This would be a lot more helpful if they would say exactly what the problem is. “Shady” partner? Who is that? Transparency report - what is expected here? I work with people who rely on VPNs for personal safety, so I’m very interested in anything that can compromise that safety. But this article raised questions but did not answer them in a way I found useful.
I for one do not like their requirement to use a closed source VPN client just to have Wireguard support. I ditched them after trying out Mullvad and am so thankful I did. You'd have to contact chat to do basic things like change your email address. Mullvad doesn't even know my email address.
As the article has spelled out, Nord’s operations in many parts of the world, thanks to their convoluted and opaque corporate structure, makes it hard to determine which user data may be accessed by which countries' government entities or third-party companies.
Being owned by a data mining company that also owns a residential proxy service (Nord uses it for unblocking streaming services: https://hiddenrouter.com/how-is-nordvpn-unblocking-disney-it...) is also baffling. Hard to trust a data mining company with data, when they make a profit from selling user data?
Quotes like “ At the same time, we have some obligations for our investors as well -- you know, to not look like a shady company who gets lots of different requests from the FBI, et cetera” make me think the journalist probably took some liberties with a conversation the guy didn’t realise was on the record
When it comes to VPN providers you're essentially moving your traffic from your ISP to the provider itself, so it's not entirely private. If you want to be absolutely sure that no logs are kept, then you're best off running your own VPN somewhere, so you remain completely in control.
I think he meant more control of the traffic by making sure personally it won't log anything. That is high technical skillset out of reach for most users. And if you do even set that up, you will waste a lot of time maintaining. The time lost need to get compensated as he will need to pay bills...and hence he himself quit his day job and become NordVPN. Again, not many users willing to go thru that.
But can you really do that? In the end, you still use the network architecture of the VPS provider. What's preventing them from logging traffic outside of your VPS?
You also don't get the benefit of your traffic getting mixed together under the same address, since VPS providers will assign you an individual address.
Everything is a trade-off, at some point you need to trust someone. I've got a box with OVH that I use as a VPN with wireguard. I just assume that OVH aren't logging all my traffic because it would cost them money and cut into their margins.
I would never do anything illegal via that VPN though, since it would be trivial to trace it back to me. I'm sure OVH wouldn't hesitate to hand over my details if the authorities requested them. But as a privacy protection on public wifi, it works well.
When choosing a VPN, you should think about what you're trying to achieve and what you're trying to protect yourself from. Most non-tech people I know that use VPNs, use them to bypass geo-restrictions. For that purpose, these giant commercial ones are probably fine.
Sure, but if I need to trust someone, I'd rather trust a company whose reputation is staked on not giving out my data.
A VPN provider that easily bows to authorities is a VPN provider that will lose a massive portion of their user base. Some server farm probably profits very little from VPN servers, so if some government (or even some IP lawyer) knocks on their door, then they won't take the risk.
If you pay anonymously for your vpn, then the account is not tied to any identity. You would need to some additional data source for that. Either the isp, or "the same vpn ip first visited shadysite.com and then logged in on bank.com with name John Doe".
If you are paying with say your credit card, I guess the only benefit is that the vpn may have a better privacy policy and/or jurisdiction than your isp.
VPS providers (probably) aren't in the business of extracting value from my web traffic like a VPN company is. And I already have relationships with VPS providers, I don't have to "mail cash" to some company I don't really know and my privacy worries aren't that extreme: usually I either want to keep copyright strikes from going to my ISP or I'm on a sketchy free/public network somewhere and I want to go though somewhere I trust just a little bit more than that.
VPN vendors are extracting value out of your monthly subscription like anybody else. Though the shadier ones might _also_ sell any metadata (to whom?), but we're not talking about these, and selling data is not a necessary precondition to being a VPN vendor.
In reality, the only people that are really interested in knowing in aggregate and in specific where people connect to when trying to hide are governments. And they don't pay, but just put a tap somewhere and if an alarm is triggered, send a court order to get logs and data upstream. That applies for both VPN and VPS vendors. So the goal is finding someone that has as minimal logs and invoicing data as legally possible.
Why do you think VPS providers wouldn't be interested in extracting your data? Whether you use a VPN provider or a VPS provider, it's always going to depend on the company whose service you are using.
Pick a cheap, untrusted VPS provider and you're getting just as exploited as if you were using a cheap, untrusted VPN provider.
It's also trivial to map the traffic of your VPS to you, since there's a 1:1 relationship between the IP your VPS uses and your actual IP.
