      Device Compatibilities

      Hotspot Shield is compatible with most devices and provides dedicated apps for Android, iOS, Windows, macOS, some Linux distributions, and even Amazon Fire TV

      • Android and iOS

      Even though the Android version seems to be better than the iOS version, both apps need some upgrades. Android users of Hotspot Shield can enable a kill switch, which protects traffic. iOS users don’t have that or the automatic connection when they turn on their devices.

      Both versions are missing features. For instance, they both don’t support the IKEv2 protocol.

      It is not easy to connect to a server that is optimal for your location on both apps. It has been a while since they had any updates and we can’t say for sure when this will change.  

      To be fair though, both apps have what you need to connect to the internet safely so, at bare minimums, they do what they should. Note that you can run Hotspot Shield only on Android 5.0 and later, and iOS 12.0 and later.

      • Windows, Mac, and Linux

      On Windows and Mac, Hotspot Shield has a very clear and accessible dashboard. Navigation is simple, with options for just about everything you want a VPN to have. Clicking on ‘Connect to VPN’ will have you online and secure in 2-3 seconds (this is a faster connection than many of its peers).

      After you connect, you will see, to your left, the options. They include:

      • The home button
      • Speed test
      • Account
      • Aura’s apps (in premium)
      • An ‘About Us’ page
      • Support
      • Settings

      Hotspot Shield Premium dashboard shows a map of the server location you're connected to, the network name, peak speeds, and data used

      With these, you can navigate to anything you need.

      The interface itself is visually superb, displaying the server location, latency, IP address, transfer speed, load times, local network, and data usage. The information is not overwhelming and can be taken in with just one look.

      If you are a versatile user familiar with tech, you will find the more technical side of Hotspot Shield in the settings. Even new users won’t have trouble turning features on or off. In settings, you have options like automated connections when on public networks or exclusions for the traffic you don’t want.  

      To connect on Linux Ubuntu, Debian, CentOS, and Fedora, you will need to use a command-line procedure outlined in their guide on how to install Hotspot Shield VPN on Linux

      • TV

      The setup on this one is easy if you have an Android TV since you can get it from the Google Play Store. On an Amazon Fire Stick, which you will find in the Amazon store, download it and log in. After that, all you need to do is open it and connect it to the location of your choice. 

      A Features Review of Compatible Platforms

      Do your devices work with Hotspot Shield? Fortunately, we are going to tell you which kinds of devices are actually compatible with the VPN. This includes PC platforms, mobile platforms, TV platforms, routers, and browsers. 

      Platform Supported Version (or higher)
      Windows 3.11, NT 4.0, XP. All windows desktops and laptops running Windows 7 or later are supported.
      Mac All Mac desktops running Mac OS X 10.12 or later are supported. This includes MacBook Air, MacBook, and MacBook Pro. Also supported are the iMac, Mac Pro, and Mac mini.
      Linux All Linux devices, boxes, etc. are supported, including Debian 8.04, Ubuntu 16.04, Fedora 12.7
      iOS All devices running iOS 11 or later are supported. They include the iPhone, iPad, iPad Mini, and iPod Touch.
      Android All Android OS 5.0 tables and phones with VPN support can run the appropriate app versions of the VPN.
      Chrome Hotspot Shield VPN for Chrome is available for Chrome version 40 and later.
      Firefox Hotspot Shield VPN for Firefox is available for Chrome version 40 and later.
      Safari Not supported
      Microsoft Edge Hotspot Shield VPN for Microsoft Edge is available for Chrome version 40 and later.
      Routers FreshTomato, DD-WRT, Asuswrt, and GL.iNet

      Additional Notes About the Platforms

      • Some of the routers will need more than the Hotspot Shield app to run. Manual installation guides are provided to aid in the process.
      • The Kill Switch feature is available and can be turned on and off on Windows and Android. On iOS, however, there is only an ‘insecure connections’ notification when you are connected to an insecure network, so you can manually turn it off. There is no kill switch in the browser extensions for any platforms.
      • Split-tunneling is available through the SmartVPN feature on Windows and Android. It is not clear if the same feature is available on any of the other listed platforms and devices.
      • There is a ‘Connect’ button when you launch the app on any device for quick connectivity with one click or tap.

      Typically, Hotspot Shield is provided to users with additional software. Though the names of the services could differ depending on geographical location, they consist of an antivirus, a spam call blocker, and a password manager.

      How to Use a VPN With Browser Extensions

      The formula is the same for most VPNs. A Chrome extension is provided for Hotspot Shield, which can be used on other browsers built using Chromium. They include Vivaldi, Brave, Edge, Epic Privacy, Torch, Comodo Dragon, and more.

      A simple search for the Hotspot Shield extension will show you results for Chrome Web Store, where the extension is found.

      Usability

      The first time you open the app after installation, this is what you’ll see:

      Hotspot Shield Premium Connect ot VPN dashboard

      It is easy enough to connect to the VPN. You just click on the big button, which looks like this when connected:

      Hotspot Shield Premium dashboard shows a map of the server location you're connected to, the network name, peak speeds, and data used

      This is the home dashboard. It shows you information about the location of the server you’re connected to on a map, where it is on the map, your network name, the peak speeds, and data used while connected to the VPN. To disconnect from it, click on the blue button with a white square.

      On the left, you have icons to navigate to various settings and information:

      Hotspot Shield includes a speed test tool, access to your account details, information about Aura (the parent company of HSS), information about this VPN, access to support, and settings.

      Once in the settings, this is what you’ll see:

      Hotspot Shield Settings dashboard general options: Start on launch, Start minimized, Auto-connect, Notifications option, Connection quality feedback

      From here, you can change settings to whatever is convenient for you, check out advanced settings, and learn how to navigate with shortcuts, among other features. They are well-labeled and easy to use since turning them on or off simply takes one click.

      Security: It’s Complicated.

      Security is where Hotspot Shield seems to hit a snag, but we are going to make it simple to understand. The thing about cybersecurity is that there are many factors that influence how “secure” or how “safe” a VPN is—and this also depends on what you’re planning to do with your VPN! We know our stuff when it comes to VPNs, but nothing will be better than an overview from a real cybersecurity professional. So, we interviewed Jason Alexander, an industry expert, to get the whole picture when considering the security aspect of a virtual private network.

      Our Expert Review and Rating of Hotspot Shield’s Security

      Jaosn Alexander
      Jason Alexander
      Cybersecurity Researcher

      People that desire a high level of privacy or anonymity and people seeking to bypass surveillance or censorship may be better off with a different solution due to a few concerns:

      Aura – The current owner is a US based company
      This may be a privacy concern as the US government is a founding party of international systemic agency surveillance (Five eyes, 14 eyes etc). Keep in mind that in many cases international agency collaboration is the only way bad guys get caught.

      Hotspot Shield state they do not log VPN traffic; However, this is contentious
      Any US company that provides a VPN is arguably (‘most likely’ in my opinion) legally obliged to log all data usage just like ISPs. In addition, the history of data collection for Hotspot Shield has been murky. 

      The Chrome browser plugin has known privacy leaks.
      In our testing the browser plugin failed WebRTC Leak tests.
      Note: The current desktop client passed DNS leak and other leak tests without incident.

      Default Closed Source VPN algorithm
      Hotspot Shields’ VPN performs very well speed wise, and the code has been audited by multiple parties; however security is less certain as it is closed source.

      **IKEv2 (IPSec) has recently been added to Hotspot Shield and may be available under ‘Settings, Protocols (New)’ – however this section did not always show reliably in testing. (Support suggested to updating to a more recent build). 

      Hotspot Shields’ IKEv2 implementation presumably uses Open Source OpenVPN Code, however without auditing rights this cannot be confirmed. 

      There is a history of two serious vulnerabilities
      Two vulnerabilities is not a lot; for such a long time period. It is most likely there have been far more vulnerabilities that are not known or published as Hotspot Shield is reportedly based off Open VPN’s code (which has had a larger history of vulnerabilities). The team response to a 2020 incident was swift.

      In 2020 a vulnerability was found that can allow important system files to be overwritten and remote privilege execution (ie: Possibly admin access even if the VPN is run as a standard user). In 2018 a bug resulted in Hotspot Shield divulging sensitive information (machine, VPN connection & details and real IP Address).

       

      Conclusion

      If you need a VPN you can trust to keep you private and anonymous Hotspot Shields’ recent addition of allowing IPSec to be chosen is an improvement; however they are still hamstrung by US ownership, murky privacy, usage of Google for DNS, and closed source concerns. Also the history of vulnerabilities is wonderfully short – but both are very serious.

      I cannot recommend Hotspot Shield where security, anonymity or privacy is critical. In my opinion as a Cybersecurity Specialist, I rate Hotspot Shield VPN’s effective security for those that require anonymity or privacy at 4 / 10. This could be improved by a 3rd party logging and privacy audit, and making a stronger commitment around secure coding practices. Unfortunately even with these improvements, the limitation of operating within the ‘surveillance eyes’ means there will always be better options.

      For general purpose usage I rate it at 7/10. In short if you are mostly consuming media you don’t have much to worry about. If you take advantage of the extra features of the paid subscription such as the password manager, you may strongly bolster your overall effective security (many risks come from poor password management).

        7
        7

        Read more about Jason Alexander’s expert review and research at the bottom of this review!

        Hotspot Shield Privacy Issues

        To begin with, its logging policies have been questionable in the past and we were interested to see if any of that had changed. The reason why Hotspot Shield comes under fire on the privacy issues is because of a 2016 analysis of privacy and security risks of Android VPN apps, which shed some light on the company’s activities, some of which undermined privacy greatly. In 2017, a complaint of a similar nature to what was in the report was filed with the Federal Trade Commission (FTC) by the Center for Democracy and Technology.

