Originally published on May 29, 2019, last updated on Jun 1, 2019
This article is regularly updated to reflect the TorGuard lawsuit and ongoing developments, which are posted at the bottom.
- Update 1: TorGuard amends lawsuit after erroneously naming the wrong party
In an interesting turn of affairs, TorGuard recently announced on Twitter that it is suing NordVPN and a Canadian web hosting provider, C-Seven Media, Inc.
We have a full copy of the lawsuit that was filed in a Florida district court, which you can read here.
Why is a US VPN service in Florida (TorGuard) suing a VPN service based in Panama (NordVPN) and a Canadian web hosting provider (C-7)?
Buckle up, because this is about to get interesting!
First we’ll examine the events leading up to the lawsuit and then we’ll take a close look at the lawsuit and the specific allegations.
May 20, 2019: TorGuard alleges it was “blackmailed” by another VPN
On May 20, 2019, TorGuard published an interesting blog post where they allege the following events took place:
- An “unknown individual showed up uninvited at a staff member’s personal residence asking to speak about the VPN industry.” The TorGuard employee also received emails on a personal account from this “unknown individual” from a competing VPN service.
- During the conversation, the individual asked for a “gentleman’s agreement” to persuade a TorGuard affiliate by the name of “Tom Spark reviews” to “remove negative content from YouTube” he had published about the competing VPN service.
- Then the individual revealed he had “damaging information” about TorGuard regarding a security flaw, which would “be released” if TorGuard did not agree to the demands.
- TorGuard acknowledged the flaw, but stated the server “had not been used for installs” since January 2018 and claimed there was “no security risk” to their users.
- TorGuard then investigated the issue, which led them to believe a web hosting company was involved, and promised “pending legal action.”
In the blog post, TorGuard does not name NordVPN or the hosting company involved, but the title of the post alleges that this was an attempt at “blackmail”. Four days later, TorGuard filed the lawsuit.
May 24, 2019: TorGuard Sues NordVPN and C-7 Hosting
Just four days after the alleged “blackmail” incident, TorGuard filed a lawsuit in an Orlando, Florida (USA) district court against NordVPN and C-7 web hosting.
Here are ten important details from the lawsuit (TLDR):
- TorGuard (Data Protection Services, LLC based in Florida) is suing NordVPN (Tefincom S.A. based in Panama) and C-7 (C-Seven Media, Inc. based in Canada).
- The lawsuit opens with an attack on NordVPN for “misleading” advertising and “dishonestly” leasing IP addresses from ARIN (even though these things have nothing to do with the allegations at hand).
- TorGuard claims that NordVPN has “threatened TorGuard” with previous legal action from “General Counsel Legal Affiairs Tefincom S.A.”
- TorGuard then claims that NordVPN “orchestrated strategically timed” DDOS attacks against TorGuard’s website on Black Friday, which resulted in “significant economic and reputation damages.”
- TorGuard is seeking injunctive and equitable relief, damages “in excess of $75,000”, recovery of all profits that were lost, all legal fees associated with the case, “exemplary damages” in the amount of “twice the actual losses” incurred, and “additional relief” that the Court decides is “fair and equitable.”
- TorGuard alleges that C-7 is “affiliated with or controlled by NordVPN” and that C-7 solicited a “purchase offer” on behalf of NordVPN.
- In 2018, TorGuard contracted with C-7, which is how C-7 had access to TorGuard’s “confidential and trade secret information.”
- TorGuard alleges that this “confidential and trade secret information” was then provided to NordVPN, which was the subject of the alleged “blackmail” attempt on May 17, 2019 concerning security flaws.
- In the lawsuit, TorGuard states that NordVPN requested a “gentleman’s agreement” whereby NordVPN would not publish TorGuard’s security flaws if TorGuard could get one of their affiliates [Tom Spark reviews] to remove YouTube videos that were critical of NordVPN.
- TorGuard is demanding a jury trial and alleges that the defendants (NordVPN and C-7) violated Florida’s Computer Abuse and Data Recover Act (“CADRA”), the Florida Uniform Trade Secrets Act (“FUTSA”) and also “Tortious Interference” with regard to TorGuard’s business relationships.
Now that we’ve covered the main points of the twelve-page lawsuit, let’s examine a few more questions.
Is TorGuard throwing mud? Is the lawsuit legit?
The VPN industry is very competitive and there is a lot at stake. That might be the biggest factor in explaining all this drama we’ve seen lately, with different VPN providers openly attacking each other in various venues (online and in court).
It seems clear that TorGuard has taken a hit due to various DDOS attacks, but the lawsuit does not appear to have any smoking gun evidence linking this to NordVPN.
Another big question is whether this Orlando, Florida court has legitimate jurisdiction to hear a case against NordVPN, which is based in Panama, and C-7, which is based in Canada. Neither of these businesses has a physical presence in Florida, so perhaps the lawsuit will simply be thrown out.
