A shocking lawsuit has recently been made public with allegations involving major players in the VPN industry.
The copyright infringement lawsuit (trial info) involves Tesonet and Luminati Networks, which are believed to be the parent companies behind NordVPN and HolaVPN, respectively. The allegations within the lawsuit raise serious questions about NordVPN and whether it is in the business of reselling user bandwidth through a proxy service operated by Tesonet in Lithuania – exactly like Hola was caught doing a few years ago.
While both NordVPN and HolaVPN are well-known in the VPN industry – for different reasons – the companies allegedly behind these VPN providers – Tesonet and Luminati Networks – are less recognizable. The text of the lawsuit, however, clearly explains the relationship between these different entities:
Prior to and separate from the technology at issue in this case, Hola provided a virtual private network (“VPN”) service called HolaVPN. Between November 2015 and June 2018, Hola, had a business relationship with Tesonet related to HolaVPN and Tesonet’s VPN service called NordVPN. [Paragraph 13]
Hola has subsequently changed its name to Luminati Ltd., before changing its name to Luminati Networks Ltd., the Plaintiff in this action. [Paragraph 10]
We can therefore conclude, based on Luminati’s allegations in the lawsuit, that Tesonet is the company behind NordVPN. Furthermore, HolaVPN had a working business relationship with NordVPN lasting nearly three years – only recently ending in June 2018. The exact nature of this “business relationship” is not stated in the complaint.
Why is Luminati Networks (Israel) suing Tesonet (Lithuania) through an Eastern Texas District Court?
The case centers around allegations that Tesonet is infringing on US patents that belong to Hola (Luminati), hence the jurisdiction in Texas. The complaint further clarifies the issue as follows:
On May 22, 2017, during a meeting between Hola Chief Executive Officer Ofer Vilenski and Tesonet co-founder Tomas Okmanas, Mr. Okmanas informed Mr. Vilenski that Tesonet was thinking about entering into the residential proxy business. Mr. Vilenski informed Mr. Okmanas that Luminati has patents in this field and sent an email to Mr. Okmanas that same day confirming that Luminati would send a letter identifying Luminati’s intellectual property in this field. [Paragraph 14]
… the OxyLabs residential proxy network is based upon numerous user devices, each of which is a client device identifiable over the Internet by an IP address… these user devices become part of the network through the execution of Tesonet code embedded in applications downloaded by that device’s user. [Paragraph 19]
Now where have we heard this before?
The reselling of users’ bandwidth on their devices is precisely what caused backlash that was widely reported three years ago.
This previous botnet scandal with Hola came to light with a blog post by the owner of 8chan claiming that devices controlled through the Luminati network were DDoSing 8chan as part of a botnet. We also discussed this in the free VPN guide – showing how HolaVPN users comprised the “business proxy” network, which the parent company marketed to third parties.
It’s important to note that all of this occurs without the knowledge of the end-user who installed the VPN app. Once Luminati’s software gets installed on a particular device, its owner has zero control over how Luminati’s “business proxy” customers choose to exploit the device and internet connection. See adios-hola.org for a discussion about the dangers and risks of using HolaVPN.
Luminati markets its residential proxy network via luminati.io.
What about Tesonet?
According to the lawsuit:
… Tesonet offers large-scale web data extraction products and services under the OxyLabs brand. https://oxylabs.io/ … this includes a residential proxy network with ten million residential IP addresses from more than 180 countries. https://oxylabs.io/ [Paragraph 18]
You can see this on the oxylabs.io website.
Just like with Luminati, Oxylabs also operates a large proxy network of residential IPs.
Online accusations fly
While some are skeptical, because the accusations originated from a rival VPN provider (Private Internet Access), there are many connections that have been verified by Proton staff.
When the accusations surfaced about their connection to Tesonet, Proton first claimed:
We used Tesonet as a local partner before we had an official Lithuanian subsidiary, and rented office space from them. We don’t share employees, infrastructure, etc.
However, as you can see in their own words below, Proton’s story continued to change and contradict their original assertions as more evidence came out. Here are three noteworthy allegations with sources and responses from Proton:
- ProtonVPN’s Android APK has a certificate signed by Tesonet (source & source)
  - Proton response #1: “That was an error made during the time Tesonet was doing our HR which we are attempting to correct.” (source)
  - Proton response #2: Proton later claimed that this was due to their employee who was employed through Tesonet. “As Algirdas was formally employed through Tesonet, he put Tesonet into the cert, and nobody noticed it until recently.” (source)
  - Proton response #3: “the ProtonVPN Android keystore mistakenly lists Tesonet as the organization name, since our Android developer was at that time formally employed through Tesonet.” (source)
  - Proton response #4: “the app isn’t signed by Tesonet, but rather our keystore mentions Tesonet” (source)
- The current CEO of Tesonet (Darius Bereika) is also the Director for ProtonVPN LT, UAB in Lithuania, with both Tesonet and ProtonVPN sharing the same address (source, source, & source)
  - Note: Right after these accusations surfaced, the name of ProtonVPN LT, UAB, with Tesonet’s CEO as the director, was changed to Cyber Alliance UAB (before & after). When questioned about this on reddit, Proton alleged that the recent name change was another “mistake” – the timing of which happened to coincide perfectly with these allegations.
