Hotspot Shield, established in 2005, has undergone numerous transformations over the years, including multiple changes in ownership. These shifts have ultimately benefited the VPN service, as this review explores.
Features Overview
- Rating: 4/5
- Price: $7.99 – $12.99 per month
- Refund Period: 30 days
- Headquarters: Switzerland
- Devices per License: 10
- Servers: 1,800
- Server Locations: 127 locations across 85 countries, including the USA, Canada, the UK, Australia, New Zealand, Japan, France, and Germany
- Streaming Sites Unblocked: Netflix, BBC iPlayer, NBC
- Supports Torrenting: Yes
- Data Logging: No
- Customer Support: 24/7
Company Evolution
Hotspot Shield was originally developed by AnchorFree, Inc. in 2005. The company, headquartered in Redwood City, California, rebranded as Pango Group in 2019. At the same time, its European division, AnchorFree GmbH, was renamed to Pango GmbH. The UK division, AnchorFree Ltd, retained its original name.
Pango rebranded Hotspot Shield as Pango Hotspot Shield, integrating it with additional privacy services such as Robo Shield (an automated call blocker), 1Password (a password manager), and Identity Guard (an identity protection service). This bundle is now marketed under the Aura brand following Aura’s acquisition of Pango in July 2020. Aura also acquired other Pango assets, including Identity Defense, and incorporated Intrusta antivirus/malware protection into Pango’s offerings. Aura’s portfolio also includes Touch VPN and identity protection brands PrivacyMate and FigLeaf.
Pango Group owns several other VPN services, including Ultra VPN, VPN 360, and Betternet VPN. In October 2021, the company acquired Comparitech, a technology review website focused on VPN reviews, through its AnchorFree Ltd subsidiary. Another VPN review site, ProPrivacy, was acquired in February 2022.
It is worth noting that Aura is a brand under Intersections, Inc., which appears as the copyright owner on the Hotspot Shield website. The terms of service refer to Intersections LLC doing business as Aura, while the privacy policy mentions Intersections LLC doing business as Pango. Intersections, Inc. is owned by WC SACD One Parent, Inc., which is jointly held by WndrCo, General Catalyst, and iSubscribed.
Privacy and Security
Hotspot Shield has faced criticism in the past regarding privacy concerns. In August 2016, a study by the Commonwealth Scientific and Industrial Research Organization (CSIRO) revealed that Hotspot Shield’s VPN service inserted affiliate codes on retail websites and injected its own advertisements into user browsers. This led to negative privacy rankings for Hotspot Shield’s sister service, Betternet.
In August 2017, the Center for Democracy and Technology reported Hotspot Shield’s free VPN to the Federal Trade Commission for sharing user data with advertisers without disclosure. Additionally, in 2018, it was discovered that the app leaked location information.
Hotspot Shield’s Terms of Service state that advertising is injected into web pages processed by the free version of the service, but this practice is not applied to the paid version.
Legal Considerations
Hotspot Shield is based in Virginia, USA, a location that presents potential legal challenges due to the tendency of US government agencies to pressure VPN services into compliance with activity tracking requirements. This positioning also exposes the service to potential legal action from US copyright attorneys, particularly relevant for users engaged in P2P file sharing networks.
The critical issue in such legal matters revolves around whether the VPN retains activity logs. If records are maintained, copyright lawyers can potentially trace activities back to an individual through connection records. Historically, Hotspot Shield claimed that IP addresses were not considered personally identifiable information (PII), which raised concerns about privacy. However, the company has since revised its stance, now including IP addresses within its definition of PII, thereby strengthening its privacy policy.
Hotspot Shield has demonstrated resilience and adaptability through various ownership changes and company rebrands. Despite past privacy issues, recent updates to its privacy policy and features reflect ongoing efforts to enhance user security and privacy.
Network Address Translation (NAT)
VPNs provide dual layers of protection, concealing both the identities and activities of their users. One key aspect of this protection is IP address substitution, which can be implemented in several ways. Hotspot Shield, for instance, employs shared IP addresses for this purpose.
Each VPN server maintains a pool of IP addresses. When a user connects, the server assigns one of these addresses to the connection. Regardless of where the user’s applications need to reach, the VPN app directs all traffic through the VPN server.
Internet traffic is divided into packets, each of which contains a header with source and destination IP addresses. With an active VPN connection, the VPN server receives all incoming packets from the user, forwarding them to their intended destination, typically a web server. The server modifies the source IP address in the packet header to the one assigned to the user for the session. Consequently, responses are directed back to the VPN server using this IP address.
To ensure that incoming packets are forwarded to the correct user—given that the VPN server services multiple users simultaneously—the VPN system uses a lookup table. This table maps the real IP addresses to the substituted IP addresses for each user. This process is known as Network Address Translation (NAT).
When a user disconnects from the VPN, the NAT table entry for that session is deleted, and the IP address is returned to the pool for reuse.
Activity Logging
Activity logs may be generated at the end of a VPN session if the VPN server archives the NAT table entry before deletion. This entry includes the user’s IP address, the substituted IP address, and timestamps marking the start and end of the session. Such information could potentially be used by copyright lawyers to trace user activities and initiate legal actions for unauthorized downloads.
Therefore, it is crucial to understand whether a VPN provider retains IP addresses. While Hotspot Shield previously avoided specifying IP addresses as personal data, it now explicitly states that it does not retain user data. This assures customers that their internet connections remain anonymized.
Despite past concerns regarding Hotspot Shield’s practices, the company has since improved its policies. Its current activity logging practices are comparable to those of other reputable VPN services.
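The NAT table and the logging decision described in the two sections above, as an added Python sketch that is not Hotspot Shield's code. The class and function names and every address are constructed for illustration, and the model assigns one pool address per session, as the text describes.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass
class Session:
    real_ip: IPv4Address   # address the user connected from
    exit_ip: IPv4Address   # substitute address drawn from the server's pool
    start: float           # session start (epoch seconds)

class VpnNat:
    """Toy per-session NAT: one pool address per connected user."""
    def __init__(self, pool, retain_logs=False):
        self.free = [IPv4Address(a) for a in pool]
        self.table = {}            # exit_ip -> Session (the live NAT table)
        self.retain_logs = retain_logs
        self.archive = []          # only filled when the operator keeps logs

    def connect(self, real_ip, now):
        if not self.free:
            raise RuntimeError("address pool exhausted")
        s = Session(IPv4Address(real_ip), self.free.pop(0), now)
        self.table[s.exit_ip] = s
        return s

    def outbound(self, s, pkt):
        # Rewrite the source so the destination only ever sees the pool address.
        return {**pkt, "src": str(s.exit_ip)}

    def inbound(self, pkt):
        # Replies arrive addressed to the pool address; map back to the user.
        s = self.table.get(IPv4Address(pkt["dst"]))
        return None if s is None else {**pkt, "dst": str(s.real_ip)}

    def disconnect(self, s, now):
        if self.retain_logs:       # archiving the entry is what creates an activity log
            self.archive.append({"real_ip": str(s.real_ip),
                                 "exit_ip": str(s.exit_ip),
                                 "start": s.start, "end": now})
        del self.table[s.exit_ip]
        self.free.append(s.exit_ip)  # address goes back to the pool for reuse

def attribute(archive, exit_ip, when):
    """Resolve (pool address, timestamp) to a real address, if a record exists."""
    for rec in archive:
        if rec["exit_ip"] == exit_ip and rec["start"] <= when <= rec["end"]:
            return rec["real_ip"]
    return None

def demo(retain_logs):
    # All addresses are constructed documentation-range values.
    nat = VpnNat(["198.51.100.10", "198.51.100.11"], retain_logs)
    user = nat.connect("203.0.113.7", now=1000.0)
    out = nat.outbound(user, {"src": "203.0.113.7", "dst": "192.0.2.80"})
    back = nat.inbound({"src": "192.0.2.80", "dst": out["src"]})
    nat.disconnect(user, now=1600.0)
    stale = nat.inbound({"src": "192.0.2.80", "dst": out["src"]})
    return out["src"], back["dst"], stale, attribute(nat.archive, out["src"], 1300.0)

if __name__ == "__main__":
    print("logging on :", demo(True))
    print("logging off:", demo(False))
```

With logging on, the pool address plus a timestamp resolves back to the user's real address after the session has ended; with logging off, the deleted table entry leaves nothing to resolve.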
Hotspot Shield VPN Protocols
In addition to IP address substitution, VPNs offer protection for internet connections through protocols. These protocols are sets of procedures that secure the communication between the user’s device and the VPN server. While various VPN protocols exist, AnchorFree has developed its proprietary protocol, Hydra. Details on Hydra’s operation are limited, but it is claimed to be nearly 2.5 times faster than OpenVPN, the leading VPN protocol.
Originally known as Catapult Hydra, this protocol is similar to OpenVPN, employing a two-phase encryption approach. The primary encryption method used is a symmetric key system, where the same key encrypts and decrypts messages. The key’s value is critical as it determines the encryption’s security level. Hotspot Shield uses the Advanced Encryption Standard (AES) with a 256-bit key, denoted as AES-256, which is considered highly secure.
However, Hydra’s proprietary nature means its specifics remain confidential. In contrast, protocols like OpenVPN and WireGuard are open-source, making their encryption methods publicly known. Despite this, knowledge of the encryption formula is insufficient without the key.
Hotspot Shield also offers the IKEv2/IPsec combination as an alternative protocol. IPsec is a low-level protocol that operates close to the networking processes and relies on IKEv2 for encryption key management. IKEv2/IPsec is efficient and often preferred for mobile devices due to its minimal impact on battery life.
Hotspot Shield VPN Tunnel
A VPN server functions as a proxy, masking your computer’s IP address when sending internet traffic to a web server. The VPN service ensures that your traffic reaches the VPN server.
The Hotspot Shield app on your device acts as an intermediary, establishing a “tunnel” to the selected VPN server through an authentication process involving public key encryption. In this system, the two keys of a pair, an encryption key and a decryption key, are related but distinct. The encryption key can be public, while the decryption key remains private.
The VPN app uses the server’s public key to encrypt a challenge. If the server responds correctly, it proves its identity by possessing the corresponding decryption key. The server then uses the client’s public key to securely transmit the AES encryption key. Both parties then use AES to encrypt traffic within the tunnel.
The VPN app intercepts and encrypts all outgoing traffic, including packet headers. Routers need to read the headers to determine the destination IP address, so the VPN app encapsulates the encrypted packet within another packet addressed to the VPN server.
The VPN server extracts and decrypts the inner packet, revealing the original destination address, and replaces the packet’s source address with a substitute IP address before forwarding it. Responses are encrypted and returned to the VPN app, which decrypts them and delivers them to the original requesting application.
Hotspot Shield IP Leak Protection
Hotspot Shield offers robust IP leak protection through its tunnel technology, which prevents your Internet Service Provider (ISP) from logging your online activities. This is crucial for privacy, as such records can be used by copyright lawyers to trace and pursue torrent users, and by law enforcement agencies for surveillance. The VPN tunnel ensures that only traffic between your device and the VPN server is visible to your ISP, concealing the actual destinations you connect to.
However, if your VPN connection drops, subsequent traffic will be exposed, and your ISP will resume logging your online activity. This issue is known as an IP leak, as it reveals the IP addresses of the servers you connect to.
To address this, Hotspot Shield includes a Kill Switch feature. When activated, this feature controls all internet access through the VPN tunnel. Should the VPN connection be interrupted, all internet access is halted until the connection is re-established. This mechanism ensures you are promptly aware of any connectivity issues and can restore the VPN service to maintain privacy.
Hotspot Shield DNS Leak Protection
Web addresses in your browser are not understood by routers; they rely on IP addresses. Thus, your browser needs to resolve web addresses to IP addresses through the Domain Name System (DNS), a vast, globally distributed database. ISPs often run DNS resolvers that speed up this process by storing the results of recent queries. While this service enhances speed, it also poses privacy risks, as ISPs can potentially log your activities and restrict access to specific websites.
Hotspot Shield protects DNS queries through encryption. Unlike some VPN services, such as CyberGhost and Surfshark, which tunnel DNS queries, Hotspot Shield encrypts them so that they cannot be blocked or logged by your ISP. This ensures that your DNS queries are kept confidential.
Hotspot Shield Virtual Locations
Hotspot Shield uses the term “virtual locations” to describe its VPN server locations, which can be somewhat ambiguous. The primary function of a VPN is to mask your real location by connecting you to a server in another country. For instance, connecting to a server in France will make it appear as though you are browsing from there, providing a virtual location distinct from your actual one.
VPNs can achieve this in two ways. The most common method is operating servers in specific locations. For example, selecting Paris as your location connects you to a server physically situated in Paris, thereby making it appear as though you are browsing from there.
Alternatively, the term “virtual location” can imply that the server is not physically in the stated location but instead in a different place. For instance, a VPN provider might use a server in Chicago but assign it IP addresses associated with Paris. Users selecting Paris are thus connected to the Chicago server, which presents itself as being in Paris.
Hotspot Shield lists 85 countries for its server locations, but only 20 of these have actual physical servers; the remainder are virtual locations. The practice is common in the VPN industry, and many providers, such as ExpressVPN and NordVPN, handle it transparently by differentiating between real and virtual servers in their listings. This approach is particularly prevalent in countries with stringent VPN regulations, allowing providers to circumvent local restrictions while maintaining service quality.
Website Blocking
The ability to bypass geographic restrictions is a key feature of VPNs. Many websites, including news, gambling, and streaming services, restrict access based on the user’s location. High-quality VPNs excel at evading these location-based restrictions, but not all services are equally effective.
We tested Hotspot Shield to evaluate its capability to access a variety of major video streaming sites across borders. Here are the results:
Service Testing
- Netflix: Functioned correctly in the USA, the UK, France, Norway, and Japan.
- Disney+: Operated successfully in the USA, but failed in the UK, France, Norway, and Japan.
- BBC iPlayer: Confirmed to work.
- ITV Hub: Confirmed to work.
- Channel 4: Confirmed to work.
- ABC: Did not work.
- NBC: Confirmed to work.
Pricing
Hotspot Shield offers three subscription tiers:
- Basic: Free with access to a single server location in the USA.
- Premium: Full Hotspot Shield service with support for up to five simultaneous connections. Users can install the app on multiple devices, but only five can be connected at any given time.
- Premium Family: Provides five Premium licenses, allowing up to 25 simultaneous connections (5 x 5).
Both the Premium and Premium Family editions are available under two payment plans: a month-to-month plan and an annual plan.
- Premium: $12.99 per month or $95.99 per year ($7.99 per month).
- Premium Family: $19.99 per month or $143.88 per year ($11.99 per month).
All paid plans come with a 45-day money-back guarantee. Payment options include credit cards (Visa, Mastercard, American Express, Diners Club, JCB, or Discover) or PayPal. Cryptocurrency payments are not accepted. Subscriptions can be purchased through the Hotspot Shield mobile app, available on Google Play or the Apple App Store, though payment through Google Play or Apple Pay is not supported.
A 7-day free trial of the Premium edition is available; however, it automatically transitions to a monthly payment plan after the trial period. For those considering a long-term commitment, opting for the annual plan is recommended. To avoid automatic renewal, be sure to cancel the service before the trial ends.
Installation Instructions
1. To access the 7-day free trial of Hotspot Shield, provide your email address and credit card details. A purchase commitment is required prior to initiating the trial. However, you may cancel the service before the trial period ends to avoid charges.
After navigating away from this page, you will need to set up your account by entering a password.
You will then gain access to the Download page.
2. Select the “Get” button for Hotspot Shield VPN to download the installer. Click on the “Download” button on the subsequent screen. Once the download is complete, run the installer and follow the prompts through the installation process.
3. Upon completion, the application will display a series of service highlights before presenting the main screen. Your credentials will be pre-filled, eliminating the need for a separate sign-in.
4. The main screen displays your data usage for the day and the last connected server. By default, the app will automatically reconnect to the last used server.
Click the arrowhead in the Virtual Location box to view the list of available server locations.
5. The server list displays countries with Hotspot Shield servers, with multiple locations available in some countries. Select a country to drill down to specific city-level options.
A “Connect” link will appear when you hover over a server location. Click this link to establish a VPN connection to the chosen location.
6. Once connected, the main screen will provide comprehensive information about the VPN connection.
7. The first panel on the main screen features a world map indicating the current VPN location. You can change this location at any time by clicking the arrowhead next to the current location name.
In the lower-left panel, the Latency number reflects the Roundtrip Time as reported by Ping.
8. To access the settings menu, click the bolt symbol at the bottom of the left menu strip. Navigate to the “Protocols” tab to view available VPN protocol options.
9. Go to the “Advanced” tab to locate the Kill Switch option. Enabling this feature will block internet traffic if the VPN is not active. This functionality is available only if the VPN app is running. To ensure the app launches automatically with your operating system, go to the “General” tab and activate the “Start on Launch” option.
10. Click the house symbol at the top of the menu strip to return to the main screen of the app. To disconnect the VPN, click the blue button at the bottom of the screen.
Speed Tests
The VPN application features its own speed report. However, our connection speed tests were conducted independently using Meter.net. These tests were performed while connected to the Three network in the UK, with the VPN protocol set to Hydra. Each test was conducted three times, and the median result was used for the final report.
To establish a performance baseline, we first tested the connection to a nearby server without the VPN enabled. The results were as follows:
- Download Speed: 10.47 Mbps
- Upload Speed: 2.89 Mbps
We then performed a speed test using a generic United Kingdom server location, connecting to the same test server as before. The results indicated:
- Download Speed: 11.60 Mbps (a slight improvement over the unprotected connection)
- Upload Speed: 2.22 Mbps (a slight decrease compared to the unprotected connection)
Long-distance connections are inherently slower due to the increased distance and additional routers through which data packets must travel. In a test conducted without the VPN, connecting to Sydney, Australia, the results were:
- Download Speed: 2.00 Mbps
- Upload Speed: 0.17 Mbps
Subsequently, we activated the Hotspot Shield service, using the London VPN server, and connected to the same test server in Sydney. The results showed:
- Download Speed: 4.72 Mbps (more than double the speed observed without the VPN)
- Upload Speed: 0.29 Mbps
It may seem counterintuitive that a VPN could enhance connection speeds, as encryption typically introduces overhead that should slow down transfers. However, telecommunications companies often enter into agreements with global counterparts to carry traffic, which can include conditions such as speed limits that reduce costs. Therefore, the improved performance observed in these tests suggests that Hotspot Shield benefits from more favorable peering agreements with long-distance carriers compared to the ISP used in these tests.