NordVPN’s official reply
NordVPN has provided Restore Privacy with an official statement, hot off the press on May 29, 2019:
We are aware of the lawsuit, although it is rather difficult to take it seriously. All accusations are entirely made up. TorGuard (although probably by mistake) even filed a lawsuit against some Canadian web design company which we never heard about.
We received information that led us to finding TorGuard server configuration file available on the internet. We then noticed that one of their servers was left completely unprotected and publicly accessible for anyone. It contained private keys, scripts, and a number of other extremely sensitive information, which if misused, could have caused TorGuard and their customers some serious harm.
We disclosed the vulnerability to them with the best intentions. It is a normal practice and just the right thing to do, but they decided to file a lawsuit for blackmail. We didn’t even want to make it public.
We are very much looking forward to the following process. Also, now we have no choice but to take countermeasures.
You can also find our blog post about this case right here: https://nordvpn.com/blog/torguard-lawsuit/
NordVPN’s blog post response also makes some interesting claims.
It all started when we received information that led us to finding a TorGuard server configuration file lying in the open on the internet.
The file revealed how the TorGuard service was configured, displayed private keys, and contained a bunch of other infrastructural IP addresses, including the IPs of their authentication servers and similar assets. Because the file could have been part of some outdated legacy system, we decided to verify whether it was actually an issue by trying to access some of the IPs through a regular browser.
To our surprise, we saw that one of the servers was left completely unprotected. Anyone could have accessed it by simply entering the server’s IP into the address field of their browser. The server contained a number of scripts and other sensitive information. In the wrong hands, this information could have easily been misused, possibly causing major damage to TorGuard and their customers.
The post then explains how NordVPN communicated the security problem to TorGuard’s CTO Keith Murray and TorGuard CEO Benjamin Van Pelt “without asking for anything in return” – i.e. no “blackmail” attempts. NordVPN also alleges that TorGuard may have been involved in a “defamation campaign” targeting NordVPN.
Finally, NordVPN denies the other allegations of DDOSing and unauthorized access, which they claim are “fabricated” by TorGuard.
NordVPN concludes the post by stating their intent to counter-sue:
We will immediately move to dismiss TorGuard’s libelous lawsuit, but as long as we’re on the topic: filing false and malicious lawsuits and publishing false and misleading information is against the law. Therefore, we are filing a suit of our own on the grounds of defamation and libel.
We’ll closely watch how this all plays out and update this article accordingly.
TorGuard’s second time being accused of security flaws?
For the record, this is also not the first time that TorGuard has been publicly accused of security flaws.
In 2015, VPN.ac, a VPN provider based in Romania, published an article detailing how TorGuard copied VPN.ac’s browser extension design, used VPN.ac’s API, and also implemented their browser proxy service insecurely.
As VPN.ac explained in the blog post:
It’s not only the design that’s similar, but they also use the same geo-location API server address (highlighted in the comparison image above). This is our own geo-IP API server that we’re using internally (for software, extensions etc.).
Fyi, using someone else’s API servers, as a VPN service, is a very irresponsible mistake – just terrible from a security & privacy point of view. What they do by using someone else’s servers such as our API service, essentially, is to expose all their Chrome Proxy users’ IPs to a competitor. We don’t interfere with the queries in any way, but you should be aware that a malicious competing service could make use of such opportunity to log IPs of users or even worse, redirect them or forge the JSON replies to mess-up with the extension functionality: e.g. trolling scenario where connected location will display “Fort Meade, Maryland” regardless of real gateway IP location.
VPN.ac listed other security flaws as well:
- Torguard stores the credentials in clear-text; we are XORing the pass to protect it against spyware that will search all over the place for clear-text credentials;
To reproduce: add some credentials and save them > right click on extension > Inspect popup > Resources > Local Storage - Torguard gets the up-to-date list of proxy gateways over HTTP (again in clear-text); we get them over HTTPS (A+ on Qualys/mirrored results): from Torguard’s background.js, from our background.js;
The obvious risk of providing server IPs over HTTP is that they can be easily hijacked in a MitM attack; - Torguard’s HTTPS proxy is highly insecure: uses insecure ciphers like RC4, supports SSL 3, is vulnerable to POODLE attack, doesn’t provide Forward Secrecy. Gets a shameful Grade C on Qualys test. Result mirror 1, mirror 2 (to see the original result). And this is our result/mirror (FS enabled, no weak ciphers, support only for TLS 1.1 and 1.2);
Now returning to the TorGuard and NordVPN lawsuit.
Conclusion on the TorGuard and NordVPN lawsuit
Time will tell how this all plays out.
While TorGuard has previously been in the news for security flaws, NordVPN was also in the news last summer for another lawsuit involving Hola VPN.
At the end of the day, it’s a shame that VPN in-fighting is getting dragged out in such a prominent and open manner. Not only does it hurt the VPN services involved, but it also damages the credibility of the entire industry.
I’ll keep this article updated as information becomes available.
Update 1: TorGuard erroneously names the wrong party in the lawsuit
In a surprising failure of due diligence, TorGuard has officially named the wrong party in their lawsuit.