- There was also a claim in the Hacker News thread that Proton was using IP address blocks that belong to Tesonet.
  - Proton response #1: “Turns out there was a plan to use Tesonet infra in Switzerland for this before we built our own infra in the Zurich area. What’s interesting is that they weren’t removed in RIPE when we decided to use our own infra instead, and this definitely needs to be corrected.” (source)
  - Proton response #2: “Some of the IPs we use in ProtonVPN’s global network might be acquired or leased from Tesonet or Radix” (source)
  - Proton response #3: “we don’t use Tesonet IPs and never have” (source)
As these responses show, Proton has had a tough time getting their official story straight. However, they tried to put the issue to rest with this reddit post, which they ended up locking in order to prevent any more comments or questions.
Reactions to these allegations have been mixed. While some users see these issues as red flags and cause to jump ship, others have disregarded the allegations as a “smear campaign” from competing VPN services.
ProtonVPN and NordVPN have also argued this line of defense on social media – see this response from ProtonVPN and also NordVPN’s response. ProtonVPN, in particular, has repeatedly called out Private Internet Access (PIA) as the culprit behind these allegations.
So is everything just a smear campaign to spread FUD (fear, uncertainty, and doubt) about rival VPN services?
PIA may well be working to harm the reputation of NordVPN and ProtonVPN, but that does not explain why Hola is suing the makers of NordVPN. This lawsuit doesn’t appear to have anything to do with Private Internet Access.
In conclusion, Luminati is suing Tesonet for doing the very thing that caused privacy-conscious users to abandon HolaVPN years ago: reselling users’ bandwidth.
But we must make something clear: there is no proof or allegation that the NordVPN app itself – or ProtonVPN for that matter – resells users’ bandwidth. While the lawsuit directly mentions NordVPN, Tesonet may well have embedded the software that enables the residential proxy network in apps other than NordVPN.
Nonetheless, the fact remains that Tesonet is clearly involved in the same business that brought scandal to Hola – and is being sued by Luminati for doing just that. This is likely to be of concern to anyone considering these related VPN providers as a solution for internet privacy and security.
ProtonVPN has been active on reddit in responding to these allegations.
Since this article was first published, NordVPN has provided additional clarification, which is included in the section below.
Update with additional information
Update 1: NordVPN has responded to the lawsuit and has offered to do a third-party audit to verify their “no logs” claims.
Update 2: There seems to be lots of confusion as to exactly who is suing whom and why – confusion that could easily be cleared up if people simply read the lawsuit. Many different blogs have come out with various stories and explanations after I published this article, but they are further adding to the confusion by not getting the facts straight.
Comparitech even published an article where they incorrectly asserted that NordVPN was being sued for being a “botnet”. Then they attempted to “prove” that NordVPN is not being used as a botnet by analyzing traffic with Wireshark – even though nobody claimed this. As I clearly stated in the conclusion above, there is no proof or allegation that NordVPN is a botnet reselling user bandwidth – nobody is claiming that.
The lawsuit alleges Tesonet is infringing on Luminati’s patents for proxy network data extraction software (used with HolaVPN). This patent infringement likely has nothing to do with NordVPN, but rather, other apps that Tesonet may be using the code on. However, the lawsuit is still relevant for two main reasons:
- It establishes the connection between NordVPN and Tesonet.
- It illustrates that Tesonet (the parent company) is involved in Hola-like business practices involving proxy networks and data scraping – but not necessarily with NordVPN. (This is also abundantly clear by simply examining the company, its business offerings, and its website.)
To hopefully clear up some confusion, here are a few points to once again emphasize:
- NordVPN is not being sued by anyone. The lawsuit was filed against Tesonet – a large tech company based in Lithuania.
- Nobody is alleging that NordVPN clients are being used in a “botnet” (and this would be easy to verify with Wireshark).
- NordVPN’s jurisdiction is still in Panama, even if not all employees are working in Panama. (Note: a corporation is simply a legal entity to protect a business and its customers.)
- The lawsuit was filed in a Texas jurisdiction known for “patent trolls” – but this does not change the two main points illustrated above. The “patent troll” accusation is only relevant to the question of whether Tesonet is indeed stealing Luminati’s technology – nothing else.
- NordVPN will be conducting an independent, third-party audit to verify their “no logs” claims, which they estimate will be done in the next few months.
Update 3: I have received numerous emails asking if NordVPN is still recommended. This update will address that question (and hopefully be the last update).
Despite all of the rumors flying around online, there do not appear to be any verifiable issues with NordVPN itself. The controversy with the lawsuit and charges of “data scraping” are exclusive to Tesonet – not NordVPN.
As noted above, NordVPN still operates from the jurisdiction of Panama, which is a good location for privacy (outside of 14 Eyes). While NordVPN does have verifiable links to Tesonet in Lithuania, it is indeed under Panama jurisdiction and is legally its own entity. NordVPN has a no logs policy and has never been found to be providing information to third parties or state agencies.
Judged on its own, NordVPN performed well in the latest update to the NordVPN review – better than in previous reviews. It was temporarily removed from the best VPN list while I investigated these issues. Even though NordVPN remains well regarded in the privacy community, the ultimate question of trust is something only you can decide.
Update 4: The NordVPN audit has been completed and they are verified to be “no logs” – discussed further in the no logs VPN guide.
Last updated December 4, 2018