        Privacy breach complaint filed against Hotspot Shield can be found on Center for Democracy & Technology or CDT's website

        In the beginning, this product was owned by a Swiss-based company called Anchor-Free. In 2019, however, Hotspot Shield became part of a new company called Pango, which was later bought by a US-based company called Aura.

        Most VPNs have their headquarters outside of countries belonging to the Five Eyes alliance, of which the US is a member, and use that as a selling point for their services. Since Aura is US-based, it stands to reason that users would be wary about the implied international intelligence collection the alliance is tasked with.

        To be fair, the Five Eyes alliance is only a threat if a company keeps logs, which is why Hotspot Shield came under fire for its logging policies, with accusations that it may have been collecting data that could identify users.

        What did Hotspot Shield do About the Privacy issues?

        Since the issues came to light, the company has been working hard to clean up its privacy policies and now claims that it doesn’t log IP addresses at all. However, it is worth noting that the company logs the real IP address when users are connected, which it then deletes at the end of each session.

        The VPN also logs:

        • Email address and username
        • Your unique Mobile ID number
        • Hardware model
        • The device OS
        • Language
        • “Network information”

        There’s something about the vagueness of words like “network information” that security experts do not like. In addition to that, we would not recommend the free version of Hotspot Shield, since it may share the following information with third-party advertisers:

        • Your city-level location
        • Wireless carrier
        • IMEI number (unique mobile ID)
        • Unique advertising ID
        •  MAC address

        On the free version, the kind of information collected is enough to identify you as an individual, making it all but useless as a VPN.

        So, what kind of Hotspot Shield security can premium users expect?

        Hotspot Shield Premium user settings show 3 protocol options: Automatic, Hydra, and iKEvs(IPSec)

        1.       The Catapult Hydra Protocol

        For a name as cool-sounding as that, you’d think you’re getting all the bang your buck can muster… and, you will be. However, some users prefer the inherent security that comes with open-source security solutions that are open to review, instead of proprietary protocols like Catapult Hydra.

        However, if you are looking to feel safe, the protocol is used by McAfee, Bitdefender, and other brands that are firmly in the business of privacy. To be honest, the Catapult Hydra Protocol brings some kick to the performance of this VPN. 

        2.       Encryption

        Hotspot Shield’s security is inspired by the SDP (software-defined perimeter) model, developed originally by the US Department of Defense. It supports both 128-Bit AES and 256-bit AES encryption. The VPN uses 128-bit AES encryption as the standard.

        On the website’s support pages, the VPN mentioned the fun fact that it would take nearly 14 billion years to crack 128-bit AES encryption with current computer capabilities. What they don’t mention is that this fun fact doesn’t matter if you just open the door to advertisers and governments. 

        3.       The Kill Switch

        This feature works on Android and Windows to stop your internet connection if the VPN loses connection. The feature is enabled by default when you install the VPN. You can switch it on and off in Settings> Advanced.

        4.       Auto-Protect

        Are you worried about connecting to public Wi-Fi and getting your stuff stolen? Well, Hotspot Shield has your back and will connect automatically when you connect to public networks.

        5.       IP Leak Prevention

        Hotspot Shield has a built-in DNS leak protection feature. It is enabled by default but can be turned on or off by the user.

        Hotspot Shield Premium user settings show 3 advanced options: Kill switch, Auto-protect, and Prevent IP leak

        While testing for leaks, we learned that the VPN does not guarantee leak protection for IPv6 or WebRTC. From what we could find out from existing users, sometimes, there are IPv6 leaks and sometimes it works just fine. To be on the safe side, if you are paranoid about that kind of thing, you can disable IPv6 and WebRTC.

        6.       Smart VPN

        This feature is a fairly new addition to Hotspot Shield. It is a split tunneling option that can help you bypass the VPN for some apps and websites that you do not want to be affected by the perceived locations you pick for your other activities.

         

        Did we come down too hard on Hotspot Shield for its security faults of the past?

        You have to be able to trust a VPN service and ,since this Hotspot Shield broke that trust, we have to be thorough. By all indications, it seems that a lot has changed for the better since the complaints were filed and the VPN changed ownership.

        Hotspot Shield Reliability: Can We Trust Hotspot Shield as a Company to Have our Back?

        A VPN, such as Hotspot Shield in this case, can be relatively secure for general purpose uses that include browsing, streaming, torrenting, gaming, etc. In other words, you may be protected from hackers trying to intercept your sensitive information. However, what about the VPN company themselves? Can we trust them with our data? And what data do they actually have on us? A Regulatory Lawyer, Gillian Carrington, gave us her professional opinion on what logs are kept by Hotspot Shield as a company, as well as a few pros and cons of their Privacy Policy.

        Our Expert Rating and Review of Hotspot Shield’s Data Privacy Policy

        Gillian Carrington Lawyer
        Gillian Carrington
        Privacy & Data Protection Lawyer

        This is a very good, but not perfect, Privacy Policy which mainly follows the international data protection standards pertaining to such policies.  

        The positive aspects of the privacy policy include (i) complying with the data minimization and purpose limitation principles, with minimal data retention (ii) communicating in a clear, intelligible, and transparent manner, (iii) providing a breakdown across the product portfolio about what is collected and when, (iv) effective access and numerous opt-outs for consumers, (v) stating upfront with that it uses ID verification (an area of growing concern to data privacy professionals on both sides of the Atlantic),  (vi) excellent transparency around ARCO ++ rights and data transfers, (vii) providing a workable “superset” of GDPR/CCPA and (viii) an easy and accessible structure.

        Areas that could be improved include (i) the cookies and other tracking technologies policy which is not designed to produce specific, informed and granular consent, (ii) little transparency around the identities of third party providers with whom the company shares data, (iii) an insufficient explanation of how legitimate interest works and how a user may object to it and (iv) a corporate structure which may confuse a lay reader.

        As a Regulatory Lawyer, I rate Hotspot Shield's privacy 8.5 / 10.

          8.5
          8.5

          Read more on what our Legal expert found when she analyzed Hotspot Shield’s Privacy Policy in the conclusion of this review. 

          This sounds good and all, but what about their customer support? Can you trust them to be there after you’ve purchased a subscription?

          Support

          For new users, Hotspot Shield has tutorials and a detailed FAQ section. The material is accessible to everyone, including users of the free version. Premium users can make use of the 24/7 live chat feature and the option to send an email using the form in the support section of the website. 

          Hotspot Shield Support Center form to fill up the details of your issue

          The live chat feature uses a chatbot, which can be frustrating when you have a complex problem a chatbot can’t figure out. The email system is much better if you have a query that isn’t as straightforward as an FAQ. The chatbot can be bypassed if you tell it you want to speak to an actual person. 

          Hotspot Shield Chat Bot replying to your queries

          The email option (support@hotspotshield.com) is much better since it doesn’t use bots. Talking to real people for support is a great option and Hotspot Shield does not seem to have trouble answering questions. The customer service representatives are knowledgeable and friendly, which makes walking you through challenges an easy task.

          Hotspot Shield’s Business Structure

          A VPN is, after all, a service. So it makes sense that a company owns it and relies on profits earned. Trusting someone with your personal data, and your money, while you know absolutely nothing about them sounds scary. That is why we’ve asked a Business Consultant to give us some insights into Hotspot Shield’s background, operations, and more.

          Our Expert Review and Rating of Hotspot Shield's Business Structure

          Tamara Milacic
          Tamara Milacic
          Pricing Expert

          Hotspot Shield is a well-established VPN provider that has been ranked as the World’s Fastest VPN for streaming and gaming. Initially founded as the second company among two entrepreneurs, they benefited from being an early entrant in the VPN industry in 2008. They had a third co-founder, with a background in Geography, join them a few months after founding the operating company. While none of the founders had extensive technical experience prior to starting the operating company AnchorFree in 2005, they did get two rounds of funding in 2006 and 2008 totaling almost $11M prior to the launch of the Hotspot Shield VPN product. This support would’ve allowed them to invest in the expertise they needed. Currently, the operating company still has around 68% of its staff in engineering or IT departments. They have a distributed team that is based in the US, Ukraine, Switzerland, and India but their headquarters still remain in California, where the company was initially founded.

          In 2018, the operating company changed its name from AnchorFree to Pango Inc. Pango holds 5+ trademarks, including Hotspot Shield, in the internet security and VPN space. HotSpot Shield is now offered as both a standalone VPN service and as part of an internet security bundle directly on the Pango website. As a result of this, and its early entrance into the market, HotSpot Shield has had over 650 million downloads. 

          Also in 2018, Pango completed a $295M private equity round that was led by WndrCo, which invested aggressively in the space and another company called Aura the following year. Inevitably, less than 2 years later, in 2020, Aura acquired Pango for an undisclosed amount. 

          Aura is based out of Boston Massachusetts and was founded by an IT entrepreneur named Hari Ravinchandran who still remains the CEO today. His experience spans 20+ years as a founder and CEO of multiple firms in the internet space. While the original founders of HotSpot Shield are no longer part of the company, operating as a subsidiary of Aura Company means that Hotspot Shield now gets the benefit of being part of an even bigger internet security and privacy company network. 

          Based on my opinion as a business consultant I rate Hotspot Shield business as 8 / 10.

            8
            8

            To find out more about Hotspot Shield as a for-profit organization, please see our expert’s review in the conclusion.

            Hotspot Shield Pricing: Decent Value (With a Few Minor Setbacks)

            To validate our review of Hotspot Shield’s pricing plans, we’ve had an Economist, Brendan Filipovski, provide his professional opinion. 

            Our Expert Review and Rating of Hotspot Shield’s Pricing

            Brendan Filipovski
            Brendan Filipovski
            Business Consultant

            Hotspot Shield provides a free basic service. This is a great option for occasional users or for users who want to try the basic features. It does have reduced speed and a data limit but this is to be expected for a free service. Hotpot also offers a 45 money-back guarantee for its Premium services. 

