• Engineering a solution with OpenBoundary
  • Breaking the false binary of privacy
  • Open source and industry collaboration
  • Engineering a solution with OpenBoundary
  • Breaking the false binary of privacy
  • Open source and industry collaboration

How we engineered a way to restrict child sexual abuse material without looking at your data

ExpressVPN news 04.03.2026 3 mins
Sonja Raath
Written by Sonja Raath
Pete Membrey
Reviewed by Pete Membrey
Marnie Spicer
Edited by Marnie Spicer
ExpressVPN x IWF header image

Our new partnership with the Internet Watch Foundation (IWF) proves that strong encryption and targeted CSAM prevention can coexist through careful DNS engineering.

For years, the fundamental operating principle of the VPN industry has been absolute neutrality. We built our infrastructure to move encrypted data securely from one point to another without looking inside the packets or logging user activity. That strict adherence to a neutral network has been essential for protecting dissidents, journalists, and everyday internet users from mass surveillance. However, we recognized that our commitment to privacy doesn’t require us to turn a blind eye to the specific distribution of child sexual abuse material. We realized we could engineer a way to actively reject these dedicated CSAM domains while keeping our foundational promises of encryption and anonymity completely intact.

Today, we’re proud to announce a major step forward in this mission with the launch of our “Not on My Network” initiative. We’ve partnered closely with the nonprofit Internet Watch Foundation (IWF) to systematically restrict access to all known dedicated CSAM domains across our entire global server network. This project represents a maturation of our security philosophy, proving that a privacy company can take a definitive stance against the worst network abuse. We’re drawing a hard line to ensure that our infrastructure is never used to facilitate or access dedicated exploitation material identified by IWF.

“We’ve partnered closely with the IWF to restrict access to all known dedicated child sexual abuse material (CSAM) domains across our entire global server network.”

Engineering a solution with OpenBoundary

The engine driving this new initiative is a server-level technology we developed called OpenBoundary. Rather than relying on client-side scanning, OpenBoundary operates entirely at the DNS level. When a connection request is made, our secure resolvers check the domain against a verified, highly targeted list provided by the experts at the IWF. If the requested destination is flagged as a dedicated CSAM domain, the connection is instantly dropped at the network boundary. This precise mechanism means we never break your encryption, we never perform deep packet inspection, and our strict no-logs policy remains completely uncompromised.

ExpressVPN open on laptop computer with OpenBoundary shield logo in background

Breaking the false binary of privacy

This deployment strikes at the heart of a long-standing debate within the cybersecurity community. Pete Membrey, our Chief Research Officer, has been a driving force behind this architectural shift. “The privacy debate has been falsely framed as a binary choice between protecting encryption and weakening it for safety,” Membrey explains. “Privacy infrastructure does not have to carry everything indiscriminately. With careful engineering, protection and privacy can actually reinforce one another.” His core thesis proves that we can build robust user protection without sacrificing absolute network confidentiality.

The experts leading the fight against digital exploitation agree that this technical approach represents a vital breakthrough. Kerry Smith, the CEO of the IWF, directly challenges the assumption that safety must come at the expense of anonymity. “This innovative approach shows it’s possible for ExpressVPN to balance its commitment to online child safety and online privacy,” Smith explains. By collaborating to build these precise DNS-level guardrails, we’re demonstrating that a secure internet can also be a fundamentally responsible one.

OpenBoundary shield logo for ExpressVPN technology

Open source and industry collaboration

We firmly believe that protecting the internet from abuse should never be treated as a proprietary competitive advantage. To that end, we will be open-sourcing the underlying code for OpenBoundary alongside a comprehensive technical whitepaper that details its network architecture. We’re actively inviting other VPN providers, internet service providers, and cloud platforms to adopt this technology and join the “Not on My Network” initiative. We’re thrilled that CyberGhost VPN and Private Internet Access have already stepped forward to join us in this critical industry-wide effort.

 

Take the first step to protect yourself online. Try ExpressVPN risk-free.

Get ExpressVPN
Content Promo ExpressVPN for Teams
Sonja Raath

Sonja Raath

I like hashtags because they look like waffles, my puns intended, and watching videos of unusual animal friendships. Not necessarily in that order.

  • RELATED POST
  • More from the author
Not on My Network: ExpressVPN restricts IWF-identified child sexual abuse domains
Not on My Network: ExpressVPN restricts IWF-identified child sexual abuse domains
Marnie Spicer 04.03.2026 3 mins
Introducing the Identity Defender app: New features, one dedicated home
Introducing the Identity Defender app: New features, one dedicated home
Sonja Raath 26.02.2026 6 mins
ExpressVPN partners with Meta Quest, introduces industry-first hybrid VPN browser extension
ExpressVPN partners with Meta Quest, introduces industry-first hybrid VPN browser extension
Marnie Spicer 19.02.2026 2 mins
One extension, two ways to stay protected online
One extension, two ways to stay protected online
Sonja Raath 19.02.2026 3 mins
What authorities asked us for in the second half of 2025
What authorities asked us for in the second half of 2025
Sonja Raath 12.02.2026 3 mins
Introducing the Identity Defender app: New features, one dedicated home
Introducing the Identity Defender app: New features, one dedicated home
Sonja Raath 26.02.2026 6 mins
One extension, two ways to stay protected online
One extension, two ways to stay protected online
Sonja Raath 19.02.2026 3 mins
What authorities asked us for in the second half of 2025
What authorities asked us for in the second half of 2025
Sonja Raath 12.02.2026 3 mins
Security audits & ISO certifications: How we're building a complete trust model
Security audits & ISO certifications: How we're building a complete trust model
Sonja Raath 12.02.2026 4 mins
Local pricing, global access: ExpressVPN rolls out local currencies for privacy suite
Local pricing, global access: ExpressVPN rolls out local currencies for privacy suite
Sonja Raath 10.02.2026 3 mins
Introducing ExpressMailGuard: Email privacy, built for how the internet actually works
Introducing ExpressMailGuard: Email privacy, built for how the internet actually works
Sonja Raath 05.02.2026 6 mins
Meet ExpressKeys, a new home for your passwords
Meet ExpressKeys, a new home for your passwords
Sonja Raath 05.02.2026 4 mins

ExpressVPN is proudly supporting

Get Started