UPDATE 1/20: NordVPN says nothing has changed with its approach to user privacy. The company merely wanted to distance itself from shady VPN services such as VPNLab.net, which was shut down for allegedly serving cybercriminals.
“The sole reason we made the change in our blog post was to dissociate ourselves from bad actors. The wording was prone to misinterpretation and we wanted to be clear about how we operate,” the company said.
On Thursday, NordVPN published a new blog post that explained under what circumstances it would comply with a law enforcement information request. The company first emphasized NordVPN’s existing commitments to safeguarding user data.
“From day one of our operations, we have never provided any customer data to law enforcement, nor have we ever received a binding court order to log user data. We never, for a second, logged user VPN traffic, and the results of multiple audits prove that we are true to our policies,” the company said.
In the event the company does receive information requests from a law enforcement agency, NordVPN says it “would do everything to legally challenge them.”
“However, if a court order were issued according to laws and regulations, if it were legally binding under the jurisdiction that we operate in, and if the court were to reject our appeal, then there would be no other option but to comply. The same applies to all existing VPN companies if they operate legally. In fact, the same applies to all companies in the world,” NordVPN said.
“Some people think that VPNs can somehow operate above the law and no matter what, they will never comply with lawful requests issued by a court. It simply isn’t accurate,” the company added. “Truly legitimate and reputable companies will always operate within the law. That is important to understand.”
The customer information NordVPN could hand over to law enforcement agencies would also be limited to payment data and email address. “It is in no way related to user traffic,” due to the company’s zero-logging policy of VPN activities, NordVPN said.
NordVPN is clarifying that it will comply with information requests from international law enforcement after publishing a blog post in 2017 saying that it wouldn’t.
The company pointed out the change to PCMag on Wednesday, a day after Europol announced it had shut down a separate VPN provider called VPNLab.net for allegedly facilitating cybercrime. In the same announcement, Europol implied VPNLab.net had refused to cooperate with authorities, which led to the takedown.
“We will comply with lawful requests as long as they are delivered according to all the laws and regulations,” NordVPN says. “We are a company that protects the security and privacy of our customers, but we operate according to laws and regulations.”
The statement is notably different from what NordVPN wrote in a 2017 blog post when addressing how the company handled warrants and subpoenas from government agencies.
“NordVPN operates under the jurisdiction of Panama and will not comply with requests from foreign governments and law enforcement agencies,” the company said at the time.
However, it seems NordVPN edited the original blog post on Wednesday to change the phrasing. The post now reads: “NordVPN operates under the jurisdiction of Panama and will only comply with requests from foreign governments and law enforcement agencies if these requests are delivered according to laws and regulations.”
[Image: The blog post before the change.]
[Image: The blog post after the alteration.]
But perhaps the most startling change is how NordVPN now says it can log a user’s VPN activity under a law enforcement request.
“We are 100% committed to our zero-logs policy – to ensure users’ ultimate privacy and security, we never log their activity unless ordered by a court in an appropriate, legal way,” the blog post now reads.
“We carefully review each request to make sure it satisfies laws applicable to our company, laws of requesting country, international norms and our internal policies,” the company notes.
Despite the change, NordVPN’s real-time “warrant canary” says the company has never received national security letters, gag orders, or warrants from government organizations demanding user information. It has also long maintained it would have little information to give law enforcement anyway, citing NordVPN’s policy of never logging customer VPN activity.