            It offers two premium (paid) plans with generous speeds and data limits. The Premium plan is a good value because it includes extra features like virus and malware protection, spam blocking, a password manager, and secure document storage. But it is only available for one unique user (albeit across five devices).

            The Premium Family plan allows up to five unique users (with five devices each) and is cost-effective for large families but you do lose the extra features like virus protection, a password manager, etc.

            The monthly price relative to other VPN providers is on the high side. The percentage discount with an annual subscription is similar to other providers. There are no two or three-year subscriptions with accompanying discounts available directly from Hotspot’s website but they are offered via some affiliate partners and represent a sizable discount that is comparable to price-leader such as Surfshark. It is thus worth searching around for details.

            The Twingate business service which is pitched as being superior to a VPN is charged per user and is a reasonable rate for business clients. Rates for enterprise clients can be negotiated.

            The range of payment methods is standard. No bitcoin payment.

            Based on my opinion as a business consultant I rate Hotspot Shield 7 / 10. The Premium plan has nice extra features but it is a shame that none of these are extended to the Premium Family plan. Speed and data are however not affected. Enterprise users face a typical set of plans, including room for negotiation for bigger customers. And the free basic plan is a nice touch for the occasional or novice user.

              7
              7

              If you would like to know more about how our expert came to the above conclusion, see their complete review in our conclusion!

              Pricing Plans

              Hotspot Shield offers a monthly plan and a yearly plan. For the yearly plan, the Premium package ends up costing $7.99 a month and $11.99 a month for Premium Family. The yearly plan is cheaper than the monthly one, as most VPN plans tend to be. There is also a free plan. The free plan is not worth much, considering the information collected on it (which can identify you) and the fact that it is paid for by ads.

              The monthly plan is for users who aren’t planning to use the VPN for long or only use it periodically. The rates for Hotspot Shield’s monthly plan are $12.99 per month for Premium and $19.99 per month for Premium Family. 

              In addition to the VPN, you also get a spam call blocker and a password manager. 

              These additional services bundled into the VPN are different in some places. For instance, where we saw ‘Password Manager,’ some people get 1Password. For users outside Canada and the US, the spam call blocker is replaced by Hiya. 

              With the premium subscription, you are allowed to connect up to five simultaneous connections, with no limits on data. For the Premium Family package, you can connect up to 25 devices across five-member accounts. Naturally, the latter option costs a little more.

              Extra Features

              • The Catapult Hydra Protocol is an added advantage for users since it significantly improves speeds compared to other VPNs that use open-source options.
              • The free version provides users with a data limit of 500MB per day, where others like TunnelBear provide the same for a whole month.
              • You get split-tunneling by domain, in addition to the solid services bundle.

              Detailed Conclusion: Here’s What Our Experts Found

              Performance Review - Raeesa Essop

              Test Suites

              • Check if DNS queries are intercepted and changed.

              ISP configuration: 

              Primary Server: SYS-192.168.0.1

              Secondary server: IAfrica-2 ZA –  196.7.142.132

              Tertiary server: MTN-2 ZA – 209.212.97.1

              Namebench was used to run a benchmark test assessing the available ISP DNS servers. It indicated that the ISP was not intercepting and redirecting outgoing DNS requests.

              No reports of NXDOMAIN hijacking turned up from the Namebench test. This was further tested with a dig test on an IP address where no DNS server is running. Just to test if any false results occurred. There was no response. This indicates no interception/falsified results for the ISP.

              VPN – Server Chosen: United States

              Namebench was used to assess the VPN assigned DNS, which indicated that the server was indeed intercepting traffic:

              Namebench used to the VPN assigned DNS

              The dig command was used to check if a DNS lookup to an authoritative nameserver produced an authoritative reply. It did not reproduce an authoritative reply. This displays DNS interceptions:
              This displays DNS interceptionsThe dig command was used to further indicate falsified results when requesting a non-existent host, rather than the response merely timing out. If the user makes any typos when searching for a URL, the VPN will most likely display some type of advert, etc. 

              Some non-existent domain names were used and adverts to purchase these pop-ups rather than the typical timeout message. They were all from Register.it

              • Check if the certificate presented on HTTPS queries is the correct one.

              Curl/gitbash was used to make requests. The certificate details of 4 popular websites were queried with both the ISP and VPN.

              Certificate details were compared between the two results for each website and by manually checking certificate details. These details include ‘issuer’, start and expiration dates, and the CN.

              All certificate information matched.

              • Check if running HTTPS queries against a collection of websites, by using different VPNs, yields different HTTP responses. 

              Websites used:

              • Facebook.com
              • Paypal.com
              • YouTube.com
              • Netflix.com, Etsy.com
              • Amazon.com

              Curl/gitbash was used to make HTTP requests.

              Response headers were used for comparison.

              Observations:

              For 3 websites, there were several ‘set-cookie’ headers that weren’t present when using the ISP. The ‘set-cookie’ headers that involved language and location would correctly reflect the VPN exit node chosen.

              Some headers that used location and language (apart from the ‘set-cookie’ ones) would reflect the correct location. That is the same one as the exit node chosen.

              PayPal and Facebook had security policies that were not present when using the ISP. Nothing out of the ordinary or suspicious was observed.

              • Compare information from inside and outside the VPN from the same DNS server and compare the answer.

              Google Public DNS-2 (8.8.4.4) was used when testing the ISP and VPN performance.

              The ISP setup stated above was deemed the fastest.

              Google Public DNS-2 (8.8.4.4) was used when testing the ISP and VPN performance

              Performance was not enhanced for the ISP according to the Namebench test that was run again. No DNS interception took place.

              The Namebench test done for the VPN using the public DNS server still exhibited the same results. DNS intercepts were still taking place. This was further confirmed using the dig and nslookup tests.

              Infrastructure

              • How many servers?

               1,800+ servers in 80+ countries — including 35+ cities around the world

              •   How many servers in which geography (country and continent)?

              Servers in:

              16 countries in North and South America (27 cities in the USA, 4 cities in Canada)

              48 countries in Europe (2 cities in the UK, 2 cities in Spain, 3 cities in Italy, 2 cities in France)

              28 countries in the Asia Pacific (6 different cities in Australia)

              7 countries in the Middle East and Africa

              •  What type of servers?

              Hotspot Shield uses a mixture of virtual and physical servers. Actual server details such as OS or any hardware specs were not found. They are also not open about which servers are virtual and physical.

              • What technology stack (e.g., what programming languages and technologies are used in running the VPN infrastructure)?

              Hotspot Shield has created their very own VPN protocol referred to as ‘Catapult Hydra’. It claims that this proprietary protocol is what increases the download speed over long distances. Ookla Speedtest even claims that the speeds were increased by over 26% when using this protocol. It may in fact be the most noteworthy thing about this VPN.

              They also offer the option of using the IKEv2/IPsec VPN protocol.

              • In which data centers are the servers hosted? How is the distribution of server hosting (e.g., is it clustered, meaning almost all servers with one data center provider, or is it spread out using a multitude of server providers in a country)?

              The majority of countries that have servers have only one location associated. US and Australia have several locations. These were checked to see what data centers/cloud solutions/IT infrastructure/colocation etc. were being used (checked using IPlocation.net and Domain Tools).

              US Servers:

              • Atlanta – Quadranet Enterprises LLC
              • Boston – Charles River Operation
              • Charlotte – h4y Technologies LLC
              • Chicago – Eonix Corporation
              • Columbus – Madeit Inc.
              • Dallas – Maxihost LLC
              • Denver – Sharktec
              • Houston – The Optimal Link Corporation
              • Indianapolis – Unlimited Net LLC
              • Kansas City – Wholesale Internet Inc.
              • Las Vegas – Vegasnap LLC
              • Los Angeles – Maxihost LLC
              • Miami – Quadranet Enterprises LLC
              • New Jersey – Gthost
              • New York – 24 Shells

              Australia Servers:

              • Adelaide – Intergrid Group Pty Ltd
              • Brisbane – Intergrid Group Pty Ltd
              • Melbourne – Intergrid Group Pty Ltd
              • Perth – Intergrid Group Pty Ltd
              • Sydney – Maxihost LLC (possibly a virtual server)

              There are quite a variety of providers across the United States. Australia is more homogeneous using mostly Intergrid Group Pty Ltd.

              Speed & Connectivity

              •  Perform speed tests for 23 different VPN exit nodes while connecting to the “best & fastest” Speedtest server.

