Privacy Tools Community,
I know ExpressVPN doesn’t meet Privacy Tools VPN provider criteria.
And I myself am a little skeptical of some attributes of this service that I’ve paid for, for years now.
So, I’ll list their “pearls” and “negatives” in a bullet-point list. Hopefully, you could help me draw an objective conclusion. Sometimes I get so stuck inside my head that my ability to separate important from unimportant details becomes blurry or impaired.
[ comparitech[DOT]com/blog/vpn-privacy/expressvpn-server-seized-in-turkey-verifyies-no-logs-claim/ ]
– They hired PwC to do an extensive audit of their servers, code base, etc. etc.
[ expressvpn[DOT]com/blog/pwc-audits-expressvpn-servers-to-confirm-essential-privacy-protections/ ]
– Cure53 audited their browser extensions.
[ expressvpn[DOT]com/blog/browser-extension-audit-and-open-sourcing/ ]
– All their (Linux Ubuntu) VPN servers run on RAM only, with all write permissions removed from their hard drives. The hard drives contain a read-only, cryptographically signed image. They call this innovation ‘TrustedServer’. This also makes the software, updates, OS, etc. load as an entire block at once, versus traditional server architecture, which is more like individual pieces of Tetris for each individual server. This is a genius innovation. PwC audited this claim as well, and the audit report goes into immense technical detail, with visual graphs, as to how it works.
[ expressvpn[DOT]com/features/trustedserver ]
– They seem to have a dedicated, what they call, a Privacy Research Lab.
[ expressvpn[DOT]com/privacy-research-lab ]
– They have open-source Python-based VPN leak testing tools, available on GitHub, to test any VPN provider for leaks.
[ expressvpn[DOT]com/blog/leak-testing-tools/ ]
– They have a ‘Trust Center’, explaining in detail how they manage their systems and infrastructure from the ground up.
[ expressvpn[DOT]com/trust ]
– They use the strongest encryption schemes possible (minus the WireGuard protocol though): OpenVPN (UDP, TCP) – AES-256-GCM; SHA-512; 4096-bit RSA; Perfect Forward Secrecy: a new key is automatically negotiated every 60 minutes, regardless of whether the user ever terminates their VPN connection. They even have the OpenVPN protocol integrated in their own iOS/iPadOS app! That is NOT EASY to do with Apple’s rigorous standards. All the other iOS VPN apps only provide the IKEv2/IPsec protocol. Also, their speeds are FANTASTIC. With EVPN on my WRT3200ACM router, I get 90-100 Mbps download speed and 30 Mbps upload speed using the OpenVPN-TCP protocol.
[ expressvpn[DOT]com/what-is-vpn/vpn-encryption ]
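One way to check whether a provider’s .ovpn profile actually carries the parameters listed in that bullet (AES-256-GCM, SHA-512 HMAC, hourly rekeying, server-certificate check). This is an added example for the thread, not ExpressVPN’s tooling; both sample profiles are constructed, and the checker only covers the directives named above.

```python
"""Check an OpenVPN client profile against the parameters the post lists
(AES-256-GCM, SHA-512 HMAC, hourly rekeying). Added example for this
thread, not ExpressVPN's code; the profiles below are constructed."""

ALLOWED_CIPHERS = {"AES-256-GCM"}
ALLOWED_AUTH = {"SHA512"}
MAX_RENEG_SEC = 3600  # "a new key every 60 minutes"; reneg-sec is in seconds

# Constructed sample profile matching the listed claims (not a real provider's).
GOOD_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-256-GCM
auth SHA512
reneg-sec 3600
remote-cert-tls server
<ca>
MIIBconstructedplaceholder
</ca>
"""

# Constructed weak profile: legacy cipher/HMAC, rekeying off, no server check.
WEAK_PROFILE = "client\ncipher AES-128-CBC\nauth SHA1\nreneg-sec 0\n"


def parse_profile(text):
    """Map each directive to its arguments, skipping comments and <tag> blocks."""
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif line and not in_block:
            name, *args = line.split()
            directives[name] = args
    return directives


def check_profile(text):
    """Return findings (empty list = profile matches the advertised parameters)."""
    d, findings = parse_profile(text), []
    # OpenVPN 2.5+ negotiates from a colon-separated data-ciphers list.
    ciphers = set(d.get("cipher", [])) | set(":".join(d.get("data-ciphers", [])).split(":")) - {""}
    if not ciphers or ciphers - ALLOWED_CIPHERS:
        findings.append(f"cipher: {sorted(ciphers) or 'unset'}")
    if set(d.get("auth", [])) != ALLOWED_AUTH:
        findings.append(f"auth: {d.get('auth', 'unset')}")
    reneg = d.get("reneg-sec", ["unset"])[0]
    if not reneg.isdigit() or int(reneg) == 0 or int(reneg) > MAX_RENEG_SEC:
        findings.append(f"reneg-sec: {reneg} (0 disables client-initiated rekeying)")
    if d.get("remote-cert-tls") != ["server"]:
        findings.append("remote-cert-tls server missing")
    return findings
```

Run `check_profile(open("client.ovpn").read())` on a downloaded profile; an empty list means every listed parameter is present as advertised.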
– Ideal ways of authenticating their apps: expressvpn[DOT]com/blog/expressvpn-app-authentication/
– Fantastic and excellent How-To Guides, including for Bitcoin, TAILS, TOR, a guide for survivors of domestic violence, etc. …AND a full eBook (available for all readers like Kindle, Apple Books, etc.) on Bitcoin, that shouldn’t even be free!: expressvpn[DOT]com/blog/expressvpn-publishes-bitcoin-security-ebook/
Their Negatives or Questions:
– When ExpressVPN launched in 2009, their site then said they were based in Hong Kong, not the British Virgin Islands like their site says today. This can be found on Archive[DOT]org:
A few years after 2009, archives showed their site saying ExpressVPN was based in the USA. …Then suddenly, out of the blue, and to this day, it’s the BVI.
The PwC audit report also shows them as being registered in Road Town, Tortola, BVI.
Nevertheless, they have a very decentralized workforce with offices all over the world, including Hong Kong, Toronto, Manila, London, etc.: expressvpn[DOT]com/jobs
– Harold Li (a Hong Konger), the Vice President of ExpressVPN, in an interview with Kim Komando, was asked by her “how do you keep the speeds so fast?” …and his response was that a lot of it is “proprietary acceleration happening behind the scenes”, which he said he can’t talk about, “secret sauce”. Maybe it’s secret because they don’t want their competitors copying their “secret sauce”? Also, remember all their servers are Linux Ubuntu, which can be transformed into their own “signature”. Also, arguably, the most secure OS for VPN servers.
BUT, could there be sinister ways or ingredients in their “proprietary acceleration/secret sauce” for keeping the speeds fast?
Here’s the interview: youtube[DOT]com/watch?v=6C2D4mWWmW4
– They use Google Ad Services, Google Analytics, Google Tag Manager, Kissmetrics, and Facebook trackers on their website (as seen in uBlock Origin, advanced mode). They affiliate with Google for marketing.
Here’s where it gets “juicy”:
– Their CEO and staff are not public at all.
When I ask them about this, they claim it’s to protect the company and the security of the company, as well as the safety of the staff…
When I made a bold comment years ago on one of their blog posts, the blogger “Johnny 5”, responded: “ExpressVPN staff get the same anonymity as our customers. :-)”.
– You have to sign up with an email address (unlike Mullvad, for example), even with cryptocurrency payments.
– When others have asked to have their account deleted for good, all that happened was that they could still have a password reset link sent to them, and all their invoices, etc. were still there.
– A Reddit user reported that, while using the Little Snitch app on macOS, the ExpressVPN macOS app was contacting random domains, even when the app wasn’t running:
This all makes me wonder if ExpressVPN was STARTED in Hong Kong, by DISSIDENTS.
Not being able to show their identities, a huge focus on censorship circumvention, anarchist-flavored and anti-authoritarian content.
What are your thoughts?
I’m just really curious based on comparing and contrasting the “pros and cons” of ExpressVPN, what should I be skeptical of?
What aspects of them do really show them as dedicated and trustworthy?
Is it an incredibly sophisticated scam?
Do they simply lack modesty when it comes to their marketing tactics, but are still a trustworthy, great VPN service?
Thank you all for your attention to these matters!