ExpressVPN & Privacy Tools

Privacy Tools Community,

I know ExpressVPN doesn’t meet Privacy Tools VPN provider criteria.
And I myself am a little skeptical on some attributes regarding this service that I’ve paid for, for years now.

So, I’ll list their “pearls” and “negatives” in bullet point format list. Hopefully, you could help me draw an objective conclusion. Sometimes I get so stuck inside my head, that the ability for me to separate important from unimportant details becomes blurry or impaired.

Their Pearls:

– Their “no-logs” claim and Privacy Policy were put to the ULTIMATE test, due to a devastating assassination of the Turkish ambassador on December 2016. Authorities raided the data center in Turkey that had the (Linux Ubuntu) server operated by Express, and seized it, and was entirely useless to uniquely identify any user who connected to that server.
[ comparitech[DOT]com/blog/vpn-privacy/expressvpn-server-seized-in-turkey-verifyies-no-logs-claim/ ]

– They hired PwC to do an extensive audit of their servers, code base, etc. etc.
[ expressvpn[DOT]com/blog/pwc-audits-expressvpn-servers-to-confirm-essential-privacy-protections/ ]

– Cure53 audited their browser extensions.
[ expressvpn[DOT]com/blog/browser-extension-audit-and-open-sourcing/ ]

– All their (Linux Ubuntu) VPN servers run on RAM-only, with all the write-permissions removed from their hard drives. The hard drives contain a read-only cryptographically signed image. They call this innovation ‘TrustedServer’. This also makes the software, updates, OS, etc. load an entire block at once, versus traditional server architecture, which is more like individual pieces of tetris for each individual server. This is a genius innovation. PwC also audited this claim as well, and the audit report goes into immense technical details and visual graphs as to how it works.
[ expressvpn[DOT]com/features/trustedserver ]

– They seem to have a dedicated, what they call, a Privacy Research Lab.
[ expressvpn[DOT]com/privacy-research-lab ]

– They have open-source Python-based VPN leak testing tools, available on GitHub, to test any VPN provider for leaks.
[ expressvpn[DOT]com/blog/leak-testing-tools/ ]

– They have a ‘Trust Center’, explaining in detail how they manage their systems and infrastructure from the ground up.
[ expressvpn[DOT]com/trust ]

– They use the strongest encryption schemes possible (minus the WireGuard protocol though): OpenVPN (UDP, TCP) – AES-256-GCM; SHA-512; 4096-bit RSA; Perfect Forward Secrecy: a new key is automatically negotiated every 60 minutes, regardless of whether the user ever terminates their VPN connection. They even have the OpenVPN protocol integrated on their own iOS/iPadOS app! That is NOT EASY to do with Apple’s rigorous standards. All the other iOS VPN apps, only provide the IKEv2/IPsec protocol. (----- + -----) Their speeds are FANTASTIC. With EVPN on my WRT3200ACM router, I get 90-100 Mbps download speed , and 30 Mbps upload speed using the OpenVPN-TCP protocol.
[ expressvpn[DOT]com/what-is-vpn/vpn-encryption ]

– Ideal ways of authenticating their apps: expressvpn[DOT]com/blog/expressvpn-app-authentication/

– Fantastic and excellent How-To Guides, including for Bitcoin, TAILS, TOR, Survivors of domestic violence guide, etc …AND a full eBook (available for all readers like Kindle, Apple Books, etc.) on Bitcoin, that shouldn’t even be free!: expressvpn[DOT]com/blog/expressvpn-publishes-bitcoin-security-ebook/

Their Negatives or Questions:

– When ExpressVPN launched in 2009, their site then, said they were based in Hong Kong, not the British Virgin Islands like their site says today. This can be found on Archive[DOT]org:

A few years after 2009, archives showed their site saying ExpressVPN was based in the USA. …Then suddenly after that out of the blue, and to this day, it’s the BVI.

The PwC audit report also shows them as being registered in Road Town, Tortola, BVI.

Nevertheless, they have a very de-centralized workforce with offices all over the world including Hong Kong, Toronto, Manila, London, etc: expressvpn[DOT]com/jobs

– Harold Li (a Hong Konger), the Vice President of ExpressVPN, in an interview with Kim Komando, was asked by her “how do you keep the speeds so fast?”…and his response was that alot of it is “proprietary acceleration happening behind the scenes”, which he said he can’t talk about, “secret sauce”. Maybe it’s secret, because they don’t want their competitors copying their “secret sauce”? Also, remember all their servers are Linux Ubuntu, which can be transformed into their own “signature”. Also, arguably, the most secure OS for VPN servers.
BUT, could their be sinister ways or ingredients in their “proprietary acceleration/secret sauce” for keeping the speeds fast?