              Base speed (ISP):

              Perform speed tests for 23 different VPN exit nodes

              The protocol chosen was: Hydra

              Connection: single 

              City Country Ping [ms] Download [Mbps] Upload [Mbps]
              New York City USA 235 11.57 13.19
              Berlin Germany 186 14.74 18.03
              Tokyo Japan 414 13.99 10.31
              London UK 194 8.43 8.53
              Paris France 177 26.52 20.69
              Rio de Janeiro Brazil 355 4.07 11.68
              Toronto Canada 255 22.63 15.59
              Lisbon Portugal 215 31.32 14.77
              Rome Italy 192 25.53 18.35
              Seoul South Korea 323 17.45 9.89
              Madrid Spain 198 32.89 18.03
              Sydney Australia 431 17.15 9.58
              Jakarta Indonesia 330 17.87 12.31
              Istanbul Turkey 222 24.73 7.72
              Moscow Russia 218 36.85 16.48
              Mexico City Mexico 315 14.15 14.42
              Riyadh Saudi Arabia N/a N/a N/a
              Helsinki Finland 311 10.78 14.65
              Mumbai India 299 39.55 10.26
              Abu Dhabi UAE 298 25.17 13.79
              Kuala Lumpur Malaysia 350 13.62 11.90
              Pretoria South Africa 4 55.56 54.98
              Riga Latvia 201 18.43 4.18

              USA

              Hotspot Shield VPN Speedtest USA
              Germany

              Hotspot Shield VPN Speedtest GermanyJapan

              Hotspot Shield VPN Speedtest JapanUnited Kingdom

              Hotspot Shield VPN Speedtest UKFrance

              Hotspot Shield VPN Speedtest FranceBrazil

              Hotspot Shield VPN Speedtest Brazil
              Canada

              Hotspot Shield VPN Speedtest CanandaPortugal

              Hotspot Shield VPN Speedtest PortugalItaly

              Hotspot Shield VPN Speedtest Italy
              South Korea

              Hotspot Shield VPN Speedtest South KoreaSpain

              Hotspot Shield VPN Speedtest SpainAustralia

              Hotspot Shield VPN Speedtest Australia
              Indonesia

              Hotspot Shield VPN Speedtest IndonesiaTurkey

              Hotspot Shield VPN Speedtest TurkeyRussia

              Hotspot Shield VPN Speedtest RussiaMexico

              Hotspot Shield VPN Speedtest MexicoIndia

              Hotspot Shield VPN Speedtest IndiaUnited Arab Emirates

              Hotspot Shield VPN Speedtest UAEMalaysia

              Hotspot Shield VPN Speedtest UAESouth Africa

              Hotspot Shield VPN Speedtest South Africa

              Latvia

              Hotspot Shield VPN Speedtest Latvia

              • Speed test performance for 5 different servers ( one close to the VPN server, one in the next big city, one at the other side of the country, one in another major city on another continent, pick another interesting one). Ping, Download, Upload? Any surprises?

              Most of the servers at any given time were at 30-40% capacity.

              UK Server (Gaming optimized server)

              Server Ping[ms] Download [Mbps] Upload [Mbps]
              London(optimized server)

              193

              3.5

              20.16

              Leicester

              198

              3.2

              22.15

              Glasgow

              290

              4.04

              27.12

              Sao Paulo

              372

              3.09

              20.02

              Auckland

              487

              3.44

              22.50

              Italy server

              Perugia(optimised server)

              193

              12.84

              20.57

              Rome

              213

              11.07

              19.35

              Milan

              196

              15.19 20.85
              Maputo

              391

              9.77

              18.59

              Mumbai

              331 10.97

              20.96

              Spain Server

              Igualada

              214

              7.76

              19.83

              Madrid

              224

              7.5

              20.30

              Gibraltar

              238

              5.79

              19.20

              Nuuk

              298

              5.37

              19.15

              Bogota

              384

              4.70

              20.55

              France Server

              Paris

              178

              4.91

              23.13

              Lyon

              194

              22.33

              23.53

              Marseille

              200

              34.05

              23.19

              Nairobi

              357

              35.41

              23.55

              Bangkok

              401

              13.49

              18.02

              Latvia

              Riga

              203

              30.46

              23.41

              Ludza

              208

              42.33

              11.55

              Liepaja

              207

              43.34

              23.12

              Roodepoort

              340

              32.65

              24.30

              Okinawa

              420

              28.21

              23.20

              Most of the servers exhibited an increase in latency with an increase in distance. Three out of the five tested servers had better upload rates than download rates. These rates oscillated at the same value over the five different locations. The download rates for these servers were on average 17-50% of the upload rates.

              The Latvian server had above-average upload rates when compared to the other servers. It was at a capacity of 31% at the time of testing.

              The optimized servers (as chosen by Ookla) didn’t always perform the best. Perhaps the shared IP of the server shows a location that is slightly different from the actual location of the server. However, the latency was always lowest when using the optimized server which would indicate it is the closest available one.

              • Check the traceroutes for these tested servers.

              All traceroute tests used ‘google.com’ to check the route of the traffic.

              Routing locations were determined using IP lookup

              ISP used 10 hops with a maximum of 33ms per hop.

              • UK Server: 9 hops with ping latency on average being 190 ms.
              • Italy Server: 15 hops with ping latency on average being 220ms.
              • Spain Server: 9 hops with ping latency on average being 220ms.
              • France Server: 15 hops with ping latency on average being 200ms.
              • Latvia Server: 9 hops with ping latency on average being 180ms.

              The majority of the nodes did not respond. Most timed out giving little information as to the location of the routed traffic. There is no firewall active on the base PC and the ISP shows information at every node. This might be due to the protocol being used. However, the VPN doesn’t allow for a different protocol to be used/tested.

              • If there are special setups like double hop VPNs, how do they perform?

              The VPN has few extra features. The most noteworthy aspect to test would be the Hydra Protocol. This protocol was chosen by default and all tests were already run using it. 

              When trying to use the IKEv2(IPsec) protocol, none of the servers were able to connect. They would show an error message and remain disconnected. This is a new feature that they offer and may need a few iterations before it works properly.

              There are designated servers for streaming, gaming and browsing. 

              The US server for browsing had poor performance when compared to the other American servers available.

              The streaming server did not have a good download rate as would be expected of a server dedicated to this purpose. It showed a rate of 2.98Mbps. This was at a server capacity of 41%.

              The gaming server did not have a latency of less than 200ms which may make a lot of games unfeasible to play if the user is in the same location as the tester.

              The split tunneling feature worked seamlessly when tested for several local websites that will often block international traffic.

              Experience Impact

              • Are you able to watch the streams in the following quality?

              YouTube

              Quality Able to Watch Extended Buffering Buffering [s]

              8K

              Yes Yes

              3-5 seconds

              4K

              Yes Yes

              3-5 seconds

              1080p Yes

              No

              N/A

              720p Yes

              No

              N/A

              Netflix

              Quality Able to Watch Extended Buffering Buffering [s]

              8K

              N/A N/A

              N/A

              4K

              Yes No

              N/A

              1080p

              Yes No

              N/A

              720p

              Yes No

              N/A

               

               

              Wire-Level Privacy Performance

              • What VPN protocol is in use?

              Catapult Hydra was the selected protocol, but it is not open-source. The protocols that were used would not come up as this unique protocol but maybe as other ones that Hydra is based on/makes use of.

              Some of the protocols that showed up were TCP, UDP, SSDP, and TLSv1.2.

              • Can you see any traffic not being transmitted via the VPN tunnel?

              No, as the split tunneling feature was turned off.

              •   Can you see any DNS traffic in the packet capture?

              No.

               

              Using the website Browserleaks

              Using the website Browserleaks, answer the following questions. Take screenshots and highlight out of the ordinary results.

              • Does your IP location information match the requested VPN location?

              Yes.

              IP Address Lookup on Browserleaks

              • What is your connection type? 

              Residential.

              • Are there any IPv6 Leaks? 

              No IPv6 leaks detected.

              • Are there any DNS leaks? 

              There were no DNS leaks to the local ISP. However, a vast list of all DNS servers in several locations was detected.

              Checking DNS leaks Test

              • Are there any WebRTC leaks? 

              No, the actual IP was not disclosed. It oddly showed an IP related to Switzerland, however.

              WebRTC leaks test

              Design - Cassandra Mackin

              Design

              • What’s the Design Style? 

              Flat with Skeuomorphism shapes, e.g., a shield for the logo. Icons are flat and minimalistic outlines. 

              • What feeling does the design convey? 

              Very serious and simple. There is very little color.

              •  What’s the color scheme, i.e., primary colors, secondary colors, hexacodes?

              Mostly #ffffff (white) and #141414 (dark gray, nearly black), with accents of #2ca2f7 (bright blue) and #8e8e8e (gray). Most buttons are #8e8e8e (gray) and then #ffffff (white) on hover, or black with white and #2ca2f7 (bright blue) accents… These secondary buttons change the white to #8e8e8e (gray) and the #2ca2f7 (bright blue) to #148cfc (dark bright blue) on hover. 

              “New” labels are #40b267 (green) and toggles are either black outlined in gray and white (off) or #2fa6f8 (bright blue) outlined in black (on). ‘Premium’ labels are #2fa6f8 (bright blue), and icons are the same blue with accents of white and darker blues, namely #073579 and #1370f5. The logo again uses the #2fa6f8 (bright blue) for the shield, with a circle of various colors on top.

              • When did the VPN introduce the current design of the software? 

              The website design was updated between September 14 and September 17, 2020. They also had a Black Friday / Cyber Monday sale design which was up from about 9 am on November 26, 2020, to December 1, 2020.

              • Does the current design use native interface components (Buttons, Navbars, Tabbars, Navigation, etc.) for each operating system, iOS14, Android 11, macOS Big Sur, Windows 10? Or is it some hybrid cross-platform software with its unique interface components?

              Hotspot Shield has its own design that it uses across all systems. The exceptions are system pop-ups, e.g., permissions and notifications, and Preferences in macOS, which uses the native macOS design with Hotspot Shield VPN’s color scheme.

              • Are there any other design observations you’ve made?

              The design is very minimalistic, with lots of white space even in the icons. It uses very few colors, mostly just gray tones and blues. They do use quite a bit of jargon without explaining, and they have their own terms for things, which further complicates an already complicated process for the non-tech-savvy user. 

              They don’t have a manual ‘check for updates’ button, so if you installed through the Microsoft or App store, you have to go into store settings to manually update and/or turn on auto-updates.

              User Actions Based On Operating Systems

              Criteria

              iOS Android MacOS Windows

              Linux

              How long does the app take to load (in seconds)?

              4

              4 5 6

              0 (Terminal)

              Is there an auto-connect option?

              No

              Yes Yes Yes

              No

              Is there a button to connect to the fastest VPN server?

              They automatically select the ‘closest, optimal server’. They automatically select the ‘closest, optimal server’. They automatically select the ‘closest, optimal server’. They automatically select the ‘closest, optimal server’.

              No. The first time you use “hotspotshield connect” in Terminal, it’ll connect to the ‘closest, optimal server’. This command will then always connect you to the most recent server you’ve specified.

