The need for privacy protections has remained a constant since ExpressVPN’s founding in 2009, but the tools, technology, and threats have all shifted and evolved. We sat down with Peter Burchhardt, one of the co-founders of ExpressVPN, to discuss the past, present, and future of digital privacy.
How would you describe the state of digital privacy when you first founded ExpressVPN?
It was definitely a very different time. In many ways, people were a lot more vulnerable—there were fewer protections available and there was less awareness about the need for those protections. Technologies like encryption and proxying, which are fundamental privacy protections today, were not widely used, making it easier for adversaries to obtain information. Today, even if you’re not taking any active measures, you’re already significantly protected by the encryption that’s on by default, such as in HTTPS connections or end-to-end encrypted messaging services like WhatsApp or iMessage.
While the protections were lacking back then, there were probably also fewer organizations trying to collect and combine and share your data, whereas now that number has likely risen a lot. And there’s rising cybercrime as the targets are becoming more lucrative, particularly as we move more of our lives online.
I think many consumers don’t think too much about the specific shifts in threats; they have a more general view. Could you explain more about how threats have changed?
Take ISPs [internet service providers] for example. In 2009, your ISP would often have access to very detailed information about your online activities and the content of your communications. If you browsed, say, a WebMD page about a specific disease, they’d see which page you visited, and perhaps be able to extrapolate a private detail about you. By 2023, the situation has improved in many ways, and for the most part ISPs can’t see as much detail thanks to encryption. They might see that you’re visiting WebMD overall but not which specific pages. And of course, with a VPN, they wouldn’t even see that you’re on WebMD at all or know anything about which sites you’re visiting or apps you’re using.
On the flip side, how data is being collected in other ways is quite concerning. The sheer volume of online activities has grown exponentially, and there are now more sophisticated techniques for linking an identity to activity data. As a result, data brokers can now build surprisingly complete profiles of individuals, typically without those people being aware or having given meaningful consent.
You also mentioned how awareness was lower in the past. What’s changed that awareness and shaped the conversation around digital privacy in recent years?
The conversation around digital privacy has evolved considerably, thanks to a steady stream of headlines about privacy-related topics. Additionally, I find it encouraging to see companies like Apple making privacy a core selling proposition for their products and services, which has helped drive change in the industry and also reflects the shift in consumer priorities.
Today, what are the most pressing challenges we face in terms of our privacy online?
I think identity management is an interesting challenge we face today in terms of online privacy. Using a VPN can significantly reduce the number of companies that can see our activities, but there are still companies that see our activities when we interact with them directly. For example, let’s say you sign up for a dating app and share personal information such as your location and hobbies, then separately register for a forum where you discuss your views on contentious topics, and also share your family details with an ancestry research website. Each company has some limited information about you. But if these companies share data amongst each other, typically via third parties acting as intermediaries, it allows them to build a very complete picture of your activities. A potential solution is to perform online activities as different identities that are difficult to link together, thereby limiting the amount of data that can be combined to create a comprehensive profile, but that’s not easy for an average person to do.
Would you say that AI plays a role in that, or is it just a buzzword?
Definitely. I think AI serves as an extension of the idea that data in the public domain will be analyzed and made available to many, and that once data is in the record, it stays there and can be used indefinitely. This reinforces the need to be cautious about managing our identities and the data linked to them.
On the flip side, to invoke another buzzword, the emergence of the metaverse might actually present opportunities on this front. Currently, privacy and anonymity doesn’t seem to be a primary theme of the metaverse yet, but I hope that it will be a place where we can have a new face or identity in a way that’s not linked to our other selves. In contrast, in the real world it’s increasingly difficult to protect the anonymity we used to enjoy in public spaces. As facial recognition technology advances and cameras become even more ubiquitous, our activities in public life will increasingly be linked to our identities via our faces. The main place we still can preserve privacy in the physical world is if you invite someone over to your home. Perhaps the metaverse can provide a safe extension of that.
Are there any misconceptions or myths surrounding online privacy that you would like to debunk for our readers?
To expand on the topic of anonymity, it is an area that is often misunderstood and is a complex topic with many nuances. It depends on being anonymous with respect to whom and at what point in time. Data that might appear to be anonymous can be de-anonymized when identities get linked, revealing sensitive information about an individual. It’s crucial to understand the limitations of anonymity and to be conscious of how our identities are used and linked online.
Finally, what are three pieces of advice you’d like to give our readers to help them stay safe online?
Be conscious of the identities you use and how you link them together. Our usernames and email addresses are often the first pieces defining an identity. I recommend using many unique email addresses, such as those provided by iCloud’s Hide My Email feature or Firefox Relay. This will help you better manage your digital presence and protect your privacy.
Additionally, having a VPN always-on is essential for addressing the fundamental design flaw in the internet that makes activity data too public. ExpressVPN has come a long way in improving service quality such that it’s become reasonable to have the service always-on. I think that’s a key way in which VPN providers can distinguish themselves.
And finally, appreciate the wild outdoors. Walking on a city street, shopping mall, or office—probably neither private nor anonymous due to cameras, Wi-Fi and Bluetooth trackers, and other monitoring or surveillance. But at least for now, the great outdoors is free from most of that and is still a sphere where we can maintain privacy, similar to the privacy we enjoy within our own homes.
Many thanks to our co-founder Peter Burchhardt for speaking with us. What other digital privacy topics would you like to hear more about from the privacy experts on our team? Let us know in the comments!