A TV ad for NordVPN seen on 9 January 2019. The ad began with a man walking down a train cubicle. Text on screen appeared that stated “Name: John Smith”. A man’s voice then said, “Look it’s me, giving out my credit card details.” The ad then showed the man handing his credit card to passengers on the train. On-screen text appeared that stated “Credit card number 1143 0569 7821 9901. CVV/CVC 987”. The ad then cut to another shot of the man showing other passengers his phone. The man’s voice said, “Sharing my password with strangers.” On-screen text stated “Password: John123”. The ad then cut to a shot of the man taking a photo of himself with a computer generated character. The man’s voice said, “Being hackers’ best friend.” The ad then cut to the man looking down the corridor of the carriage as three computer generated characters walked towards him. The man’s voice then said, “Your sensitive online data is just as open to snoopers on public WiFi.” The man then pulled out his phone, which showed his security details again. The voice said, “Connect to Nord VPN. Help protect your privacy and enjoy advanced internet security.” On-screen text stated “Advanced security. 6 devices. 30-day money-back guarantee.” The ad cut to show the computer generated characters disappear as the man appeared to use the NordVPN app on his phone.
Nine complainants challenged whether the ad exaggerated the extent to which users were at risk from data theft without their service.
Tefincom SA t/a NordVPN said that while data accessed via HTTPS-protected sites was encrypted, there were still security concerns about the use of public networks. They quoted a news report about HTTPS-protected phishing sites which stated the "https://" part of a web address (otherwise known as “Secure Sockets Layer” or SSL) only indicated that the data transmitted between a user’s browser and the website had been encrypted and could not be read by third parties. However, they stated that did not mean the site was legitimate, nor was it any proof that the site had been security-hardened against intrusion from hackers.
NordVPN said that while HTTPS encrypted information, it did not disguise location, offer any privacy protection nor provide any defence against internet censorship like a VPN did. They said that while a website may be secure and use HTTPS protection, personal data may be vulnerable if a network connection wasn’t secure. They said most public WiFi hotspots were considered insecure since the majority had very primitive security parameters and non-existent or very weak passwords available to everyone.
NordVPN said public networks offered many opportunities for personal data thefts, which included Evil Twin and MiTM attacks and eavesdropping on WiFi network connections. They said that almost half of phishing sites had signed SSL certificates and NordVPN’s CyberSec filter protected a user against visiting those sites regardless of whether HTTPS was used or not.
NordVPN said that a VPN encrypted all of a user’s Internet traffic upon leaving a device. They said traffic would then be routed through an encrypted tunnel and sent to a VPN server along with thousands of other people making many different requests at the same time. They said this meant private data was secured from the device to a VPN server and upon exit was further protected by the SSL if the destination website used HTTPS. They argued, therefore, that NordVPN made it virtually impossible for others to access/intercept user data while the traffic was travelling from the device to the destination website and protected private data when using the Internet on both private and public networks.
Clearcast said they did not believe the ad exaggerated the extent to which users were at risk from data theft without their service. They said the ad was a humorous creative device to convey to viewers that public WiFi networks were not secure and for those looking to do harm it would be easier for them to access data without NordVPN.
Clearcast said they were given substantiation by NordVPN that stated the app created a tunnel around the internet to protect data when it travelled from the user to its destination. They said the app provided its users with a new IP address within which to hide their own address, thus their data was hidden in an encrypted package on its way to a NordVPN server. They said upon reaching the server the data was decrypted, which they understood was safe and secure.
Clearcast said the ad’s visuals were not to be taken literally and the use of humour (the man smiling and willingly handing out credit cards and taking selfies with hackers) was used to add to the creative effect of the ad. They said by use of the word “snoopers” the ad did not imply that without NordVPN users were willingly handing out their sensitive data to random strangers. They said “snoopers”, seen as pixelated characters in the ad, referred to hackers and tech-savvy people who aimed to gain access to sensitive data.
Clearcast said they asked the advertiser to include the word “help” in the claim “helps protect your privacy and enjoy advanced internet security”, to temper the claim and ensure that consumers were not misled into thinking that internet security was completely safe. They said there were no absolute claims about the product. They believed the product would go a long way to achieving security on public WiFi and that consumers would understand the app significantly improved the protection of their private data.
The ASA noted that the ad showed the character “John Smith” walking around a train, handing out personal information including credit card details and passwords to passengers while he stated he was “being hackers’ best friend”. The character then said “Your sensitive online data is just as open to snoopers on public WiFi”. Based on that, we considered consumers would understand that use of public WiFi connections would make them immediately vulnerable to hacking or phishing attempts by virtue of using those connections. Therefore NordVPN needed to demonstrate that using public networks posed such a risk.
With regards to the software, we acknowledged that the product was designed to add an additional layer of encryption beyond the HTTPS encryption which already existed on public WiFi connections to provide greater security from threats on public networks.
We noted the explanations from NordVPN and Clearcast that public networks presented security risks and that the use of HTTPS encryption, which was noticeable from the use of a padlock in a user’s internet browser, did not in all circumstances indicate that a connection was completely secure.
However, while we acknowledged that such data threats could exist we considered the overwhelming impression created by the ad was that public networks were inherently insecure and that access to them was akin to handing out security information voluntarily. As acknowledged by NordVPN, we understood that HTTPS did provide encryption to protect user data so therefore, while data threats existed, data was protected by a significant layer of security.
Therefore, because the ad created the impression that users were at significant risk from data theft, when that was not the case, we concluded it was misleading.
The ad breached BCAP Code rules 3.1 (Misleading advertising) and 3.9 (Substantiation). Rule 3.1: Advertisements must not materially mislead or be likely to do so. Rule 3.9: Broadcasters must hold documentary evidence to prove claims that the audience is likely to regard as objective and that are capable of objective substantiation. The ASA may regard claims as misleading in the absence of adequate substantiation.
The ad must not appear again in its current form. We told Tefincom SA t/a NordVPN not to exaggerate the risk of data theft without using their service.