Update: This statement was originally issued September 15. A more extensive statement on Daniel Gericke is now available.
ExpressVPN is aware of the Deferred Prosecution Agreement (DPA) disclosed by the U.S. Government today that names one of our employees, Daniel Gericke. For absence of doubt, a DPA means the parties were not prosecuted and instead signed an agreement with the government.
We’ve known the key facts relating to Daniel’s employment history since before we hired him, as he disclosed them proactively and transparently with us from the start. In fact, it was his history and expertise that made him an invaluable hire for our mission to protect users’ privacy and security.
Daniel has a deep understanding of the tools and techniques used by the adversaries we aim to protect users against, and as such is a uniquely qualified expert to advise on defense against such threats. Our product and infrastructure have already benefited from that understanding in better securing user data.
We were confident at the time and continue to be confident now in Daniel’s desire and ability to contribute to our mission of enabling users to better protect their privacy and security. He has demonstrated nothing but professionalism and commitment to advancing our ability to keep user data safe and private. Our trust in Daniel remains strong.
Of course, we do not rely on trust in our employees alone to protect our users. We have robust systems and security controls in place in all our systems or products. We also engage and provide significant access to many independent third parties to conduct audits, security assessments, and penetration tests on our systems and products.
BACKGROUND INFORMATION: DANIEL GERICKE’S WORK HISTORY
Daniel’s cybersecurity career began in network engineering for the US military, and his subsequent career included government contracting working for companies like Lockheed Martin, URS [now AECOM], and Cyberpoint, which ultimately led him to his work in the UAE.
Daniel’s background also included four years working as a contractor for the Defense Health Agency managing computer networks in Department of Defense hospitals. Daniel never worked in a US intelligence agency.
Daniel’s work in the UAE with Cyberpoint was based on know-how gained via open source communities and technology conferences, not knowledge or exposure to military intelligence exploitation of computer systems. His job responsibilities never included target selection.
Cyberpoint was a US company providing intelligence services to the UAE government with the approval of the US government. At Cyberpoint and later at DarkMatter, Daniel’s understanding was that he was continuing his work in the furtherance of US government interests and to enhance the national security for the UAE, an American ally.
While acting as a contractor, Daniel was focused on integrating systems using open source tools and frameworks. Local UAE government staff handled targeting and selection for mobile device exploitation systems, not Daniel.
Daniel left his intelligence-related work in November 2018 and continued contracting through DarkMatter as an IT Expert managing servers and data centers. Daniel ceased contracting and left the UAE to join ExpressVPN in December 2019.
Note: With regards to the DPA, Daniel has not admitted guilt, nor will he be convicted of any crime.