Welcome to the ExpressVPN Privacy Research Lab
Not all VPNs are made equal, particularly when it comes to privacy and security. While using a VPN is often as simple as tapping a button, there’s a lot of work needed behind the scenes to ensure your connection protects you online. A great VPN is constantly investigating threats to its users’ privacy and security and improving its service to protect them.
Our mission at ExpressVPN’s Privacy Research Lab is to bring that level of scrutiny to every piece of software we ship to customers. We have engineers working daily to investigate a range of scenarios that could impact user privacy and security.
To help you better understand the privacy and security advances the Lab is making, as well as help the VPN industry as a whole improve on these fronts, we’ve developed a library of case studies for the types of potential leaks that ExpressVPN’s research has identified and protected users from, as well as directions and Leak Testing Tools that enable customers and third parties to verify our own or other VPN providers’ claims independently. The tools are open-source, maintained by ExpressVPN, and open for anyone to use and contribute to.
Leaks and leakproofing: What makes for a good, secure VPN?
Let’s start with the basics. To protect your privacy and security, a VPN should, among other things:
- hide your browsing activity and app data from your ISP,
- hide your IP addresses from the websites and apps that you use,
- ensure all DNS requests are encrypted and only sent to the VPN provider’s DNS servers, and
- ensure all your network traffic is encrypted to prevent hackers or other third parties from viewing its contents.
Ideally, a VPN should do all of these things consistently from the instant you turn it on up until the moment you choose to turn it off, whether that’s for a few minutes, several hours, or even days at a time.
In reality, however, not all VPNs are able to accomplish this. There are some scenarios—such as when your device unexpectedly disconnects from the VPN server—where your private information might be exposed, if only for a moment. We call this a leak.
One way to measure the quality of a VPN is by counting these leaks across all possible scenarios where a VPN might leak. The best VPN is the one with the fewest leaks.
Case studies: What are some scenarios where a VPN might leak?
Here’s a quick overview of some situations where your personal information could become vulnerable even while using a VPN:
- Your device loses connection to the network
- The VPN server suddenly becomes unavailable
- Your device switches from Wi-Fi to a cellular data network
- Your BitTorrent client tries to send some traffic outside the VPN tunnel
- WebRTC allows a third party to request your true IP address
ExpressVPN takes great care to prevent leaks in all of these scenarios and more. But how can we be sure? More importantly, how can you be sure?
The case studies below provide in-depth investigations into each scenario, explaining how they could impact your privacy and security, as well as outlining how you can use the ExpressVPN Leak Testing Tools to evaluate your VPN’s effectiveness.
Tools: How do you test a VPN for leaks?
ExpressVPN Leak Testing Tools:
Rigorous, regular testing is key to ensuring a VPN service protects against leaks. As part of our investment into user privacy and security, ExpressVPN has developed an extensible suite of leak testing tools designed for both manual and automated regression testing.
While these tools were built to be used internally, we came to recognize they could be beneficial to improving privacy and security across the VPN industry as a whole. We have thus open-sourced them, enabling anyone to assess their risk of leaks and evaluate VPNs, as well as help the entire VPN industry raise its privacy and security standards.
These tools currently test for a number of different types of leaks, including:
- IP address leaks
- IP traffic leaks
- DNS leaks
- WebRTC leaks
- Bittorrent leaks
- Leaks resulting from unstable network connections
- Leaks resulting from VPN servers being unreachable
ExpressVPN will continue to evolve these tools and release new ones in the future.
To learn more about the tools and how to use them, visit our Leak Testing Tools page.
To download the tools from Github, click here.
Online leak tests:
For certain types of leaks, you can conduct simple tests with the following leak test pages developed by ExpressVPN:
We welcome researchers, academics, developers, and others to join us in our effort to improve privacy and security standards in the VPN industry. If you’d like to help improve and expand the leak testing tools, we'll be accepting contributions in the usual fashion via GitHub. If you’re interested in leakproofing and privacy and would like a more involved role, either as a collaborator or part- or full-time team member, please drop us a line at firstname.lastname@example.org and let us know.