They even have a non-free option that eliminates the VPN as a proxy feature.
"Hola built a peer to peer overlay network for HTTP, which securely routes the sites you choose through other Hola users' devices and not through expensive servers. Hola never takes up valuable resources from these users, since it only uses a user as a proxy if that users' device is completely idle (meaning device is connected to electric power (not on battery), no mouse or keyboard activity is detected, and device is connected to the local network or Wifi (not on cellular)). This makes Hola the first VPN service without underlying operational costs. Although Hola doesn't need to pay for bandwidth, we still need to pay the engineers who create, maintain and keep improving the free Hola service. Hola generates revenue by selling a commercial version of the Hola VPN service to businesses (through our Luminati brand). This is what allows us to keep Hola free for our users. Users who want to enjoy the Hola network without contributing their idle resources can do so by joining the Hola premium service for $5 per month (or $45 per year)."
The Luminati angle is new, but the fact that free Hola users are used as peers or exit nodes is common knowledge among better informed users. I've warned others of that fact in the past myself.
Of course, I imagine most users are not so well informed.
Indeed, I knew for a while too, but I let it go so long as all posts were made by humans.
But selling an API at $20/GB (bandwidth you pay $0 for) to flood message boards and scrape search engines from random people's IPs without their consent is horribly unethical in my opinion.
Edited to add: I also see it as a breach of trust in the original agreement, even if you were fully informed that by installing Hola you become an exit node. Originally you were an exit node for other humans, and this was reasonably "secure" due to the fact that Hola hadn't been reverse engineered yet. But when Hola released the first party flood/scrape API Luminati they changed the agreement after the fact, even if they didn't have to change the EULA to permit this.
Not to downplay this issue, but wouldn't one simply assume it works this way?
I mean, how else would it work, Hola operating their own proxies and giving all of that infrastructure and bandwidth away for free?
Of course it would be P2P and would turn the user into a supplier of data and bandwidth to others. This basic model has been in use for "illegal" content for well over a decade now.
Now how they exploit that bandwidth is a different matter. Conflating those two is what will give you the "meh" reaction.
Also, "accusing" Hola of being unethical because it has no recognizable signature is another red herring. Of course it hasn't, otherwise it would get blocked by the geotarded services it is supposed to unblock. It's not an evil feature in itself.
The Luminati exploitation angle is the issue. Everything else about Hola is either transparent or at least pretty damn obvious.
I agree with most of what you said. When you're downloading proxy/vpn software like this, it's either P2P (and you're sharing your own resources) or it's centralized. They could make this clearer in the blurb to download the software, but they don't hide this fact and in fact make it clear from their FAQs and pricing pages.
But the Luminati angle is nothing different. It would make abusing the proxy network easier (from a technical perspective) but it's nothing you couldn't do with Hola alone. Luminati is just API access to Hola along with expensive pricing and a screening interview with sales staff. You could hack your own API out of only Hola if you really wanted.
The real story is that last time I checked, all their US exit nodes come from Digital Ocean, which is hardly worth $20/GB (should be more like $5/TB). I guess they don't have a lot of US users.
Agree that free proxies aren't free. But how many people would know about proxies? For most people, if content is country blocked, a google search and first or second link click solution will end up with hola installed, no more questions asked. I think we should do better than the "Don't use if you don't know" argument.
> As you can see, there is no mention of Luminati, or the underlying mechanics at all.
They didn't write "Luminati" but they wrote this:
"Hola and Hola premium are free for private, non-commercial use. For a commercial license to Hola please contact [...]. Your commercial license will provide you with these additional features: Hola For business: License to use Hola for commercial purposes.
Automation: developer API that enable controlling the routing of your HTTP requests via software.
Allow many concurrent sessions.
High bandwidth/high request rate with multiple IPs.
More precise resolution of exit node IP.
Faster changing of IP.
Engineering technical support."
"Typical VPNs need to maintain servers in various countries and to route your traffic through those servers in order to change your IP. This is very expensive. Hola is a network of peers that help each other to access sites, thereby eliminating the need for servers, and thus operating without costs."
It looks like they clarified their story, not changed it? It did say that it uses idle resources collaboratively...I'm not really trying to argue, just wondering if it was really that deceptive. I had never heard of them until this post.
> It did say that it uses idle resources collaboratively
So does Folding@Home. So does tor onion routing (relay node). Nowhere did it say outside of the EULA that they are using all their users as exit nodes.
They failed to specify which "resources". It's indefensible, and people would have fallen for this cover up had Google not archived it.
I see this Hola thing get upvoted all the time on reddit as a way to watch region-locked videos. Pretty disgusting that they've tricked millions into installing their software without informing them of all the illegal activities that could be funneled through their IP.
Even if they had said it all along in their FAQ, it's still infuriatingly disingenuous for someone to act as if anyone ever browses to Hola's site and reads their FAQ either before or after installing the Hola malware extension. No ordinary person will ever do this.
What happens is that someone who has already installed Hola, and who is ignorant by design as to what the extension actually does, tells a friend about Hola; the friend installs it, sees the expected functionality, is unaware of the malicious functionality, and the pyramid of ignorance continues to grow after he tells his own friends about how great Hola is.
These few sentences written in the sidebar here [1] are all that at least 7,102,584 of Hola's victims ever saw (judging by the install count for this malicious Chrome extension):
Access websites blocked in your country, company or school with Hola! Hola is free and easy to use!
