THE VPN TRUST INITIATIVE (VTI): NordVPN and ExpressVPN - Contradictions, misleading advertising, and exploitable resources

Greetings, community. While researching NordVPN on its official website, I came across the “VPN Trust Initiative.”

Source: VTI Members – The VPN Trust Initiative (VTI)

The argument at first glance is as follows: The VPN Trust Initiative (VTI) is powered by an industry-led coalition of leading VPN providers committed to advancing privacy, security, and responsible innovation. Our members don’t just operate VPN services—they actively shape the future of the VPN industry through transparency, trust, and ethical standards.

The word “committed” appears, implying that all members (NordVPN, ExpressVPN, etc.) that are part of this group are committed to protecting the privacy of all users of their services, even if their policies and terms of service don’t explicitly state this.

Analyzing NordVPN’s terms and conditions (I’m going straight to the most serious or highest-level information possible), I found the following (“Privacy Policy”):

  1. It is important that you use our Services and Websites carefully and responsibly — if your actions violate someone else’s privacy, rights, or any applicable laws, the responsibility lies with you and you alone. Nord is not liable for any consequences resulting from your unlawful, intentional, or careless actions, or for events that go beyond what Nord could reasonably control or foresee.
  2. We take your data security very seriously, using a number of protective measures to keep your personal information safe.

→ The first issue is that NordVPN is easily exploited. They don’t distinguish between decent and malicious users. Someone could go to jail for being innocent, and if this happens, NordVPN is fully responsible and will bear all the consequences, despite their denials. The second issue concerns privacy. They claim to take it “very seriously,” but they collect far too much information when you use their app: country, time zone, etc. This information can be exploited. In both cases, NordVPN argues in its terms (points 9 and 10) that they are not responsible for situations beyond their control. However, the membership system, as described above, is a commitment they are obligated to fulfill at all times, regardless of the points in their terms.

Now, applying the same method as with NordVPN, I continue with ExpressVPN:

  1. Aggregate Sum of Data Transferred (in MB): We collect information regarding the total sum of data transferred by a given user. Although we provide unlimited data transfer, if we notice that a single user pushes more traffic than thousands of others combined, thereby affecting the quality of Services for other ExpressVPN users, we may contact that user for an explanation.

→ If ExpressVPN claims to collect bandwidth data and then notifies the user, it means it can identify the individual much more easily than can be proven (according to their arguments), despite their claim of not “keeping logs” according to their policies. However, this can be exploited and used for such purposes. Their typical terms of service regarding limitations (points 12 and 13) are very common, but they also assume full responsibility for all users of their VPN service, as NordVPN argues. There is one more thing: in their privacy policies, the word “commit” appears, which indicates that it is contrary to their limitations and responsibilities if they do not comply in external situations and at the highest level.

ExpressVPN’s misleading advertising on the homepage states: World’s #1 VPN. If this were true, they would have to prove it with genuine and irrefutable actions; they will fail.

Direct rebuttal: By belonging to the “VTI” group, these two “companies” assume a mandatory commitment to protect all users regardless of the consequences, and this contradicts their terms of service regarding limitations and responsibilities. Furthermore, the exaggerated records reveal much more than just an obligation; are they willing to go to jail to cover for a real criminal?

Result: Investigation concluded. Will they be able to alter the “documents” to make them more logical based on reality itself? Time will reveal the truth.

Observe how AdGuard behaves; this reveals more than meets the eye in the VPN industry: The behavior of the company AdGuard

1 Like

The problem at large with these companies (and others) who claim they care about privacy and whatnot is what they mean by privacy in the first place. They see privacy differently than Mullvad or Proton or IVPN. That’s obvious. Then clearly it means these people are saying the right things but don’t quite ensure it as they ought to, because they can clearly do more and better.

The whole initiative is a joke. It’s a few big VPN companies listing out multiple VPNs that they own to boost the membership, to make it seem legitimate.

Ivacy, PureVPN - same company
Nord, Surfshark - same company
IPVanish, WLVPN, StrongVPN, Ziff Davis - same company

That’s basically half their membership owned by 3 companies. Those were just the relations that were easy to find.

2 Likes

I’m liking ProtonVPN and its Secure Core feature; it feels good, and NetShield has good blocking capabilities. I’ve used IVPN and Mullvad before; they have potential, but it would be good if IVPN released more frequent updates for mobile devices.

Here are the official websites where you can find more information about these so-called “products”:

1. IpVanish, StrongVPN…

Source: Cybersecurity - Ziff Davis

2. ExpressVPN, PIAvpn, etc.

Source: Our Brands

3. Betternet, Hotspot Shield, Financial Shield, Privacy Shield, Medical Shield, Touch VPN, Robo Shield, Ultra AV, Ultra VPN, and VPN 360.

Source: Aura.com

My questions arise:

  • What could be hidden that isn’t explicit or implicit…?
  • Could this be a single, massive data collection and mass surveillance network? If so, why, how, and for what purpose, etc.?
  • Are there dangerous activities that haven’t come to light?

My suspicions are growing.

1 Like

DIRECT CONTACT WITH NORDVPN SUPPORT AND THEIR RESPONSE

It’s clear that this response answers many questions without going into exhaustive detail; however, here is my message and NordVPN’s response:

Message sent

Hello. I have a few questions, and I’d appreciate it if you could answer them honestly:

1. What does the VPN Trust Initiative (VTI) mean to you and its members? Would you like to see Mullvad VPN, for example, join the list of members?

