ExpressVPN explained

ExpressVPN
Logo Alt:Logo of ExpressVPN
Developer:Kape Technologies
Type:Virtual private network service
Platform:
Operating System:
Status:Active

ExpressVPN is a VPN service that offers privacy and security software that encrypts users' web traffic and masks their IP addresses.[1] It is offered by a Hong Kong-based company[2] registered in the British Virgin Islands as Express Technologies Ltd.[3]

As of September 2021, ExpressVPN is owned by Kape Technologies[4] [5] and reportedly has 4 million users.[6]

History

ExpressVPN was founded in 2009 by Peter Burchhardt and Dan Pomerantz, two serial entrepreneurs who were also Wharton School alumni.[7]

On January 25, 2016, ExpressVPN announced that it would soon roll out an upgraded CA certificate.[8] Later that December, they also released open source leak testing tools on GitHub.[9]

In July 2017, ExpressVPN announced in an open letter -- and later a public statement by Apple, that Apple had removed all VPN apps from its App Store in China, a revelation that was later picked up by The New York Times and other outlets.[10] [11] [12] In response to questions from U.S. Senators, Apple stated it removed the VPNs due to a request from the Chinese government.[13] In December, ExpressVPN came into the spotlight in relation to the investigation of the assassination of Russian ambassador to Turkey, Andrei Karlov. Turkish investigators seized an ExpressVPN server which they say was used to delete relevant information from the assassin's Gmail and Facebook accounts.[14] [15] Turkish authorities were unable to find any logs to aid their investigation, which the company said verified its claim that it did not store user activity or connection logs, adding, "while it's unfortunate that security tools like VPNs can be abused for illicit purposes, they are critical for our safety and the preservation of our right to privacy online. ExpressVPN is fundamentally opposed to any efforts to install 'backdoors' or attempts by governments to otherwise undermine such technologies."[16]

In December 2019, ExpressVPN became a founding member of the VPN Trust Initiative, an advocacy group for online safety of consumers.[17]

In May 2020, the company released a new protocol it developed for ExpressVPN called Lightway, designed to improve connectivity speeds and reduce power consumption.[18] In October, Yale Privacy Lab founder Sean O'Brien joined the ExpressVPN Digital Security Lab to conduct original research in the areas of privacy and cybersecurity.[19]

On April 28, 2022, Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology issued a new directive that asked the VPN providers to collect and store user data for up to five years.[20] [21] In response to the new VPN rules that require private network providers to store user information, ExpressVPN announced it would move its India-based servers to Singapore and the UK.[22] On June 2, 2022, ExpressVPN officially announced that it "refuses to participate in the Indian government's attempts to limit internet freedom."[23]

In 2023, the ExpressVPN app launched on Apple TV.[24] [25]

Acquisition by Kape Technologies

On September 13, 2021, it was reported that ExpressVPN had been acquired by Kape Technologies, an LSE-listed digital privacy and security company.[26] [27] At the time of the acquisition, ExpressVPN reportedly had over 3 million users. ExpressVPN announced in September 2021 that it would remain a separate service from existing Kape brands.[28]

In May 2023, Kape Technologies was delisted from the LSE in a transaction by Unikmind Holdings Limited, a company owned by the Israeli and Cypriot businessman Teddy Sagi.[29]

Daniel Gericke charges

In September 2021, ExpressVPN CIO Daniel Gericke paid a $335,000 fine for previously carrying out computer network exploitation on behalf of the U.A.E. government without having a valid export license from the US government.[30] [31] [32]

DNS request leaks

In February 2024, it was revealed ExpressVPN software had for years contained a bug that exposed the domains users were visiting. The bug was present in ExpressVPN Windows versions published between May 19, 2022, and February 7, 2024, affecting those using the split tunneling feature.[33]

Features

ExpressVPN has released apps for Windows, macOS, iOS, Android, Linux, and routers.[34] The apps use a 4096-bit CA, AES-256-CBC encryption, and TLSv1.2 to secure user traffic.[35] Available VPN protocols include Lightway, OpenVPN (with TCP/UDP), SSTP, L2TP/IPSec, and PPTP.[36]

