Hola's founder has confirmed the popular VPN Chrome extension sells its users' bandwidth in order to cover the cost of offering its free service -- resulting in a vast botnet-for-sale network.
Reported this week by TorrentFreak, the media exposure of Hola's internal operations came to light after 8chan message board operator Fredrick Brennan posted a scathing message about the service, claiming Hola users' computers have been harnessed and used within a botnet to attack his website.
Israel-based Hola is a popular virtual private network (VPN) provider used by roughly 46 million users worldwide to make tracking their internet activity more difficult to track. The service is available in both a free and premium version.
The free option routes traffic through other users of the free service, whereas the premium, paid-for alternative acts as a standard VPN. As resources are pooled between users, a free option is possible -- but users must allow their Hola computers to contribute bandwidth and resources to Hola, which also powers the premium Luminati service.
Brennan claims Hola is responsible for several denial-of-service (DoS) attacks launched against 8chan in the past week -- as the way Hola operates allows user computers to act as a conduit for these attacks -- but without the knowledge of Hola extension users. Following his investigation into the DoS attacks, the forum controller said:
"Hola has gotten greedy. They recently (late 2014) realized that they basically have a 9 million IP strong botnet on their hands, and they began selling access to this botnet (right now, for HTTP requests only) at https://luminati.io.
When a user installs Hola, he becomes a VPN endpoint, and other users of the Hola network may exit through his internet connection and take on his IP.
This is what makes it free: Hola does not pay for the bandwidth that its VPN uses at all, and there is no user opt out for this."
Brennan says that the Luminati botnet, consisting of over "9,761,015 exit nodes," was used to send thousands of legitimate-looking POST requests to 8chan's post.php in 30 seconds, which crashed the website.
"The only silver lining is their greed: they charge $20/GB to use lines that cost them nothing, their software simply mooches off of the unfortunate users who have installed the proprietary Hola software.," Brennan writes. "Hola is the most unethical VPN I have ever seen."
Speaking to the publication, Hola founder Ofer Vilenski admitted that the bandwidth of users of the free Hola service is sold commercially -- but says this has always been the agreement when signing up for the free version of the VPN service. When asked about the use of user resources, Vilenski simply said the system was laid out in Hola's FAQs. When asked about Brennan's accusations, the executive said:
"8chan was hit with an attack from a hacker with the handle of BUI. This person then wrote about how he used the Luminati commercial VPN network to hack 8chan. He could have used any commercial VPN network, but chose to do so with ours.
If 8chan was harmed, then a reasonable course of action would be to obtain a court order for information and we can release the contact information of this user so that they can further pursue the damages with him."
Within Hola's recently updated FAQ, the company explains the reasoning behind scraping idle resources and bandwidth of user computers:
"Hola never takes up valuable resources from these users, since it only uses a user as a proxy if that users' device is completely idle (meaning device is connected to electric power (not on battery), no mouse or keyboard activity is detected, and device is connected to the local network or Wifi (not on cellular)).
This makes Hola the first VPN service without underlying operational costs. Although Hola doesn't need to pay for bandwidth, we still need to pay the engineers who create, maintain and keep improving the free Hola service."
If something is free, there is often a catch. Unless you're happy contributing your bandwidth in order to use VPN services, it may be worth spending the few dollars a month VPNs generally cost. There are plenty of options on the market, but it is always worth reading fine details before you install extensions or services which go beyond basic browsing functions.