Update: On 19 June, judge Carlos E. Mendoza decided to dismiss the complaint without prejudice.

On 30 May 2019, Data Protection Services, LLC, the company behind the famous TorGuard VPN service, filed a legal complaint against NordVPN’s Tefincom S.A. and a Toronto-based hosting service provider, Collective 7. The complaint levels several accusations at NordVPN and Collective 7, including an alleged DDoS attack against the TorGuard website on Black Friday, wrongfully obtaining confidential business information, and using said information to blackmail TorGuard.

While the allegations in the legal complaint are serious indeed, it is unclear whether TorGuard has evidence to back them up, or whether the case even belongs in the federal Florida district court where it was filed.

NordVPN responds to the complaint

Late last week, NordVPN issued a statement about the lawsuit on their blog, calling all accusations “fabricated.”

According to the statement by NordVPN, the confidential information referred to in the lawsuit was a TorGuard server configuration file, which was “lying in the open on the internet,” rather than wrongfully obtained from an ex-service provider of TorGuard (Collective 7). They then approached TorGuard and had a group conversation with company CTO Keith Murray and CEO Benjamin Van Pelt via an end-to-end encrypted messaging platform.

NordVPN claim to have contacted TorGuard in good faith and (contrary to the allegations by TorGuard) didn’t ask for anything in return “despite the fact that we could have publicly published our findings as security research, and despite the fact that we have a strong basis to believe that TorGuard has been running a year-long baseless defamation campaign against our company.”

Alhough the statement doesn’t elaborate on the defamation campaign, it seems reasonable to assume that this refers to events we covered in an article in September of last year.

The crux of TorGuard’s lawsuit

The blackmail allegation in TorGuard’s complaint hinges on their ability to prove that NordVPN had received the server configuration file from Collective 7 – the second defendant named in the document.

According to the complaint, Collection 7, an Ontario, Canada-based company, used to provide hosting services to TorGuard. They allege that Collective 7 “is now owned or controlled by NordVPN,” and has provided TorGuard’s competitor confidential information, which was then used for blackmail.

This allegation seems to be based on the fact that the CTO of Collective 7 had previously told TorGuard that “he had a “direct relationship” with the owners of NordVPN, as well as soliciting TorGuard with a potential purchase offer of TorGuard” (on behalf of NordVPN). While troubling if true, this would hardly qualify as proof that NordVPN wrongfully obtained confidential information from Collective 7.

NordVPN is yet to comment on their relationship with Collection 7, likely because TorGuard’s lawyers had originally mistakenly named an unrelated Canadian company, C-7, in their lawsuit.

Update: Judge dismisses complaint

On 19 June 2019, judge Carlos E. Mendoza dismissed TorGuard’s complaint because the plaintiff twice failed to prove jurisdiction. The TorGuard legal team relied on Florida’s long-arm statute to prove jurisdiction over the Panama-based Tefincom S.A. The judge decided that TorGuard’s case failed to meet the requirements of the statute.

The complaint was dismissed without prejudice, meaning Data Protection Services, LLC can bring the case again if they choose to.