Paying for a privacy protection is like popping into a roadside strip joint because you want a satisfying lunch buffet -- a risky move that's best made with your eyes open.because you want top-tier
Nevermind theand oblique third-party operation chains you've got to trust from far too many commercial . Between the US' participation in international intelligence-sharing rings, its comparative lack of domestic data privacy protections, and its government's vast authority to silently surveil you -- there's no way to know what's going on behind the curtain. So why would anyone pay for a US VPN? Simple: Pure, naked speed.
Editors' note, Feb. 9, 2022: The VPN industry has undergone significant change in the past few months, with all three of our top VPN choices announcing major changes in corporate ownership. In December, ExpressVPN announced that it had officially joined Kape Technologies, a company that already owns several other VPNs and has raised privacy concerns in the past. In February, NordVPN and Surfshark announced the two companies were merging, though they'll continue to operate autonomously. We're in the process of reevaluating all of our top picks in light of these changes. We will update our reviews and, if necessary, our rankings to account for this new competitive landscape.
- Among the fastest VPNs we've tested
- Streaming media-friendly
- Strong platform compatibility
- Excessive user data collection
- Lack of independent audits
- More expensive than faster competitor
Enter Hotspot Shield VPN. Its TLS-based Hydra Catapult protocol, US jurisdiction, 128-bit AES encryption support, and large percentage of virtual servers might strip away my trust in its privacy protections -- but I'm not here for the buffet, and those questionable components are exactly what give this service its core prowess. As of May 2021, it's the, effortlessly delivers on smooth-streaming media, and can dance between server connections without missing a beat, no matter how many interruptions you throw at it.
Be warned, however. As thrilling as its speeds are, spending time with Hotspot is going to leave your wallet a little lighter than you might prefer.
- Average speed loss: 26%
- Number of servers: 3,200
- Number of server locations: 82
- Number of IP addresses: Unknown
I ran speed tests using Hotspot Shield over two days with dynamic IP addresses on both Windows and Apple devices. Internet speeds in the US vary by state and provider so, with any speed test, results are going to rely on your local infrastructure. Hyperfast internet service will yield higher test speed results.
That's one reason I'm more interested in testing the amount of speed lost (which for most VPNs is typically half or more) across both high-speed and slower connection types, and in using tools such as speedtest.net to even out the playing field. Most VPNs cut your speed by half or more. In the case of Hotspot Shield, only about 26% of average internet speed was lost. That average includes both the superfast speeds recorded for nearby servers, and the sluggish speeds recorded for the more distant servers.
There's no denying this VPN is fast. A 26% speed loss puts it in second place in our, falling behind -- which lost just 16.9% of its speed the last time I tested it -- and knocking down to third place with a 51.8% speed loss at last measurement.
If my tests were solely based on connections to servers in the UK, we'd have a new speed champion: Speed loss on London connections was under 8%, with a satisfying 230 Mbps average download speed and a peak speed test of 349 Mbps. Gaming, torrenting, browsing, streaming -- speed-dependent services won't be slowed down for Hotspot Shield users in the UK.
As usual with European connection speeds, high scores in France were balanced by low scores in Germany for an average of 203 Mbps. US speeds peaked at 348 Mbps, but averaged just 183 Mbps overall. Although Singapore speeds reached a peak of 270 Mbps, their average was just 167 Mbps due to wild swings in speeds, where HotSpot's overall slowest score of 30 Mbps was clocked. Singapore tested ahead of Australian, however, where speeds struggled at an average 142 Mbps. Overall non-VPN speeds averaged about 250 Mbps.
If all you're looking for in a VPN is something lightning fast to help you easily stream your home country's content on, or while traveling abroad, Hotspot is going to give you exactly what you're looking for.
- Jurisdiction: US
- Encryption: AES-128 and AES-256
- Leaks: IPv6 potentially visible on certain platforms
- Pain points: Excessive logging, lack of audits, closed source protocol
Hotspot uses its closed-source, proprietary Catapult Hydra protocol. While the protocol is a core component of its incredible speeds, it's still not made available for public audits like its open source alternative protocol, OpenVPN. Although Hotspot touts the use of its protocol by big names in security like McAfee, that appeal to authority isn't much of an argument against greater transparency.
While a 2018 review from AV-Test gave Hotspot high marks, there's no real way to tell what's going on under the hood of its protocol, and giving the public more third-party audits is a necessary step to bring Hotspot up to speed with routinely audited VPNs like TunnelBear.
As recently as April 2021, review site vpnMentor discovered a DNS leak in Hotspot Shield's plug-in for Google Chrome. Hotspot acknowledged the issue at the time in a statement.
"The vulnerabilities they reported were present only in the free Chrome plug-in," the company said in a statement. "Neither mobile nor desktop users of the Hotspot Shield app were affected by these vulnerabilities. We appreciate and commend vpnMentor's initiative to improve the security of consumer VPN applications."
On its website, however, Hotspot maintains that certain DNS leaks are a matter of crossed-purposes between its product and testing sites.
