How safe is your VPN? From NordVPN to ExpressVPN, the rise of virtual private networks and whether users are ever truly hidden
  • Whether it’s to watch Netflix or access banned sites, the use of virtual private networks has skyrocketed in recent years. But just how safe is your VPN really?

At the former site of a Soviet-era sock factory in Vilnius, the capital of Lithuania, NordSec’s new headquarters is rising in a clatter of construction workers and scaffolding.

Soon, the start-up’s roughly 2,000 employees will gather near the remains of a brick chimney for basketball and rooftop barbecues at a sleek complex that would not look out of place in San Francisco.

When co-founders Tom Okman and Eimantas Sabaliauskas invested in the factory property four years ago, it was still making hosiery. Now, the sign at the bus stop out front reads Vienaragiu, the Lithuanian word for “unicorn”.

The Silicon Valley-style conspicuousness is new for Okman and Sabaliauskas, who spent close to a decade developing NordSec and its principal brand, Nord Security, while keeping a low profile. It is also a little unusual for a company that is, after all, in the privacy business.

NordSec’s new headquarters at the site of a Soviet-era sock factory. Photo: Bloomberg Businessweek

If you have heard of Nord, that is probably because of its virtual private network software, NordVPN. By design, VPNs hide what you are looking at online, and where you are looking from, by routing traffic through an encrypted “tunnel” to other servers around the world.

Subscriptions start at US$3.29 a month, and NordVPN’s app filters users’ web activity through roughly 5,500 servers in 60 countries.

Someone browsing from Vilnius might appear, to websites and ad trackers, to be sitting in Miami, Osaka, Sao Paulo or any of the almost 100 other cities where the company keeps hardware.

Depending on whom you ask, VPNs offer much-needed privacy and freedom from snooping corporations and governments, or simply a way to stream Netflix or browse Twitter in places where they are blacked out.

Even some common uses for VPNs are legally dubious, so the companies that run them have traditionally maintained complex, variably sketchy data policies and chains of ownership.

Industry leaders, however, are no longer shying away from the public eye. When I sit down with Okman, Nord’s co-CEO, at a steakhouse near the factory in November, he has just returned from speaking at Web Summit, the tech conference in Lisbon, Portugal, and is preparing for his second trip to the annual World Economic Forum, in Davos, Switzerland.

A few years ago, the Davos crowd did not know what a VPN was. “Now everyone does,” Okman says.

NordSec co-founders Tom Okman (left) and Eimantas Sabaliauskas in Vilnius. Photo: Bloomberg Businessweek

The week we meet, Time magazine named NordVPN one of the best inventions of 2022, describing it as an essential security tool. Instagram posts from the musician Drake have shown NordVPN open on his MacBook, and federal prosecutors recently caught disgraced FTX co-founder Sam Bankman-Fried using a VPN while on bail.

A lawyer for Bankman-Fried, who has been charged with fraud and is prohibited from using certain encrypted software, said he was using it to watch the Super Bowl at his parents’ house.

According to Top10VPN.com, a review site that tracks industry data, Russian interest in VPNs rose by more than 1,000 per cent after Russian President Vladimir Putin invaded Ukraine in 2022 and blocked domestic access to Facebook and Twitter.

About a month later, Nord Security raised US$100 million in venture capital at a US$1.6 billion valuation, ostensibly making it the world’s most valuable VPN start-up.

Nord will not disclose its current financials, but Okman says it has more active subscribers than its closest competitor, Kape Technologies, which reports more than 7 million paying customers and has a market value of US$1.5 billion.

Along with Kape’s ExpressVPN, Nord has become the face of a market that has been trying to go mainstream and distance itself from less reputable competitors with names such as Faceless.me, Hotspot Shield and HideMyA**.

So far, Nord and Kape have been able to keep growing despite fresh competition from companies with far deeper pockets, including Apple, which offers a VPN variant called Private Relay, and Google, which integrated its own VPN into its Pixel smartphones last autumn.

“I’m not sure you’d want to use a Google VPN for privacy,” Okman says, noting the search giant’s dependence on targeted ads. Google says its VPN cannot link network traffic with a user’s identity.

Some researchers warn that no VPN should be seen as a guarantee of privacy. Roya Ensafi, an assistant professor of computer science at the University of Michigan who studies the field, says she and her colleagues have found that VPN makers oversell how much security they provide.