FREE and secure VPN. Access websites blocked or censored in your country, company or school and stream media with the free Hola Unblocker VPN proxy service.
Hola is a free and ad-free VPN proxy service that provides a faster and more open Internet.
At no point do they attempt to make it clear in the slightest that they turn your browser into a for-profit bot net node, nor that your own browser becomes a proxy for others. In all venues where Hola expects 99.9% of interested parties to see their product pitch, they intentionally convey the false impression that they personally own their own VPN proxy backends.
Aside from all of that, hiding an explanation of your malware's behavior in the FAQ on some website no one ever sees doesn't suddenly transform it into normal, respectable software. Malware is malware, and bot nets are bot nets.
This is yet another criminal enterprise allowed to flourish and fester simply because Google refuses to police browser extensions in the Chrome web store.
Google runs what I assume must be the largest de facto Universal XSS exploit breeding ground in the world (Chrome extensions in the Chrome web store), and yet they refuse to police its contents.
Here's a recent example. I run AdSense on my site, and it kept running the same ad for an atrocious web game that a 10 year old could have made as their first programming project. I eventually saw the exact same ad running on another site, so I clicked it there in order to avoid the absurd rule that clicking ads on your own site gets you banned from AdSense. (Why don't they just silently discard those clicks, since they know they are from the publisher?) Clicking the ad took me to a page which did not have a game at all; it just falsely claimed you could play a game if you installed their malware browser extension, which it immediately prompted me to install [2]. The extension actually has nothing whatsoever to do with games. It doesn't enable you to play a game at all, anywhere. All it does is replace ads across the entire web with ads from its own ad network for the remainder of the lifetime of that computer. The extension has millions of installs and probably causes Google to lose seven figures per year in AdSense revenue due to so many AdSense ads being replaced with ads from another network. I also think it's funny that ads were being run on my site for the specific purpose of installing malware that would replace the ads and destroy the ad revenue for the very same site that helped it get installed in the first place. I reported this extension three times using the official report forms for the directly relevant teams at Google (even explaining in detail how it damages their own AdSense platform, so unlike a typical consumer complaint, this was actually affecting their profits and they should listen for once), and I was consistently ignored.
I'm not sure I understand your logic here. They've come up with a clever way to create a sustainable, free vpn service, with the ability to easily opt-out for a still reasonable price. All the while clearly stating how it all works in their FAQ.
To play devil's advocate: isn't this kind of a good thing for privacy though? If everyone routed everyone else's stuff, it will decouple the notion that IP = person.
Although the service seems shady, if everyone did this wouldn't it be for the better? (albeit at cost of slower connections)
Sure, except for the poor soul that was looking for some anonymity, and now has the FBI knocking on her door with a mandate, because of a shady service that didn't disclose what it was doing to your connection.
Decoupling IP from people won't happen anytime soon. It's better for law enforcement to just go, seize everything, and deal with the false positives later.
See the long list of "suggestions" for people interested in running their own tor exit node [1]. This is not something you should even think about doing from your personal home, mixed with your own traffic. It's asking for trouble.
You can already decouple the notion that IP = person if you look at public wifi hotspots, where one IP address will typically correspond to hundreds or even thousands of devices owned by the customers of the hotspot's owner (like a Starbucks or McDonald's location) plus (depending on the setup and whether or not the hotspot is on a separate WAN connection) the company's own machines.
This, come to think of it, sounds like a more ideal approach to creating exit nodes (whether for Tor, a more traditional VPN, etc.). Some low-profile innocuous-looking wall wart - perhaps with USB ports to double as a USB charging station, or some other "clever" disguise - could really be an "exit-node-in-a-box", relaying Tor users through public wifi hotspots in restaurants, hospitals, etc. I reckon this will be more prevalent if any jurisdictions start doing silly things like holding people liable for what their computers emit when they run exit nodes (or - worse - ban Tor, VPNs, etc. outright).
It provides plausible deniability. It wasn't me, it was Hola.
The issue is there's no informed consent. Outside of /r/netsec, /r/techsupport and HN etc, there probably aren't people who know how Hola works and what the implications are.
You can bet the majority of Hola users don't know what a MITM attack is. I'd wager more than half wouldn't know what a bot net is, or what an exit node is.
I'm not sure that plausible deniability has much value if, say, a user's ISP has a policy of suspending accounts that attract too many complaints about copyright, hacking, spam, etc. The account itself is a nuisance to them, regardless of whose fault it is.
You're right, it would be good for privacy if we can convince the courts that users installing the software are not responsible for the traffic of other users. I'm afraid this argument will fall on deaf ears.
That's exactly the point, people hosting tor exit nodes are very aware of the risk they're taking. Hola users aren't.
Most people use Hola to watch internet shows not available in their country. Or, for example, some people use Hola to watch southparkstudios from Sweden, because it's freely available there, but in the US it requires hulu plus.
I'm on a college campus, I am always peeking at people's screens in the library and I'll see the little Hola flame in their navbar. I even saw it on a CS grad student's browser once before class.
I'm sure people do all kinds of things. My question is, do the people running exit nodes actually get in legal trouble for traffic that happens to transit their routers? It seems to be an accepted bit of folk wisdom that they do, but I cannot find many actual, documented cases where it has actually happened. This leaves me wondering whether the widely-assumed legal risk is real or just an urban legend.