​Inside a VPN service: How NordVPN conducts the business of Internet privacy

Now that American ISPs have been granted new freedoms to monetize and spy on their users, there's a renewed interest in VPNs. Who are these VPN providers and why should you trust them? Let's find out.
Written by David Gewirtz, Senior Contributing Editor

Video: Are we too paranoid, or not paranoid enough?

With the demise of net neutrality protections, American ISPs have been given more freedom to profit from their customers' data streams. Some users may be distressed to learn that their own network providers are spying on them and sharing their personal information and interests with advertisers and other profit-motivated parties.

Add to that the need to protect Wi-Fi communication while away from the office or home, as well as to keep other public Wi-Fi users from tapping your transmissions, and it's easy to understand the increasing interest in VPNs. If you're interested yourself, check out our extensive research on the best VPN.

VPNs (or virtual private networks) encrypt and encapsulate communication between your computer and the internet. Want to learn more? See What is a VPN and why do you need one?

Read also: How to choose the VPN that's right for you

I've been digging deep into many of the most popular VPN providers. But the more I've explored these companies, the more I've become curious. These small companies (for they're almost all relatively small -- at least compared to giants like Google and Facebook) have an outsized level of responsibility for the protection of their customers.

We caught up with Marty P. Kamden, CMO of NordVPN, which operates more than 4,000 servers in 62 countries. Oddly enough, given its Nordic-sounding name, NordVPN is headquartered in Panama, not Norway.

ZDNet: Let's start with the obvious. You're based out of Panama, but your name and logo calls to mind the Nordic countries. Can you explain?

NordVPN: The NordVPN name was inspired by Nordic ideals of confidence, trust, and innovation. It reflects how we value our customers' freedom of choice, how we strive to be innovative with our technology, and the way we work.

Why Panama?

Panama is a bit of a different story. We knew that, above everything else, privacy would be our primary focus; therefore, we needed to find a privacy-friendly location to start our service from, and Panama was a perfect fit. The country doesn't have mandatory data retention laws, does not participate in the '5 eyes' or '14 eyes' treaties, does not censor or surveil the internet.

Privacy is a huge issue with VPN users. You've previously said you log no user or connection data. But does that mean you log no data whatsoever from a user's interaction through your service?

In order for someone to use our service, we require an active email address, and we need to have access to the billing information, as it is necessary to manage subscriptions and refunds. Other than that, our apps collect anonymous aggregated usage statistics to improve our customer experience, and that's about it.

What happens when a government makes a request or a demand? Even if you can't deliver granular connections data, what happens if a government demands your customer list?

There has never been a case of any government demanding the full list of our customers. It's hard to imagine reasonable grounds for such demand. We are obliged to answer by the laws we operate under, but even if a Panamanian court order were issued, we could only confirm whether a particular email address was used to purchase our service. Because of our no-logs policy and server configuration, information on individual customer's internet activity cannot be retained.

This is a question one of my Twitter followers asked me to ask you. For some people, secure, log-free VPN is a matter of life or death. So, even if you say you don't keep any logs or log data, how can a user be absolutely sure that's true? Do you have any sort of independent auditing or human rights groups checking on that promise?

For this particular purpose, our service has not yet been audited independently. However, we ourselves are constantly checking and validating the effectiveness and security of our setup. Needless to say, independent audit is a sensitive project, which requires thorough consideration and research, and yet, we will most likely get our service audited in the future.

That being said, the VPN market is almost entirely based on trust -- people make their purchase decisions based on the reputation of the service. We worked hard to become one of the market leaders. Going against our privacy policy, storing or recording anything would put our service in danger and eradicate everything we've worked so hard to achieve, so we will never take that risk. We are confident about our policies and configuration and will gladly provide our service to those who seek protection.

Your site lists 4,205 servers in 62 countries. How does that infrastructure really work? Do you have physical facilities in each of those countries? Are you renting access to another vendor's hardware?

We rent dedicated, bare-metal servers from carefully selected server providers with the condition to configure them all by ourselves. We install OS and set everything up in a way that no data is being stored or recorded.

Do you have dedicated comms lines between those countries?

We don't have dedicated communication lines -- no consumer VPN does. All traffic between a user and a VPN server is encrypted anyway, and even if intercepted, wouldn't be any use.

Do you offer language-specific clients for, say, Spanish, Russian, and Chinese?

Our mobile apps are translated into Spanish, German, and Chinese languages. In the future, however, the number of translations will certainly increase. We are now researching different markets and setting priorities on which languages we should add next.

How do you handle VPN operations and privacy in countries that restrict VPN usage? Russia, for example, banned VPN usage except from approved providers. VPN usage in the UAE could put you in jail. China only allows certain vendors. Yet, you have 22 servers in Russia, four in the UAE, and none in China. Can you explain how you offer VPN in countries where it's essentially banned, how users should think about it, and what risks your company is facing by offering these services?

In order to get a full view of subject in question, let's split the case into two separate parts: One will cover the methodology on how we deploy our servers; another will cover the VPN as a service itself.

The first one is actually quite simple. We always use the same approach. We reach out to a server provider and state our requirements. If the server provider is fine with what we need, we rent the server and start with the configuration. The drill is always the same regardless of the country, its laws or attitude towards the VPN services. From the security perspective, our users will be provided with the same benefits whether the server they connect to is located in Switzerland, the US, or UAE. Choosing the preferred one is all up to them.