As reported by the Orlando Sentinel:
An Orlando tech company on Thursday amended a federal lawsuit because it apparently named the wrong Toronto-based defendant in the initial filing.
TorGuard, which offers clients virtual private networks, or VPNs, had accused a company called C-7 of obtaining its trade secrets illegally and then using that information in a blackmail scheme.
However, when attorneys for C-7 reached out to TorGuard’s legal team to learn more, they discovered that TorGuard had incorrectly named their company in the suit.
The amended filing now names Collective 7 Inc., also located in Toronto, as the defendant.
Oops!
Looks like someone failed to do the necessary due diligence before filing a major lawsuit in district court.
It’s a serious rabbithole one enters if they decide to research the VPN scene. The amount of scummy behaviour exhibited is gobsmacking at times. I applaud your dexterity, Sven. Chapeau bas!
It’s also quite crazy how much money NordVPN is able to throw around for marketing. I was at my mother’s house last week setting up a new router for her (old one was ISP issued garbage) and tested speeds by installing the Speedtest app on her iPhone. There was a little VPN tab at the bottom, and guess what? Yup, NordVPN again. I heard they even run ads on TV in some regions. If true, these guys either have a gigantic customer base, or they’re bankrolled by some nefarious money laundering or shadow banking cartel.
I have a question. Could anyone benefit by having the VPN sites fighting with each other. Think about that for a minute. I bet you will all come up with the answer I did
Well yeah, when VPNA fights with VPNB, then VPNC sits in the background and enjoys the show, right?
I use NordVPN and when I saw the tittle I got a little concerned because this is the 2nd time I heard about something “bad” about their practices in the past couple of months. After reading the whole article, I feel like this lawsuit is an attention-seeking incompetent company looking make their name heard by trying to damage someone else reputation. Regardless, I’ll stay neutral and keep track of the development in the future. This might not affect me directly, but I’ll wouldn’t support a company with “shaddy” tactics like these if it turns out to be true.
I’m reading the accusations on Reddit. Whatever you do please don’t stop writing reviews. I have learned so much from your posts and reviews. Who cares if you work for a VPN service. I’ve tried others and did my limited testing, and in the past three months I’ve been with Nord VPN my advertisements, and junk mail has decreased 94%. Once again continue your reviews.
Hi Kaffeguy, thanks for the encouragement, but just for clarification, I don’t work for anyone. Restore Privacy is 100% independent, with no paid reviews, no paid rankings, no paid content, no sponsorships, and no stake/interest in any of the products/services on the site. This is also explained in the mission page, as well as how the site makes money.
Ok, TLTR.
I don’t understand what the issue is here for consumers? The VPN providers can do things out and I don’t care unless it affects the users/customers.
Sven, please explain why this of any interest to us?
Well, two large VPNs suing each other over “blackmail” allegations is big news, but I see your point, it doesn’t directly affect end users per se…
You are saying it right, but they need it as part of marketing. 🙂
The law on trade secrets vs patents is radically different. Trade secrets while having some means to defend against, in effect forgo conventional legal protections afforded by copyright and patent.
—
If C-SEVEN is bound to NordVPN that could have impact on the practicality of dragging one or both to Florida. There are also potentially crimes that laws all 3 countries can’t just ignore.
—
I for one would like to see it go to court, in hope that some truth be found and if warranted, proper punishments. Alas, if there is any stable ground for TorGuard to stand on, things will perhaps simply end with some sort of out of court settlement and no truth to be learned from any of it — other than what drama people and their money pursuits can cause.
—
The whole who blogs the best and loudest, points the most fingers sideshow is all a disgrace along with it’s actors.
Wow, great eye opening article at what a disaster Torguards security team is at their 1 job. I am watching Tom Sparks review on vpn affiliates, and it doesnt surprise me that the reason why it seems everyone is pushing Nord these days on youtube is simply because they have the most payout to the pusher, not necessarily that the product Nord is that good. I mean atleast its not HideMyAss or PureVPN, or others. Tom mentioned AirVPN which is great, but why is PIA left out i wonder. I know this website has some bias against PIA or atleast their customer service record, but maybe im just imagining things. In any case, i am glad these things are coming out in the open.
Hi Tim, you said “I know this website has some bias against PIA or atleast their customer service record”. Actually with the latest PIA review update, I’ve found PIA to have made many improvements in the past year, including improved support response times.
I think you’re mistaken. I see NordVPN being pushed heavily online by review sites like VPN Mentor, but as far as Youtube and other online sites go, IP Vanish is the one most everyone is promoting especially if it’s a Kodi site.
I wouldn’t go near IP Vanish as I feel they can’t be trusted with your security and their “no log” policy.
Ugh more VPN drama.
Rather than attacking each other, why don’t VPNs just focus on improving their service and doing a good job? Seriously, this is getting old.
…because a lie goes twice around the world while the truth is still getting it’s boots on.
As long as enough people believe their accusation & do not carry out any due diligence & maybe sign up for a company that is a “victim” of another “monopoly” company, that’s all that matters.