              Is there a button to connect to the nearest VPN server? They automatically select the ‘closest, optimal server’. They automatically select the ‘closest, optimal server’. They automatically select the ‘closest, optimal server’. They automatically select the ‘closest, optimal server’. No. The first time you use “hotspotshield connect” in Terminal, it’ll connect to the ‘closest, optimal server’. This command will then always connect you to the most recent server you’ve specified.
              Is there a one-click quick connect option? Yes Yes Yes Yes No, type “hotspotshield connect” in Terminal.
              How many clicks/taps to connect to a recent server? 1 1 1 1 Type “hotspotshield connect” in Terminal
              How many clicks/taps to connect to a server in another country? 3 3 3 3 Disconnect in Terminal, then type “hotspotshield connect [country code]” in Terminal, replacing [country code] with the code you need. You can find them by typing “hotspotshield locations” in Terminal.
              How many clicks/taps to connect to a gaming server? 3 3 3, you can search for gaming in their server section or click into the US or UK and choose ‘gaming’. 3, you can search for gaming in their server section or click into the US or UK and choose ‘gaming’. N/A, you can only connect by location on Linux.
              How many clicks/taps to connect to a p2p (torrent) server? Not native, must manually find and select. Not native, must manually find and select. Not native, must manually find and select. Not native, must manually find and select. N/A, you can only connect by location on Linux.

              User Actions Based on Browsers & Router

              Name Chrome Firefox Router
              How long does the app take to load (in seconds)? 0 0 n/a
              Is there an auto-connect option? Yes, through Configuration (top-right of extension app), Browser Settings, Auto protection, you can choose to protect when you go to certain sites. Yes, through Configuration (top-right of add-on app), Browser Settings, Auto protection, you can choose to protect when you go to certain sites. Always connected until you login to router settings and deactivate.
              Is there a button to connect to the fastest VPN server? They automatically select the ‘closest, optimal server’. They automatically select the ‘closest, optimal server’. No, you must choose your server location manually from the Hotspot Shield Account page, then download the config file and redo credentials in your router settings whenever you want to switch servers.
              Is there a button to connect to the nearest VPN server? They automatically select the ‘closest, optimal server’. They automatically select the ‘closest, optimal server’. No, you must choose your server location manually from the Hotspot Shield Account page, then download the config file and redo credentials in your router settings whenever you want to switch servers.
              Is there a one-click quick connect option? Yes Yes n/a, always connected
              How many clicks/taps to connect to a recent server? 1 1 n/a, always connected
              How many clicks/taps to connect to a server in another country? 4 4 You have to login to your Hotspot Shield account and go into router settings, then choose a server, download the config, login to your router, and create the new VPN client profile whenever you want to switch servers.
              How many clicks/taps to connect to a gaming server? N/A, only a few server options are present in the extension. N/A, only a few server options are present in the extension. N/A, only a few server options are present for the router VPN.
              How many clicks/taps to connect to a p2p (torrent) server? N/A, only a few server options are present in the extension. N/A, only a few server options are present in the extension. N/A, only a few server options are present for the router VPN.

              Overall User Experience and Accessibility

              • Does the app offer support for vision-impaired people, meaning does it support the accessibility features provided by the operating system, like increasing font sizes, inverting colors, etc.? Is the software set up correctly to support screen-reading for blind people?

              Font size does not change with system settings and there is not an option in the app settings. Their notification texts do get larger with the system though, which is a plus. Windows Narrator does not work except with actual text links in the app, so it’s not helpful here. 

              The website isn’t accessible at all for people who are colorblind or have poor vision. Much of their text is on photo backgrounds and blends into the back, as with this:

               

              User Experience Based On Operating Systems

              Questions iOS Android MacOS Windows Linux
              What are the steps to installing the software and connecting to the VPN for the first time? Search in App Store, click Get. Open app, scroll through prompts, then either click Proceed with Basic or Sign In/Create Account. Click the power icon to connect, then Allow, Allow. Search in Play Store or text yourself a link from Account. Click Install. Open app, sign in, click power icon to connect. Click OK. Download for Mac, open the file, go through basic install. Open the app and click the power icon to connect. Download from the Account page. Click Install, then scroll through and click the checkmark or click ‘Skip’ in the top left. Click the power icon to connect. Click Linux from the account page, then choose the type of file you need and download. Follow the detailed instructions here:  install Hotspot Shield via Terminal/sudo.
              How many minutes to connect the first time? 3 1 2 4 6
              What’s the start-up time of the software? (In seconds) 4 4 5 6 10-20, have to type in the code in Terminal
              What’s the least amount of clicks/taps that’s necessary to connect to a VPN server? 1 1 1 1 n/a, must type into Terminal
              Do I need a subscription to connect or is there a trial or free version? There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. On mobile, it also has ads. There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. On mobile, it also has ads. There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. You need Premium.
              Is there a free version? There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. On mobile, it also has ads. There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. On mobile, it also has ads. There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. You need Premium.
              What’s necessary to sign up for a subscription? What are the steps? How long does the overall process take? From the app home page, click Get Premium, choose a plan, then confirm using the iOS options (double-click power button, face verification, etc.). It takes less than a minute. From the app home page, click Get Premium, choose a plan, then Subscribe and confirm with Google Play. It takes less than a minute. From the app home page, click Upgrade, choose a plan, enter your payment info and click Subscribe OR click the Paypal tab, the yellow Paypal button, login if needed, and confirm through Paypal. Alternatively, you can subscribe through the app store. It takes about 3 minutes online and 2 minutes through the app store. From the app home page, click Upgrade, choose a plan, enter your payment info and click Subscribe OR click the Paypal tab, the yellow Paypal button, login if needed, and confirm through Paypal. It takes about 3 minutes. Go to Hotspot Shield VPN’s website and login. Click Upgrade Now in the top banner, choose a plan, choose a payment method and enter your info, then click Continue. Takes about 3 minutes.
              What types of notifications are there? Are they obtrusive/too much? There are no notifications, just a tiny ‘VPN’ indicator next to the wifi symbol. There is a static notification in the notification bar when you are connected to VPN. It’s not obtrusive. Connected/disconnected to VPN using MacOS’ default notification settings. They only last a few seconds and are unobtrusive, but do make noise if you have that turned on in your Mac preferences. Connected/disconnected to VPN. They only last a few seconds and are unobtrusive, but do make noise if you have that turned on in your Windows settings. None.
              Are there automatic software updates? Yes, through the App Store settings. Go to your iPhone/iPad Settings, App Store, and toggle App Updates to On. Yes, through the Play Store. Yes. If you installed via the App Store, the app will follow your Apple Account App Store settings. Go to Preferences/Settings depending on your OS, App Store, and toggle App Updates to On. If you installed via the website, it will install updates automatically. Yes. If you installed via the Microsoft Store, the app will follow your Windows settings. Go to Microsoft Store, Settings, App updates, and set Update apps automatically to On. If you installed via the website, it will install updates automatically. No, you must update via Terminal using “sudo apt update -y” and then “sudo apt upgrade -y” for the .deb package or “sudo dnf upgrade -y” for the .rpm package.

               

              User Experience Based On Browsers & Router

              Questions Chrome Firefox Router
              What are the steps to installing the software and connecting to the VPN for the first time? The extension isn’t on the account page, but is on the Chrome extension for Hotspot Shield VPN. Click Add to Chrome, Add extension, then open from the extension menu in the toolbar. Cycle through the options and click Done. Click the power icon to connect or open the menu and sign in to get your premium benefits. The extension isn’t on the account page, but is available as a Hotspot Shield Free VPN Firefox Browser Add-On. Click Add to Firefox, Add, then choose whether or not to allow it to run in Private windows. Open the add-on via the toolbar and scroll through to finish installing. Click the power icon to connect or open the menu and sign in to get your premium benefits. On the Account page, click Router. Choose a VPN location, click Download File. The installation will depend on your router, but in general, go to your router settings login page (usually 192.168.1.1) and login, then go to Advanced Settings, VPN, and add a profile to your VPN client list. Use the username and password from the Hotspot Shield page where you downloaded the VPN config file, and then upload that .ovpn file. Once it’s on the VPN server list you just need to click activate.
              How many minutes to connect the first time? 2-3 2 10
              What’s the start-up time of the software? (In seconds) 0 0 n/a
              What’s the least amount of clicks/taps that’s necessary to connect to a VPN server? 1 1 n/a, you’re always using VPN unless you go into router settings and disable it
              Do I need a subscription to connect or is there a trial or free version? There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. You need Premium.
              Is there a free version? There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. You need Premium.
              What’s necessary to sign up for a subscription? What are the steps? How long does the overall process take? Click the extension icon, then Upgrade to Hotspot Shield Premium. Choose your plan and enter your payment info. Click Continue. Takes about 2 minutes. Click the add-on icon, then Upgrade to Hotspot Shield Premium. Choose your plan and enter your payment info. Click Continue. Takes about 2 minutes. Go to Hotspot Shield VPN’s website and login. Click Upgrade Now in the top banner, choose a plan, choose a payment method and enter your info, then click Continue. Once you’re setup you’ll still need to setup your router, but getting a subscription should only take a couple of minutes.
              What types of notifications are there? Are they obtrusive/too much? There was a pop-up asking me to sign-in to a proxy, but I just closed it and everything worked fine. When not signed into Premium, there is an ad to upgrade and download the Windows app. There is an option to toggle on/off notifications in the Settings. None popped up for me, but there is an option to toggle on/off notifications in the Settings. n/a
              Are there automatic software updates? There is no documentation stating that there are or are not automatic updates. There is no documentation stating that there are or are not automatic updates. No.

              Security Protocols & Authentication - Jason Martin Alexander

              The queries for this section have been sent via email to the vendor. They have replied promptly via chat and email on the simpler queries, and referred other matters to their developers.

              Protocol & Authentication

              • How does Hotspot Shield protect authentication credentials? What’s the default authentication protocol?

