Express vpn privacy


ExpressVPN is not as anonymous as you think. They still can be forced to submit logs that can de-anonymize you.

ExpressVPN is fairly reputable when it comes to logging. However, I took a look at it and had a live chat with one of their agents. Here is how it went:

Thank you for visiting ExpressVPN. How can I help you today?

Me: I have a question about your privacy policy.

Chat agent: My name is Paula and I’m here to help. Sure, go ahead.

Me: You collect connections logs, right?

Paula: No, we do not. There are diagnostics logs on your application but we do not have a way to get hold of it unless you send it to us.

Me: Your privacy policy says, and I quote:

Successful connection
We collect information about whether you have successfully established a VPN connection on a particular day (but not a specific time of the day), to which VPN location (but not your assigned outgoing IP address), and from which country/ISP (but not your source IP address).

So you know from which country and ISP I’m connecting from.

Paula: Yes, that is correct.

Me: So that contradicts your statement. What you are talking about is crash reports, which I’m well aware of. It’ll be fairly easy to de-anonymize me from my ISP.

Paula: This information can only be gathered if supplied to us by our customers by submitting their diagnostic logs.

Me: Those opt-in diagnostics logs are a separate section, collected by third-party apps like Crashlytics and Sentry. The other successful connection logs you collect automatically. This is clearly stated in your policy.

Isn’t it clear? You should read your policy before making a statement.

Hello? Are you still there? (She was not responding for a long time)

At last she responded

Paula: Yes, we are still collected. We’ll look into this to make it more clear. Bear with me please.

Me: OK

After a very long time and no response, I tried again

Me: It’s been a while, so you know my originating country and ISP, is that correct?

Paula: Rest assured, I don’t. We don’t have that information on our end as chat agents.

Now she is just playing with words.

Me: Well your policy says you do. “You” mean as a company. I am not meaning chat agents. You get that, right?

Paula: The information we receive is fully anonymized and cannot be tied back to individual ExpressVPN users (i.e., we do not store which user sent which data, and we do not store IP addresses).

Me: You are repeating the same passage from your page. I repeat: those are anonymous diagnostics and can be turned off. I’m talking about successful connection logs, which are not anonymized. You really should talk to your supervisor to clarify this.

Paula: Upon activation of any ExpressVPN App, you will be asked if you would like to share these data.

Me: Yes, and those are crash reports and diagnostics, not connection logs.

Paula: We do not collect connection logs just those on the diagnostic logs.

Me: Then your privacy policy is not correct? It clearly says otherwise. It is outlined as “Successful connection”, if you can’t find it (I was getting snarky)

Paula: Yes, we were able to locate that. It is collected but remains on your computer only. The diagnostic log is not something we store on our side. It sits on your computer, not ours, and it’s a temporary file that gets deleted each time you close the app. It is for you, not us, so that if you have connection difficulties, you can send us the diagnostic log, and our chat support can analyze it to figure out where the problem is. Again, it’s not something we store, and it’s up to you if you want to share it with us or not. I think almost every VPN provider will allow customers to pull down this log file to identify problems as part of the troubleshooting process.

Me: Yes, I totally get that. So you collect the diagnostics log and crash report if I choose to share and my country+ISP which I do not choose to share. For troubleshooting.

It’s okay if you get my country and IP for troubleshooting. It just would be better if you delete those logs daily.

Now the last line gave her a new line of lies.

Paula: Yes, that is correct. Only if you allow us to do so. That information is deleted when you close the application.

Me: No, I have no control over sharing my country and ISP

My country and ISP logs get deleted when I close the app!! That’s unbelievable and hilarious!! I don’t think you know how the application works.

Paula: I understand your sentiments and your hesitation. But this is how the app works. (She is not gonna lose this lifeline)

Me: Well thank you for your opinion, I think we have reached an impasse. Thank you for your time

So, they do store my country and ISP for troubleshooting. Apparently, they delete those from their server as soon as I close the application.

Don’t fall for VPN lies

You Should Probably Stop Using ExpressVPN

The popular privacy product’s integrity has been called into question after it was revealed that an employee had worked as a cyber-mercenary for the UAE.

Published September 24, 2021

For years, ExpressVPN has been one of the most popular and widely used privacy products of its kind on the market. It’s often ranked highest on top 10 VPN lists; a recent Tom’s Guide review called it the “hands-down best” VPN available. In the past, if you wanted to stay anonymous on the web, Express would’ve likely been the way to go.