Here’s the interview: youtube[DOT]com/watch?v=6C2D4mWWmW4

– They use Google Ad Services, Google Analytics, Google Tag Manager, Kissmetrics, and Facebook trackers on their website (as seen on uBlock Origin , advanced mode). They affiliate with Google for marketing.

– None of their apps are open source. A lot of JavaScript that’s proprietary (their site, their apps, etc.).
Here’s where it get’s “juicy”:
In regards to this, I noticed one evening my MacBook’s CPU was going HAYWIRE! Above the touch bar, it was super HOT. I got on the Mac’s Activity Monitor, and the 50-70% CPU usage was coming from the Firefox Web content Process, and the ONLY tab opened on Firefox was the ExpressVPN website ; with Safari it was 30-40% CPU for the Safari Webcontent process with just ExpressVPN website open, one tab. …I called Apple support, and did screen share. We were doing this for over an hour, and he’d have me kill the webcontent process, and it always crashed the tab with the ExpressVPN website. Now here’s the other thing, when JAVASCRIPT via uBlock was disabled, the CPU for the same web content processes went back down to very low and normal. It was when the JavaScript of the ExpressVPN site was active, then it was eating massive amounts of CPU resources. This Apple Advisor, told me that this could be a sign of rouge JS, and was also told that the JS could see my entire browser (not screen) and it’s other tabs, potentially. The Apple Advisor had me engage in their 24/7 live chat, and that’s ALWAYS when the CPU consistently PEAKED at it’s highest. He had me do this multiple times. I mention this issue to ExpressVPN via their live chat, and now, the CPU is normal with the ExpressVPN site and it’s webcontent process on the activity montior…WHAT could THIS mean? O_o

– Their CEO and staff are not public at all.
When I ask them about this, they claim it’s to protect the company and the security of the company, as well as the safety of the staff…
When I made a bold comment years ago on one of their blog posts, the blogger “Johnny 5”, responded: “ExpressVPN staff get the same anonymity as our customers. :-)”.

– You have to sign-up with an email address (unlike Mullvad for example), even with cryptocurrency payments.

– When others have asked to have their account deleted for good, all that happened was still being able to have a password reset link sent to them, and all their invoices, etc. were still there.

– A Reddit user reported, that while using the Little Snitch app on MacOS, that the ExpressVPN macos app, was contacting random domains, even when the app wasn’t running:

ExpressVPN’s explanation:

No it’s not spying on you. Here’s what’s happening:

-The app tries to call home to an ExpressVPN API to discover the set of available VPN infrastructure.

-Your firewall is rejecting those requests, and as a result the app fails to call home via its standard method. This is quite similar to what happens when customers use the apps in countries with censorship. ISPs there also block the app’s attempts to call home, thus trying to prevent customers from using ExpressVPN.

-The app has features to let it handle such situations.

-You can see those features in action as the app is trying other domains, testing just how much your firewall is blocking.

We’ve previously published some more info in our troubleshooting section under “Why do ExpressVPN apps occasionally contact domains I don’t recognize?”

In general, this relates to censorship-avoidance. A user on a network without censorship (or a firewall acting as such) shouldn’t see these features in action. In your case here, the app is behaving as expected given the trouble the firewall is subjecting it to, and it’s definitely not spying on you. We put a lot of effort into making sure we’re consistently following our privacy policy.

This makes me all wonder if ExpressVPN STARTED in Hong Kong, by DISSIDENTS.
Not being able to show their identities, a huge focus on censorship circumvention, anarchist-flavored and anti-authoritarian content.

  • What are your thoughts?

  • I’m just really curious based on comparing and contrasting the “pros and cons” of ExpressVPN, what should I be skeptical of?

  • What aspects of them do really show them as dedicated and trustworthy?

  • Is it an incredibly sophisticated scam?

  • Do they simply lack modesty when it comes to their marketing tactics, but are still a trustworthy, great VPN service?

