Originally published on May 29, 2019, last updated on Jun 1, 2019
This article is regularly updated to reflect the TorGuard lawsuit and ongoing developments, which are posted at the bottom.
- Update 1: TorGuard amends lawsuit after erroneously naming the wrong party
In an interesting turn of affairs, TorGuard recently announced on Twitter that it is suing NordVPN and a Canadian web hosting provider, C-Seven Media, Inc.
We have a full copy of the lawsuit that was filed in a Florida district court, which you can read here.
Why is a US VPN service in Florida (TorGuard) suing a VPN service based in Panama (NordVPN) and a Canadian web hosting provider (C-7)?
Buckle up, because this is about to get interesting!
First we’ll examine the events leading up to the lawsuit and then we’ll take a close look at the lawsuit and the specific allegations.
May 20, 2019: TorGuard alleges it was “blackmailed” by another VPN
On May 20, 2019, TorGuard published an interesting blog post where they allege the following events took place:
- An “unknown individual showed up uninvited at a staff member’s personal residence asking to speak about the VPN industry.” The TorGuard employee also received emails on a personal account from this “unknown individual” from a competing VPN service.
- During the conversation, the individual asked for a “gentleman’s agreement” to persuade a TorGuard affiliate by the name of “Tom Spark reviews” to “remove negative content from YouTube” he had published about the competing VPN service.
- Then the individual revealed he had “damaging information” about TorGuard regarding a security flaw, which would “be released” if TorGuard did not agree to the demands.
- TorGuard acknowledged the flaw, but stated the server “had not been used for installs” since January 2018 and claimed there was “no security risk” to their users.
- TorGuard then investigated the issue, which led them to believe a web hosting company was involved, and promised “pending legal action.”
In the blog post, TorGuard does not name NordVPN or the hosting company involved, but the title of the post alleges that this was an attempt at “blackmail”. Four days later, TorGuard filed the lawsuit.
May 24, 2019: TorGuard Sues NordVPN and C-7 Hosting
Just four days after the alleged “blackmail” incident, TorGuard filed a lawsuit in an Orlando, Florida (USA) district court against NordVPN and C-7 web hosting.
Here are ten important details from the lawsuit (TLDR):
- TorGuard (Data Protection Services, LLC based in Florida) is suing NordVPN (Tefincom S.A. based in Panama) and C-7 (C-Seven Media, Inc. based in Canada).
- The lawsuit opens with an attack on NordVPN for “misleading” advertising and “dishonestly” leasing IP addresses from ARIN (even though these things have nothing to do with the allegations at hand).
- TorGuard claims that NordVPN has “threatened TorGuard” with previous legal action from “General Counsel Legal Affiairs Tefincom S.A.”
- TorGuard then claims that NordVPN “orchestrated strategically timed” DDOS attacks against TorGuard’s website on Black Friday, which resulted in “significant economic and reputation damages.”
- TorGuard is seeking injunctive and equitable relief, damages “in excess of $75,000”, recovery of all profits that were lost, all legal fees associated with the case, “exemplary damages” in the amount of “twice the actual losses” incurred, and “additional relief” that the Court decides is “fair and equitable.”
- TorGuard alleges that C-7 is “affiliated with or controlled by NordVPN” and that C-7 solicited a “purchase offer” on behalf of NordVPN.
- In 2018, TorGuard contracted with C-7, which is how C-7 had access to TorGuard’s “confidential and trade secret information.”
- TorGuard alleges that this “confidential and trade secret information” was then provided to NordVPN, which was the subject of the alleged “blackmail” attempt on May 17, 2019 concerning security flaws.
- In the lawsuit, TorGuard states that NordVPN requested a “gentleman’s agreement” whereby NordVPN would not publish TorGuard’s security flaws if TorGuard could get one of their affiliates [Tom Spark reviews] to remove YouTube videos that were critical of NordVPN.
- TorGuard is demanding a jury trial and alleges that the defendants (NordVPN and C-7) violated Florida’s Computer Abuse and Data Recover Act (“CADRA”), the Florida Uniform Trade Secrets Act (“FUTSA”) and also “Tortious Interference” with regard to TorGuard’s business relationships.
Now that we’ve covered the main points of the twelve-page lawsuit, let’s examine a few more questions.
Is TorGuard throwing mud? Is the lawsuit legit?
The VPN industry is very competitive and there is a lot at stake. That might be the biggest factor in explaining all this drama we’ve seen lately, with different VPN providers openly attacking each other in various venues (online and in court).
It seems clear that TorGuard has taken a hit due to various DDOS attacks, but the lawsuit does not appear to have any smoking gun evidence linking this to NordVPN.
Another big question is whether this Orlando, Florida court has legitimate jurisdiction to hear a case against NordVPN, which is based in Panama, and C-7, which is based in Canada. Neither of these businesses has a physical presence in Florida, so perhaps the lawsuit will simply be thrown out.
NordVPN’s official reply
NordVPN has provided Restore Privacy with an official statement, hot off the press on May 29, 2019:
We are aware of the lawsuit, although it is rather difficult to take it seriously. All accusations are entirely made up. TorGuard (although probably by mistake) even filed a lawsuit against some Canadian web design company which we never heard about.