The software also features a Smart DNS feature called MediaStreamer, to add VPN capabilities to devices that do not support them, and a router app, allowing the VPN to be set up on a router, bypassing unsupported devices such as gaming consoles.[37]

ExpressVPN is incorporated in the British Virgin Islands, a country that has no data retention laws, and is a separate legal jurisdiction to the United Kingdom.[38]

ExpressVPN's parent company also develops leak testing tools, which enable users to determine if their VPN provider is leaking network traffic, DNS, or true IP addresses while connected to the VPN, such as when switching from a wireless to a wired internet connection.[39]

In December 2021, ExpressVPN modified its product to protect against Log4Shell, updating its VPN to automatically block all outgoing traffic on ports used by LDAP.[40]

In January 2022, ExpressVPN launched Parallel Connections, a backend feature which simultaneously runs multiple methods of connecting a user to a given server, automatically picking the one that connects a user first.[41]

ExpressVPN launched Aircove, a Wi-Fi 6 router that includes a built-in VPN, in September 2022. Aircove permits speeds up to 1,200 Mb/s (600 Mb/s for 2.4 GHz and 1,200 Mb/s for 5 GHz), covers areas up to 1,600 sq feet, and offers a quad-core 64-bit processor.[42] [43]

TrustedServer

In April 2019, ExpressVPN announced that all their VPN servers ran solely on random-access memory (RAM), without the need of hard disk drives. In theory, as soon as a computer is shut down, all information on the server vanishes and cannot be recovered; the next time the server reboots, a fresh version of the VPN infrastructure is spawned. This was the first example in the VPN industry for such a server security setup, and was referred to as TrustedServer.[44]

In February 2022, ExpressVPN announced a $100,000 bug bounty for anyone who was able to hack its in-house technology, TrustedServer.[45]

As of August 2022, ExpressVPN's server network covered 94 countries.[46]

Lightway protocol

Lightway is ExpressVPN's open source VPN protocol. Launched in 2020, it is similar to the WireGuard protocol, but uses wolfSSL encryption to improve speed on embedded devices such as routers and smartphones. It does not run in the operating system's kernel, but is lightweight to support auditing. It is reportedly 2.5x as fast as OpenVPN and other older protocols, improves reliability by 40%, and supports TCP and UDP.[47]

In August 2021, ExpressVPN announced the full public release of Lightway as well as full open-sourcing of Lightway's code.[48]

Research

In 2020, ExpressVPN announced its new digital security research initiative Digital Security Lab, which investigates digital rights and security issues while educating consumers.[49]

In 2021, Digital Security Lab released a new report that examined data collection practices in apps for opioid addiction and recovery. Research found that the large majority of all these apps provided third parties, including Facebook, Stripe, Inc., and Google, access to user data.[50] [51] In a similar 2021 study, Digital Security Lab analyzed 450 apps and found that all studied apps contained questionable location trackers.[52] Digital Security Lab also conducted a study on Generation Z’s mental health, finding that 86% of Gen Z participants perceived that social media had a direct impact on their happiness.[53]

A 2022 survey on remote workers found that 78% of employers digitally monitor their employees without staff knowledge.[54]