An internet service provider (ISP), not to mention the Pentagon or Putin, can figure out who is using a VPN from traffic patterns or traffic leaks. In some cases, it is possible for a malicious ISP or state to temporarily interrupt a VPN connection and expose sensitive personal information while the encrypted tunnel is down.

One of the many Nord Security offices in Vilnius. NordVPN’s app filters users’ web activity through roughly 5,500 servers in 60 countries. Photo: Bloomberg Businessweek

“Almost every obfuscation implemented for VPNs that we studied is embarrassingly ineffective,” Ensafi says. Some VPNs have also been caught harvesting user data for market research, hiding ties to China or storing traffic logs.

In 2017, The Wall Street Journal reported that Onavo Protect, a free VPN run by Facebook, was monitoring how often users accessed competing social media services. Facebook, which said it was clear about what information it was collecting, closed Onavo 18 months later.

Okman says that PwC has audited its no-logs policy and that having an extra layer of encryption is better than the alternative. “If you want to be secure online, you have to use a VPN,” he says.

Nord has protections against traffic leaks and has developed companion software, including a password manager, an encrypted cloud storage service and a malware scanner. When asked about legally grey uses for VPNs, Okman mostly acts shocked, shocked to find that gambling – or illicit streaming and the like – is going on in here.

He is aware of bad actors in the industry but insists that Nord is operating above board. “We’ve never been hiding in the Cayman Islands or anywhere,” he says. A Nord representative says NordVPN is registered in Panama because that country’s laws do not require companies to retain user data.

As Nord expands, it is facing resistance from states peeved about VPNs enabling access to restricted media, as well as from content providers trying to stop overseas binge-watching of United States-only streaming services such as Hulu. But perhaps its biggest challenge will be convincing average customers that VPNs are safe and necessary.

Jack Wilson, who researched VPN vulnerabilities at Scotland’s Abertay University, says all a VPN really does is “transfer trust” over your browsing from an ISP to a far-flung start-up with nebulous oversight. “It boils down to: who do you trust more?” Wilson says.

The first VPNs emerged in the 1990s as a way for corporate employees to work from home. Microsoft’s product-incubation head Gurdeep Pall, who was part of a team credited with creating an early VPN for Windows 95, recalls the idea of remote logins to an office network being so novel that he struggled to find more than a dozen early adopters for a dial-up precursor.

“The first few months, only like 13 of the 16 modems would light up,” Pall says. As broadband replaced dial-up, though, VPNs caught on as a security measure among tech companies, banks and hospitals.

A parallel VPN ecosystem blossomed around hackers seeking entertainment. Jovan Petrovic, employee No 1 at HideMyA**, which grew popular in the late aughts and featured a logo of a donkey dressed as a secret agent, says enabling access to geo-restricted websites became “a game of hide-and-seek” with governments and companies such as Netflix, which blocked the generic IP addresses that VPNs give users to shield their activity.

He clarifies that VPNs were never some holy product. “It’s all about torrenting, streaming and, you know, porn,” he says, laughing.

It was around this time that Sabaliauskas and Okman first encountered VPNs.

They were born during Lithuania’s final years under Soviet occupation and fell in love with the computers that soon arrived from the West. They met in a chat room circa 1999 and spent years bonding over the finer points of system networking.

They met in person when Sabaliauskas went to study information technologies at university in Vilnius, Okman’s hometown, in 2002. After graduating, Sabaliauskas joined a marketing company focused on web ads and search engine optimisation, while Okman worked for one of Lithuania’s biggest ISPs. “He was basically taking cables to people’s homes and connecting them to the internet,” Sabaliauskas says.

The pair were constantly dreaming up ventures and even established a start-up incubator called Tesonet, though it did not incubate much until 2012, when they created what would become NordVPN. They had been using corporate VPNs at work and thought they could build something superior.

Renting servers for US$50 a month in Germany, they hacked together a basic system with an open-source VPN protocol, followed by rudimentary PC and Mac programs. For the first couple of years, at least, customers had to know a lot about network configurations.

“It was a mess,” says former product manager Justinas Jakunas, who joined in 2014. “It was too geeky. But people were still using it.” Instead of raising money from venture firms, Nord charged its few thousand users US$8 a month (or less) and slowly expanded its staff and server base.

Okman was obsessed with speed and reliability, so the company’s engineers tried to keep enough servers on hand so that none was ever using more than 30 per cent of its bandwidth.

In 2015, Nord topped 10,000 customers and added an iPhone app, followed by an Android counterpart the next year. The mobile interface was much more intuitive, with a map of Nord’s roughly 500 servers and a one-click button that connected users to whichever one was currently fastest. Nord and other VPN start-ups benefited from customers’ growing fears about data mining.