2. Do all servers have real, artificial, or merely apparent DDoS protection?

3. Is it true that the privacy policy, where the word “seriously” appears, contradicts the limitations and responsibilities in the terms of service? Would it be prudent for the documents (both) to be aligned and for there to be fewer logs? Because according to the privacy policy, you keep a lot of logs—I need an explanation.

4. Do you have plans to develop your own completely unique and powerful protocol that isn’t WireGuard, etc.?

5. What is the main reason you have so many servers? Why, and what are the benefits for all users?

I look forward to your response.

Best regards.

Message received

Hello, Dany,

Thank you for your letter.

NordVPN strictly keeps no logs of your activity online.

That means we do not track the time or duration of the online session, and neither do we keep logs of IP addresses or servers used, websites visited, or files downloaded.

In other words, none of your private data is logged or saved at any time.

We do collect personal data like your email address and payment details to provide our Services. You may also voluntarily give us your data in situations that don’t involve using our products, such as when you agree to accept cookies on our Website or participate in a promotional campaign. In all cases, we only collect and use the bare minimum of information needed. You can read more about it here: https://my.nordaccount.com/legal/privacy-policy/.

Additionally, application diagnostic logs have nothing to do with our strict no-logs policy. We do not track our users’ activity online in any way. Also, application logs can be obtained only by the app user, not us. They’re used to troubleshoot connectivity issues when a user themselves sends their application’s diagnostics log to us. Additionally, these logs do not show any traffic requests towards the internet; they only show errors and initiated connection attempts to VPN servers to detect at which step the connection issue occurs.

We have our own protocol, which is NordLynx. NordLynx is the technology that we built around the WireGuard® VPN protocol. It lets you experience WireGuard’s speed benefits without compromising your privacy. You can find more information about NordLynx in this blog post.

These articles cover how to enable NordLynx on various operating systems:

Windows - https://support.nordvpn.com/hc/en-us/articles/19919637268625
macOS - https://support.nordvpn.com/hc/en-us/articles/19925285940497
iOS - https://support.nordvpn.com/hc/en-us/articles/20459436694801
Android - https://support.nordvpn.com/hc/en-us/articles/20465306064145
Linux - https://support.nordvpn.com/hc/en-us/articles/20398711101329

Furthermore, our servers are protected with the best real technologies to prevent DDoS.

The main reason NordVPN has a large number of servers is to ensure better performance, reliability, and accessibility for all users. Having many servers allows us to:

  • Distribute user traffic efficiently, preventing overcrowding and maintaining fast speeds;

  • Provide stable and reliable connections, even during peak usage times;

  • Offer a wide range of locations worldwide, so users can connect to servers closer to them or access region-specific content;

  • Improve security and resilience, as traffic can be rerouted if any server experiences issues.

NordVPN servers protect your IP address and hide your true location in 60+ countries worldwide. Also, you can choose from more than 5000+ servers.

Together with the members of the Internet Infrastructure Coalition (i2Coalition), NordVPN co-founded the VPN Trust Initiative (VTI), a program that shapes the rules for transparent and privacy-focused VPNs.

Together, we launched the VPN Trust Seal accreditation, which is basically a gold star for VPNs that proves they meet the highest standards in security, privacy, transparency, and social responsibility.

Why does this matter? Because as the VPN industry grows, trust is more important than ever. Everyone deserves a secure and open internet, backed by providers who actually do what they say. And we’re here to help set that standard.

-> The support response highlights some of the following issues:

  • The VTI group is not trustworthy; there’s a reason why Mullvad’s provider, for example, isn’t part of this group. VTI sets the standards, but they forget that independence matters—it shouldn’t be a simple copy-and-paste job, or in other words, a clone or something similar to a clone.
  • The response regarding DDoS protection is basic, with no substantiation from the company and no proof of its validity.
  • And regarding the privacy policy… it’s very basic, but it doesn’t address the core of the question I asked.

The questions I asked earlier still stand; something isn’t right here—it’s too suspicious.

End.

The one thing that made me finally switch away from NordVPN is their over-reliance on Google services and APIs. Their iOS app is constantly pinging Google servers for some reason, and hell, even their website uses doubleclick/googletagmanager. It just made me feel uneasy.

I’m not calling purposeful foul play or anything, but when users are wanting the bare minimum of privacy, it seems to me that continually telling Google our IPs as we switch VPN servers around is not what people really want.

What you really need to ask yourself is the following:

1. Are they hiding something behind the pretty facade?

2. Is pure quality more important, or is the number of people using the service?

3. Do I seek to trust blindly, or do I use deep reasoning—even if it takes longer to make an accurate decision—by questioning the information I receive from outside sources and not letting myself be guided by emotions?

4. Is there a discrepancy between their words, actions, and what they claim?

5. Are there emerging complexities—not yet patterns—that could later lead to an unexpected surprise?

6. Are there simple to complex patterns with other types of industries, whether similar, identical, or superior?

7. Do their actions demonstrate true quality, or is it merely a facade designed to deceive, manipulate, etc.?

Here is a short list that will help you immensely in these times. It is difficult to put into practice but not impossible, and it requires practice, patience, and self-control. The decision is yours.

1 Like