Additionally IP lawyers may have much more success in threatening litigation to get your provider to rat you out. The provider would get little reward from not doing that, since harboring torrenters is probably not their main business.
>Why do you think VPS providers wouldn't be interested in extracting your data? Whether you use a VPN provider or a VPS provider, it's always going to depend on the company whose service you are using.
The presumption is that the business of VPN providers is fully based on providing privacy, giving them a strong perverse incentive to abuse their access to this information and for whichever purposes. Plus, their whole infrastructure is orientated towards providing VPN services, with their own software, making the effort involved in collecting their customers' data and behaviour much smaller and more scalable.
VPS providers, on the other hand are in the business of offering hosting. What software their customer chooses to use on their VPS, and for what purpose, is anyone's guess. While the VPS provider could technically log and exploit the incoming and outgoing traffic from customers who happen to be running VPN software on their VPS, the effort involved in handling the myriad of bespoke VPN setups used by such a small proportion of their customers would be utterly pointless.
What purpose would this information be uniquely useful for? I don't think ad networks have some exceptional interest in what you torrented or what porn sites you visit.
If you're implying that they'd do something illegal like blackmail, then I don't think that would be a wise course of action for a company to take. VPN companies are, in the worst case, still limited by TLS. So the amount of blackmail material is pretty small,meaning they would be taking a massive risk for very little reward.
A VPS server can easily log your connections. All they'd need to log are incoming packets to your VPS, and the destination address of outgoing packets from your VPS. No need to concern themselves with what software you are using under the hood.
I don't really believe any mainstream paid VPN provider would do this. What I'm arguing is that, if you do worry they may do this, a VPS is a safer bet as it's much less likely that the provider will even bother.
For an analogy, if your motivation for using physical storage space was to hide your stuff from prying eyes, but were legitimately concerned that a business may have an economic or political incentive to take a peek, what would be a safer bet? Would it be to use a business specialising in storage, that uses standard storage modules all in the same location, and who knows most of its customers are interested in hiding their objects? Or would it be to rent an apartment from an estate agent that rents out all sorts of property for any number of purposes?
I keep reading this argument but it’s not at all why people like me use a VPN.
It’s trivial to pinpoint my location just based on IP. Setup a cloudflare worker and dump the request object, it gets very close, down to giving you the rough zip code area. Using something like NordVPN (even with a server in the same country I’m in) changes my IP proximity to something much more broad.
Then in cafes and public networks where I absolutely don’t trust the network
There's tons of rumours around Vilnius tech scene about how Tesonet works. Namely they hire younger devs, give little remote work opportunities and generally push them a lot (kinda fair). I've also heard their engineers say "there are still ways around" to get proxies which to me just sounds like they are simply hacking residential routers.
Finally, they keep providing service to a Russian market.
>is a great option for casual VPN users who just want to unblock content
Honestly that is all you should ever use these VPN services for. Convenient access to blocked content (or flip to a different region to access alternative content).
Sure your own VPS running WireGuard or OpenVPN is better but that isn't as easy as just picking a different country on a pretty map in an app to get access to a show on BBC iPlayer or Netflix a second later.
Nord, Express, etc. are close to worthless from a privacy aspect but they're very convenient for watching blocked content and that is all anyone should use them for.
If you want/need privacy because you're on a network you don't trust (hotel, airport, whatever) then your own VPS and WireGuard are what you should be looking into. If you trust you home ISP and have decent bandwidth (both ways) you can easily run your own WireGuard server on pretty much anything from home and just connect into that so cost is pretty much zero.
With american ISPs (specially mobile ones) moving more into tracking and advertising I think you can still get a privacy boost from using a reputable VPN. If you want to access things that are banned or illegal in your country (either for free-speech or piracy reasons) using a VPN will definitely help with that too. I'm definetly aware that I'm just moving trust from my ISP to the VPN, but most ISPs do not even consider privacy as a selling-point or a feature, while a reputable VPN often will.
So far I haven't seen anything about mullvad that makes me doubt them.
I'd say that cloud service providers serving billion dollar contracts definitely have much more at stake with regards to confidentiality.
This is in contrast to whatever unaccountable colocation provider and residential IP botnet swarm a typical consumer VPN provider would rely on.
AWS Lightsail costs the same as a consumer VPN service while also giving you always-on compute and storage for sync and long-running jobs.
