The NordVPN Law Enforcement Data Request Debacle
Virtual Private Networks are tools that solely exist to protect a user’s browsing activities and sensitive information. When it comes to privacy, most VPNs claim to adopt a strict no-logging policy, which prohibits ISPs and even governments from accessing the users’ information. However, when you see this phrase: “will comply with lawful requests,” questions are bound to be asked.
VPNs cannot operate above the law. That includes none other than the reputable provider – NordVPN. According to several news articles, the VPN will now comply with information requests from law enforcement. What is this about? Does it really apply? What does NordVPN have to say about this? Find out below.
NordVPN is Trending – What’s Going On?
A VPN promises that its customers’ data will always be safe and will never end up in the hands of any external entity. However, when a VPN is accused of even the slightest chance of disclosing data, it loses not only its users’ trust but also its reputation.
NordVPN has marketed itself as a Virtual Private Network that keeps no logs, and so far, they’ve stood tall with that claim. Shockingly, recent reports alleged that the VPN quietly changed a 2017 blog post to note that it does comply with lawful requests for data.
Such allegations may hint that NordVPN will stop fulfilling its promises to its customers and will now log user data if law enforcement is involved.
To better understand the situation, here’s the statement responsible for all the ongoing backlash:
“If a court order were issued according to laws and regulations, if it were legally binding under the jurisdiction that we operate in, and if the court were to reject our appeal, then there would be no other option but to comply. The same applies to all existing VPN companies if they operate legally. In fact, the same applies to all companies in the world.”
NordVPN clearly states that other VPN service providers facilitate illegal activities and do evil instead of doing good. That’s why they made a slight change in their blog in hopes of dissociating themselves from illegitimate VPN companies. Here’s another statement that solidifies their case:
“From day one of our operations, we have never provided any customer data to law enforcement, nor have we ever received a binding court order to log user data. We never, for a second, logged user VPN traffic, and the results of multiple audits prove that we are true to our policies.”
Technically, when a VPN assigns an independent firm to audit its logging policy, it has nothing to hide. Moreover, there’s a lot to think about before accusing NordVPN of anything. We’ll shed more light later on in the article.
Tough Case – NordVPN’s History Speaks for Itself
As mentioned, this whole NordVPN law enforcement fiasco might ruin the trust between the provider and its users. However, the provider is, without a doubt, one of the greats in the industry for many reasons.
First, it adopts a no-logging policy. In other words, even if it received a valid court order, it would be unable to provide any relevant information. Second, several third-party firms have audited the provider’s logging policy.
Now, the real talk begins. NordVPN, unlike most VPN providers, operates using RAM servers. This ensures that user data is never stored on a local hard drive.
In other words, NordVPN stopped renting servers from other companies. Now, all the colocated servers are wholly owned by the service.
Finally, NordVPN is one of the few companies that provide a warrant canary. This is a subtle warning that customers can see in order to be notified if the company has received any gag orders.
A warrant canary is a note on the provider’s website. As long as it keeps being updated, everything is going smoothly. If the updates stop, that’s a warning that the provider has received some sort of subpoena.
As of January 22nd, 2022, NordVPN has received none of the aforementioned legal requests.
Normally, it takes about a week or so to update a warrant canary. However, we’ve been checking the provider’s website on a daily basis. Apparently, they’re changing their statement regularly. So far, these NordVPN law enforcement compliance regulations are not hitting their marks.
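The canary check described above can be automated. The following is an added example, not code from NordVPN or from this article: it flags a canary whose date has gone stale or whose clauses have been dropped, which goes slightly beyond the date check the text describes. The sample statement, the `updated:` date format, the clause list and the 7-day threshold (taken from the "about a week" cadence mentioned above) are all assumptions.

```python
import re
from datetime import date, datetime

# Constructed sample canary text (not NordVPN's actual wording).
SAMPLE_CANARY = """\
Warrant canary
We, Example VPN, confirm that we have received no gag orders,
no subpoenas and no data collection requests.
Statement updated: 2022-01-22
"""

# Assumed clauses the statement has carried so far. A canary normally
# signals by silence, so a clause that disappears is itself a finding.
REQUIRED_CLAUSES = ("gag orders", "subpoenas", "data collection requests")
DATE_RE = re.compile(r"updated:\s*(\d{4}-\d{2}-\d{2})", re.IGNORECASE)


def check_canary(text, today, max_age_days=7):
    """Return a list of findings; an empty list means the canary looks healthy."""
    findings = []
    lowered = text.lower()
    for clause in REQUIRED_CLAUSES:
        if clause not in lowered:
            findings.append(f"clause removed: {clause}")
    match = DATE_RE.search(text)
    if not match:
        findings.append("no update date found")
        return findings
    try:
        updated = datetime.strptime(match.group(1), "%Y-%m-%d").date()
    except ValueError:
        findings.append("unparseable date")
        return findings
    age = (today - updated).days
    if age < 0:
        findings.append("update date is in the future")
    elif age > max_age_days:
        findings.append(f"stale: last updated {age} days ago")
    return findings


if __name__ == "__main__":
    print(check_canary(SAMPLE_CANARY, date(2022, 1, 25)))  # fresh
    print(check_canary(SAMPLE_CANARY, date(2022, 2, 10)))  # stale
```

Keeping a copy of each fetched statement lets you compare wording between runs instead of relying on a fixed clause list.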
It Happened Before – Like Really Happened!
We know how worrying this thing is. Like you give your full trust to a VPN and then find out it’s disclosing your data to other entities.
With this provider, this whole NordVPN law enforcement predicament is just a statement, and we still don’t know if anything will come out of it. As of today, the company has received zero subpoenas, gag orders, or data collection requests.
Unfortunately, we can’t say the same about other VPN providers. A lot of top names in the industry have previously disclosed data. Take a look at some of the examples below:
- PureVPN assisted the feds in their investigation by handing over logs. While it was the right thing to do (morally), as a VPN, this should have never occurred.
- ProtonVPN helped French authorities to obtain the IP address of a French activist who was using the ProtonMail service.
- Threat actors used VPNLabs to commit serious criminal acts such as ransomware deployment and other cybercrime activities. Authorities targeted the provider’s users and infrastructure.
- IPVanish provided user logs to authorities who were investigating a criminal case.
- HideMyAss revealed the identity of a website hacking group back in 2011.
- EarthVPN showed a connection with a hoax bomb threat call. Dutch police seized one of its servers.
Aside from the VPNs mentioned above, two providers also received legal requests but managed to overcome the situation. First, the FBI targeted none other than PIA. Thanks to the provider’s strict no-logging policy, they weren’t able to retrieve any data that links to its users’ activities online and their identities.
Moreover, Turkish authorities seized an ExpressVPN server following the assassination of Russian diplomat Andrey Karlov. However, the authorities couldn’t get their hands on anything since ExpressVPN doesn’t store usage logs as it has always promised.
NordVPN Honoring Legal Requests – Actions Speak Louder than Words
NordVPN is based in Panama, a jurisdiction where no data retention laws apply. However, the provider does state that it will comply if the government issues any legal requests.
The reputable premium service has always had such information in its privacy policy. A simple adjustment to that wording following VPNLabs’ huge scandal means little to nothing.
So far, these allegations are based on what the provider has written. When actual legal actions are taken, then and only then do we get to judge this alleged NordVPN law enforcement compliance case.
ProtonVPN didn’t log a French activist’s IP. It was ProtonMail itself, and the person in question didn’t even use a VPN. Plus, ProtonMail offers an onion service. ProtonVPN and ProtonMail are treated differently via Swiss law. Perfect Privacy VPN (based in Switzerland) got 2 servers seized in The Netherlands.