HMA was recently singled out for using the username ESnowden in an advertisement for their app. Of course, that name references Edward Snowden, the former NSA contractor who is now in exile in Russia after having leaked essentially everything about the NSA’s illegal spying activities.
The article pointed out that HMA had turned over the records of Cody Kretsinger, a hacker affiliated with the group LulzSec. It assigned to this fact an ironic label, given that HMA did not keep his usage anonymous and provided information that, no doubt, led to him getting in legal hot water.
The article also points out that HMA does log and retain for two to three months personally identifiable information, including the server you connect to, the IP address you used and the amount of data that you uploaded and downloaded, as well as a time stamp. This is pretty standard policy for VPN providers and one that HMA is entirely transparent about.
The idea that VPN services can protect users who might face some trouble is not new. It’s a familiar line for advertising and, in fact, it’s true, in some cases. There has to be a bit of realism when these providers are criticized for handing over information, however.
Using username ESnowden
The Internet may be worldwide, but where the provider is located does dictate which laws they are subject to. Any US provider can be required to hand over information with a subpoena. Any provider in the UK can be required to do so under their law, as well, and so forth for any other provider. Some users do use jurisdictional layering; getting service in Russia, for instance, where the provider is not likely to care at all about US subpoenas and probably gets a good laugh out of them.
More than That
One also has to be realistic regarding what the person expects to be protected. If you accidentally download something copyrighted, it’s not likely that the VPN provider is going to turn over information. However, if you’re engaging in high crimes, such as treason, corporate espionage, certain types of pornography, hacking private servers and so forth, it’s not realistic to expect a VPN provider to protect you from the consequences of that. These are businesses, not people you can pay to become accomplices in felony crimes.
Consider what you’re doing on your VPN service. If you’re just protecting your privacy, the companies will help you to do that. If you’re committing serious crimes, however, you can neither expect, nor particularly deserve, the protection of any VPN provider, and HMA not only didn’t have much of a choice in this matter, but had no ethical obligation to protect a user who was using their network to commit crimes.