Around the 9th of January 2019, NordVPN launched and started promoting a TV ad that showcased a “Watch Dogs” kind of scenario, where a person stepped into a train and its details quickly became available for everyone to see.
The person in cause, apparently named ‘John Smith’, started oversharing his private information with everyone who shared the ride and were in the same train, ranging from his name, Credit Card details, passwords, you get the picture.
At some point he even takes a selfie with a computer-generated character that has no face, while hinting that he’s being “best friends” with a hacker.
While you might have a hunch where this is going (especially if you know who promotes it), it’s worth mentioning that the ad actually targeted public WiFi networks and how connecting to them can leave all your sensitive information out in the open just like that.
You can watch the ad below:
Well, the situation seemed to be a bit too much Orwellian for some users to digest and they started filing complaints against it, claiming that the ad exaggerates the risks users face whenever connecting to a public WiFi network without their (NordVPN) service.
According to ASA | CAP, there have been nine users who complained that the ad was misleading in terms of how insecure public WiFi networks can be without proper security solutions like a VPN.
Naturally, NordVPN couldn’t stay silent and came with a rebuttal, claiming that just because a website is HTTPS-protected, it doesn’t mean that your data is completely safe while you’re at it. They offered an example of such a situation, where some phishing websites were, indeed, HTTPS-protected, but that only meant that data sent between the website and whoever was connected to it was encrypted and couldn’t be ‘sniffed’ by third-parties and not that the website was legitimate.
They claimed that simply using HTTPS doesn’t hide your real location, provide you with protection of your privacy or bypass Internet censorship (although censorship wasn’t exactly the point of this commercial) and that public networks are an ideal spot for stealing personal data, MiTM (Man-in-The-Middle) or Evil Twin attacks, eavesdropping and the such.
Furthermore, NordVPN stated that the tone of the ad was a humorous one that didn’t mean to patronize by claiming that people who are’t using their service willingly hand out their personal data and that the contents of the ad shouldn’t be taken literally.
However, ASA | CAP decided that although NordVPN makes a valid point about Internet security and the risks associated with connecting to a public WiFi without additional layers of protection, the ad is misleading in creating the impression that public WiFi networks are inherently insecure and their users are at significant risk of data theft, when clearly it is not the case.
“Advertisements must not materially mislead or be likely to do so.”
“Broadcasters must hold documentary evidence to prove claims that the audience is likely to regard as objective and that are capable of objective substantiation. The ASA may regard claims as misleading in the absence of adequate substantiation.”
The verdict was that the ad must not be displayed again in its current form and Tefincom SA t/a NordVPN were told not to exaggerate the risks of data theft whenever one’s not using their services.