Signals of Trustworthy VPNs
An industry initiative with the Center for Democracy and Technology
When users choose a VPN, they are trusting the provider with their online privacy and security. We at ExpressVPN believe that everyone should have the information and guidance needed to evaluate whom they can trust, no matter which VPN service they ultimately select.
That’s why we’ve worked with the Center for Democracy and Technology—an independent non-profit organization that champions online civil liberties and human rights around the world—to develop a list of questions that VPN services should be able to answer to signal their trustworthiness. Together, we hope to raise standards across the industry and empower users to make more informed decisions when choosing a VPN—ultimately making the internet more private and secure for all.
We’ve published the questions and our answers below, which are also available on the CDT’s website.
Corporate Accountability & Business Model
What is the public facing and full legal name of the VPN service and any parent or holding companies? Do these entities have ownership or economic stakes in other VPN services, and if so, do they share user information? Where are they incorporated? Is there any other company or partner directly involved in operating the VPN service, and if so, what is its full legal name?
ExpressVPN is operated by Express VPN International Limited, a privately held British Virgin Islands company. ExpressVPN’s leadership team and owners are not involved in any other VPN company/brand or any business other than ExpressVPN.
While the company, its infrastructure, and its agreements with users all fall under BVI jurisdiction, ExpressVPN’s team is physically distributed across more than a dozen cities worldwide. In many cases we contract with local entities or subsidiaries to provide payroll services for staff that ExpressVPN hires. Our core functions like engineering, network operations, marketing, and customer service are performed by full-time, dedicated employees who work solely on ExpressVPN.
Does the company, or other companies involved in the operation or ownership of the service, have any ownership in VPN review websites?
No, neither Express VPN International Limited nor any related company owns a VPN review website.
What is the service’s business model (i.e., how does the VPN make money)? For example, is the sole source of the service’s revenue from consumer subscriptions?
ExpressVPN’s sole source of revenue is from consumer VPN subscriptions. We never sell user information or utilize the information that customers provide to us for any purpose other than operating the VPN service.
Privacy: Logging/Data Collection Practices and Responding to Law Enforcement
Does the service store any data or metadata generated during a VPN session (from connection to disconnection) after the session is terminated? If so, what data (including data from the client/VPN app, APIs, and VPN gateways)?
ExpressVPN’s apps and servers are engineered to categorically eliminate sensitive information. We do collect limited metadata to aid technical troubleshooting and service improvements, namely: operating systems and app versions successfully activated; dates (not times) when connected to the VPN service; choice of VPN server location (no IP addresses are ever stored); and the total amount (in MB) of data transferred per day. None of the above data enables ExpressVPN or anyone else to match an individual to specific network activity or behavior.
Does your company store (or share with others) any user browsing and/or network activity data, including DNS lookups and records of domain names and websites visited?
No, ExpressVPN never logs any user browsing or network activity data, and we go to great lengths to ensure such information never even hits a disk on any server. We run our own private, zero-knowledge DNS on every VPN server. And of course, as we do not possess any such activity data, we do not (and cannot) share it.
Do you have a clear process for responding to legitimate requests for data from law enforcement and courts?
Our first principle is that we never store any data that could match an individual to specific network activity or behavior. Thus, our process is to inform law enforcement that we do not possess logs of connections or user behavior that could associate a specific end user with an infringing IP address, timestamp, or destination. Not storing any sensitive information also protects user privacy and security in the event of law enforcement gaining physical access to servers. This was proven in a high-profile case in Turkey in which law enforcement seized a VPN server leased by ExpressVPN but could not find any server logs that would enable investigators to link activity to a user or even determine which users, or whether a specific user, were connected at a given time.
ExpressVPN is based in the British Virgin Islands, a jurisdiction with strong privacy legislation and no data retention requirements. Legally our company is only bound to respect subpoenas and court orders when they originate from the British Virgin Islands government or are made in conjunction with BVI authorities. The British Virgin Islands only upholds foreign governments’ requests for information when the crime under investigation would be punishable by at least a one-year prison sentence under BVI law (dual criminality provision).
Security Protocols and Protections
What do you do to protect against unauthorized access to customer data flows over the VPN?
ExpressVPN takes the following approach to ensuring the security of our systems and customers:
- Make systems very difficult to compromise.
- Minimize the potential damage if a system were to be compromised.
- Minimize the amount of time that a system can remain compromised.
- Validate these points with regular penetration tests, both internal and external.
Specifically for our VPN servers, here are some examples of measures we employ:
Making systems difficult to compromise:
- Fast patching, made possible through automatic provisioning and deployment
- Hardened OS and applications
- Training of employees
- Requiring multi-factor authentication, including YubiKey physical touches for commits and SSH access
- Hardening workstations, i.e. protecting devices used by employees by eliminating risks and threats
- Using bastion boxes for SSH access, which channel information between the internet and the internal network through a high-security intermediary
Strong security settings for the VPN:
- Secrets generated on the server itself
- Weak authentication protocols are disabled
- Strong encryption and hashes
- Perfect forward secrecy to ensure that compromised or stolen encryption keys do not affect the security of past or future communications (learn more in our related blog post)
- Clients strongly authenticate servers: clients expect both a signature from our CA and a specific common name for a given server; we can revoke server certificates in less than an hour (learn more in our related blog post)
- Requiring code reviews for all changes
- GitHub scanning for known vulnerabilities in dependencies
- External scanning for known vulnerabilities
- Static analysis tools running with every commit as part of our Continuous Integration process
- Audits by external security penetration testers
- Physical security of the team and infrastructure
Minimizing the potential damage stemming from a compromised server:
- Encrypted filesystem
- Services running with least privilege possible
- Authentication credentials are strongly hashed
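The "strongly hashed" credential point above is worth seeing in code. The following is an added example and is not ExpressVPN's code; it contrasts an unsalted single-pass SHA-256 (the weak form) with a salted, iterated PBKDF2-HMAC-SHA256 stored in a self-describing string and compared in constant time. The iteration count and salt length are assumptions chosen for illustration, and the storage format is a hypothetical one, not any product's.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for illustration; a real deployment tunes the iteration
# count to its hardware and revisits it over time.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM_TAG = "pbkdf2_sha256"


def weak_hash(password: str) -> str:
    """The form to avoid: unsalted, single-pass SHA-256.

    It is fast to brute-force offline, and two users with the same
    password get the same digest, which leaks that fact to anyone
    holding the credential store.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256.

    The result is a hypothetical "algo$iterations$salt$digest" string so
    the parameters travel with the record and can be upgraded later
    without breaking verification of older entries.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per credential
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{ALGORITHM_TAG}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_credential(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time.

    Malformed or unknown-format records are rejected rather than raising,
    so a corrupted entry cannot turn into an unexpected error path.
    """
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algo != ALGORITHM_TAG or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # hmac.compare_digest avoids leaking where the first differing byte is.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_credential("correct horse battery staple")
    print("stored record:", record)
    print("weak digest  :", weak_hash("correct horse battery staple"))
    print("verify ok    :", verify_credential("correct horse battery staple", record))
    print("verify bad   :", verify_credential("wrong password", record))
```

Two properties to notice when running it: hashing the same password twice yields different records because each call draws a fresh salt, and the weak form yields the identical digest every time. A migration from the weak form to the strong one can be done lazily, rehashing each credential at the user's next successful login.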
Limiting the length of time that a system can remain compromised:
- Notice any potential hack early: Intrusion detection, including integrity checks at boot
- Read-only disk image running in RAM only: the system does not write to disk, so neither data nor an intruder's access can persist across a reboot
- Frequent rebuilds of the OS to ensure servers are regularly patched and to prevent attackers from gaining persistence (learn more in our related blog post)
- Frequent reboots: since we boot into a read-only image with integrity checks, a reboot will clear most attempts at persistence
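The "integrity checks at boot" and read-only image points above rest on one simple mechanism: a signed or otherwise trusted manifest of expected file hashes, compared against what is actually on the image before services start. The following is an added example, not ExpressVPN's tooling, showing that comparison in plain Python over a constructed temporary tree: it reports modified, missing and unexpected files, and `demo()` tampers with its own sample tree to show each finding. File names and contents are constructed placeholders; how the manifest itself is protected (signature, measured boot) is out of scope here.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Record relative path -> SHA-256 for every regular file under root.

    In a real pipeline this runs at image build time and the result is
    signed; here it is just a dictionary.
    """
    manifest: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            manifest[rel] = sha256_file(full)
    return manifest


def check_integrity(root: str, manifest: Dict[str, str]) -> List[str]:
    """Compare the live tree against the manifest; an empty list means clean.

    Unexpected files are reported as well as changed ones, because a
    dropped file in a cron directory or a new binary is just as much a
    sign of tampering as a modified one.
    """
    current = build_manifest(root)
    findings: List[str] = []
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            findings.append(f"missing: {rel}")
        elif actual != expected:
            findings.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest:
            findings.append(f"unexpected: {rel}")
    return sorted(findings)


def demo() -> List[str]:
    """Constructed scenario: snapshot a tiny image, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "service.conf"), "w") as f:
            f.write("placeholder config line\n")
        with open(os.path.join(root, "bin_service"), "wb") as f:
            f.write(b"\x7fELF constructed placeholder binary\n")

        manifest = build_manifest(root)
        if check_integrity(root, manifest):
            raise RuntimeError("fresh tree should match its own manifest")

        # Simulate tampering: a modified binary, a deleted config, a new file.
        with open(os.path.join(root, "bin_service"), "ab") as f:
            f.write(b"tampered bytes")
        os.remove(os.path.join(root, "etc", "service.conf"))
        with open(os.path.join(root, "etc", "cron.d"), "w") as f:
            f.write("placeholder scheduled job\n")

        return check_integrity(root, manifest)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a read-only image the expected outcome of this check at every boot is an empty list; any finding is a reason to refuse to start services and to alert, which is what turns "frequent reboots" into a detection opportunity rather than just a cleanup.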
In general, security is ingrained in our culture. ExpressVPN’s reputation and long-term business success depend on protecting our customers. We believe we are both properly incentivized and capable of doing this well.
We maintain a library of content detailing various other measures for other parts of our service such as our website, API servers, and customer support team. For more information, please visit our Trust Center.
What other controls does the service use to protect user data?
We work to empower customers to protect their privacy and security in every aspect of what we do. In addition to those we’ve mentioned in previous answers, some other ways we do this include:
- Open-source leak testing tools, aimed at enabling reviewers and other third parties to independently verify leakproofing claims, providing insight into what our engineers work on to protect users, and raising the bar for the entire VPN industry.
- Acceptance of Bitcoin as payment for those seeking to increase their anonymity.
- Transparency and disclosure to users when things go wrong and we accidentally ship bugs in our software, through blog posts and other communications.
- Bug bounty program for any potential security vulnerabilities and privacy leaks.
- Extensive guides to general privacy and security matters on our website, including primers on tech safety for survivors of domestic violence, securing your mobile device, protecting your financial privacy, and more.
- Contributions to the VPN community, including helping to fund the Open Source Technology Improvement Fund (OSTIF)’s independent security audit of OpenVPN.
- Public advocacy for digital rights, including sponsoring and working with organizations such as OpenMedia (with whom we recently partnered to develop a Message-Your-MEP tool) and the EFF.