Let's say some Hollywood lawyer finds the IP address of your Amazon VPN in the list of seeders for some big movie torrent. They send a threatening legal letter to Amazon. Will Amazon forward them your contact information? Will they lock your AWS account?
So this has happened to me. On holiday, hotel surprisingly had a decent firewall in place to block torrenting, used my personal server to download a tv series.
Had a copyright notice and warning email within 6 hours. Deleted the content and they were happy. Learnt my lesson not to try that again.
Can't speak to AWS, but I used a dedicated box at another US-based provider as a seedbox for nearly two decades.
When they received a DMCA complaint they didn't provide our information and generally just didn't seem to care as long as we provided the bare minimum of ass-covering for them. We'd get a ticket opened against our account with a copy of the notice, reply "We've identified one of our users operating in violation of our TOS and have banned the offending user. All copyrighted materials referenced have been deleted." and they'd close the ticket every time.
I imagine if this was more than a once-every-three-to-six-months kinda thing the support burden would have had them drop us as a customer, but at no point did they share our information or did any rights-holder take it further.
Mullvad does not use residential IP botnets. They also own at least 150-ish of their 800 servers, and the rest are rented. 45 of their servers also run diskless: https://mullvad.net/en/blog/2022/1/12/diskless-infrastructur.... If you still don't trust their datacenters a multi-hop will probably hide your actual traffic source.
Having a stable, unchanging, unique IP (that is also tied to your identity via billing, etc.) for all of your traffic (like you would with a VPS VPN) is terrible for privacy and the cloud provider will often give out your info for any legal or governmental request.
The confidentiality required by businesses with billion dollar contracts is far removed from the confidentiality required by a VPN user. Do you think Ebay or Uber would care that their web traffic can be linked to them?
Even in the low stakes situation of a lawyer going after you for torrenting, I see a high risk of a cloud provider giving out your information. They'd just have to reveal who rented your VPS instance.
Not only would companies not care about discretion when it comes to catching torrenters, they especially would not care for confidentiality about who rented their infrastructure.
They serve competitor workloads as well, I'd say they there is a huge incentive for cloud providers to put in backdoors if they could get away with it. They are deeply entrenched in rigid processes and rigorous compliance audits.
If torrenting is the basis of your risk profile, seedboxes are a lot more safer.
But you don't need a backdoor. Log incoming and outgoing traffic from a VPS and you'll have all the information you need to deanonymize you.
This is something that they will probably do as a policy, simply because "AWS used for torrenting, storing and seeding CP" is a headline that can do far more damage to their business than some logging ever will.
> I'm definetly aware that I'm just moving trust from my ISP to the VPN, but most ISPs do not even consider privacy as a selling-point or a feature, while a reputable VPN often will.
This. However the critical point is that VPN providers are virtual, so there is in theory infinite competition; ISPs are an oligopoly in every country, so there is no real competition - If you don't like something about your ISP, like selling your metadata, it's usually tough shit because the other few will follow knowing there is no real competition and seeing a way to extract more money.
How safe and secure are the default settings of hosting a WireGuard or OpenVPN server?
I think that is the other side of it: You might have to know what you are doing, to get to similar security of a professional service. Trust is of course its own issue, as you are sort of hinting at, but I think it needs to be stated, that maybe not everyone is able to securely run their own VPN, depending on how hard it is to make it secure.
How is your own VPS + WireGuard better for privacy? You're exchanging one IP (from your ISP) for another IP (from your VPS provider), both of which are directly attributable to you.
In terms of just masking your source address from services that you actively chose to connect to, a self-hosted VPN may reduce your traceability for many – going from potentially many source addresses (your home ISP's range if they use NAT, your mobile provider's range as the almost certainly have you behind CGNAT, and any wireless networks you pass through if you use public networks) to a single fixed address.
But for other details, more significant in many use cases, a private VPN wins because you are protecting your activity from being viewed by those potentially untrusted networks.
Of course once traffic leaves your VPN it is once again at the mercy of the wider Internet between there and the destination sites & services, so use secure transports like HTTPS where-ever possible even over the VPN.
It all depends on what your threat model actually is.
In fact the advertised “access different media” use case isn't addressing an active threat at all, it is about gaining access to something rather than protecting you from someone/something.
This is very simple: if you believe VPN is a safety for protecting your privacy and your data, you don't want to put all of that in the hands of someone who will submit not to governments; not to a tribunal... but to a mere Twitter account with 95 followers.