See also

External links

Notes and References

  1. Web site: VA Technical Reference Model v 23.11. U.S. Department of Veterans Affairs. en. December 30, 2023.
  2. Tomchick, C. (2021, March 11). Chinese vpns are recording world data on a massive scale.
  3. Web site: BVI-based Express VPN adds Bermuda server to network. November 2, 2023.
  4. Web site: Privacy is Our Priority. kape.com. live. https://web.archive.org/web/20220103071543/https://www.kape.com. January 3, 2022. March 3, 2022.
  5. News: reuters.com. live. Kape Technologies buys ExpressVPN for $936 million. 13 September 2021 . https://web.archive.org/web/20210913155922/https://www.reuters.com/technology/kape-technologies-buys-expressvpn-936-mln-2021-09-13. September 13, 2021. March 3, 2022.
  6. Web site: live. We've reached 4 million active subscribers!. Expressvpn blog. en. https://www.expressvpn.com/blog/4-million-subscribers. January 20, 2023. January 26, 2023.
  7. Web site: VPN's coming-of-age: A discussion with the ExpressVPN co-founders. August 11, 2021. October 23, 2020. TechRadar.
  8. Web site: ExpressVPN's response to the 1024-bit CA key blog post. ExpressVPN. January 25, 2016. live. https://web.archive.org/web/20180104005232/https://www.expressvpn.com/blog/ca-key-response. January 4, 2018.
  9. Web site: ExpressVPN Privacy Research Lab. May 30, 2018. www.expressvpn.com. en.
  10. News: Apple removes VPN Apps from China App Store. July 29, 2017. ExpressVPN. April 17, 2018. en-US.
  11. News: Apple defends complying with China. Lee. Dave. August 2, 2017. BBC News. April 17, 2018. en-GB.
  12. News: Apple Removes Apps From China Store That Help Internet Users Evade Censorship. Mozur. Paul. July 29, 2017. The New York Times. April 17, 2018. en-US. 0362-4331.
  13. Web site: Letter from Cynthia C. Hogan, Vice President at Apple, to Senators Ted Cruz and Patrick Leahy. Hogan. Cynthia C.. November 21, 2017. U.S. Senator Patrick Leahy of Vermont. April 17, 2018. October 11, 2019. https://web.archive.org/web/20191011020012/https://www.leahy.senate.gov/imo/media/doc/Apple%2011212017.pdf. dead.
  14. Web site: Social media posts, e-mails of Turkish policeman who killed Russian ambassador deleted via virtual computer. April 17, 2018. Hürriyet Daily News. 18 December 2017 . en.
  15. News: 2017-12-19. New evidence links exiled Turkish cleric to Russian envoy's assassin. en. Arab News. April 17, 2018.
  16. News: December 19, 2017. ExpressVPN statement on Andrey Karlov investigation. en-US. ExpressVPN.com/blog. April 17, 2018.
  17. Web site: Industry-Leading i2Coalition Launches 'VPN Trust Initiative' for Promoting Internet Safety. Technadu. en. December 9, 2019. August 11, 2021.
  18. Web site: ExpressVPN Lightway wants to make internet connectivity faster. July 28, 2021. May 6, 2020. All Things Secured.
  19. Web site: ExpressVPN teams up with Yale researcher to kickstart new digital security initiative. TechRadar. October 29, 2020. August 11, 2021.
  20. Web site: April 28, 2022. Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet. live. https://web.archive.org/web/20220429055040/http://cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf. April 29, 2022. June 3, 2022. Indian Computer Emergency Response Team.
  21. Web site: CERT-In issues directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet. live. https://web.archive.org/web/20220428090833/http://pib.gov.in/PressReleasePage.aspx?PRID=1820904. April 28, 2022. June 3, 2022. Press Information Bureau.
  22. News: Ahmed. Nabeel. ExpressVPN moves India servers out of the country to ensure privacy, service continuity. live. https://web.archive.org/web/20220602111120/https://www.thehindu.com/sci-tech/technology/expressvpn-moves-india-servers-out-of-the-country-to-ensure-privacy-service-continuity/article65487265.ece/amp. June 2, 2022. June 3, 2022. The Hindu. 2 June 2022 .
  23. Web site: June 2, 2022. Rejecting data demands, ExpressVPN removes VPN servers in India. June 3, 2022. ExpressVPN.
  24. Web site: The Apple TV just got its first big native VPN app. The Verge. December 4, 2023. Wes Davis. December 30, 2023.