**Thank you all for your attention to these matters! :slight_smile:


when i saw pros i was like wow im gonna try it but after read cons i feel like cons is more worse than pros. (thats my point of view)


Esmail EL BoB,

Lol. ExpressVPN is an enigmatic bundle of contradictions, huh? :grinning:

Can you explain in detail as to why the cons killed the pros in your perspective?

  • Which of the cons did you find to be the most disturbing?

  • Since that assassination happened, and it really proved their no-log policy on their servers…could they be doing nefarious and shady things with other methods, despite their servers being secure? If so, what possibilities come to your mind?

  • Do you think their way to circumvent censorship (contacting, without sending any data, random domains) as clever, or suspicious?

  • What could be the reasons for ExpressVPN not having their headquarters office location public, not having their CEO, UX designers, engineers names, short bio’s, pictures public?

  • What could be the REAL reason ExpressVPN is operating that’s classified? Could they do what they say they do, but also do something else too that they wouldnt want the public to ever know about?

  • How could they fake being based in the BVI, when Pricewaterhouse Coopers audit report, has their company ExpressVPN being an “ExpressVPN International Limited” company in Road Town, Tortola, British Virgin Islands? PwC is VERY reputable and well known.
    —Here’s the FULL audit report, only available to customers on their account page. It’s a PDF file, and signed by two of the heads at PwC at the end of the report. I uploaded it to share with the Privacy Tools community (via Firefox Send):

  • What could be some possible ways they created their “secret sauce” for their “proprietary acceleration happening behind the scenes”, as Harold Li said in that Kim Komando podcast interview?

Such an odd contrast between the pros and cons, an enigmatic cyber dissonance.

They use Google
None of their apps are open source
Their CEO and staff are not public at all
You have to sign-up with an email address
cant delete my account
it connect to random domains

get users data ?

suspicious, because i cant be sure its really them

afraid of something for sure but not sure yet if its bad or good (like afraid to get arrested or afraid from their users themselves)

i not get it, lol

idk thats why i make me get more afraid from them

what you exactly mean again ?

use easy words next time

ExpressVPN is a brand, and it doesn’t need any justification for its high-quality services, Whether its security, streaming, gaming, or speed ExpressVPN takes al.l the awards. However, you can find alot of unbiased ExpresssVPN reviews they all are recommending ExpressVPN. Becasue there is no flow in ExpressVPN, accept a high price. It is one of the recommend privacy tools.

By the way the website you are linking to sets Google Chrome SECOND as a PRIVATE browser. LOL, do you really trust such ‘unbiased’ reviews?

Just read that browser’s article, I think all the browsers keep some logs, But I think they are expert they know why to google chrome must be on no 2. However, I am following Reviewsed for last 1 year, and I have read almost every article of the blog, but I don’t see any favoritism, so I don’t think that they list google chrome on 2 because of money of anything else, What do you say?

@Alexander Thanks for the great post. While ExpressVPN seems to be technically proficient and having somewhat proven “no logs” policy, they don’t seem to take privacy seriously. Lack of openness, closed source applications (a major source of distrust for me), using third party trackers and suspicious Javascript on their site (a bunch of hypocrisy, like spitting on privacy) and requiring email address when registering are all privacy setbacks.

I like the criteria used by and I strongly recommend everyone to read it when choosing a VPN provider.

Some less common privacy features that I appreciate about VPN providers:
– Email address or other such information is not required, or even not accepted. Username is auto-generated for you.
– The website of the service can be used entirely without Javascript (I haven’t yet seen any provider fulfilling this)
– Cash is actually accepted as a method of payment. Many cryptocurrencies can be surprisingly non-private, either by design, or due to how one has to buy the cryptocurrency. Cash in an envelope is almost foolproof.
– Full IPv6 support. It’s 2020, there should be no need or reason for “IPv6 leak protection”.
– Weak protocols such as PPTP are NOT supported.
– Good configuration options and guides for different systems

Yes, they do need justification. Its their job to earn their users trust.
Trust is when you can be sure that someone or something is going to capitalize on your best interests.
How can you be sure with ExpressVPN being one of the least transparent VPNs on the market?

Thank you! Sorry for the delayed response.
I feel what you mean.

Could you explain some potentially malicious things the JS could be doing within the closed source code of their apps?

Also, could you email me at alexander.brooks1 @ ProtonMail . Com ? It’d be nice to talk about things like this, especially in this isolated time.