Read also: Best mobile VPN (2022)

Meanwhile, the VPN service and its use is subjective to the customer. NordVPN itself operates and answers by the laws of Panama. We do believe in free and unrestricted internet to anyone and if the technology we provide works in countries under the government's censorship; we are not obliged to change that.

Coming back to privacy again, if you offer VPN service in a country, doesn't that make you, at least somewhat, subject to that nation's disclosure laws? And doesn't that open users up for possible gaps in privacy or, in some nations' cases, providing information or complying with court-ordered gag orders for tapping connections? Do you maintain any sort of privacy warrant canary to indicate the presence of a national security letter or similar?

We do provide a warrant canary, and yes, a small chance for a server provider to be compelled to log does exist. However, that would not be of much use either. We provide shared IP addresses, which means that all data entering a server from different customers around the world is encrypted, and all exiting traffic is provided with the same IP address.

Therefore, linking specific internet activity to a specific IP address becomes very complicated. And to eliminate even the slightest possibility of a correlation attack, we provide Double VPN servers. If a customer connects to a Double VPN server, the entry node might know the customer's IP address but does not know the website they are trying to access. The exit node will decrypt the traffic, but it will all be coming from the entry server with the server's IP address.

Talk to us about protocols. There are many different protocols, and some VPN providers also have their own private protocols. What do users have to know about protocols, is there any one best choice, and why?

Users should be aware of the protocols that are known to be insecure. Moreover, the same protocol can use different ciphers, so it is something worth checking as well. For example, the OpenVPN protocol, amongst others, can use AES-256bit - CBC encryption or AES-BLOWFISH, which is known to be vulnerable to certain attacks.

Read also: The 14 best web hosting services

We do not recommend using the PPTP or L2TP protocols to transfer any sensitive data as these are known as unsafe to use.

To conclude, there are lots of different VPN protocols as well as cipher suites, each having their pros and cons. Our apps use protocols that have been approved for encryption of top secret documents by governments from all over the world.

Even if you don't log data, a hacked network could provide a point for data capture. With all the nation-state hacking out there, a VPN service is a very high-value target in terms of capturing data that might otherwise go hidden. What steps are you taking to prevent hackers from gaining a foothold into your network?

Let's start by saying that the encryption we use has never been broken, and with the current technology brute-forcing it would be next to impossible. Moreover, we hire highly trained specialists and regularly checking for any possible flaws and vulnerabilities, so governments would probably look for less expensive and easier ways to get the information they need.

Read also: The 4 best VPN services for iPhone and iPad in 2022

Yes, no one is protected from zero-day vulnerabilities. However, our specialists follow the latest industry standards and working hard ensure that the top level security practices are being used.

VPNs are incredibly valuable for human rights and to allow people to protect themselves from spying, whether it's as a dissident in a repressive nation or an individual protecting themselves from some sort of discrimination or stalking. But what about those users who are conducting illegal activities? At the low end of that chain might be a user watching a sports event in a blacked-out area, but at the worst case, it's terrorists hiding their tracks. Beyond just a strongly-worded terms of service, how do you prevent your service from enabling evil-doing?

Looking from a global scale, we provide a cyber-security service. Our user polls show, that more than 80 percent of our customers are using NordVPN to protect themselves from cyber threats and privacy violations. Others -- to bypass censorship and restrictions. With an additional features like CyberSec or SmartPlay, we have become an all around security suite that can be compared with an ISP. Unfortunately, every ISP is providing service to all different kinds of people.

Having a no-logs policy is the only way for us to be able to maintain the highest privacy and security standards. The problem is that there is no middle ground here. It is either tracking all of our customers in hopes of preventing 0.01 percent from abusing our service, or protecting everyone equally without knowing the purpose our service is being used for.

A corollary to the previous question is that if you do have unsavory customers who you don't notice, doesn't that open up your service (and those of your competitors) to the active interest of law enforcement and national security investigations. How do you deal with that?

As I have mentioned before, our service doesn't maintain any logs of our customers' activity. That means that even if an official court order were issued and we were asked to give out any information on our customers, there would be nothing to provide. We could only confirm or deny the fact of the existence of such email address in our database.

Many businesses provide VPN services via their own servers. What sorts of services do you offer small businesses that go beyond what you offer consumers?

Our business service features include centralized billing, user administration, dedicated account manager, priority support 24/7, license transferability option, dedicated IP per user or per group, dedicated VPN server deployment, and other features. Small and medium businesses quite often lack infrastructural know-how and use outdated or insecure protocols, which leads to system security holes. Meanwhile, we can provide companies with a top-level service

The best VPN services: Our 10 favorite vendors for protecting your privacy

Previous and related coverage

Take home along: How a VPN can help travelers connect wherever they go

It can be difficult to access your home Internet services and resources when you travel out of the country. Here are six ways a virtual private network can help.

How to use a VPN to protect your internet privacy

A virtual private network can go a long way to make sure that neither your ISP, nor anyone else, can snoop on what you do on the internet.

World Cup 2018: Traveling to Russia? Here's what you need to know

Russia has some very restrictive cybersecurity laws, especially when it comes to VPN use. Here's what you need to know to avoid trouble.

Air-gapping the planet: How to travel safely in digitally scary places

If you're considering traveling to one of the many countries that has a dubious relationship with digital privacy, you'll need to protect yourself. While the standard advice is a VPN, David Gewirtz takes you a few steps deeper into the murky cloak and dagger world of digital tradecraft.

Editorial standards