ExpressVPN Tackles Trust Issues in the World of VPNs

article by Maria Perinic
November 21, 2018

VPNs are designed to give the world access to the internet in a safe and free environment, but over recent years some VPN companies have come in for a bit of a beating. Even some of the big names in VPNs have had to defend their actions against accusations of stealing data from their clients and reselling users’ bandwidth without their knowledge. In an effort to address some of these concerns, ExpressVPN has teamed up with the Center for Democracy and Technology (CDT) to initiate a type of nutritional guide for VPNs.

The initiative is aimed at empowering consumers by giving them the opportunity to make more informed decisions. A little like how you may choose one breakfast cereal over another depending on how much protein and carbohydrate they contain, ExpressVPN say ‘Signals of A Trustworthy VPN’ will give consumers the knowledge and guidance they need to evaluate the dependability of a VPN before entrusting them with their online security and privacy.

Although it may sound like just another opportunity for ExpressVPN to blow their own trumpet, it’s not. Implemented by the CDT, a non-profit organization dedicated to preserving “the user-controlled nature of the internet and champion freedom of expression”, the list of questions is designed to reveal each VPN service’s commitment to their customers’ privacy. CDT met with four other VPNs as well as ExpressVPN to create questions specifically related to their data logging and security practices, as well as their corporate accountability.

Signaling Safety and Security

The CDT’s initiative encompasses both the user and the supplier, empowering the user to make a knowledgeable choice when it comes to choosing a VPN service, and giving VPNs the opportunity to reveal the relevance and transparency of their product. The CDT hope to raise the bar across the entire industry in an effort to eliminate some of the more nefarious high jinks taking place in the world of cybersecurity. A recent study of the top 100 VPN services revealed that over a quarter of them log files such as your location, bandwidth data and IP address, which could expose personal information and lead to the identification of the user.

While some VPN services like Private Internet Access and ExpressVPN have had their day in court, allowing them to prove that they do not retain any logs relating to their customers’ internet activities, not every reliable VPN has had that opportunity. Since the launch of the CDT initiative last month, however, five VPN companies have responded to and published their answers to the ‘Signals of A Trustworthy VPN’ questions.

As the internet becomes an increasingly central part of most people’s lives, so we expose ourselves to more and more cyber threats. Online shopping and banking can make us particularly vulnerable which is why increasing numbers of internet users are looking to a VPN for protection. Unfortunately, with a few giving VPNs a bad name through their dishonesty, the main motivation behind the ‘Signals of A Trustworthy VPN’ initiative is to boost the users’ trust in the industry and give them peace of mind when carrying out private and professional activities online.

The questions are aimed at revealing how a VPN handles its customers’ data and ensuring that no private information about their consumers is ever shared or sold without the customer’s knowledge.

A Question of Trust

The first set of questions deals with the public face of the company and is designed to make the company transparent in terms of who runs it and who owns it, a relevant concern given the recent legal squabbling surrounding the alleged relationship between NordVPN, ProtonVPN and the data mining company Tesonet. Although NordVPN has confirmed that it is not owned by Tesonet, the rumors haven’t done the VPN service’s reputation any favors.

As there are VPNs out there that are owned by social media sites like Facebook and even adult sites like PornHub, you can see why there may be a conflict of interest. Does Facebook really want to protect your privacy, or are they simply looking for another way to improve their own standing? Knowing who’s in charge is as important as knowing who’s in the driver’s seat before you accept a lift.

In their response to this question, ExpressVPN clearly stated that the company is owned by Express VPN International Limited and all its staff work only on ExpressVPN, thereby ensuring no leakage of information to other rival companies. Concise and transparent, just the way we like it.

Remaining on the theme of company identity and ownership, the CDT has also targeted review sites that are owned by the VPN service. Obviously, no one wants to read an “impartial” review, only to find that it was funded by the VPN service itself and is therefore biased in favor of the product.

The last question relating to corporate responsibility deals with how the company actually makes money. According to CDT, the reason for including this question was to reveal those VPNs that may be diversifying and making money through alternative means, such as selling user information or reselling bandwidth. ExpressVPN’s response confirmed that they only make money from consumer subscriptions and “never sell user information or utilize the information that customers provide to us for any purpose other than operating the VPN service”.