We received information that led us to finding TorGuard server configuration file available on the internet. We then noticed that one of their servers was left completely unprotected and publicly accessible for anyone. It contained private keys, scripts, and a number of other extremely sensitive information, which if misused, could have caused TorGuard and their customers some serious harm.
We disclosed the vulnerability to them with the best intentions. It is a normal practice and just the right thing to do, but they decided to file a lawsuit for blackmail. We didn’t even want to make it public.
We are very much looking forward to the following process. Also, now we have no choice but to take countermeasures.
You can also find our blog post about this case right here: https://nordvpn.com/blog/torguard-lawsuit/
NordVPN’s blog post response also makes some interesting claims.
It all started when we received information that led us to finding a TorGuard server configuration file lying in the open on the internet.
The file revealed how the TorGuard service was configured, displayed private keys, and contained a bunch of other infrastructural IP addresses, including the IPs of their authentication servers and similar assets. Because the file could have been part of some outdated legacy system, we decided to verify whether it was actually an issue by trying to access some of the IPs through a regular browser.
To our surprise, we saw that one of the servers was left completely unprotected. Anyone could have accessed it by simply entering the server’s IP into the address field of their browser. The server contained a number of scripts and other sensitive information. In the wrong hands, this information could have easily been misused, possibly causing major damage to TorGuard and their customers.
The post then explains how NordVPN communicated the security problem to TorGuard’s CTO Keith Murray and TorGuard CEO Benjamin Van Pelt “without asking for anything in return” – i.e. no “blackmail” attempts. NordVPN also alleges that TorGuard may have been involved in a “defamation campaign” targeting NordVPN.
Finally, NordVPN denies the other allegations of DDOSing and unauthorized access, which they claim are “fabricated” by TorGuard.
NordVPN concludes the post by stating their intent to counter-sue:
We will immediately move to dismiss TorGuard’s libelous lawsuit, but as long as we’re on the topic: filing false and malicious lawsuits and publishing false and misleading information is against the law. Therefore, we are filing a suit of our own on the grounds of defamation and libel.
We’ll closely watch how this all plays out and update this article accordingly.
TorGuard’s second time being accused of security flaws?
For the record, this is also not the first time that TorGuard has been publicly accused of security flaws.
In 2015, VPN.ac, a VPN provider based in Romania, published an article detailing how TorGuard copied VPN.ac’s browser extension design, used VPN.ac’s API, and also implemented their browser proxy service insecurely.
As VPN.ac explained in the blog post:
It’s not only the design that’s similar, but they also use the same geo-location API server address (highlighted in the comparison image above). This is our own geo-IP API server that we’re using internally (for software, extensions etc.).
Fyi, using someone else’s API servers, as a VPN service, is a very irresponsible mistake – just terrible from a security & privacy point of view. What they do by using someone else’s servers such as our API service, essentially, is to expose all their Chrome Proxy users’ IPs to a competitor. We don’t interfere with the queries in any way, but you should be aware that a malicious competing service could make use of such opportunity to log IPs of users or even worse, redirect them or forge the JSON replies to mess-up with the extension functionality: e.g. trolling scenario where connected location will display “Fort Meade, Maryland” regardless of real gateway IP location.
VPN.ac listed other security flaws as well:
- Torguard stores the credentials in clear-text; we are XORing the pass to protect it against spyware that will search all over the place for clear-text credentials;
To reproduce: add some credentials and save them > right click on extension > Inspect popup > Resources > Local Storage
- Torguard gets the up-to-date list of proxy gateways over HTTP (again in clear-text); we get them over HTTPS (A+ on Qualys/mirrored results): from Torguard’s background.js, from our background.js;
The obvious risk of providing server IPs over HTTP is that they can be easily hijacked in a MitM attack;
- Torguard’s HTTPS proxy is highly insecure: uses insecure ciphers like RC4, supports SSL 3, is vulnerable to POODLE attack, doesn’t provide Forward Secrecy. Gets a shameful Grade C on Qualys test. Result mirror 1, mirror 2 (to see the original result). And this is our result/mirror (FS enabled, no weak ciphers, support only for TLS 1.1 and 1.2);
Now returning to the TorGuard and NordVPN lawsuit.
Conclusion on the TorGuard and NordVPN lawsuit
Time will tell how this all plays out.
While TorGuard has previously been in the news for security flaws, NordVPN was also in the news last summer for another lawsuit involving Hola VPN.
At the end of the day, it’s a shame that VPN in-fighting is getting dragged out in such a prominent and open manner. Not only does it hurt the VPN services involved, but it also damages the credibility of the entire industry.
I’ll keep this article updated as information becomes available.
Update 1: TorGuard erroneously names the wrong party in the lawsuit
In a surprising failure of due diligence, TorGuard has officially named the wrong party in their lawsuit.
As reported by the Orlando Sentinel:
An Orlando tech company on Thursday amended a federal lawsuit because it apparently named the wrong Toronto-based defendant in the initial filing.
TorGuard, which offers clients virtual private networks, or VPNs, had accused a company called C-7 of obtaining its trade secrets illegally and then using that information in a blackmail scheme.
However, when attorneys for C-7 reached out to TorGuard’s legal team to learn more, they discovered that TorGuard had incorrectly named their company in the suit.
The amended filing now names Collective 7 Inc., also located in Toronto, as the defendant.
Looks like someone failed to do the necessary due diligence before filing a major lawsuit in district court.