              The website states their proprietary development is based on OpenVPN (TLS) and follows NIST recommendations. Support states they also support OpenVPN on routers.
              (05:40:02 AM) David M.: OpenVPN is still supported, this is the protocol we use to connect routers with our services.

              • What kind of authentication is supported? What’s the default authentication method?

              Password or QR Code

              • What network protocols are supported (UDP vs TCP)?

              TCP, UDP (and ICMP at minimum).

              TCP, UDP (and ICMP at minimum)

              Source: Direct Test

              C:\SysOp\Apps\IPerf>iperf3 -c speedtest-iperf-akl.vetta.online -u -p 5205
              Connecting to host speedtest-iperf-akl.vetta.online, port 5205
              [  4] local 172.31.244.228 port 63275 connected to 163.47.131.253 port 5205
              [ ID] Interval           Transfer     Bandwidth       Total Datagrams
              [  4]   0.00-1.00   sec   144 KBytes  1.18 Mbits/sec  18
              [  4]   1.00-2.00   sec   136 KBytes  1.12 Mbits/sec  17
              [  4]   2.00-3.00   sec   120 KBytes   984 Kbits/sec  15
              [  4]   3.00-4.00   sec   120 KBytes   982 Kbits/sec  15
              [  4]   4.00-5.00   sec   136 KBytes  1.12 Mbits/sec  17
              [  4]   5.00-6.00   sec   112 KBytes   918 Kbits/sec  14
              [  4]   6.00-7.00   sec   128 KBytes  1.05 Mbits/sec  16
              [  4]   7.00-8.00   sec   136 KBytes  1.11 Mbits/sec  17
              [  4]   8.00-9.00   sec   136 KBytes  1.11 Mbits/sec  17
              [  4]   9.00-10.00  sec   120 KBytes   984 Kbits/sec  15
              – – – – – – – – – – – – – – – – – – – – – – – – –
              [ ID] Interval           Transfer     Bandwidth       Jitter    Lost/Total Datagrams
              [  4]   0.00-10.00  sec  1.26 MBytes  1.06 Mbits/sec  4.618 ms  0/160 (0%)
              [  4] Sent 160 datagrams

              iperf Done.

              C:\SysOp\Apps\IPerf>

               

              • What VPN protocols are supported by Hotspot Shield? 

              “Catapult Hybrid” 

              • What is the default protocol for the VPN?

              Purportedly based on OpenVPN with AES 128 default

              • Is the VPN protocol open source or closed source?

              Closed Source and ‘Open Source’ options (The IPSec VPN code is not available for public review).

              Excerpt from the website regarding Hotspot Shield’s proprietary Hydra VPN protocol: 

              “Updated: June 28, 2021 20:38 

              In short, yes. Your VPN connection is very secure and private, whether you use Hotspot Shield Basic or Premium. 

              Our proprietary VPN protocol, Hydra, which is based on OpenVPN, uses standard, proven Transport Layer Security (TLS) based on NIST recommendations to establish a secure client-server connections and encrypt the payload. 

              The handshake is a standard TLS 1.2 and no protocol downgrade is allowed. It uses RSA certificates with 2048 bit key for server authentication and Elliptic Curve Diffie-Hellman algorithm (ECDHE) for Ephemeral Key Exchange. 

              Ephemeral in this case means that encryption keys are generated for every user session and erased from memory when the session is over. 

              Our steadfast security, inspired by the software defined perimeter (SDP) model pioneered by the US Department of Defense, supports both 128-bit AES and 256-bit AES encryption, and we use 128-bit AES encryption as a standard. 

              Fun fact: it would take nearly 14 billion years to decrypt 128-bit AES encryption at current computer power. To put that into perspective, that’s about 3X the age of our Solar System (~4.5 billion years old), or as long as the Universe has existed (~14 billion years old).”

              Excerpt from Hotspot Shield’s website:

              Catapult Hydra security code is evaluated by 3rd party security experts from more than 60% of the world’s largest security companies that use our SDK to provide VPN services to their users.”

              •  If it is closed source, who is the vendor and are they considered a tier-one vendor?

               Not in my opinion.

              • Has an RFC been published for the protocol? What’s the RFC number?

              N/A.

              • Is the VPN protocol using the latest protocol version?

              N/A.

              • What is the release date of the protocol in use?

              N/A.

              •  Is there an IEEE implementation standard for the protocol?

              N/A.

              •  Is the protocol listed on the iana.org website?

              Not at the time of review.

              • Does this protocol have any known vulnerabilities or Active CVE?

              N/A. Nothing is currently known, but the product itself has a history. See “Has the VPN provider been exploited in the past” below.

              •  Does the VPN support multi-hop?

              Support of Multi-hop VPN capabilities is not listed. An inquiry has been sent to support (20/07/2021). The VPN CAN run through Tor.

              Analysis

              • Can you see any traffic not transmitted via the VPN tunnel (if not Split-Tunneling)?

              No.

              • Can you see any DNS traffic in the packet capture?

              Not when the VPN is enabled.

              • Where is your DNS traffic going to?

              Google (8.8.8.8)

              Note: Additional tests appeared reasonable (dnsleak.com, ipleak.net, DNS leak test)

              Additional Questions

              • Has the VPN provider been exploited in the past?  

              No published exploits, but proof of concept exploitation is available for the 2020 version of the app (Source: CVE-2020-17365 – Hotspot Shield VPN New Privilege Escalation Vulnerability). Given the popularity of the service, real-life zero-day exploitation is probably a fair expectation

              Note: Quick initial response, and reasonably timely fix.

              Further investigation into vulnerabilities reveals a total of 2x major, and 3x minor as detailed below.

              APPENDIX A: CVE Search & History Results Summary

              Hotspot Shield Security Vulnerabilities

              2020Payload Evaluation: Remote privilege escalation, serious breach of intended privacy

              Details: Hotspot Shield VPN New Privilege Escalation Vulnerability

              2018Payload Evaluation: sensitive information divulgence, serious breach of intended privacy

              Details:
              Hotspot Shield runs a webserver with a static IP address 127.0.0.1 and port 895. The web server uses JSONP and hosts sensitive information including configuration. User controlled input is not sufficiently filtered: an unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine, including whether the user is connected to a VPN, to which VPN he/she is connected, and what is their real IP address.

              CVE List

              NVD Vulnerability Search Results – Hotspot Shield 

              NVD – CVE-2020-17365

              NVD – CVE-2018-6460

              Additional CVEs noted here: 3 Popular VPN Services Are Leaking Your IP Address 

              CVE-2018-7879, CVE-2018-7878, CVE-2018-7880

              A few other web hits come up, these may be spurious as NOT noted in NIST, and Mitre.Org lists reservations only (CVE-2018-7879)

              CVE History (Web Search Sample)

              NVD – CVE-2018-6460

              Hotspot Shield VPN New Privilege Escalation Vulnerability

              Hotspot Shield Has Patched A Serious Vulnerability In Its Windows Client | Techradar

              Vulnerability Summary for the Week of January 29, 2018 | CISA

              Hotspot Shield Vulnerability Statistics

              A Flaw In Hotspot Shield Can Expose VPN Users’ Locations | ZDNet

              3 Popular VPN Services Are Leaking Your IP Address

              •   Does Hotspot Shield have a No Logging policy?

              Hotspot Shield advertises a No Logging Policy; this is generally considered to be ineffective as the Privacy Policy is invasive.

              Have they been audited by a 3rd party confirming this? If they do log, what’s the retention policy?

              N/A – although some other reviews mention 3 Years retention (A retention period regarding collected and sold data was not found in Aura’s Privacy Policy).

              •  Does Hotspot Shield have a canary on the website? 

              Nothing specific was found. The company would be vulnerable as US-based.

              •  Is Hotspot Shield based in one of the following locations UK, USA, or EU? If they are, are they compliant (e.g., GDPR, CCPA)?

              Based in the US. The website links to parent operator Aura who state CCPA compliance.

              Sources:  

              Aura Digital Security: Consumers may not sell their personal information

              CDT’s Complaint To The FTC On Hotspot Shield VPN

              •  Can you purchase a VPN subscription anonymously?

              No.

              • What personal information must you provide to purchase a subscription or begin a free trial? 

              Email & Paypal or credit card is required for the paid version (no crypto etc). Not needed for a free trial.

              Source: Order placed at the time of testing

              Note: The website requests the same for the free trial, however, you can bypass that requirement by simply downloading and installing. The parent company states “Please note that we do not require users to create accounts in order to use the free versions of our VPN products.”

              Source: Aura Digital Security: Consumers may not sell their personal information

              • Can multifactor authentication be implemented?

               No. The only reference to multi-factor is about suggestions on keeping safe: What is the Identity Scan feature of Hotspot Shield? Factor reveals more results, but nothing related to service/app.

              • What is the level of encryption used?

              AES 128 or 256 is offered. 128 is the default.

              • What encryption cipher is used? 

              AES.

              •  Do the VPN apps have kill switches, in case the VPN connection drops?

              Yes (on Windows and Android only).

              •  In what country is Hotspot Shield located?

              The US.

              • What is the likelihood of Hotspot Shield sharing data with governments?

              Very Likely.

              • What data does Hotspot Shield collect on VPN users?

              Reportedly data collection and ‘sale’ applies to free users only:

              Identifiers (such as advertising identifiers and cookies)

              Internet or other network or device activity (such as what Aura app you’re using);

              Approximate geolocation information (city-level location data)

              Source:Aura Digital Security: Consumers may not sell their personal information

              • Does Hotspot Shield share any customer data with third parties? 

              Yes. Collect and sell as per above.