Skeletons in the Closet

The next section of the ‘Signals of A Trustworthy VPN’ initiative is aimed at demonstrating whether a VPN’s purported commitment to online privacy is all it’s cracked up to be. The questions relate to each company’s no-logging policy; their protocol for dealing with requests for information from law enforcement agencies; how they ensure customer data remains protected against unauthorized access; and what additional controls are in place to protect user information. Despite publicizing their no-logging policy, some VPNs have a pile of skeletons in their closets, including users’ names, email addresses and how they paid for their subscription. Quite how that equates to a policy of no logging is anyone’s guess.

As the CDT asserts, VPN providers effectively take the place of an ISP and can, therefore, access information pertaining to a user’s network traffic and online activities. While expansive no-logging claims are made by many VPNs, these often mask their real logging practices, making it confusing for the consumer.

Furthermore, the definition of a log is rather vague. While some VPNs may claim to keep no logs of a user’s activity, if they are keeping track of your connection information and metadata, they still have plenty of information that they could potentially share about your online conduct.

Fortunately, ExpressVPN and others have come clean about exactly what information they do or don’t collect and how long they store it for. According to ExpressVPN’s response on the CDT website, no network or browsing activity data is ever even allowed to hit a disk, while their “private, zero-knowledge DNS” ensures they cannot possess any such data and therefore cannot share it.

Safe Passage

The final section of the CDT’s questionnaire deals with security breaches and highlights research from ArsTechnica a couple of years ago that suggested, “If the objective is to limit exposure to mass surveillance from governments, a VPN is likely not adequate”. Of course, over the past two years, data security has evolved and the occurrence of data leakage has reduced as a result. However, not every VPN was created equal and, according to a recent article in The Daily Dot, some have really got to up the ante if they’re going to stop Chrome extension and DNS leaks.

Leaks are a fundamental breakdown in service delivery and the most serious could leave thousands of users’ IP addresses suddenly unveiled. Not only does ExpressVPN provide open-source leak-testing tools which enable the user to check leak-proofing claims for themselves, but they have also implemented a “bug bounty” program, encouraging third parties to report any vulnerabilities they may encounter while using the VPN. If you find something particularly juicy, they may even pay you for it!

These aren’t the only measures ExpressVPN have in place that correspond to the recommendations of the CDT: they also run frequent tests to ensure their encryption codes are working effectively and their service is free of security vulnerabilities. Although they don’t appear to have undertaken an independent security audit, like TunnelBear VPN did last year, ExpressVPN performs regular audits to ensure the system is working efficiently and complies with company policy.

A Matter of Trust

Not only have ExpressVPN revealed all their cards on the CDT website, but they have also gone even further in their pursuit of gaining their users’ trust by setting up a Trust Center on their website. In simple language, ExpressVPN is using this page to illustrate their commitment to customer privacy and how they implement that obligation with innovations in both their hardware and software.

ExpressVPN highlight the following four areas in which they dedicate themselves to privacy and security:

1. Compromise – ensuring their system is as difficult to compromise as possible by introducing state-of-the-art security features, like a “moat filled with bloodthirsty crocodiles”.

2. Damage control – minimizing the effect a system breach has on the users by restricting the amount of information even the most ingenious cybercriminal has access to.

3. Time – reducing the time the system is compromised to a minimum, making a hacker’s time spent in the system as short as possible.

4. Validation – a systematic endorsement of the above by the constant checking and rechecking of their system’s security features so they can stay ahead of the cybercrime game.

Expressing Themselves

ExpressVPN’s willingness to engage in the CDT’s initiative and its forward-thinking approach to the problems of security, privacy, and trust indicate that ExpressVPN is committed to providing a service without compromise. By associating itself with a non-profit company that is dedicated to keeping the internet open, free and innovative, ExpressVPN proves their worth as a reputable VPN provider.

Although ExpressVPN isn’t the only company to work with the CDT to prove their transparency and commitment to user security, its enthusiasm for the project is reiterated in its development of the Trust Center. With the latest technological developments at their fingertips, paired with an unparalleled dedication to user privacy and security, ExpressVPN has established themselves as a reliable VPN service that’s willing to go the extra mile for its customers.