One industry accelerant was the Trump administration. In 2017, the White House overturned a rule that would have required ISPs to ask for consent to share or sell customers’ browsing histories for marketing purposes. Sabaliauskas says Nord’s US user base nearly quadrupled soon afterwards: “We put up a photo of Donald Trump as our employee of the month.”

As it gained market share, Nord added more clever privacy features, including an encryption system that routes traffic through two servers instead of one. But its competition with ExpressVPN has largely been an old-fashioned marketing fight, albeit one that Okman says involves some 15,000 YouTube influencers.

A bar graph of reasons US and UK people use VPNs. Photo: Bloomberg Businessweek

Kazimieras Celiesius, a former Nord developer, says the company’s ad campaigns for years were aimed at customers with little to no technical expertise.

“I call it the grandma segment,” Celiesius says. “Grandma saw it on TV, she bought it, and she doesn’t even know how to turn it on.” Some ads promised “military-grade encryption” and said “your data will never be compromised with NordVPN” – promises a Consumer Reports study found misleading.

Darius Skuncikas, a former user-retention leader at Nord, says a common subject in meetings was how to ensure customer access to streaming services over its VPN. “If we saw huge cancellations, the first question was, ‘Does Netflix work?’,” he recalls.

A NordVPN representative says that it uses an encryption standard approved by the US National Security Agency and that the aim of its marketing is to communicate technical features to everyday consumers with easy-to-understand words.

VPN makers have also won customer trust through deals with affiliate marketers, including VPN-ranking sites. Many of these sites, which receive referral fees for VPN subscriptions bought through their links, have said their editorial decisions are free from commercial pressures.

“We got emails from these reviewers saying, ‘Hi, guys, No 5 spot is now for sale if you give us a certain amount of money,’” says Jan Jonsson, the CEO of Mullvad VPN, a Nord competitor.

Simon Migliano, the research head for Top10VPN.com – which asserts that it is independently owned and that referral commissions do not affect its reviews – says some ranking services are quietly owned by the VPN brands themselves. He calls that “a massive credibility problem”.

Celiesius suggests it is an open secret in the industry that Cybernews, a top VPN review site on Google’s search results, has ties to Okman and Sabaliauskas’ Tesonet incubator. Cybernews ranks NordVPN and two other VPNs in Tesonet’s portfolio, Surfshark and Atlas, as the industry’s best three services.

A Nord representative acknowledges that Tesonet has worked closely for years with Cybernews’ owner, Adtech LT UAB, and invested in a new umbrella company of the site in October. Cybernews chief editor Jurgita Lapienyte says her team “adheres to core principles of journalism” and that their analysis is “in no way influenced by the company’s business goals”.

It is impossible for customers to figure out which VPNs to trust. They cannot visit a data centre to check that a provider’s servers are properly safeguarded, nor can they inspect Nord’s code to make sure it is keeping their web traffic hidden.

In 2019, reports surfaced that Nord infrastructure at a Finnish data centre had been compromised the previous year, sparking headlines about a potential breach of web traffic logs – data on subscribers that Nord says it does not collect.

Okman dismisses those reports as conspiracy theories, stressing that the incident affected only one server out of thousands and that his company later removed all hard drives from its servers to ensure that it physically could not log customers’ traffic. “For us, it would be super f***ing stupid to collect logs,” he says.

In September 2021, Britain-based Kape, which had already bought VPN brands including CyberGhost and Private Internet Access, agreed to acquire ExpressVPN for US$936 million. This should have been a sign of the industry’s growth, but instead it raised more questions about its legitimacy.

Before 2016, when Kape was called Crossrider, its products enabled other developers to inject ads into users’ PCs. It could only ask customers to trust that it had changed. “Kape has moved on from those times,” says ExpressVPN vice-president Harold Li.

Okman starts his day before dawn, running through Vilnius’ cobblestone streets. He usually logs around 100km (62 miles) a week, training for Ironman competitions and, lately, a marathon at the North Pole. He is equally single-minded at the office, where he is prone to firing off Slack messages a word at a time, flooding employees’ phones with notifications.

The team’s current priority is persuading customers to keep its VPN running 24/7. The longer customers keep the VPN on, the more likely they are to renew their US$4 or so monthly subscriptions, which Okman says can turn an 80 per cent profit. Users log off Nord for a variety of reasons, whether because server speeds slow down or because they have concluded that their web surfing simply does not require VPN protection.