              Minor Update 20/07/2021:

              When attempting to switch VPN protocols on 20/07/2021 approx 22:00 Hrs AEST, the ‘Protocols New’ section was NO LONGER available in the UI. The version remains the same. In fact, the only difference so far as I recall is the the VM was shut down and turned on a day or so later. After rebooting, it showed up again. A query has been sent to support about this, and they suggested ‘updating’, however the provided executable was older than the running build. In other words, the feature is still in beta.

              Data Privacy Protection - Gillian Carrington

              Jurisdiction

              • Where is Hotspot Shield headquartered?

              Hotspot Shield is the trading name of the Aura Group. The principal companies in the Group are Pango Inc., headquartered in Redwood, CA, USA, and Pango GmbH, headquartered in Stans, Switzerland. 

              Other companies in the group include Intersections Inc., Get Aura Inc., Betternet LLC and Touch VPN Inc. Depending on which Hotspot services are used, the relevant entity for data protection may be any one of those companies or their corporate affiliates.

              • How does the company’s location influence the privacy of its customers?

              Hotspot has chosen locations primarily in the USA and Switzerland. In federal terms, the USA is not a good data privacy jurisdiction, as confirmed by the CJEU in the Schrems cases. The CLOUD Act problem continues to trouble in Europe. 

              However, California was the pioneer of states legislating for data protection and has at the time of writing probably the most advanced data protection for individuals in the USA. Switzerland has the benefit of an adequacy decision from the European Commission. 

              The Swiss data protection law currently in force is somewhat old-fashioned as it was modeled on the European data protection legislation preceding the GDPR. The Swiss government has brought forward draft legislation that, if passed, will align the law more closely with the GDPR and introduce an element of data localization. 

              In general terms, it seems that Hotspot has opted for jurisdictions with open data protection.

              •  Is the jurisdiction of the country where Hotspot Shield is located known for working/not working with law enforcement?

              California is a developed jurisdiction with a good record for working with law enforcement. Switzerland is also a developed jurisdiction and a signatory to most of the main international treaties governing law enforcement. 

              Swiss banking secrecy has been in decline since 2018 when the country began sharing financial account data cross-border in support of a crackdown on tax evasion. Nonetheless, the level of secrecy relating to Swiss bank accounts is still greater than in many other jurisdictions.

              • Are there international laws in place to provide data outside of the country?

              The USA is a signatory to a large number of international treaties and instruments, both global and regional. Full details are available on the State Department’s website and include treaties such as:

              1. UN Convention Against Illicit Traffic in Narcotic Drugs and Psychotropic Substances (1988);
              2. UN Convention for the Suppression of the Financing of Terrorism (1999);
              3. UN Convention Against Transnational Organized Crime (2000); and
              4. UN Convention Against Corruption (2003);
              5. Budapest Convention on Cybercrime (2004).

              Switzerland is a member of the Council of Europe and a signatory to the Council treaties and conventions governing mutual legal assistance. It is also a signatory to other international treaties such as:

              1. UN Convention Against Illicit Traffic in Narcotic Drugs and Psychotropic Substances (1988);
              2. UN Convention for the Suppression of the Financing of Terrorism (1999);
              3. UN Convention Against Transnational Organized Crime (2000); and
              4. UN Convention Against Corruption, 2003.

              Privacy Policy

              • How current is Hotspot Shield’s privacy policy?

              June 8, 2021.

              • How frequently is their privacy policy being updated?

              From time to time”, to comply with changes in laws, industry standards, and business practices.

              • When was Hotspot Shield’s privacy policy last updated?

              June 8, 2021.

              •  Does Hotspot Shield inform its customers (e.g., via email) when the privacy policy gets updated?

              The company will also provide advance notice of any changes materially affecting users’ privacy rights by email or through the services it provides.

              • What identifiable personal information is being collected (according to the privacy policy)?

              The company has different data collection points for different products. The company also has a policy of not collecting information showing that their VPN services were accessed over a VPN. Common to all are the following:

              1. Email address, name, username, password; for identity protection products also Social Security number
              2. Payment information including billing name, billing address, payment instrument.
              3. Identity verification information e.g., email address, telephone number (some products only)
              4. Cookie-related data
              5. Communication optimization data (tracking data, possibly the user’s operating system)
              6. Communications and submissions when communicating with the company
              7. Usage information
              8. Device information
              9. Diagnostics information
              10. Imprecise location information based on the user’s isp address
              11. Third-party referral information
              12. Third-party account details (e.g. Google and Microsoft accounts, bank accounts, social media accounts) where the organization holding the account may send some personal details to the company
              13. Third-party threat information may contain personal data on an incidental basis
              14. Third-party business customers may submit personal data from others (note: Hotspot Shield sees itself as a data processor with regard to its business customers)
              15.  Third-party monitoring information.

              Depending on the service selected, Aura Identity Protection users may be asked to provide a wide range of personal data, both for themselves and their families, including minors if enrolled in a Family Plan. 

              Information such as date of birth, passport numbers, geolocation, social media access, photographs, information about social media contacts, financial transactions, credit reports, and details of the user’s children. In the USA, this information may be shared with law enforcement agencies.

              The following are additionally collected from Aura Antivirus users (note that there is some information sharing with third-party providers in relation to security and diagnostics information):

              1. IP address and geolocation
              2. Administrative information such as license key numbers
              3. Device information such as IP address, browser, operating system, device ID
              4. Security information such as executable files is identified as malware
              5. Diagnostics information 

              The following are additionally collected from Roboshield users (in the USA, this information may be shared with law enforcement agencies):

              1. Caller IDs
              2. Network routing information
              3. Dates and times of calls, including calls blocked by the user
              4. Device information such as IP address, browser, operating system
              5. Enhanced caller IDs, call labels
              6. User address book information (if access is granted) 

              For VPN Product Users, the company has a strict policy that VPN products do not store any information about what any specific user browsed or accessed through a VPN connection. IP addresses are not logged. When a VPN connection is initiated, the user’s IP address is collected, immediately encrypted, and deleted at the end of the session.

              For Betternet Safe Shopping, online shopping and usage data are collected as well as URLs of websites visited when not interacting with Betternet. These data are not associated with the user’s personal data. Cookies are set when using Betternet.

              For Figleaf users, additionally, certain usage data is collected such as OS, browser version, or frequency of use. There are two Figleaf settings enabling the user to choose whether to share device ID.

              •  Is any identifiable personal information shared with any of Hotspot Shield’s partners, data processors, or similar?

              Information shared relates to payment processing, email automation, website and app diagnostics, analytics, delivering marketing and advertising content, security, and research (“sanitized”), investment or acquisition, compliance with the law, and prevention of fraud. 

              Identified third-party providers include Google and Microsoft. Where a user has chosen free Hotspot Shield services, the company allows advertising. While the company does not share any personal information with the advertisers, they may be able to access certain information using SDKs.

              • Is any identifiable personal information mandatory to purchase a subscription and use the VPN service?

              It depends on the product. In general, an email address is required for account creation purposes and payment data for payment processing purposes. Some products may require identity verification information and/or Social Security Numbers.

              • Is Hotspot Shield’s privacy policy GDPR compliant?

              Not quite, but very nearly.

              •  If personal data is being collected, what justification in accordance with GDPR is being given for the collection of identifiable personal information?

              The company’s legitimate interest, to provide the services contracted for, user consent, and to comply with the law.

              •  Is Hotspot Shield’s privacy policy CCPA compliant?

              Near enough.

              • Does the privacy policy address “logging” of identifiable personal information? (Logging Policy)

              Yes.

              •  Are access logs being kept?

              Yes.

              Terms of Service

              • Are there any VPN use cases/types of traffic (Torrenting, Tor Network, etc.) not allowed?

              Hotspot prohibits the following uses:

              “(a) use the Software or the Service for any fraudulent, harassing or abusive purpose, or so as to damage or cause risk to our business, reputation, employees, subscribers, facilities, or to any person;

              (b) rent, lease, loan, sell, resell, sublicense, distribute or otherwise transfer the Service, the Software or any Materials (as defined in Section 10, below);

              (c) delete the copyright or other proprietary rights on the Software or the Service;

              (d) use the Software or the Service for any illegal purpose, or in violation of any local, state, national, or international law;

              (e) use the Service or the Software for any commercial use, it being understood that the Software and the Service is for personal, non-commercial use only;

              (f) use the Software or the Service if you are not Eligible;

              (g) remove, circumvent, disable, damage or otherwise interfere with security-related features of the Software or the Service, features that prevent or restrict use or copying of the Software, or features that enforce limitations on the use of the Service;

              (h) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code of the Service or the Software or any part thereof, except to the extent that such restriction is expressly prohibited by applicable law;

              (i) modify, adapt, translate or create derivative works based upon the Software or the Service or any part thereof; or

              (j) Intentionally interfere with or damage operation of the Service, by any means, including uploading or otherwise disseminating viruses, adware, spyware, worms, or other malicious code.”

              Leaks

              • Have there been any known instances where Hotspot Shield has provided a government with customer information or data?

              None identified. Although the company provides contact details for government agencies, it is clear that it does not have any data worth sharing with third parties.

              • Have there been any leaks of customer information or data?

              A few years ago, Hotspot Shield suffered from a bug leaking user data. Since then, an incident has been reported of leakage of a real IP address via the Android app. 

               In August 2017, privacy advocate Center for Democracy and Technology (CDT) issued formal charges to the Federal Trade Commission (FTC) against Hotspot Shield for allegedly intercepting and redirecting user data to partner websites including advertising firms.

              Business Structure - Tamara Milacic

              Company Background

              •  What’s the operating company name (trading name) behind Hotspot Shield?

              Initially, AnchorFree, Inc. As of 2018, it trades under Pango Inc. Pango was acquired by Aura Company in 2020.

              • When was Hotspot Shield founded?

              AnchorFree was founded in 2005. It released Hotspot Shield in 2008.

              •  Where was it founded?

              Menlo Park, California, United States.

              • Where is Hotspot Shield’s headquarter located today?

