You joined a botnet if you use this VPN service
It’s dastardly brilliant.
Users of the virtual private network Hola got more than they bargained for when they signed up for accounts. When they enrolled in the popular free Israel-based VPN service—presumably to conceal their IP addresses to circumvent Internet restrictions abroad, or to evade eavesdroppers—they actually inadvertently enlisted their devices in a robot army.
Did I say free? Not quite. The service boasts 46 million users on its website—with 7 million using it through Google’s Chrome browser alone. But by installing Hola, these people also allowed their connections to be sold to users of another paid service, Luminati (owned by Hola’s parent company, Hola Networks), which originally marketed itself as an anonymizing network like the Tor browser—a service that obscures Internet traffic by routing it through a series of volunteer-operated nodes.
The difference? The provenance of Luminati’s nodes—which number more than 9 million, according to its site—is far from explicit. First off, the Luminati site makes no mention of Hola. And prior to Wednesday, the Hola site made no mention of Luminati. Instead, there was a feigned disclosure—an overly generous description on this author’s part, to be sure—tucked away on the site’s FAQ page that Vice Motherboard staff writer Lorenzo Franceschi-Bicchierai says he was directed to by the company’s co-founder, Ofer Vilenski: “if you would like to use Hola for commercial use contact us at firstname.lastname@example.org for a quote.” Mum on Luminati.
Now that dubious clause has been made a little clearer:
Hola generates revenue by selling a commercial version of the Hola VPN service to businesses (through our Luminati brand). This is what allows us to keep Hola free for our users. Users who want to enjoy the Hola network without contributing their idle resources can do so by joining the Hola premium service for $5 per month (or $45 per year).
The shady link between Luminati and Hola came to light after a spammer known as “Bui” used Luminati’s service to disrupt the popular online image board 8chan earlier this week. (His account has since been terminated, Vilenski told Motherboard.) Frederick Brennan, the administrator of the forum, revealed the connection in a post on his site:
When a user installs Hola, he becomes a VPN endpoint, and other users of the Hola network may exit through his internet connection and take on his IP. This is what makes it free: Hola does not pay for the bandwidth that its VPN uses at all, and there is no user opt out for this. On the other hand, with the Tor onion router, users must specifically opt in to be exit nodes and are aware that completely anonymous traffic can pass through their connections, which means they should be ready for abuse reports for child porn, spam, copyrighted content and other ills that come with the territory.
In this case, Bui abused the Luminati network—in other words, he abused unwitting Hola users’ Internet connections—in order to pummel Brennan’s site with spam.
Reddit users have been debating the ethicality of Hola’s practices—and discussing how to uninstall the program, and what VPN alternatives exist—since the news came out. After making the announcement, Brennan also entered the fray to clear up how Hola and Luminati had only updated their websites in response to his post.
Vilenski acknowledged his company’s equivocation. “Are 100 percent of users aware that they are on a peer-to-peer network and what it means?” he told Motherboard. “The answer is no. Not because we’re covering it, trying not to show them—because we are telling them about it—but because most of them just don’t care, they want a good service, it works well and it doesn’t screw them up.”
In fact, there’s a bigger lesson to draw from the illumination of Hola and Luminati about how the Internet economy of “free” services works. It really is true: If you’re not paying, assume you’re the product.