Rising industry scrutiny is teaching VPN users that they are not immune to phishing attacks or other scams. If you are logged into Gmail, Google can monitor your activity even with an anonymised IP address.

Nord keeps your email address and billing information on file, and there are ways of triangulating a user’s identity. “Device fingerprinting”, for example, cross-references metadata such as the size of your screen and the version of Chrome you are using.

NordVPN’s app now features a malware scanner and dark-web monitor to guard against suspicious sites and downloads and to track exposures in data breaches. Nord has also introduced NordPass, a subscription password manager, plus a US$8-a-month encrypted cloud service.

NordSec co-founders Okman and Sabaliauskas on a morning jog. Photo: Bloomberg Businessweek

When I arrive at Okman’s office, which he shares with Sabaliauskas and two fellow executives, they are whiteboarding code for NordLayer, an encrypted networking system designed to give family-run businesses a lower-cost version of the kind of expensive firewall protection Palo Alto Networks provides Fortune 500 companies.

Another new product is Incogni. Developed by Surfshark, a VPN Nord merged with in 2022, it automates the removal of personal data from hundreds of data brokers that operate inscrutably online.

“If you try to do it yourself, it takes months,” says Surfshark founder Vytautas Kaziukonis, sitting beneath a security camera in his office that he has tilted towards the wall for privacy. “We do the work for you.”

While Nord is focused on diversifying its product line-up, VPN revenue represents the vast majority of its sales. When Okman shows me his smartphone app, I see his NordVPN subscription is active through to September 2050.

But unlike a decade ago, when accessing your bank account from a motel’s Wi-Fi portal might have been risky, these days more banking websites and browsers offer encrypted connections by default.

The rest of the industry seems to be similarly incorporating VPNs into broader security packages. HideMyA**, which has rebranded as HMA, is now owned by the parent of anti-malware brands Avast and Norton. Google is marketing its VPN as a cybersecurity enhancement rather than a tool to bypass geographic web restrictions. Antivirus companies such as Bitdefender and McAfee offer their own VPNs.

ExpressVPN’s Li likens VPNs to a home-security system monitoring hub that provides safety and peace of mind – but that does not free you from having to lock your doors. “A home-security system might have an ad that says, ‘Protect your home from intruders’, or ‘Protect your valuables’,” Li says. “It doesn’t have an asterisk that says, ‘If there’s a fire, your home-security system is not going to save your valuables.’”

Birgir Mar Ragnarsson, managing partner at Novator Partners, which led Nord’s US$100 million financing round in April 2022, says VPNs are now a commodity: “You cannot just get a VPN and be secure with everything. That’s why we have different products.”

But if there is one product Nord swears it is not selling, it is illicit access to streaming services. Okman tells me the company is not optimising to evade Netflix blockages and, in any case, he reminds me that Nord does not even know if its users are streaming stuff, because servers do not collect logs.

He says that Nord has never received complaints from Netflix and that it tries to make such services function only so subscribers do not have to turn off VPNs when they are at home watching television. “The reality is 90 per cent of our customers connect domestically,” he says, meaning if they were avoiding geo-restrictions, they would presumably connect to a server in a different country. Netflix declined to comment.

NordSec’s new headquarters are at the former site of a Soviet-era sock factory. Photo: Bloomberg Businessweek

The explanation sounds a little funny, not least because the YouTube TVs of the world appear engaged in constant whack-a-mole with VPN IP addresses to prevent unauthorised streaming. VPN review sites and Reddit threads are full of tips on how to game the platforms.

In the US, for one, it is easy to use a VPN to switch to servers in different states to sidestep regional blackouts on ESPN+ for hockey games. An ESPN representative says the company takes protecting intellectual property seriously and has technology to identify suspicious activity.

When I bump into Cyril Polac, NordVPN’s country manager for France, the first insight he shares about the market is related to live sports: “Formula One, in France, will be broadcasted by a specific private channel that will be extremely expensive, while you will find the same sport broadcasted for free in Belgium.”

When I relay this to Okman, he is unfazed. “We’re not denying that’s a use case,” he says. “It’s just not our focus.”

Over the past couple of years, Nord and other VPNs have been at loggerheads with Roskomnadzor, Russia’s federal communications agency. “They asked to ‘give us the encryption keys’, and we did not,” Okman recalls. Instead, the company terminated its contracts with local data centres and had its servers shredded in early 2019.