As far as I am concerned, I judge a company as a block, any of its employees/teams/departments speaks for the whole company, end of the story. And for the topic we're discussing, the company easily caves in and is weak so I am not going to rely on them for anything related to privacy or safeguarding data.
Privacy and where someone advertises are dramatically different things. If they'd handed over data to those twitter accounts I'd agree with you.
This kind of thing I think pushes the needle the other way. It shows a company extremely concerned about their image, when their core argument is about trust and privacy.
In my opinion, the most shady thing about NordVPN is their marketing. There is ALWAYS a "great discount" of about 70% off, and it expires in 9 hours and 39 minutes. Always.
I am a NordVPN customer, but not for privacy, only for access to content in different regions.
I don't know of any other VPN company that has a no-log policy and has been audited to prove that. If anybody else has a recommendation that meets these conditions, I'd be glad to hear it.
I used PIA before, and I left after I learned that they were sold to a dodgy guy whose previous company installed malware. The situation with NordVPN seems confusing, but no major red flag such as that one. I would not recommend PIA anymore.
Similarly to the others who replied to you, Mullvad have had audits done to "prove it" (but even so, they can change infrastructure from the audit easily).
NordVPN is a surprisingly slick product for casual users. I use it to access websites for work that block foreign users. The Mac and Android apps are well done and remove the friction of using a VPN. It's not like the old days of fly-by-night VPNs you have to configure yourself.
But as useful as it might be for casual users, I think you'd be crazy to trust a large commercial VPN service to anonymize yourself if you are worried about being tracked by a nation-state actor or hiding serious crimes or something like that. No large business is going to protect you if they get sufficient pressure from a government that threatens their existence.
I am a NordVPN subscriber. I have found some 'location' issues while using their software. Using something like iplocation.net will show the correct location. However, one of my clients uses search.arin.net as part of their security, which then flags the location as 'out of country'. This is because arin uses the whois location instead of the physical location. In this case, it came back as Panama instead of USA. The client had to baseline my connection to avoid it continually raising that error. Connecting through my dedicated IP address always does that. Connecting through another IP address might or might not.
These "VPN" services should be called Virtual ISPs (VISP services). They're not a VPN in the classic sense of extending a private IP address space (like 10.0.0.0/8) over the internet. They can do anything a physical ISP can do with your traffic.
If you trust the VISP service to protect your privacy more than your physical ISP, they might be useful for privacy. Otherwise they're harmful to privacy, and only useful for getting around region locks.
Hm, do I trust a company whose entire reputation is staked on keeping my data private, and who've been audited numerous times, as well as tested in court?
Or do I test my ISP, who absolutely doesn't care about my privacy and would give up my data at a moment's notice?
As long as you've researched your VPN provider, there's almost no reason to trust your ISP over them.
I have been reliably informed by someone who has spent too much time building up credit on private torrent sites that downloading torrents is often slow through NordVPN.
Also, NordVPN does not support incoming connections to a listening port, so commonly can't download from two thirds of the seeds on a torrent. It is not unusual for there to be one to five seeders on a torrent, none with a port open for incoming connections, so people behind many commercial VPN's can't download the torrent.
There are other VPNs that support incoming connections, such as Mullvad, which are much more effective for torrents, if the users makes the effort to configure it.
These days I use Tailscale + any random VPS I can rent for a while in the region I'm interested (usually DO, sometimes others). The setup is easy (for me): create VPS, install tailscale, cut+paste the setup command, done. Then in the Tailscale app just pick your new exit node, all done.
76 comments
[ 1465 ms ] story [ 2604 ms ] threadhttps://news.ycombinator.com/item?id=31896120
The way it worked is by using using their service you'd actually reciprocally share your IP.
Thats dodgy on multiple levels.
Traffic coming from your IP would be mixed up with unrelated traffic
I'm sure that notion will keep the FBI from raiding your home when that unrelated traffic turns out to be involved in something illicit.
Being owned by a data mining company that also owns a residential proxy service (Nord uses it for unblocking streaming services: https://hiddenrouter.com/how-is-nordvpn-unblocking-disney-it...) is also baffling. Hard to trust a data mining company with data, when they make a profit from selling user data?
Other VPN providers like PIA have released transparency reports that contain requests from state, federal, and foreign law enforcement: https://www.privateinternetaccess.com/blog/private-internet-...
Nord’s own employee said they don’t want to publish transparency reports out of “obligations” to their investors.