However, all of this has been called into question following the revelation that ExpressVPN Chief Information Officer Daniel Gericke previously worked as a hacker-for-hire at DarkMatter—a cybersecurity firm based in the United Arab Emirates. Between 2016 and 2019, Gericke helped to hack systems and devices all over the world as part of “Project Raven,” a secretive operation designed to help the UAE monarchy track and surveil critics of its regime, including activists, journalists, and some individuals based in the U.S.


Gericke and two other former U.S. intelligence operatives recently faced federal charges for their involvement in “Raven” but managed to reach deferred prosecution agreements with the government, allowing them to pay fines to avoid jail-time, while also agreeing to certain terms.

If the idea of an ex-spy helping a Middle Eastern government hack U.S. computers is disturbing to you, don’t worry—you’re not alone. The news of Gericke’s employment with the company has rightfully startled customers of ExpressVPN and led to a torrent of online criticism. Express initially tried to quell concerns about their executive’s ties to “Raven” by weirdly admitting that they knew “key facts” about his prior employment when they hired him and were pretty much fine with it. This strategy didn’t really pan out for them. They subsequently published a more extensive statement, noting that they did “not condone” Project Raven as the “surveillance it represents is completely antithetical to our mission.” They also promised to increase third-party audits as a method to sustain compliance with their own privacy policy.


However, in their remarks, the company ultimately stuck by Gericke. The company explained it like this:

Some may ask: How could we willingly invite someone with Daniel’s past into our midst? For us, the answer is clear: We are protecting our customers.

To do that job effectively—to do it, as we believe, better than anyone else in our industry—requires harnessing all the firepower of our adversaries. The best goalkeepers are the ones trained by the best strikers. Someone steeped and seasoned in offense, as Daniel is, can offer insights into defense that are difficult, if not impossible, to come by elsewhere. That’s why there is a well-established precedent of companies in cybersecurity hiring talent from military or intelligence backgrounds.


Whether you buy this argument or not, it could be argued that once that seasoned veteran winds up in federal court, things might have to be reassessed a little. Reuters reports that he is still employed with the company.

Ultimately, these calming words do not seem to have soothed everybody. Not only are the company’s customers riled up, but so are its employees. At a recent virtual meeting, ExpressVPN employees apparently aired their grievances about the recent turn of events, not pausing to mince words.


“This episode has eroded consumer’s trust in our brand, regardless of the facts. How do we intend to rebuild our reputation?” said one.

“To find out such news of the people we work closely with everyday through an online article was absolutely distasteful. Why weren’t we given a heads up? Isn’t transparency and respect our core values?” another person reportedly asked.


Other recent events have caused some to question ExpressVPN’s direction. The company was recently purchased by Kape Technologies, an Israeli technology firm with a controversial past. Formerly known as CrossRider, the company was renamed in 2018 after it got a little too much publicity for, as CNET recently put it, being the “notorious creator of some pernicious data-huffing ad-ware.” Since then, it has been on an apparent rebranding effort accompanied by a privacy product buying spree. In recent years, the firm has procured the VPNs CyberGhost, Zenmate, and Private Internet Access, and purchased ExpressVPN for $936 million earlier this month.

Some of the key figures associated with Kape have also raised eyebrows. A majority share of the company is owned by Teddy Sagi, an Israeli billionaire who, in the 1990s, pled guilty to charges related to bribery and market manipulation and subsequently spent a short stint behind bars. Businesses connected to Sagi were also unearthed in the Panama Papers, the multi-terabyte leak which showed the intricate network of shell companies and tax havens used by world leaders and businesses. The company’s previous CEO and co-founder, Koby Menachemi, is also an Israeli ex-intelligence officer who served in Unit 8200, the notorious cyber (read: hacking) wing of the Israel Defense Forces. Menachemi left the company in 2016.


At the very least, ExpressVPN owes its users a more extensive transparency report on why it hired Gericke. However, given everything that’s come out, it’s probably not out of the question for some customers to up and quit the company’s services altogether.

When you consider the prominence of ExpressVPN, the episode also raises questions about just how secure the VPN industry is overall: How common is it for those on the furthest, flintiest edges of the surveillance industry to turn around and work for companies dedicated to protecting privacy? While you would like to hope the answer is “not very common,” the largely unregulated, walled-off nature of the privacy industry makes it impossible to tell. We reached out to ExpressVPN for comment and will update this story if they get back to us.