Russians could still connect to NordVPN via non-Russian servers, but in September 2021, Roskomnadzor announced it was barring access to NordVPN, ExpressVPN and other services, implying they were contributing to the distribution of drugs and child pornography online. Russia invaded Ukraine six months later.

A similar pattern is playing out as governments seek more control over the open internet. Last summer, a new data retention law in India forced NordVPN to turn off its servers there, and the company’s website has long been blocked in mainland China. Meanwhile, as social unrest and geopolitical issues erupt in Iran, Sri Lanka, Turkey and other places, data shows demand for VPNs continues to surge.

Yet when I ask whether these affected populations are downloading NordVPN, Okman says no. Instead, they tend to rush to free VPNs, which, though less secure and possibly dodgy, can grant swift access to Twitter and the BBC. Nord does offer free VPN access on a case-by-case basis to at-risk reporters and dissidents, but Okman says the company cannot open the service to the masses.

“Our servers would explode,” he says. Sabaliauskas says they briefly considered implementing a free VPN programme for Russian citizens but were advised by Ukrainian officials that they likely would not use it for organising protests but rather for surfing the web like they did before the war. “We chose not to participate in this,” he says.

As Okman steers the conversation away from geopolitics and back to humdrum cyberthreats – “My mum was, like, ‘Oh my God, I got this email. Is this a scam?’” – it becomes clear Edward Snowden types are not Nord’s target demographic. About 40 per cent of its sales are in the US, followed by other democratic markets including Australia and Britain.

NordSec’s offices in Vilnius. Photo: Bloomberg Businessweek/Jon Han

In an earlier phone call, Okman shared conflicting views on Nord’s higher purpose. “We are not upsetting governments. We’re not doing anything aggressive,” he said. At another point, though, he said that protecting journalists and freedom fighters is core to his mission and that Nord works closely with Access Now, a digital rights organisation.

But Natalia Krapiva, a lawyer for the group that advises activists on choosing security tools, says she usually recommends VPNs from Mullvad, Proton and TunnelBear, rather than Nord.

“There’s not necessarily anything bad with it, but we haven’t had enough understanding of their security audits,” she says. Even those behind her recommended products warn that they are no cure-all. “If you’re Snowden, you have a threat model that is pretty high and the NSA on the other side – a VPN doesn’t help at all,” Mullvad’s Jonsson says.

That Nord seems more focused on building some New-Age Norton than disrupting the Kremlin’s internet censorship is surprising, especially given that Okman was born when the Soviets were still imprisoning Lithuanian dissidents and that Sabaliauskas’ parents “were always saying it was such a terrible time and that we can never go f***ing back there”, he tells me.

Okman, though, says he does not draw a connection between that history and their development of tools that could potentially thwart authoritarian regimes from raising more digital Iron Curtains.

A view of Vilnius, the capital of Lithuania. Photo: Bloomberg Businessweek

It is possible Okman is playing down this use case to avoid kicking the hornet’s nest, but he does sound more motivated to expand Nord into a global brand and build Vilnius into a tech hub, which is arguably a different kind of protest against Moscow.

“You have all these people who grew up in the middle of a big transition – getting the Soviets out. It’s dead poor,” says Thomas Plantenga, CEO of e-commerce company Vinted, the country’s only other unicorn. “And you have these bright people like Tomas [Okman] and Eimantas [Sabaliauskas] who are full of energy and just want to prove you can build stuff from Lithuania.”

I hear a similar sentiment from Ausrine Armonaite, Lithuania’s minister of the economy and innovation, whose office is across from the Soviet station where the KGB used to spy on phone and radio communications. She focuses on the home-grown entrepreneurship Nord symbolises instead of how VPNs can play a role in geopolitics.

Ditto Remigijus Simasius, who served as mayor of Vilnius until last month. He has an enormous banner hanging outside his window that reads, “Putin, The Hague is waiting for you”, yet spends much of our conversation pitching the country’s thriving tech sector.

Still, the more aggressive internet censors become, the more they will bring attention to VPNs and, by extension, Nord’s products.

When NetBlocks, a widely followed tracker of internet disruptions, tweeted that Jordan was restricting access to TikTok, it recommended Surfshark to circumvent the ban. NetBlocks founder Alp Toker clarifies that this endorsement was part of a sponsorship and that his platform does not compare VPNs. And when Italy barred access to ChatGPT in late March, Cybernews wrote an article about the best VPNs for unblocking the chatbot.

It ranked NordVPN No 1.