                Menlo Park, California, United States.

              • Is it known if Hotspot Shield’s employees are working remotely? What percentage of the workforce is distributed?

              The Pango employees are distributed across the US, Ukraine, India, and Switzerland. However, the office locations are listed as in the US and Switzerland. The assumption is that the remainder of the employees may work remotely.

              •  Who were the founders of Hotspot Shield?

              David Gorodyansky, Eugene Malobrodsky, and Peter Hoag co-founded AnchorFree. 

              • What are/were their functions in the company?

              David Gorodyansky was CEO until 2019. Eugene Malobrodsky was CTO from 2005 to 2014 and then Chief Strategy Officer until he left the company in 2020. Peter Hoag was a Board member and COO from 2006 to 2018.

              •    Are the founders still running the company?

              No.

              •   What were the backgrounds of the founders? Did they have any relevant expertise to found this company?

              David Gorodyansky: Bachelor’s Degree in Business from the San Jose State School of Business. He co-founded, with Eugene Malobrodsky, one company prior to AnchorFree called Intelligent Buying Inc, which is no longer in operation. Prior to that, he worked for one year as a Strategy Consultant. Overall 4 years of experience prior to founding AnchorFree.

              Eugene Malobrodsky: Bachelor’s Degree in Marketing from the University of San Francisco. He worked as an engineer, IT manager, and Director of Sales between 1997-2002. He then co-founded Intelligent Buying Inc with David. He had 8 overall years of experience prior to founding AnchorFree.

              Peter Hoag: Ph.D. in Geography from the University of Michigan. He was in the Marine Corps for 6 years. He then worked as a Faculty member at the University of Toronto. He co-founded a technology company called Cardinal Technologies between 1992 and 1995. He was also a Vice President in IT at Visa and a Product Manager at Remedy Inc. His experience spanned decades prior to joining AchorFree in 2006.

              • Do they own more than one VPN? If so, what are the names of the other VPNs?

              Yes – Pango Inc owns Betternet (HexaTech), VPN 360, and Fireshield.

              Trademarks

              • Does Hotspot Shield own any trademarks? What are the trademarks and registration numbers? In which categories are the trademarks registered?

              Hotspot Shield in itself does not own any trademarks. All trademarks, including the one for Hotspot Shield, are owned by the operating company Pango Inc.

               

              Trademark Registration Number Category
              Anchorfree 4225414 US:

              100 Miscellaneous

              101 Advertising and business

              102 Insurance and financial

              International:

              35 – advertising

              Betternet 4892495 US:

              100 Miscellaneous

              101 Advertising and business

              104 Communication

              International:

              38 – telecommunications

              Hotspot Shield 5294805 US:

              21 Electrical apparatus, machines and supplies

              23 Cutlery, machinery, and tools and parts thereof

              26 Measuring and scientific appliances

              36 Musical instruments and supplies

              38 Prints and publications

              International:

              009 – Scientific, nautical, surveying, electric, photographic, cinematographic, optical, weighing, measuring, signaling, checking (supervision), life-saving, and teaching apparatus and instruments

              VPN360 5620570 US:

              21 Electrical apparatus, machines, and supplies

              23 Cutlery, machinery, and tools and parts thereof

              26 Measuring and scientific appliances

              36 Musical instruments and supplies

              38 Prints and publications

              International:

              009 – Scientific, nautical, surveying, electric, photographic, cinematographic, optical, weighing, measuring, signaling, checking (supervision), life-saving, and teaching apparatus and instruments

              Robo Shield 6137129 US:

              21 Electrical apparatus, machines, and supplies

              23 Cutlery, machinery, and tools and parts thereof

              26 Measuring and scientific appliances

              36 Musical instruments and supplies

              38 Prints and publications

              International:

              009 – Scientific, nautical, surveying, electric, photographic, cinematographic, optical, weighing, measuring, signaling, checking (supervision), life-saving, and teaching apparatus and instruments

                

              Financing

              • How is/was the company funded? 

              AnchorFree was founded with and had 4 VC-backed rounds.

              ○ If externally funded, how much money was raised? How many rounds of funding? When was the last funding?

              $387.6M has been raised in 4 rounds so far. The last one was in 2018 for $295M.

              • Who owns the company now? 

              Pango was acquired by Aura Company in 2020.

              •  If it’s now owned by another company (Holding Company, HoldCo), what is the mission of HoldCo?

              Aura is a mission-driven digital security company dedicated to creating a safer internet.

              •  Does Aura own other companies? Any in the privacy/security tech space? 
              1. Figleaf – digital security and privacy across all devices by enabling users to anonymize their data
              2. Privacy Mate – monitors and prevents the collection, sale, and widespread dissemination of private personal information

              Status

              •  How many people work at OpCo?

              Pango Inc.:

              Crunch base numbers – 101-250

              LinkedIn numbers – 201-500

              Business Model

              • What is the business model? 

              Hotspot Shield has a SaaS model. Likewise, its operating company, Pango, sells Hotspot Shield along with 3 other services (password manager, identity theft shield, and robocall blocker) on a subscription basis as well.

              •  Who are Hotspot Shield’s target customers? 

              Hotspot Shield offers VPN subscription services to private individuals and businesses. For businesses, their offer focuses on SMEs.

              •     Is any financial information about the company’s performance public?

              No. There are estimates of $10M annual revenue but that doesn’t seem reliable.

              •       Is the company profitable? If so, since when? How much?

              N/A

              History

              •  Was there ever an exit event for the company? Sale or IPO?

                      At which stage of funding?

              At the 4th stage of funding, Pango Inc was sold to Aura Company.

                      What was its valuation at exit?

              The Aura purchase was for an undisclosed amount.

              • How has it developed since then (employees, revenue, user growth)?

              N/A

              •    Is anything else known?

              N/A

              Company Structure

              • What does the company structure look like? 

              Aura company owns Pango. Pango is the operating company of Hotspot Shield.

              •  Are there multiple companies (specific marketing or sales entities or similar)?

              No.

              •  Where are these companies’ headquarters located?

              Hotspot Shield – Menlo Park, California, United States

              Pango – Redwood City, California, United States

              Aura Company – Burlington, Massachusetts, United States

              •   Who are the beneficial owners of these companies? How much do they own? 

              There is public information about the investors in Aura Company but not about the ultimate owners.

              Aura is funded by 4 investors – Warburg Pincus, General Catalyst, Green Bay Ventures, and WndrCo. WndrCo was also an investor in Pango before it was sold to Aura Company.

              Aura Company Structure

              Pricing- Brendan Filipovski

              Personal/Professional/Family Plans

              •  What Hotspot Shield subscription plans are available (features, limits, subscription length) and how expensive are they? What are the discounts on them? What are the savings in opting for a long-term subscription?

              Hotspot Shield offers three plans: Basic, Premium, and Premium Family.

              The Basic plan is free but only offers one device connection for one unique user, one virtual location, a 500MB daily limit, and a 2Mbps connection speed. Streaming and gaming are restricted.

              Premium is $12.99 a month or $7.99 a month with an annual subscription (a 38% discount). It offers five device connections for one unique user, 115+ locations, 1Gbps speed, and unlimited daily data. There are no restrictions on streaming and gaming. It also includes virus and malware protection, a password manager, and secure document storage.

              Premium Family is $19.99 a month or $11.99 a month with an annual subscription (a 40% discount). It offers five device connections each for five unique users. 115+ locations, 1Gbps speed, and unlimited daily data. There are no restrictions on streaming and gaming. There is no virus and malware protection, a password manager, or secure document storage.

              • Are there additional plans, like premium or family plans available? What are the details?

               See above

              •   Where can you buy a Hotspot Shield subscription?

              Website, iOS, and Android.

              •     Does Hotspot Shield charge the same in all countries it’s available in or does the price depend on country or currency?

              Same across five different countries.

              • What payment methods are available for purchasing a Hotspot Shield VPN subscription?

              Visa, Mastercard, AMEX, JCB, Discover, Diners, and Paypal.

              •  Is there an option to pay for Hotspot Shield anonymously?

              No

              • Under what circumstances will they release a user’s billing info/ID to third parties?

              If you tell them to or you give permission to a service, to your company if it is a company account, affiliate and third-party service providers (e.g., payment providers), and to comply with a legal process and the law.

              •  Does Hotspot Shield offer a free trial period? How long does it last?

              No, but it does offer a free limited feature service.

              • Does Hotspot Shield offer a money-back guarantee? For how long?

              Yes, a 45-day money-back guarantee.

              •   How does the cancellation policy work?

              Through Contact Support via an online submission form.

              •  Does the VPN offer any bundles that include the VPN? What is included in the bundles? What are the available plans?

              The Premium offer includes antivirus and malware protection, a password manager, and secure document storage.

              Through Hotspot’s parent Aura’s site, you can purchase digital security, identify theft, and fraud protection that includes Wi-Fi security VPN.

              Enterprise Plans

              • Are team/enterprise plans available? Do they offer additional features over the standard plans?

              Pango, which is the company behind Hotspot Shield, offers a business VPN service called Twingate.

               It claims to be a secure connection service for companies that use the cloud which is better than a normal VPN. No public gateways.

              •  What costs are involved? What payment plans are available?

              $6 per user per month for teams. $5 per month per user a month with an annual subscription.

               $12 per user per month for a business. $10 per month per user a month with an annual subscription. Custom rates for enterprises.

              •    What are the limits (minimum number of users/seats, etc.)?

              Teams: Up to 50 users, 5 devices per user, and 5 remote networks.

              Business:  Up to 150 users, 5 devices per user, and 10 remote networks.

              Enterprise: Unlimited users, unlimited devices per user, and unlimited remote networks.

              •  What permission/admin settings are available for remote users?

              Control user access at the network and resource level for Enterprise users.

              vpncheck ExpressVPN Offer