A good VPN keeps you safe and secure. It prevents your IP-address from being broadcasted over the Internet.
However, how secure is your VPN really? Does it keep any logs that can hurt your anonymity, for example?
Every year we ask the leading VPN providers some tough questions to provide prospective users with all the info they need. Here are the responses we received from ExpressVPN in 2021.
TF: Do you keep (or share with third parties) ANY data that would allow you to match an IP-address and a timestamp to a current or former user of your service? If so, exactly what information do you hold/share and for how long?
ExpressVPN: No, ExpressVPN doesn’t keep any connection or activity logs, including never logging browsing history, data content, DNS requests, timestamps, source IPs, outgoing IPs, or destination IPs. This ensures that we cannot ascertain whether a given user was connected to the VPN at a certain time, assumed a particular outgoing IP address, or generated any specific network activity. It is not possible to match a user to data points that we never possess. We have carefully engineered our apps and VPN servers to categorically eliminate any such sensitive information. For more details on how we do this, as well as how we protect user privacy and security in general, visit the ExpressVPN Trust Center.
TF: What is the name under which your company is incorporated (+ parent companies, if applicable) and under which jurisdiction does your company operate?
Express VPN International Ltd is a British Virgin Islands (BVI) company. Being under BVI jurisdiction helps to protect user privacy, as the BVI has no data retention laws, is not party to any 14 Eyes intelligence sharing agreements, and has a dual criminality provision that safeguards against legal overreach.
TF: What tools are used to monitor and mitigate abuse of your service, including limits on concurrent connections if these are enforced?
ExpressVPN: To protect our customers’ privacy, we do not monitor or log any user activity on our network. We do however reserve the right to block specific abusive traffic to protect the server network and other ExpressVPN customers. With regards to limits on the number of devices simultaneously connected, no timestamps or IP addresses are ever logged; our systems are merely able to identify how many active sessions a given license has at a given moment in time and use that counter to decide whether a license is allowed to create one additional session. This counter is temporary and is not tracked over time.
TF: Do you use any external email providers (e.g. Google Apps), analytics, or support tools ( e.g Live support, Zendesk) that hold information provided by users?
TF: In the event you receive a DMCA takedown notice or a non-US equivalent, how are these handled?
ExpressVPN: As we do not keep any data or logs that could link specific activity to a given user, ExpressVPN does not identify or report users as a result of DMCA notices. User privacy and anonymity are always preserved.
TF: What steps would be taken in the event a court orders your company to identify an active or former user of your service? How would your company respond to a court order that requires you to log activity for a user going forward? Have these scenarios ever played out in the past?
Our first principle is that we never store any data that could match an individual to specific network activity or behavior. Thus, we may only inform law enforcement that we do not possess logs of connections or user behavior that could associate a specific end user with an infringing IP address, timestamp, or destination. Not storing any sensitive information also protects user privacy and security in the event of law enforcement gaining physical access to servers. This was proven in a high-profile case in Turkey in which law enforcement seized a VPN server leased by ExpressVPN but could not find any server logs that would enable investigators to link activity to a user or even determine which users, or whether a specific user, were connected at a given time.
Legally our company is bound to respect subpoenas and court orders when they originate from the British Virgin Islands government or in conjunction with BVI authorities via a mutual legal assistance treaty. Regarding a demand that we log activity going forward: Were anyone ever to make such a request, we would refuse to re-engineer our systems in a way that infringes on the privacy protections that our customers trust us to uphold.
TF: Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why? Do you provide port forwarding services? Are any ports blocked?
ExpressVPN: We do not believe in restricting or censoring any type of traffic. ExpressVPN allows all traffic, including BitTorrent and other file-sharing traffic (without rerouting), from all of our VPN servers. At the moment, we do not support port forwarding.
TF: Which payment systems/providers do you use? Do you take any measures to ensure that payment details can’t be linked to account usage or IP-assignments?