You mean on a VPS that you also rented from someone else, therefore essentially moving your traffic from your ISP to...?
You also don't get the benefit of your traffic getting mixed together under the same address, since VPS providers will assign you an individual address.
I would never do anything illegal via that VPN though, since it would be trivial to trace it back to me. I'm sure OVH wouldn't hesitate to hand over my details if the authorities requested them. But as a privacy protection on public wifi, it works well.
When choosing a VPN, you should think about what you're trying to achieve and what you're trying to protect yourself from. Most non-tech people I know that use VPNs, use them to bypass geo-restrictions. For that purpose, these giant commercial ones are probably fine.
A VPN provider that easily bows to authorities is a VPN provider that will lose a massive portion of their user base. Some server farm probably profits very little from VPN servers, so if some government (or even some IP lawyer) knocks on their door, then they won't take the risk.
If you are paying with say your credit card, I guess the only benefit is that the vpn may have a better privacy policy and/or jurisdiction than your isp.
Because you need to give your name and credit card data to get a VPS, and in the end you're still sending encrypted data through someone's network.
VPN vendors are extracting value out of your monthly subscription like anybody else. Though the shadier ones might _also_ sell any metadata (to whom?), but we're not talking about these, and selling data is not a necessary precondition to being a VPN vendor.
In reality, the only people that are really interested in knowing in aggregate and in specific where people connect to when trying to hide are governments. And they don't pay, but just put a tap somewhere and if an alarm is triggered, send a court order to get logs and data upstream. That applies for both VPN and VPS vendors. So the goal is finding someone that has as minimal logs and invoicing data as legally possible.
Pick a cheap, untrusted VPS provider and you're getting just as exploited as if you were using a cheap, untrusted VPN provider.
It's also trivial to map the traffic of your VPS to you, since there's a 1:1 relationship between the IP your VPS uses and your actual IP.
Additionally IP lawyers may have much more success in threatening litigation to get your provider to rat you out. The provider would get little reward from not doing that, since harboring torrenters is probably not their main business.
The presumption is that the business of VPN providers is fully based on providing privacy, giving them a strong perverse incentive to abuse their access to this information and for whichever purposes. Plus, their whole infrastructure is orientated towards providing VPN services, with their own software, making the effort involved in collecting their customers' data and behaviour much smaller and more scalable.
VPS providers, on the other hand are in the business of offering hosting. What software their customer chooses to use on their VPS, and for what purpose, is anyone's guess. While the VPS provider could technically log and exploit the incoming and outgoing traffic from customers who happen to be running VPN software on their VPS, the effort involved in handling the myriad of bespoke VPN setups used by such a small proportion of their customers would be utterly pointless.
If you're implying that they'd do something illegal like blackmail, then I don't think that would be a wise course of action for a company to take. VPN companies are, in the worst case, still limited by TLS. So the amount of blackmail material is pretty small,meaning they would be taking a massive risk for very little reward.
A VPS server can easily log your connections. All they'd need to log are incoming packets to your VPS, and the destination address of outgoing packets from your VPS. No need to concern themselves with what software you are using under the hood.
For an analogy, if your motivation for using physical storage space was to hide your stuff from prying eyes, but were legitimately concerned that a business may have an economic or political incentive to take a peek, what would be a safer bet? Would it be to use a business specialising in storage, that uses standard storage modules all in the same location, and who knows most of its customers are interested in hiding their objects? Or would it be to rent an apartment from an estate agent that rents out all sorts of property for any number of purposes?
It’s trivial to pinpoint my location just based on IP. Setup a cloudflare worker and dump the request object, it gets very close, down to giving you the rough zip code area. Using something like NordVPN (even with a server in the same country I’m in) changes my IP proximity to something much more broad.
Then in cafes and public networks where I absolutely don’t trust the network
Finally, they keep providing service to a Russian market.
Honestly that is all you should ever use these VPN services for. Convenient access to blocked content (or flip to a different region to access alternative content).
Sure your own VPS running WireGuard or OpenVPN is better but that isn't as easy as just picking a different country on a pretty map in an app to get access to a show on BBC iPlayer or Netflix a second later.
Nord, Express, etc. are close to worthless from a privacy aspect but they're very convenient for watching blocked content and that is all anyone should use them for.
If you want/need privacy because you're on a network you don't trust (hotel, airport, whatever) then your own VPS and WireGuard are what you should be looking into. If you trust you home ISP and have decent bandwidth (both ways) you can easily run your own WireGuard server on pretty much anything from home and just connect into that so cost is pretty much zero.
