It’s been a difficult week for ExpressVPN. First it announced that it has been sold to Kape Technologies, then news broke that its CIO, Daniel Gericke, had been charged with breaking hacking laws while he worked for the UAE on Project Raven, prior to joining the VPN company.
The latter has caused more grief than the former, but what does it all mean if you're an ExpressVPN customer? What if you were thinking of signing up? Should you still use its VPN service? Here's what you need to know.
Who is Kape Technologies?
Kape is ExpressVPN's new parent company. It already owns CyberGhost, Private Internet Access, and ZenMate - three other well-known VPN services. It also owns antivirus company Intego and various other security and privacy concerns.
Kape used to be called Crossrider and the primary reason for the name change was to try and disassociate itself from its rather despicable past in which it created browser extensions and ‘ad tech products’ – better known as adware. This software allowed third-party developers to hijack web browsers and redirect users to adverts and collect their personal data. That's the opposite of what you'd want as a VPN or antivirus customer.
According to Kape, it no longer produces adware and is now focused entirely on consumer security products. Yet its brands still include Restoro, a PC optimisation tool that borrows from the older Reimage tool, which had a very poor reputation.
Restoro's reputation isn't much better. Some antivirus engines flag it as malware while others treat it simply as a PUP (potentially unwanted program). Its website makes misleading claims about being certified by McAfee and Norton, and user reviews complain of poor customer service and a poor product.
How does this affect ExpressVPN?
In theory, it makes very little difference at all. The company already operates a zero-logs policy (and has been audited multiple times to confirm it does) and has also had its apps independently examined to check that no one could inject malware into them.
So, ExpressVPN doesn't know what you're doing while you use its service and doesn't record any information about when or how long you used it.
Just ahead of the official announcement of the sale to Kape, a spokesperson for ExpressVPN gave us a heads-up on the news saying “ExpressVPN will continue to operate day-to-day as an independent service, with its existing global team and leadership, including its two co-founders and co-CEOs. We’ll continue to maintain our strong privacy commitments to our users, including our policy of not collecting any activity or connection logs, and our established practice of independent third-party audits.”
CyberGhost, PIA, and ZenMate also operate as independent companies.
However, dig into CyberGhost's website and you'll find that it reserves the right to share personal data with Kape. Because Kape is a UK-based company, any disputes are handled under English law. It's the same situation for ZenMate users. It's a bit different with PIA, because that's based in the US, which is already a privacy-unfavourable jurisdiction.
The UK is one of the Five Eyes intelligence-sharing countries, and generally a jurisdiction to avoid when choosing a VPN. But CyberGhost says this actually protects customers: English law complies with GDPR and, in terms of jurisdiction for information requests about the VPN service itself, it still falls under Romanian law (because that's where CyberGhost is based), which is much more privacy friendly.
Again, remember that there is no recorded information about your activity – the sites you visit, the files you download – because of the zero-logs policy. So the only personal data is the information ExpressVPN holds about your account, such as your name, email address and potentially payment details.
What about Daniel Gericke?
It's the past of ExpressVPN's CIO that has most people worried. Gericke worked on Project Raven, which was designed to help the UAE spy on its enemies, and he was charged with breaking US hacking laws along with two other former US intelligence operatives.
ExpressVPN says it knew most of Gericke’s background before hiring him in 2019 and it was because of his background that he was hired.
In a blog post aimed at allaying customer fears, the company added that, “We did not know the details of any classified activities, nor of any investigation prior to its resolution this month.”
“We find it deeply regrettable that the news of the past few days regarding Daniel Gericke has created concerns among our users and given some cause to question our commitment to our core values. To be completely clear, as much as we value Daniel’s expertise and how it has helped us to protect customers, we do not condone Project Raven. The surveillance it represents is completely antithetical to our mission.”
“Some may ask: How could we willingly invite someone with Daniel’s past into our midst? For us, the answer is clear: We are protecting our customers.”
“To do that job effectively—to do it, as we believe, better than anyone else in our industry—requires harnessing all the firepower of our adversaries. The best goalkeepers are the ones trained by the best strikers. Someone steeped and seasoned in offense, as Daniel is, can offer insights into defense that are difficult, if not impossible, to come by elsewhere. That’s why there is a well-established precedent of companies in cybersecurity hiring talent from military or intelligence backgrounds.”
TL;DR: ExpressVPN has full confidence in Gericke and says that its systems are designed so that even if he did go rogue, he wouldn’t have the permissions to make any changes to the VPN servers.
Not everyone is as confident. Edward Snowden pulled no punches in his tweet:
"If you're an ExpressVPN customer, you shouldn't be." (Edward Snowden, @Snowden, September 16, 2021, https://t.co/l8us92W0BQ)
But he offered no further explanation as to why, linking only to Joseph Menn's tweet.
So is it safe to use ExpressVPN?
The fundamental question you need to ask before using any VPN service is whether you trust the company you’re giving all your data to.
Remember that a VPN routes all (or at least some) of your device's internet traffic through the provider's server before it goes on to its final destination.
The VPN's encryption only covers the tunnel between your device and that server. The server strips it off before forwarding the traffic to Amazon, Netflix or whichever site you're visiting.
Traffic that was already encrypted end to end (an HTTPS connection, say) stays encrypted from the VPN server onwards, but anything your device sends in the clear is readable by the provider, and even for encrypted connections the provider can still see which servers you're talking to. Are you sure your VPN provider can't see that data, that it doesn't store it and won't share it?
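To make the point above concrete, here is an added example (not code from the article, and not anything ExpressVPN or Kape runs) that models what a VPN exit server can read in a flow once the tunnel encryption has been stripped. It constructs two sample payloads, a plaintext HTTP request and a minimal TLS ClientHello with an SNI extension, and reports what the provider could learn from each: the full URL and cookie for the plaintext request, only the destination hostname for the TLS one. The hostnames and cookie value are made up for the example.

```python
"""Added example: toy model of what a VPN exit server can read in forwarded
traffic after tunnel decryption. All sample traffic is constructed inline."""
import re
import struct

REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")

# Constructed plaintext HTTP request, forwarded by the VPN server unchanged.
HTTP_REQUEST = (
    b"GET /search?q=medical+condition HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS ClientHello carrying only an SNI extension.
    Random, cipher suite and other fields are placeholders, not real values."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name    # host_name entry
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                           # client_version TLS 1.2
        + b"\x11" * 32                        # random (placeholder)
        + b"\x00"                             # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
        + b"\x01\x00"                         # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_http_request(payload: bytes):
    """Return method, path, host and headers of a plaintext HTTP/1.x request, else None."""
    try:
        head = payload.decode("ascii").partition("\r\n\r\n")[0]
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return None
    method, path, _ = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path, "host": headers.get("host"), "headers": headers}


def parse_sni(payload: bytes):
    """Return the server_name from a TLS ClientHello record, or None."""
    try:
        if payload[0] != 0x16:                                # not a handshake record
            return None
        hs = payload[5:5 + struct.unpack("!H", payload[3:5])[0]]
        if hs[0] != 0x01:                                     # not a ClientHello
            return None
        pos = 4 + 2 + 32                                      # header, version, random
        pos += 1 + hs[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + hs[pos]                                    # compression_methods
        end = min(pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0], len(hs))
        pos += 2
        while pos + 4 <= end:                                 # walk the extensions
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0x0000:                            # not server_name
                continue
            entry = 2                                         # skip list length
            while entry + 3 <= len(data):
                name_len = struct.unpack("!H", data[entry + 1:entry + 3])[0]
                if data[entry] == 0:                          # host_name type
                    return data[entry + 3:entry + 3 + name_len].decode("ascii", "replace")
                entry += 3 + name_len
    except (IndexError, struct.error):                        # truncated or malformed
        pass
    return None


def what_the_vpn_server_sees(payload: bytes) -> dict:
    """Summarise what the provider can read from one forwarded flow. The
    destination IP and port are always visible; this models only the payload."""
    http = parse_http_request(payload)
    if http:
        return {"kind": "plaintext-http", "host": http["host"], "path": http["path"],
                "cookie": http["headers"].get("cookie"), "content_visible": True}
    sni = parse_sni(payload)
    if sni:
        return {"kind": "tls", "host": sni, "path": None, "cookie": None, "content_visible": False}
    return {"kind": "opaque", "host": None, "path": None, "cookie": None, "content_visible": False}


if __name__ == "__main__":
    print(what_the_vpn_server_sees(HTTP_REQUEST))
    print(what_the_vpn_server_sees(build_client_hello("bank.example")))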
And this leads to another question: why do you need a VPN?
If the answer is simply unblocking content from abroad, ExpressVPN will sort that out for you just fine, albeit at a price that's higher than its rivals. Then again, it's also better than most of those rivals at unblocking stuff.
On the other hand, if you can’t afford for your data to fall into the wrong hands, you’d better be damn sure that the VPN you use is as secure as it’s claimed to be.
VPN providers tend to make vastly overblown claims. You’ll commonly see that a VPN will make you anonymous online (it doesn’t) and that it’s the fastest and most secure out there.
So if there is a clear-cut answer to all this, it's this: no VPN can offer 100% protection, ExpressVPN included. Maybe you'll choose to continue using it, maybe you'll decide now's the time to switch providers.
Just remember that if your life depends upon the privacy and security you get from a VPN, it’s doubtful that any consumer-focused service is up to the job.