"Hotspot Shield does not leak when making DNS requests. We encrypt the DNS request and that prevents DNS leaks. It's true that some online websites that detect DNS leaks indicate that there may be a leak with our VPN. These websites come to this wrong conclusion because the DNS request is not going through the VPN tunnel and don't check that the request is encrypted," the site says.
While testing Hotspot with a default configuration Windows machine, my IPv6 was exposed while my IPv4 was not. On a Mac, this wasn't a problem. Windows users should make sure they've disabled IPv6 on their machines (it's enabled by default on Windows) before using HotSpot. While you're at it, enable Hotspot's kill switch in its settings menu before using it (it's disabled by default). On Windows machines, you can find your IPv6 options under your Wi-Fi Properties menu, in the Networking tab.
The 2021 incident was preceded by another privacy scandal in 2018, when a researcher found Hotspot leaking information about users' Wi-Fi networks. Hotspot's response was offered once the vulnerability was fixed.
In 2017 Hotspot was hit with an FTC complaint for allegedly over-the-top privacy violations in serving ads. Carnegie Mellon University researchers found the company not only had a baked-in backdoor used to secretly sell data to third-party advertising networks, but it also employed five different tracking libraries, and actually redirected user traffic to secret servers.
When the story broke, Hotspot's then-parent company, AnchorFree, denied the researchers' findings in an email to Ars Technica: "We never redirect our users' traffic to any third-party resources instead of the websites they intended to visit. The free version of our Hotspot Shield solution openly and clearly states that it is funded by ads, however, we intercept no traffic with neither the free nor the premium version of our solutions."
AnchorFree went on to offer annual transparency reports, although their value is still up to the reader.
Another privacy issue is that we don't know which of Hotspot's servers are virtual and which are bare metal (or physical), and we don't know where each of these servers are located. While they can potentially create more speed for a service, virtual servers are generally considered less secure than bare metal. That's why you've seen top-tier privacy players like ExpressVPN (save for two virtual servers), Surfshark andmove to 100% RAM-only servers in the recent past.
Of course, if you're a VPN company that likes to collect user activity data, moving to RAM-only servers could make that a lot harder. And Hotspot collects a lot of data.
Although says Hotspot's current parent company "does not record your VPN browsing activities in any way that can be associated back to you," Hotspot currently collects way more user data than any VPN should. And while Hotspot claims that data is anonymized, it's .
Hotspot collects anonymized data on which domains you access and keeps this particular data for at least a month. It also collects device hashes which can be used to identify specific devices and match it with any other data those devices collect if the hash is compromised. Other kinds of device-specific information Hotspot gathers include what type of browser and device you're using, what settings and operating systems, along with your ISP and network information.
It's common for some VPNs to collect some version of your connection timestamp data. What's not common, however, is for a VPN to retain your data for a seemingly undefined amount of time. Along with data on the duration of your VPN sessions, the amount of bandwidth you consume and your billing and payment information, Hotspot also collects your location information.
If you're using the free version of its product, it shares that location information -- along with even more finite data, including your MAC address and specific phone identifier -- with advertising companies.
I don't need a free lunch if I'm on the menu. Thanks, but no thanks.
I reached out to Hotspot with questions about all of these issues -- the lack of third-party audits, the gathering of sensitive user data to share with advertisers, the length of time certain data is retained, and whether Hotspot has any plans to go 100% RAM-only with its server fleet. If they get back to me, I'll update you.
- Usability: Clean, easy interface
- Platforms: Windows, Android, MacOS, iOS, Linux, Amazon Fire TV
- Price: $8 per month or $95.88 billed annually. Month-to-month plan at $13
- Number of simultaneous connections: Five
You're not looking at a great bargain here for the overall product. Offering just 500 MB of data use, Hotspot's free version is an eye roll of a bait-and-switch, with unacceptable data privacy practices to boot. (, unless it's a free trial of a trusted service.)
The premium product goes for $8 a month, but really it's $95.88, billed yearly. Or you can go month-to-month for $13. That's limited to just five device connections, though. You get 25 device connections under the Family plan, which comes with five member accounts and costs $143.88, billed yearly. The month-to-month version is $20. Both come with a 45-day money-back guarantee.
Compare that to Surfshark, which beat Hotspot on both privacy and speed. Surfshark's premium product costs just $57.76 for two years of service, compared to Hotspot's one year, likewise has a 30-day guarantee, and covers not just five devices but an unlimited number. Its month-to-month option is roughly the same as Hotspot, at $13.
Although it's a popular VPN, Hotspot just isn't cutting it for me, and it would have to step up to the plate on industry fundamentals before I could recommend it to anyone -- even as a speed-only product. For the high price it's charging, customers have every right to expect Hotspot to have third-party audits, RAM-disk servers and transparency on its virtual server locations, zero user data transmission to advertisers, and logging policies in line with industry leaders.
Until then, I recommend passing on Hotspot and giving it a chance to refocus its priorities.