So far I haven't seen anything about mullvad that makes me doubt them.
AWS Lightsail costs the same as a consumer VPN service while also giving you always-on compute and storage for sync and long-running jobs.
Had a copyright notice and warning email within 6 hours. Deleted the content and they were happy. Learnt my lesson not to try that again.
Wasn't AWS but a reasonably big vps provider.
When they received a DMCA complaint they didn't provide our information and generally just didn't seem to care as long as we provided the bare minimum of ass-covering for them. We'd get a ticket opened against our account with a copy of the notice, reply "We've identified one of our users operating in violation of our TOS and have banned the offending user. All copyrighted materials referenced have been deleted." and they'd close the ticket every time.
I imagine if this was more than a once-every-three-to-six-months kinda thing the support burden would have had them drop us as a customer, but at no point did they share our information or did any rights-holder take it further.
Having a stable, unchanging, unique IP (that is also tied to your identity via billing, etc.) for all of your traffic (like you would with a VPS VPN) is terrible for privacy and the cloud provider will often give out your info for any legal or governmental request.
Even in the low stakes situation of a lawyer going after you for torrenting, I see a high risk of a cloud provider giving out your information. They'd just have to reveal who rented your VPS instance.
Not only would companies not care about discretion when it comes to catching torrenters, they especially would not care for confidentiality about who rented their infrastructure.
If torrenting is the basis of your risk profile, seedboxes are a lot more safer.
This is something that they will probably do as a policy, simply because "AWS used for torrenting, storing and seeding CP" is a headline that can do far more damage to their business than some logging ever will.
This. However the critical point is that VPN providers are virtual, so there is in theory infinite competition; ISPs are an oligopoly in every country, so there is no real competition - If you don't like something about your ISP, like selling your metadata, it's usually tough shit because the other few will follow knowing there is no real competition and seeing a way to extract more money.
I think that is the other side of it: You might have to know what you are doing, to get to similar security of a professional service. Trust is of course its own issue, as you are sort of hinting at, but I think it needs to be stated, that maybe not everyone is able to securely run their own VPN, depending on how hard it is to make it secure.
But for other details, more significant in many use cases, a private VPN wins because you are protecting your activity from being viewed by those potentially untrusted networks.
Of course once traffic leaves your VPN it is once again at the mercy of the wider Internet between there and the destination sites & services, so use secure transports like HTTPS where-ever possible even over the VPN.
It all depends on what your threat model actually is.
In fact the advertised “access different media” use case isn't addressing an active threat at all, it is about gaining access to something rather than protecting you from someone/something.
Or probably not.
As far as I am concerned, I judge a company as a block, any of its employees/teams/departments speaks for the whole company, end of the story. And for the topic we're discussing, the company easily caves in and is weak so I am not going to rely on them for anything related to privacy or safeguarding data.
This kind of thing I think pushes the needle the other way. It shows a company extremely concerned about their image, when their core argument is about trust and privacy.
I need to change some stuff on my bank accounts in another country and I can't just go there so I need to use it once or twice just for that.
I am a NordVPN customer, but not for privacy, only for access to content in different regions.
It's one of the main reasons I like Mullvad. One price, month-to-month, no 'discount' for paying for multiple years at a time, no shady sales tactics.
Source: https://protonvpn.com/blog/no-logs-audit/
Their last audit was published in June 22, 2022: https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found...
But as useful as it might be for casual users, I think you'd be crazy to trust a large commercial VPN service to anonymize yourself if you are worried about being tracked by a nation-state actor or hiding serious crimes or something like that. No large business is going to protect you if they get sufficient pressure from a government that threatens their existence.
If you trust the VISP service to protect your privacy more than your physical ISP, they might be useful for privacy. Otherwise they're harmful to privacy, and only useful for getting around region locks.
Or do I test my ISP, who absolutely doesn't care about my privacy and would give up my data at a moment's notice?
As long as you've researched your VPN provider, there's almost no reason to trust your ISP over them.
Also, NordVPN does not support incoming connections to a listening port, so commonly can't download from two thirds of the seeds on a torrent. It is not unusual for there to be one to five seeders on a torrent, none with a port open for incoming connections, so people behind many commercial VPN's can't download the torrent.
There are other VPNs that support incoming connections, such as Mullvad, which are much more effective for torrents, if the users makes the effort to configure it.