We find it deeply regrettable that the news of the past few days regarding Daniel Gericke has created concerns among our users and given some cause to question our commitment to our core values. To be completely clear, as much as we value Daniel’s expertise and how it has helped us to protect customers, we do not condone Project Raven. The surveillance it represents is completely antithetical to our mission.
ExpressVPN stands firmly on the side of a more free, secure, and private internet, and we can’t do it without the support of our customers and the broader internet community.
While we are confident that our commitment to this mission is unwavering, we understand that actions speak louder than words. To begin with, we’ll be increasing the cadence of our existing third-party audits to annually recertify our full compliance with our Privacy Policy, including our policy of not storing any activity or connection logs. This is just a first step, and we will continue to strive to earn your trust.
At the same time, while we in no way wish to diminish the sincerity of the concerns we’ve heard, we want to reassure you that we have considered them extensively and do not share them. To help you understand how we can be so confident, we need to share with you exactly how Daniel fits into our mission as a company, past, present, and future.
From the beginning, ExpressVPN has been absolutely committed to the privacy of our customers and the security of our operations. This manifests itself in everything we do, from our groundbreaking TrustedServer system to the extensive steps we take to prevent anyone from injecting malware into our apps. We know that we are asking our customers to trust us, and we never take that trust for granted. That is why we voluntarily open our systems up for scrutiny by outside auditors on a regular basis (as when PwC conducted a thorough review of our TrustedServer technology and Privacy Policy compliance), and it’s why we make even something as critical as our purpose-built Lightway protocol freely available (and reviewable) as open-source software.
When we hired Daniel in December 2019, we knew his background: 20 years in cybersecurity, first with the U.S. military and various government contractors, then with a U.S. company providing counter-terrorism intelligence services to the U.S. and its ally, the U.A.E., and finally with a U.A.E. company doing the same work. We did not know the details of any classified activities, nor of any investigation prior to its resolution this month. But we did know what we had built here at ExpressVPN: a company where every system and process is hardened and designed to minimize risks of all kinds, both external and internal.
Some may ask: How could we willingly invite someone with Daniel’s past into our midst? For us, the answer is clear: We are protecting our customers.
To do that job effectively—to do it, as we believe, better than anyone else in our industry—requires harnessing all the firepower of our adversaries. The best goalkeepers are the ones trained by the best strikers. Someone steeped and seasoned in offense, as Daniel is, can offer insights into defense that are difficult, if not impossible, to come by elsewhere. That’s why there is a well-established precedent of companies in cybersecurity hiring talent from military or intelligence backgrounds.
Before his arrival, we already had robust protections built into our operations that would prevent tampering or damage from within. Though he earned our trust, we have never been solely reliant on that trust; instead, we rely on our controls. (Just one example: In line with our adherence to the principle of least privilege, no one who is not responsible for maintaining or pushing changes to VPN servers has the necessary permissions to do so—not Daniel, not our co-founders, nor anyone else without the need.)
Since Daniel joined us, he has performed exactly the function that we hired him to do: He has consistently and continuously strengthened and reinforced the systems that allow us to deliver privacy and security to millions of people.
How we protect against threats, internal and external
All companies and organizations, and the people that they serve, face threats from both inside and outside. It’s essential to have trust in your internal team members, but it’s also essential to be clear-eyed about the potential risks they may introduce through errors, malice, or poor decision-making.
ExpressVPN has built robust protections against internal threats and installed them throughout our company and systems. Two key examples are our TrustedServer technology and app build verification system.
The TrustedServer technology that we developed and run our VPN servers on gives us a very high degree of confidence that only our intended software is ever running on any of our VPN servers. The servers run entirely from RAM and write nothing to disk, so every reboot returns them to a known state; in that sense they are effectively “read-only,” and nothing changed on a running server persists past a restart. When booting up, they cryptographically verify that they are running only software that one of a small number of authorized ExpressVPN engineers has signed using a physical YubiKey. The May 2019 independent audit of TrustedServer by PwC explored these claims, including documentation of the technical details of how we require one authorized employee to submit a change, and another authorized employee to review and approve the change.
That audit also evaluated how the software that runs on our servers is produced using “reproducible builds”: the same source compiled independently must yield bit-for-bit identical output, so any tampering with the process of going from source code to compiled software shows up as a mismatch between builds. These systems were in place before Daniel joined ExpressVPN. Having such high confidence in the integrity of what’s running on our VPN servers thus makes us confident that our Privacy Policy is true: We don’t log what our customers do with our service, we have put many systems and processes in place to make sure it stays that way, and it is exceedingly unlikely that any single person could change that.
For the apps that we distribute to our customers, our second independent audit by PwC described how we apply very similar techniques to ensure the integrity of that software and protect it from insider threats. Our build verification procedure significantly reduces the risk of unauthorized modifications to our software, including the injection of malware. It requires that every code change be cryptographically signed by the developer, using a unique hardware key protected with a passphrase, and then approved by an authorized person other than the one who made the change. It also includes automated audits of changes, with alerts for unexpected changes, which are followed up in person.
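As an added illustration of the two controls described above (a change signed by its author and approved by a different authorized engineer, and reproducible builds compared to catch pipeline tampering), here is a small Go program. It is not ExpressVPN's code and makes no claim about how TrustedServer or the app build pipeline is actually implemented. It assumes in-memory Ed25519 keys in place of hardware tokens, an allowlist of public keys as the policy, a hypothetical domain-separator string, and constructed sample inputs; all type and function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical domain separator so a signature over a change digest cannot be
// replayed as a signature over some other kind of message.
const changeContext = "server-change-v1:"

// Change: SHA-256 of the source tree plus the author's and approver's signatures.
type Change struct {
	SourceDigest           [32]byte
	AuthorKey, ApproverKey ed25519.PublicKey
	AuthorSig, ApproverSig []byte
}

// Policy is the allowlist of engineers whose keys may sign changes.
type Policy []ed25519.PublicKey

var (
	ErrUnauthorizedSigner = errors.New("signer is not on the authorized list")
	ErrSamePerson         = errors.New("author and approver must be different people")
	ErrBadSignature       = errors.New("signature does not verify over the source digest")
	ErrNotReproducible    = errors.New("independent builds produced different artifacts")
)

func (p Policy) allows(k ed25519.PublicKey) bool {
	for _, a := range p {
		if bytes.Equal(a, k) {
			return true
		}
	}
	return false
}

func signedMessage(d [32]byte) []byte { return append([]byte(changeContext), d[:]...) }

// Digest hashes a source tree or a build artifact.
func Digest(b []byte) [32]byte { return sha256.Sum256(b) }

// NewKey stands in for an engineer's hardware token (assumption: in-memory key).
func NewKey() ed25519.PrivateKey {
	_, k, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewPolicy authorizes the public halves of the given keys.
func NewPolicy(keys ...ed25519.PrivateKey) Policy {
	var p Policy
	for _, k := range keys {
		p = append(p, k.Public().(ed25519.PublicKey))
	}
	return p
}

// SignChange produces both signatures over the same domain-separated digest.
func SignChange(source []byte, author, approver ed25519.PrivateKey) Change {
	d := Digest(source)
	m := signedMessage(d)
	return Change{SourceDigest: d,
		AuthorKey: author.Public().(ed25519.PublicKey), AuthorSig: ed25519.Sign(author, m),
		ApproverKey: approver.Public().(ed25519.PublicKey), ApproverSig: ed25519.Sign(approver, m)}
}

// VerifyChange enforces the two-person rule: both signers allowlisted, approver
// distinct from author, both signatures valid over the same digest. The
// allowlist check runs first so an unlisted or malformed key never reaches Verify.
func VerifyChange(p Policy, c Change) error {
	if !p.allows(c.AuthorKey) || !p.allows(c.ApproverKey) {
		return ErrUnauthorizedSigner
	}
	if bytes.Equal(c.AuthorKey, c.ApproverKey) {
		return ErrSamePerson
	}
	m := signedMessage(c.SourceDigest)
	if !ed25519.Verify(c.AuthorKey, m, c.AuthorSig) || !ed25519.Verify(c.ApproverKey, m, c.ApproverSig) {
		return ErrBadSignature
	}
	return nil
}

// VerifyReproducible compares two independent builds of the same source; any
// difference means the build pipeline, not the reviewed source, changed the output.
func VerifyReproducible(buildA, buildB []byte) error {
	if Digest(buildA) != Digest(buildB) {
		return ErrNotReproducible
	}
	return nil
}

func main() {
	alice, bob, mallory := NewKey(), NewKey(), NewKey()
	policy, src := NewPolicy(alice, bob), []byte("constructed sample source tree") // constructed input
	fmt.Println("two-person:       ", VerifyChange(policy, SignChange(src, alice, bob)))
	fmt.Println("self-approved:    ", VerifyChange(policy, SignChange(src, alice, alice)))
	fmt.Println("unlisted approver:", VerifyChange(policy, SignChange(src, alice, mallory)))
	swapped := SignChange(src, alice, bob)
	swapped.SourceDigest = Digest([]byte("other source")) // digest replaced after signing
	fmt.Println("digest swapped:   ", VerifyChange(policy, swapped))
	fmt.Println("builds differ:    ", VerifyReproducible([]byte("artifact"), []byte("artifact+extra")))
}
```

Run it with `go run`: the first line reports `<nil>` for a change authored by one allowlisted engineer and approved by another, and each of the following lines reports the specific control that rejects a self-approval, an approver who is not on the allowlist, a digest replaced after signing, and two builds of the same source that do not match. The signatures cover a domain-separated digest rather than the raw source, so a signature over one kind of object cannot be reused as another, and the allowlist is consulted before any signature check so an unknown key is rejected without ever being cryptographically evaluated.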
Industry transparency and independent audits
We have also led the charge for greater transparency throughout the VPN industry. This is particularly critical to the public, as it’s not simple or straightforward to assess the security of a VPN service without direct access to its servers and code—and there’s no doubt that not all VPNs are built the same. That’s why we’ve published audits of TrustedServer, our Privacy Policy compliance, our build verification system, and more—and will continue to conduct and publish independent audits and reviews on a regular basis.
Our commitment to security and transparency also extends beyond our company and product. We worked with the ioXt Alliance to expand its security certification to cover VPN apps, helping to set and formalize industry standards. In helping to found the VPN Trust Initiative, we have helped bring clearer standards and greater transparency across the entire VPN landscape. And we’ve made positive contributions to the privacy and security of other companies with which we interact.
Beyond the published reports, it is an ongoing part of our work to invite auditors, penetration testers, and other third parties to evaluate and stress-test our systems. We have been running a bug bounty program since 2016. That was internally managed until 2020, when we transitioned to using BugCrowd instead. Moving to BugCrowd encouraged even more researchers to look at our apps and make them safer for our users. It also encouraged greater transparency, since all bugs and their respective fixes can be publicly disclosed and published on BugCrowd’s website. Daniel was the key person in our company in pushing for such transparency and setting up the BugCrowd program.
What an expert on offense has delivered
As we’ve noted, Daniel’s background and expertise made him extremely qualified to help enhance our service’s privacy and security protections. And indeed, since he joined our team, he has significantly strengthened the security of our systems and products in many ways, direct and indirect. For example, under Daniel’s leadership, ExpressVPN has built a powerful Security Operations Center and one of the strongest internal offensive security “red teams” in not just the VPN industry, but in cybersecurity more broadly. We’ve published a more detailed view of exactly how in a separate post.
We understand the concerns and questions that have been raised, and we always welcome scrutiny. Open conversation, transparency, and robust feedback are fundamental to building the ongoing relationship of trust necessary for successful consumer cybersecurity. We hope this blog post has helped shed light on why we believe that we provide the most rigorous privacy and security protections in the industry, and how, by applying his background and expertise, Daniel has been central in helping ExpressVPN protect our customers.