VPNs are going mainstream, and so are their trust issues
Virtual private networks have become a cornerstone of personal security online. What are their makers really selling?
At the former site of a Soviet-era sock factory in Vilnius, the old-world capital of Lithuania, NordSec BV's new headquarters is rising in a clatter of construction workers and scaffolding. Soon the startup's roughly 2,000 employees will gather near the remains of a brick smokestack for basketball and rooftop barbecues at a sleek complex that wouldn't look out of place in San Francisco.
When co-founders Tom Okman and Eimantas Sabaliauskas invested in the factory property four years ago, it was still making hosiery. Now the sign at the bus stop out front reads Vienaragiu, the Lithuanian word for "unicorn." The Silicon Valley-style conspicuousness is new for Okman and Sabaliauskas, who spent close to a decade developing NordSec and its principal brand, Nord Security, while keeping a low profile. It's also a little unusual for a company that is, after all, in the privacy business.
If you've heard of Nord, that's probably because of its virtual private network software, NordVPN. By design, VPNs hide what you're looking at online, and where you're looking from, by routing traffic through an encrypted "tunnel" to other servers around the world. Subscriptions start at $3.29 a month, and NordVPN's app filters users' web activity through roughly 5,500 servers in 60 countries. Someone browsing in Vilnius might appear, to websites and ad trackers, to be sitting in Miami, Osaka, São Paulo or any of the almost 100 other cities where the company keeps hardware. Depending on whom you ask, VPNs offer much-needed privacy and freedom from snooping corporations and governments, or simply a way to stream Netflix or ESPN+ in places where they're blacked out.
[Chart: Reasons for VPN Use, share of US and UK users]
Even some common uses for VPNs are legally dubious, so the companies that run them have traditionally maintained complex, variably sketchy data policies and chains of ownership. The industry's leaders, however, are no longer shying away from the public eye. When I sit down with Okman, Nord's co-chief executive officer, at a steakhouse near the old sock factory in November, he's just returned from speaking at Web Summit, the big tech conference in Lisbon, and is preparing for his second trip to the annual World Economic Forum in Davos, Switzerland. A few years ago, the Davos crowd didn't know what a VPN was. "Now everyone does," Okman says.
The week we met, Time named NordVPN one of the best inventions of 2022, describing it as an essential security tool. Instagram posts from the musician Drake have shown NordVPN open on his MacBook while he gambles online, and federal prosecutors recently caught disgraced FTX co-founder Sam Bankman-Fried using a VPN while on bail. (A lawyer for Bankman-Fried, who's been charged with fraud and is prohibited from using certain encrypted software, said he was using it to watch the Super Bowl at his parents' house.) According to Top10VPN.com, a review site that tracks industry data, Russian interest in VPNs rose by more than 1,000% after President Vladimir Putin invaded Ukraine last year and blocked domestic access to Facebook and Twitter. About a month later, Nord Security raised $100 million in venture capital at a $1.6 billion valuation, ostensibly making it the world's most valuable VPN startup. Nord won't disclose its current financials, but Okman says it has more active subscribers than its closest competitor, Kape Technologies Plc, which reports more than 7 million paying customers and has a market value of $1.5 billion.
Along with Kape's ExpressVPN, Nord has become the face of a market that's been trying to go mainstream and distance itself from geekier or less reputable competitors with names like Faceless.me, Hotspot Shield and HideMyAss. So far, Nord and Kape have been able to keep growing despite fresh competition from companies with far deeper pockets, including Apple Inc., which offers a VPN variant called Private Relay, and Google, which integrated its own VPN into its Pixel smartphones last fall. "I'm not sure you'd want to use a Google VPN for privacy," Okman says, noting the search giant's dependence on targeted ads. (Google has said its VPN can't link network traffic with a user's identity.)
Some researchers warn that no VPN should be seen as a guarantee of privacy. Roya Ensafi, an assistant professor of computer science at the University of Michigan who studies the field, says she and her colleagues have found that VPN makers oversell how much security they provide. An internet service provider, let alone the Pentagon or Putin, can figure out who's using a VPN based on internet patterns or traffic leaks. In some cases, it's possible for a malicious ISP or state to temporarily interrupt a VPN connection and expose sensitive personal information while its encrypted tunnel is closed off. "Almost every obfuscation implemented for VPNs that we studied is embarrassingly ineffective," Ensafi says. Some VPNs have also been caught harvesting user data for market research, hiding ties to China or storing traffic logs. In 2017 the Wall Street Journal reported that Onavo Protect, a free VPN run by Facebook Inc., was monitoring how often users accessed competing social media services. (Facebook, which said it was clear about what information it was collecting, shuttered Onavo 18 months later.)
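The failure mode Ensafi describes, a forced interruption that drops the tunnel while the device keeps sending traffic, is what a client-side "kill switch" exists to close. The following is an added illustration, not code from Nord or any other vendor named in this article: a simulated policy check over a constructed timeline of tunnel-state observations, using RFC 5737 documentation-range addresses as stand-ins for the VPN exit and the user's real ISP address. It compares a fail-closed policy against a naive one that sends traffic whenever any route exists, and it also treats DNS queries escaping the tunnel as a leak, one common form of the traffic leaks the paragraph mentions.

```python
from dataclasses import dataclass
from typing import Callable, List

# Constructed addresses from the RFC 5737 documentation ranges (assumptions, not real hosts).
VPN_EXIT_IP = "203.0.113.7"    # what websites see while the tunnel carries traffic
VPN_DNS = "10.8.0.1"           # resolver reachable only through the tunnel (assumed)
ISP_IP = "198.51.100.42"       # the user's real, ISP-assigned address
ISP_DNS = "198.51.100.53"      # the ISP's resolver


@dataclass(frozen=True)
class Observation:
    t: int             # seconds since the session started
    tunnel_up: bool    # tunnel interface reports up and has a default route
    egress_ip: str     # address an outbound probe would appear from right now
    dns_server: str    # resolver that would answer a lookup right now


@dataclass(frozen=True)
class Verdict:
    t: int
    allow: bool        # may application traffic leave the host at this moment?
    reason: str


def kill_switch(obs: Observation) -> Verdict:
    """Fail-closed policy: traffic leaves only through the tunnel, DNS included."""
    if not obs.tunnel_up:
        return Verdict(obs.t, False, "tunnel down; blocking instead of falling back to the ISP path")
    if obs.egress_ip != VPN_EXIT_IP:
        return Verdict(obs.t, False, f"egress {obs.egress_ip} is not the VPN exit")
    if obs.dns_server != VPN_DNS:
        return Verdict(obs.t, False, f"DNS would go to {obs.dns_server}, outside the tunnel")
    return Verdict(obs.t, True, "tunnel up, egress and DNS inside it")


def no_kill_switch(obs: Observation) -> Verdict:
    """Naive policy: send traffic whenever there is connectivity of any kind."""
    return Verdict(obs.t, True, "connectivity present")


def exposures(observations: List[Observation],
              policy: Callable[[Observation], Verdict]) -> List[int]:
    """Seconds at which the policy lets traffic out while the real IP or ISP DNS is visible."""
    exposed = []
    for obs in observations:
        verdict = policy(obs)
        if verdict.allow and (obs.egress_ip == ISP_IP or obs.dns_server == ISP_DNS):
            exposed.append(obs.t)
    return exposed


# Constructed timeline: tunnel up, a two-second forced drop (the interruption described
# above), reconnect, then a DNS leak with the tunnel nominally up.
TIMELINE = [
    Observation(0, True, VPN_EXIT_IP, VPN_DNS),
    Observation(1, True, VPN_EXIT_IP, VPN_DNS),
    Observation(2, False, ISP_IP, ISP_DNS),
    Observation(3, False, ISP_IP, ISP_DNS),
    Observation(4, True, VPN_EXIT_IP, VPN_DNS),
    Observation(5, True, VPN_EXIT_IP, ISP_DNS),
]

if __name__ == "__main__":
    for name, policy in (("no kill switch", no_kill_switch), ("kill switch", kill_switch)):
        print(f"{name}: exposed at t={exposures(TIMELINE, policy)}")
        for obs in TIMELINE:
            v = policy(obs)
            print(f"  t={v.t} allow={v.allow}  {v.reason}")
```

With the naive policy the real address is visible at t=2 and t=3 and the ISP resolver at t=5; the fail-closed policy blocks all three moments, at the cost of the "server speeds slow down" complaints the article mentions later, since blocking is what the user experiences when the tunnel flaps.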
Okman says that PricewaterhouseCoopers AG has audited its no-logs policy and that having an extra layer of encryption is better than the alternative. "If you want to be secure online, you have to use a VPN," he says. Nord has protections against traffic leaks and has developed companion software, including a password manager, an encrypted cloud storage service and a malware scanner. When asked about legally gray uses for VPNs, Okman mostly acts shocked, shocked to find that gambling—or illicit streaming and the like—is going on in here. He's aware of bad actors in the industry but insists that Nord is operating aboveboard. "We've never been hiding in the Cayman Islands or anywhere," Okman says. (A Nord spokesperson says NordVPN is registered in Panama because that country's laws don't require companies to retain user data.)
As Nord expands, it's facing pushback from states peeved about VPNs enabling access to restricted media, as well as from content providers trying to stop overseas binge-watching of US-only streaming services such as Hulu LLC. But perhaps its biggest challenge will be convincing average customers that VPNs are safe and necessary. Jack Wilson, who researched VPN vulnerabilities at Scotland's Abertay University, says all a VPN really does is "transfer trust" over your browsing from an ISP to a far-flung startup with nebulous oversight. "It boils down to: Who do you trust more?" Wilson says.
The first VPNs emerged in the 1990s as a way for corporate employees to work from home. Microsoft Corp.'s product-incubation head Gurdeep Pall, who was part of a team credited with creating an early VPN for Windows 95, recalls the idea of remote logins to an office network being so novel that he struggled to find more than a dozen early adopters for a dial-up precursor. "The first few months, only like 13 of the 16 modems would light up," Pall says. As broadband replaced dial-up, though, VPNs caught on as a security measure among tech companies, banks and hospitals.
A parallel VPN ecosystem blossomed around hackers seeking entertainment. Jovan Petrovic, employee No. 1 at HideMyAss, which grew popular in the late aughts and featured a logo of a donkey dressed as a secret agent, says it became "a game of hide-and-seek" with governments and companies like Netflix Inc. to enable access to georestricted websites as they blocked the generic IP addresses VPNs give users to shield activity. He clarifies that VPNs were never some holy product. "It's all about torrenting, streaming and, you know, porn," he says, laughing.
It was around this time that Okman and Sabaliauskas first encountered VPNs. They were born during Lithuania's final years under Soviet occupation and fell in love with the computers that soon arrived from the West. They met in a chatroom circa 1999 and spent years bonding over the finer points of system networking. They met in person once Sabaliauskas went to study information technologies at university in Vilnius, Okman's hometown, in 2002. After graduating, Sabaliauskas joined a marketing company focused on web ads and search engine optimisation, while Okman worked for one of Lithuania's biggest ISPs. "He was basically taking cables to people's homes and connecting them to the internet," Sabaliauskas says.
The pair were constantly dreaming up business ventures and even established a startup incubator called Tesonet, though it didn't incubate much until 2012, when they created what would become NordVPN. They'd been using corporate VPNs at work and thought they could build something superior. Renting servers for about $50 a month in Germany, they hacked together a basic system with an open-source VPN protocol, followed by rudimentary PC and Mac programs. For the first couple of years, at least, customers had to know a lot about network configurations. "It was a mess," says former product manager Justinas Jakunas, who joined in 2014. "It was too geeky. But people were still using it." Instead of raising money from venture firms, Nord charged its few thousand users around $8 a month (or less) and slowly expanded its staff and server base. Okman was obsessed with speed and reliability, so the company's engineers tried to keep enough servers on hand so that none was ever using more than 30% of its bandwidth.
In 2015, Nord topped 10,000 customers and added an iPhone app, followed by an Android counterpart the next year. The mobile interface was much more intuitive, with a map of Nord's roughly 500 servers and a one-click button that connected users to whichever one was currently fastest. Nord and other VPN startups benefited from customers' growing fears about data mining. One industry accelerant was the Trump administration. In 2017 the White House overturned a rule that would have required ISPs to ask for consent to share or sell customers' browsing histories for marketing purposes. Sabaliauskas says Nord's US user base nearly quadrupled soon afterwards: "We put up a photo of Donald Trump as our employee of the month."
As it gained market share, Nord added more clever privacy features, including an encryption system that routes traffic through two servers instead of one. But its competition with ExpressVPN has largely been an old-fashioned marketing fight, albeit one that Okman says involves some 15,000 YouTube influencers. Kazimieras Celiesius, a former Nord developer, says the company's ad campaigns for years were aimed at customers with little to no technical expertise. "I call it the grandma segment," Celiesius says. "Grandma saw it on TV, she bought it, and she doesn't even know how to turn it on." Some ads promised "military-grade encryption" and said "your data will never be compromised with NordVPN"—promises a Consumer Reports study found misleading. Darius Skuncikas, a former user-retention leader at Nord, says a common subject in meetings was how to ensure customer access to streaming services over its VPN. "If we saw huge cancellations, the first question was 'Does Netflix work?' " he recalls. A NordVPN spokesperson says that it uses an encryption standard approved by the US National Security Agency and that the aim of its marketing is to communicate technical features to everyday consumers with easy-to-understand words.
VPN makers have also won customer trust through deals with affiliate marketers, including VPN-ranking sites. Many of these sites, which receive referral fees for VPN subscriptions purchased through their links, have said their editorial decisions are free from commercial pressures. "We got emails from these reviewers saying, 'Hi, guys, No. 5 spot is now for sale if you give us a certain amount of money,' " says Jan Jonsson, the CEO of Mullvad VPN AB, a Nord competitor. Simon Migliano, the research head for Top10VPN.com—which asserts that it's independently owned and that referral commissions don't affect its reviews—says some ranking services are quietly owned by the VPN brands themselves. He calls that "a massive credibility problem."
Celiesius suggests it's an open secret in the industry that Cybernews, a top VPN review site on Google's search results, has ties to Okman and Sabaliauskas's Tesonet incubator. Cybernews ranks NordVPN and two other VPNs in Tesonet's portfolio, Surfshark and Atlas, as the industry's best three services. A Nord spokesperson acknowledges that Tesonet has worked closely for years with Cybernews's owner, Adtech LT UAB, and invested in a new umbrella company of the site in October. Cybernews chief editor Jurgita Lapienyte says her team "adheres to core principles of journalism" and that their analysis is "in no way influenced by the company's business goals."
It's impossible for customers to figure out which VPNs to trust. They can't visit a data centre to check that a provider's servers are properly safeguarded, nor can they inspect Nord's code to make sure it's keeping their web traffic hidden. In 2019 reports surfaced that Nord infrastructure at a Finnish data centre had been compromised the previous year, sparking headlines about a potential breach of web traffic logs—data on subscribers that Nord says it doesn't collect. Okman dismisses those reports as conspiracy theories, stressing that the incident affected only one server out of thousands and that his company later removed all hard drives from its servers to ensure that it physically could not log customers' traffic. "For us, it would be super f---ing stupid to collect logs," he says.
In September 2021, UK-based Kape, which had already bought VPN brands including CyberGhost and Private Internet Access, agreed to acquire ExpressVPN for $936 million. This should have been a sign of the industry's growth, but instead, it raised more questions about its legitimacy. Before 2016, when Kape was called Crossrider, its products enabled other developers to inject ads into users' PCs. It could only ask customers to trust that it had changed. "Kape has moved on from those times," says ExpressVPN Vice President Harold Li.
Okman starts his day before dawn, running through Vilnius's cobblestone streets. He usually logs around 60 miles a week, training for Ironman competitions and, lately, a marathon at the North Pole. He's equally single-minded at the office, where he's prone to firing off Slack messages a word at a time, flooding employees' phones with notifications. The team's current priority is persuading customers to keep its VPN running 24/7. The more the customers keep the VPN on, the more likely they are to renew their $4 or so monthly subscriptions, which Okman says can turn an 80% profit. Users log off Nord for a variety of reasons, whether because server speeds slow down or because they've concluded that their web surfing simply doesn't need VPN protection.
Rising industry scrutiny is teaching VPN users that they aren't immune to phishing attacks or other scams. If you're logged into Gmail, Google can monitor your activity even with an anonymised IP address. Nord keeps your email address and billing info on file, and there are ways of triangulating a user's identity. "Device fingerprinting," for example, cross-references metadata such as the size of your screen and the version of Chrome you're using.
NordVPN's app now features a malware scanner and dark-web monitor to guard against suspicious sites and downloads and to track exposures in data breaches. Nord has also introduced NordPass, a subscription password manager, plus an $8-a-month encrypted cloud service. When I arrive at Okman's office, which he shares with Sabaliauskas and two fellow execs, they're whiteboarding code for NordLayer, an encrypted networking system designed to give mom and pop businesses a lower-cost version of the kind of expensive firewall protection Palo Alto Networks Inc. provides Fortune 500 companies.
Another new product is Incogni. Developed by Surfshark, a VPN Nord merged with in 2022, it automates the removal of personal data from hundreds of data brokers that operate inscrutably online. "If you try to do it yourself, it takes months," says Surfshark founder Vytautas Kaziukonis, sitting beneath a security camera in his office that he's tilted toward the wall for privacy. "We do the work for you."
While Nord is focused on diversifying its product lineup, VPN revenue represents the vast majority of its sales. When Okman shows me his smartphone app, I see his NordVPN subscription is active through September 2050. But unlike a decade ago, when accessing your bank account from a motel's Wi-Fi portal might've been risky, these days more banking websites and browsers offer encrypted connections by default.
The rest of the industry seems to be similarly incorporating VPNs into broader security packages. HideMyAss, which has rebranded as HMA, is now owned by the parent of anti-malware brands Avast and Norton. Google is marketing its VPN as a cybersecurity enhancement rather than a tool to bypass geographic web restrictions. Antivirus companies such as S.C. Bitdefender Srl and McAfee LLC offer their own VPNs. ExpressVPN's Li compares VPNs to an ADT-like monitoring hub that provides safety and peace of mind—but that doesn't free you from having to lock your doors. "A home security system might have an ad that says, 'Protect your home from intruders,' or 'Protect your valuables,' " Li says. "It doesn't have an asterisk that says, 'If there's a fire, your home security system is not going to save your valuables.' " Birgir Már Ragnarsson, managing partner at Novator Partners LLP, which led Nord's $100 million financing round in April 2022, says VPNs on their own are now a commodity: "You can't just get a VPN and be secure with everything. That's why we have different products."
But if there's one product Nord swears it's not selling, it's illicit access to streaming services. Okman tells me the company is not optimising to evade Netflix blockages, and, in any case, he reminds me that Nord doesn't even know if its users are streaming stuff, because servers don't collect logs. He says that Nord has never received complaints from Netflix and that it tries to make such services function only so subscribers don't have to turn off VPNs when they're at home watching TV. "The reality is 90% of our customers connect domestically," he says, meaning if they were avoiding georestrictions, they'd presumably connect to a server in a different country. (Netflix declined to comment.)
The explanation sounds a little funny, not least because the Peacocks and YouTube TVs of the world appear engaged in constant whack-a-mole with VPN IP addresses to prevent unauthorised streaming. VPN review sites and Reddit threads are full of tips on how to game the platforms. In the US, for one, it's easy to use a VPN to switch to servers in different states to sidestep regional blackouts on ESPN+ for hockey games. (An ESPN spokesperson says the company takes protecting intellectual property seriously and has the technology to identify suspicious activity.) When I bump into Cyril Polac, NordVPN's country manager for France, the first insight he shares about the market is related to live sports: "Formula One, in France, will be broadcasted by a specific private channel that will be extremely expensive, while you will find the same exact sport broadcasted for free in Belgium."
When I relay this to Okman, he's unfazed. "We're not denying that's a use case," he says. "It's just not our focus."
Over the past couple of years, Nord and other VPNs have been at loggerheads with Roskomnadzor, Russia's federal communications agency. "They asked to 'give us the encryption keys,' and we didn't," Okman recalls. Instead, the company terminated its contracts with local data centres and had its servers shredded in early 2019. Russians could still connect to NordVPN via non-Russian servers, but in September 2021, Roskomnadzor announced it was barring access to NordVPN, ExpressVPN and other services, implying they were contributing to the distribution of drugs and child pornography online. Russia's invasion of Ukraine commenced six months later.
A similar pattern is playing out as governments seek more control over the open internet. Last summer, a new data retention law in India forced NordVPN to shutter its servers there, and the company's website has long been blocked in mainland China. Meanwhile, as social unrest and geopolitical issues erupt in Iran, Sri Lanka, Turkey and other places, data show demand for VPNs continues to surge.
Yet when I ask whether these affected populations are downloading NordVPN, Okman says no. Instead, they tend to rush to free VPNs, which, though less secure and possibly dodgy, can grant swift access to Twitter and the BBC. Nord does offer free VPN access on a case-by-case basis to at-risk reporters and dissidents, but Okman says the company can't open the service to the masses. "Our servers would explode," he says. Sabaliauskas says they briefly considered implementing a free VPN program for Russian citizens but were advised by Ukrainian officials that they likely wouldn't use it for organising protests but rather for surfing the web like they did before the war. "We chose not to participate in this," he says.
As Okman steers the conversation away from geopolitics and back to humdrum cyberthreats—"My mom was, like, 'Oh my God, I got this email. Is this a scam?' "—it becomes clear Edward Snowden types aren't Nord's target demographic. About 40% of its sales are in the US, followed by other democratic markets including Australia and the UK.
In an earlier phone call, Okman shared conflicting views on Nord's higher purpose. "We are not upsetting governments. We're not doing anything aggressive," he said. At another point, though, he said that protecting journalists and freedom fighters is core to his mission and that Nord works closely with Access Now, a digital rights organisation.
But Natalia Krapiva, a lawyer for the group that advises activists on choosing security tools, says she usually recommends VPNs from Mullvad, Proton and TunnelBear, rather than Nord. "There's not necessarily anything bad with it, but we haven't had enough understanding of their security audits," she says. Even those behind her recommended products warn that they're no panacea. "If you're Snowden, you have a threat model that's pretty high and the NSA on the other side—a VPN doesn't help at all," Mullvad's Jonsson says.
That Nord seems more focused on building some new-age Norton than disrupting the Kremlin's internet censorship is surprising, especially given that Okman was born when the Soviets were still imprisoning Lithuanian dissidents and that Sabaliauskas's parents "were always saying it was such a terrible time and that we can never go f---ing back there," he tells me. Okman, though, says he doesn't draw a connection between that history and their development of tools that could potentially thwart authoritarian regimes from raising more digital Iron Curtains.
It's possible Okman is playing down this use case to avoid kicking the hornet's nest, but he does sound more motivated to expand Nord into a global brand and build Vilnius into a tech hub, which is arguably a different kind of protest against Moscow. "You have all these people who grew up in the middle of a big transition—getting the Soviets out. It's dead poor," says Thomas Plantenga, CEO of e-commerce company Vinted, the country's only other unicorn. "And you have these bright people like Tomas [Okman] and Eimantas [Sabaliauskas] who are full of energy and just want to prove you can build stuff from Lithuania."
I hear a similar sentiment from Ausrine Armonaite, Lithuania's minister of the economy and innovation, whose office is across from the Soviet station where the KGB used to spy on phone and radio communications. She focuses on the homegrown entrepreneurship Nord symbolises instead of how VPNs can play a role in geopolitics. Ditto Vilnius mayor Remigijus Simasius, who has an enormous banner hanging outside his window that reads, "Putin, the Hague is waiting for you," yet spends much of our conversation pitching the country's thriving tech sector.
Still, the more aggressive internet censors become, the more they'll bring attention to VPNs and, by extension, Nord's products. When NetBlocks, a widely followed tracker of web interferences, tweeted that Jordan was restricting access to TikTok, it recommended Surfshark to circumvent the ban. (Founder Alp Toker clarifies that this endorsement was part of a sponsorship and that NetBlocks doesn't compare VPNs.) And when Italy barred access to ChatGPT in late March, Cybernews wrote an article about the best VPNs for unblocking the chatbot. It ranked NordVPN No. 1.