Fact check: Is HMA VPN handing over information with a bad actor having access to a government email or Kodex via subpoena or EDR a worry?

Checked on August 23, 2025

1. Summary of the results

Based on the analyses, HMA VPN presents a complex privacy picture with significant contradictions between their current claims and historical actions.

Current No-Logging Policy Claims:

  • HMA VPN maintains they operate under a certified no-logging policy that has been independently audited by VerSprite, a third-party cybersecurity consulting firm [1] [2]
  • They claim to not collect, record, or see user data such as IP addresses, DNS queries, activity, connection timestamps, or data transferred [3]
  • However, they do collect some anonymous data for troubleshooting, including the day of connection, general time, and amount of data transmitted, which is stored for 35 days before deletion [3] [4]

Historical Controversies and Concerns:

  • HMA's parent company Avast has had significant privacy issues, including selling user data, which raises serious questions about HMA's ability to protect user information [4]
  • The LulzSec case is the major historical incident in which HMA's logging practices and cooperation with law enforcement came under scrutiny [4] [5]
  • A 2016 Reddit case documented a user receiving threatening notices from HMA regarding alleged illegal file sharing, suggesting the company may have been logging user activity and cooperating with law enforcement at that time [6]

2. Missing context/alternative viewpoints

The original question lacks several critical pieces of context that significantly impact the risk assessment:

Historical Cooperation with Authorities:

  • The analyses reveal that HMA has a documented history of cooperating with law enforcement, as evidenced by the LulzSec incident and user reports from 2016 [4] [6]
  • Government entities and law enforcement agencies would benefit from VPN providers maintaining some level of data collection or cooperation capabilities, even if minimal

Corporate Structure Risks:

  • Avast, HMA's parent company, has been involved in data selling scandals, which creates additional risk vectors beyond HMA's direct policies [4] [5]
  • Corporate shareholders and data brokers benefit financially when VPN companies maintain data collection practices under the guise of "anonymous" or "minimal" logging

Technical Infrastructure Concerns:

  • HMA uses virtual servers (servers whose advertised location differs from where the hardware physically sits), a risk the original question does not mention [5]
  • Cloud service providers and hosting companies benefit when VPN providers use virtual infrastructure, and the physical host's jurisdiction, not the advertised one, determines which legal requests the operator must answer

Jurisdictional Considerations:

  • HMA's decision to pull servers from Hong Kong due to security legislation demonstrates how geopolitical factors can force VPN providers to make operational changes that affect user privacy [7]

3. Potential misinformation/bias in the original statement

The original question contains implicit assumptions that may not reflect the complete risk picture:

Oversimplified Risk Assessment:

  • The question treats subpoenas and EDRs as the primary threat vectors. In the context of provider data requests, EDR means Emergency Disclosure Request (an expedited request a provider may act on without a court order), not Endpoint Detection and Response. The specific scenario raised, a bad actor submitting such a request from a compromised government email account or through a request portal such as Kodex, turns on how HMA verifies requesters, which none of the analyses address; the framing also ignores the broader corporate structure risks and historical cooperation patterns that the analyses do document
  • HMA's parent company Avast's data selling practices represent a more significant systemic risk than individual subpoenas [4]

Missing Historical Context:

  • The question fails to acknowledge HMA's documented history of cooperation with authorities, including the LulzSec case and user reports of threatening notices for alleged illegal activities [4] [6]
  • Law enforcement agencies and government entities have successfully obtained cooperation from HMA in the past, making current "no-log" claims potentially misleading

Technical Misunderstanding:

  • The question doesn't address that HMA still collects "anonymous" data including connection times and bandwidth usage, which could potentially be correlated with other data sources to identify users [3] [4]
  • Data aggregation companies and surveillance entities benefit when users believe "anonymous" data collection is truly anonymous, when it may be correlatable with other datasets
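To make the correlation point concrete, the following is an added illustration (not code or data from the fact-check, HMA, or its auditor) of how records that hold only a day, an hour bucket and a byte count can still narrow an "anonymous" session down to one account once they are joined with a single observation made outside the VPN, such as a web-server log line showing a download of a known size from a VPN exit address. The records, the field names and the tolerance values are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class CoarseRecord:
    """One troubleshooting record of the kind a 'minimal logging' VPN might
    keep: no source IP, no destination, only who, roughly when, and how much.
    Field names are assumptions for this example."""
    account: str
    day: str          # calendar day of the connection, "YYYY-MM-DD"
    hour: int         # "general time": the hour the session started, 0-23
    bytes_total: int  # bytes moved during the session


# Constructed sample data (not HMA records). A real 35-day retention window
# would hold far more rows; six are enough to show the narrowing effect.
RECORDS = [
    CoarseRecord("acct-01", "2025-08-10", 13, 52_000_000),
    CoarseRecord("acct-02", "2025-08-10", 13, 1_200_000),
    CoarseRecord("acct-03", "2025-08-10", 14, 51_500_000),
    CoarseRecord("acct-04", "2025-08-11", 13, 52_400_000),
    CoarseRecord("acct-05", "2025-08-10", 13, 340_000_000),
    CoarseRecord("acct-06", "2025-08-10", 12, 52_100_000),
]


def candidates(records, observed_at, observed_bytes=None,
               tolerance=0.05, hour_slack=0):
    """Return the accounts whose coarse record is consistent with an event
    seen outside the VPN: `observed_at` is an ISO timestamp such as
    "2025-08-10T13:27" taken from a third-party log, `observed_bytes` the
    transfer size that log recorded.

    observed_bytes=None matches on the day/hour bucket alone, which is all a
    requester could do if the provider kept no volume figures at all.
    hour_slack widens the hour window, because a session that started in
    hour N can produce traffic that an outside observer sees in hour N+1.
    """
    when = datetime.fromisoformat(observed_at)
    day = when.strftime("%Y-%m-%d")
    hour = when.hour
    matches = []
    for r in records:
        if r.day != day or abs(r.hour - hour) > hour_slack:
            continue
        if observed_bytes is not None:
            # Assume the observed transfer made up the bulk of the session;
            # `tolerance` absorbs protocol overhead and rounding.
            low = observed_bytes * (1 - tolerance)
            high = observed_bytes * (1 + tolerance)
            if not (low <= r.bytes_total <= high):
                continue
        matches.append(r.account)
    return sorted(matches)


def anonymity_set_size(records, observed_at, observed_bytes=None, **kw):
    """How many accounts remain indistinguishable after the join; 1 means
    the 'anonymous' record has identified a single account."""
    return len(candidates(records, observed_at, observed_bytes, **kw))


if __name__ == "__main__":
    event = "2025-08-10T13:27"   # constructed outside observation
    size = 52_300_000
    print("day+hour only:", candidates(RECORDS, event))
    print("day+hour+bytes:", candidates(RECORDS, event, size))
    print("with 1h slack:", candidates(RECORDS, event, size, hour_slack=1))
    print("anonymity set:", anonymity_set_size(RECORDS, event, size))
```

With day and hour alone three accounts remain plausible; adding the byte count, which HMA's policy says it retains, collapses the set to one. Widening the hour window reintroduces ambiguity but only among accounts that moved a similar volume, so the volume field does most of the identifying work. That is the sense in which "anonymous" connection records are correlatable rather than anonymous.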

The analyses suggest that concerns about HMA VPN cooperating with authorities are well-founded based on historical precedent, despite their current no-logging policy claims and third-party audit.