  25. Web site: ExpressVPN Releases Apple TV App: Our Hands-On Impressions. CNET. December 9, 2023. Attila Tomaschek. December 30, 2023.
  26. News: September 13, 2021 . Kape Technologies Agrees to Buy ExpressVPN for $936 Million . December 2, 2021 . . en.
  27. Web site: September 13, 2021 . Kape Technologies buys ExpressVPN for $936 mln . September 14, 2021 . Reuters . en.
  28. Web site: September 16, 2021 . ExpressVPN to join Kape to strengthen push for privacy . September 16, 2021 . ExpressVPN . en.
  29. Web site: Successful public offer by Teddy Sagi for Kape Technologies . 2024-04-26 . Successful public offer by Teddy Sagi for Kape Technologies . en.
  30. Web site: September 14, 2021 . Three Former U.S. Intelligence Community and Military Personnel Agree to Pay More Than $1.68 Million to Resolve Criminal Charges Arising from Their Provision of Hacking-Related Services to a Foreign Government . September 25, 2021 . Department of Justice . en.
  31. Web site: September 15, 2021 . Ex-U.S. intel operatives admit hacking American networks for UAE . September 19, 2021 . Reuters . en.
  32. Web site: ExpressVPN CIO Helped United Arab Emirates Hack Into Phones, Computers . 2022-12-04 . PCMAG . en.
  33. Web site: ExpressVPN bug has been leaking some DNS requests for years . 2024-04-26 . BleepingComputer . en-us.
  34. News: ExpressVPN Review - Impressive Speeds, But One Small Drawback. RestorePrivacy.com. March 8, 2018. May 17, 2018. en-US.
  35. News: Which VPN Services Keep You Anonymous in 2018? - TorrentFreak. March 4, 2018. TorrentFreak.com. May 30, 2018. en-US.
  36. Web site: Which VPN protocol is best?. September 30, 2020. ExpressVPN.com.
  37. Web site: Castro . Chiara . February 24, 2022 . ExpressVPN MediaStreamer: what is it and how to use it . February 12, 2024 . TechRadar.
  38. Web site: ExpressVPN review: This speedy VPN is worth the price. November 19, 2020. August 11, 2021. CNET.com.
  39. Web site: New Open Source Tools Test for VPN Leaks LinuxInsider. linuxinsider.com. 13 December 2017 . en. May 30, 2018.
  40. Web site: Log4j is patched, but the exploits are just getting started. Verge. December 16, 2021. Corin Faife. August 7, 2022.
  41. Web site: ExpressVPN Introduces New Functionality on iOS Called 'Parallel Connections'. TechNadu. January 29, 2022. Novak Bozovic. August 5, 2022.
  42. Web site: ExpressVPN Launches First Hardware Wi-Fi 6 Router With Built-In VPN Protection. Forbes. September 22, 2022. Mark Sparrow. October 16, 2022.
  43. Web site: ExpressVPN Launches First Wi-Fi 6 Router With Built-In VPN. CNET. September 29, 2022. Rae Hodge. October 16, 2022.
  44. News: ExpressVPN inches closer to a 100% secure server with TrustedServer initiative. TechRadar.com. September 30, 2020.
  45. Web site: ExpressVPN offering $100,000 to first person who hacks its servers. Bleeping Computer. February 8, 2022. Bill Toulas. August 7, 2022.
  46. Web site: How does ExpressVPN work? Plus how to set it up and use it. ZDNet.com. en. August 17, 2021. September 25, 2021.
  47. News: ExpressVPN's Lightway protocol out of beta and available to all. en. Tech Advisor. August 10, 2021. September 25, 2021.
  48. Web site: ExpressVPN open-sources Lightway protocol and unveils security audit results. TechRadar. August 10, 2021. Mike Williams. August 7, 2022.
  49. Web site: ExpressVPN teams up with Yale researcher to kickstart new digital security initiative. Tech Radar. October 29, 2020. Anthony Spadafora. September 3, 2022.
  50. Web site: The struggle to make health apps truly private. Vox. July 12, 2021. Sara Morrison. September 3, 2022.
  51. Web site: Opioid addiction treatment apps found sharing sensitive data with third parties. July 7, 2021. Carly Page. September 3, 2022.
  52. Web site: These dating apps are tracking your location. ZDNET. February 12, 2021. Eileen Brown. September 3, 2022.
  53. Web site: Most Americans feel lonelier than ever despite social networking platforms. ZDNET. December 15, 2021. Eileen Brown. September 3, 2022.
  54. Web site: Why 78% Of Employers Are Sacrificing Employee Trust By Spying On Them. Forbes. March 15, 2022. Mark Perna. September 3, 2022.