Is ExpressVPN Safe & Trustworthy? Windscribe Investigates

Last week, we kicked off the Windscribe Exposé series with Graham's closer look at the face of independent browsers, Mozilla. If you haven't checked out that already, I recommend you do so, as you might be as shocked as I was to discover some truths behind the company.

I'm using this 2nd installment to start taking a closer look at the VPN industry. We already have the VPN Relationship Map – another must-read if you ask me – but we want to really highlight some of the messed up things that go on in this industry.

So, naturally, I thought I'd start at the top, with one of the most well-known VPNs in the world – ExpressVPN. This is partly because of their fame but also because they recently had some controversy over a long-standing bug leaking user data; let's get to it!

ExpressVPN Controversy #1: The DNS Leak Issue

The most recent issue ExpressVPN has faced was the uncovering of a bug in their Split Tunnelling feature on their Windows platforms. Split Tunnelling – a feature all VPNs should have, in our opinion – allows users to selectively direct traffic from different apps through either their ISP or the VPN infrastructure. This gives much more granular control over your VPN usage and also allows you to still use apps that tend to break when using a VPN.

Now, imagine you're using this feature, and you're directing sensitive traffic through your VPN to keep it protected. All is well, you think to yourself, and your data is safe. Except, the bug in the software is causing your DNS requests to be directed through your ISP, leaving you not just exposed, but wholly ignorant of the fact.

Now, whilst this is a bug and thus not (or at least incredibly unlikely to be) a malicious controversy, it's a pretty notable mistake – especially considering this bug went undiscovered for almost 2 years. You'd think with all the money ExpressVPN has behind it, they'd invest in better debugging and QA, right?

Where is ExpressVPN located?

When ExpressVPN first set up shop back in 2009, it was openly based in Hong Kong. They claimed this let them benefit from “uncensored and unrestricted Internet access to the outside world.” A year later, they stopped broadcasting this fact, seemingly realizing that it was not the best publicity, given how tightly connected China is to Hong Kong. Instead, they registered themselves as from the British Virgin Islands, declaring themselves “outside the 14 Eyes” - a big plus for many privacy-conscious individuals looking for a VPN.

ExpressVPN Chengbao

The thing is, when you scratch beneath the surface, it seemed that they hadn't relocated at all. They still had offices and staff in Hong Kong, and they even appeared to share an office building with a company called Chengbao (later Network Guard), who have suspected Chinese government links. If that's not enough of a suspicious connection, they even share staff members.

The worrying part about all this is that the Chinese government is one of, if not the premier national body that stands in opposition to a free and open internet. They are notorious for tracking and controlling information and activities on the internet, and they crack down hard on VPNs. So, ExpressVPN operating from Hong Kong, out of offices shared with a company with suspected Chinese government links, is a big red flag.

ExpressVPN Controversy #2: The Hiring of Daniel Gericke

In one of the single biggest controversies surrounding the company, Express hired Daniel Gericke as the new CIO in 2019. Gericke was a cyberespionage expert who formerly worked as a U.S Intelligence operative with a portfolio full of, well... Not things that a privacy-focused VPN company really should be looking for. They claimed that working with experts in breaking encryption would help them improve their defenses, but people weren't really buying it.

The big stinker, though, was when it came to light that Gericke had been charged for his involvement in something called Project Raven, a UAE operation that saw him and his fellow operatives hack into US computer networks and provide “sophisticated cyber intrusion tools” at the behest of the UAE government.

This kind of activity is antithetical to any VPN serious about the Right to Privacy and security on the internet, so Express naturally got absolutely blasted for it. They went hard on damage control and they have managed to keep it out of the general public's knowledge fairly well, but it leaves a bad taste in the mouth. Gericke no longer works at the company but, for a lot of people, the damage is already done.

Kape Technologies: ExpressVPN's New Owner

On the same day of Gericke's settlement, Express was bought by a company called Kape Technologies. Kape, formerly a malware company called Crossrider, owns several VPNs and other companies. Honestly, it has enough of its own controversies, from Mossad links to assassination attempts on the owner, that we could dedicate an entire article to it - which, of course, we will be doing with our very next exposé, so check in next week for Graham's piece!

👉 Read our exposé of Kape Technologies

Suffice it to say that it doesn't reflect well on Express, especially when it was so closely associated with the Gericke controversy.

ExpressVPN's Audit by PwC: Doesn't Inspire Confidence

Finally, I want to make a note about Pricewaterhouse Cooper (PwC), one of the largest auditing firms in the world. Express brags about how their privacy audits were done by PwC but for anyone that does a little bit of digging on them, they don't exactly give one confidence.

PwC has had multiple fines for audit failings - including “serious breaches” - in their time and are currently embroiled in a huge scandal with the Australian Government, who allege PwC used confidential information about tax avoidance legislation to gain new business. So they have a track record of both incompetence and greed.

I don't know about you, but when a firm like that tells me that a company is for sure secure and private bro, trust me, I tend to take that with enough salt to be declared an existential threat to the global slug population.

Besides, although audits are useful, we find it far more important for transparency to be open source.

Conclusion: Is ExpressVPN Secure?

It might be easy to think we're just looking to trash talk our competitors with this kind of exposé piece – after all, Express VPN is one of the most well-known names in the industry – but the honest truth is we believe all VPNs should be passionate about privacy and security and should make decisions based on that. We believe that no company should be above reproach and by highlighting the shady practices in the industry, we are doing our bit to keep that industry in check.

We also absolutely invite others to call us out if we ever lose our way. As it stands, we're confident you'll see us as the real deal but, again, no company should ever be above reproach.

If you're an Express customer that may suddenly be feeling uneasy about their VPN of choice, then I invite you to make the switch to a company that, believe it or not, actually gives a shit.