ExpressVPN: ExpressVPN accepts all major credit cards, PayPal, and a large number of local payment options. We also accept Bitcoin, which we recommend for those who seek maximum privacy with relation to their form of payment. As we do not log user activity, IP addresses, or timestamps, there is no way for ExpressVPN or any external party to link payment details entered on our website with a user’s VPN activities.
TF: What is the most secure VPN connection and encryption algorithm you would recommend to your users?
ExpressVPN: ExpressVPN accepts all major credit cards, PayPal, and a large number of local payment options. We also accept Bitcoin, which we recommend for those who seek maximum privacy with relation to their form of payment. As we do not log user activity, IP addresses, or timestamps, neither ExpressVPN nor any external party can link payment details entered on our website with a user’s VPN activities, including IP assignments.
TF: Do you provide tools such as “kill switches” if a connection drops and DNS/IPv6 leak protection? Do you support Dual Stack IPv4/IPv6 functionality?
ExpressVPN: Yes, our Network Lock feature, which is turned on by default, prevents all types of traffic including IPv4, IPv6, and DNS from leaking outside of the VPN, such as when your internet connection drops or in various additional scenarios where other VPNs might leak. We do not currently support IPv6 routing through the VPN tunnel.
ExpressVPN also protects users from data leaks in a number of ways; our leak protection and open-source leak testing tool suite are detailed on our Digital Security Lab page.
TF: Are any of your VPN servers hosted by third parties? If so, what measures do you take to prevent those partners from snooping on any inbound and/or outbound traffic? Do you use your own DNS servers?
Our VPN servers are hosted in trusted data centers with strong security practices, where the data center employees do not have server credentials. Leased vs co-located is not the salient factor in determining security.
For example, most modern servers, whether they are leased or co-located, support IPMI (Intelligent Platform Management Interface) or similar tools to enable remote deployment and management. They need to be securely configured, patched, and managed. The salient question is whether and how a VPN provider manages their infrastructure to ensure that the threat of entry via IPMI is well mitigated. Beyond reducing and hardening IPMI’s attack surface, another important class of mitigations is ensuring that the potential damage from an IPMI-compromise is minimal.
The efforts we take to secure our VPN server infrastructure are extensive and include:
With our proprietary TrustedServer technology, we reinstall the entire VPN server software stack from scratch with every reboot, ensuring we have complete confidence in what software is running on each of our servers and that no unauthorized software or backdoors can persist on these servers. This also improves our ability to ensure the latest security patches are deployed rapidly and consistently across our VPN server network.
With TrustedServer, our VPN servers run in RAM only, ensuring that all data is wiped when a server is powered down, and that no data is written to disk.
We use unique keys per server, so even if one server were compromised, it could not be used to impersonate others. These keys are not stored on the hard disk and are only loaded on servers into memory after each reboot when our TrustedServer technology has ensured that server has been securely set up and configured. We do not store master keys or website keys on servers.
We have carefully engineered our apps and VPN servers to categorically eliminate sensitive information. We do not collect connection logs, activity logs, or any other information that could enable us or anyone else to match an individual user to specific network activity or behavior.
We developed a verification system that sharply reduces the risk that a compromised individual or machine could inadvertently distribute malware to our customers. (This is especially relevant with the recent news around how SolarWinds shipped a malware-laced update to its 18,000 customers.) PwC Switzerland also conducted an independent audit to validate these safeguards.
We run our own logless DNS on every server, meaning no personally identifiable data is ever stored. We do not use third-party DNS.
TF: In which countries are your servers physically located? Do you offer virtual locations?
ExpressVPN: ExpressVPN has over 3,000 servers in 94 countries. For more than 97% of these servers, the physical server and the associated IP addresses are located in the same country—a physical footprint covering every continent save Antarctica, ensuring there are server locations near all users. For countries where it is difficult to find servers that meet ExpressVPN’s rigorous standards for server security, reliability, and speed, we use virtual locations to still make it possible for users to assume IP addresses registered to such countries. These locations represent less than 3% of ExpressVPN’s server count, and the specific countries are published on our website here.