ExpressVPN Comes Out With New Transparency Initiative: 3rd Party Audit

Last updated on September 24, 2020

Having a privacy policy in place is all well and good but ensuring compliance with that policy is another thing entirely, which is why ExpressVPN asked PriceWaterhouseCoopers (PwC) to audit its privacy policy and confirm the application of fundamental privacy protections. While they were at it, ExpressVPN got them to check out their TrustedServer technology as well, establishing what impact this feature has on the service it delivers.

ExpressVPN certainly isn’t the first VPN to request an independent audit and it won’t be the last. The trend started a couple of years ago when TunnelBear approached Cure53 to perform a public security audit. The results weren’t all that great, but the fact that TunnelBear was willing to expose its vulnerabilities no doubt had a positive effect on its public image and reputation. It also meant, of course, that TunnelBear’s developers could tackle those vulnerabilities and improve the overall service.

Like TunnelBear’s, this latest independent audit of ExpressVPN is very much focused on privacy and security. While other VPNs, NordVPN and VyprVPN for example, have chosen to audit only their no-logging policy, the audit conducted by PwC covers this and much more about how ExpressVPN actually operates.

By examining the privacy policy itself, as well as the TrustedServer technology and actual compliance with the privacy policy, PwC’s audit is in-depth enough to address any concerns about ExpressVPN and its commitment to user privacy and security.

ExpressVPN approached PwC with a list of three criteria that it wanted to be audited:

  1. Its privacy policy and how it relates to the VPN service
  2. Its TrustedServer technology
  3. How it ensures all operations comply with its privacy policy

ExpressVPN’s Privacy Policy Audit

In announcing the results of the PwC audit, ExpressVPN pointed out that “PwC does not allow excerpts of their processes or conclusions to be shared, in order to ensure that the audit results are not taken out of context and misunderstood”.

Last year, however, when PwC performed an audit of NordVPN’s logging policy, the leaked audit report indicated that their procedures included both the inspection of sample configurations on its servers and the scrutiny of a sample of its log files. We can assume similar processes were used in PwC’s public security audit of ExpressVPN.

Indeed, according to the statement ExpressVPN released, it wanted PwC to verify its privacy claims and assess the accuracy of those claims in terms of how the servers operate and how this protects user privacy.

In effect, ExpressVPN asked PwC to do for it what Turkish authorities unwittingly did for it a couple of years ago. Those of you who remember that far back will recall that, at the end of 2017, despite cooperating with the authorities, ExpressVPN was unable to assist law enforcement officials with information regarding one of its users, simply because it didn’t have any.

As ExpressVPN stated at the time, “ExpressVPN does not and has never possessed any customer connection logs that would enable us to know which customer was using the specific IPs cited by the investigators. Furthermore, we were unable to see which customers accessed Gmail or Facebook during the time in question, as we do not keep activity logs”.

That’s not to say that ExpressVPN keeps no logs at all; in fact, most VPNs are forced to collect some information simply to ensure the smooth operation of their services. As ExpressVPN explains, “We collect minimal usage statistics to maintain our quality of service”. In other words, it will monitor the following:

  1. Which app version is in use
  2. Whether a user established a successful VPN connection on any given day, the location of the VPN server used and from which country they connected
  3. The aggregate amount of data transferred

None of this information can identify an individual user, their online activities, or their original IP address, but it can help ExpressVPN ensure that technical support troubleshooting is effective and that no single user is consuming so much data that it has a negative impact on other users.

All sounds pretty innocent so far, but let’s see if the TrustedServer Technology really is all it’s cracked up to be.

Is ExpressVPN’s TrustedServer to be Trusted?

ExpressVPN’s TrustedServer technology was released earlier this year, transforming the traditional architecture of a VPN server network. It turns its back on the conventional hard drives that servers normally read from and write to, and instead rebuilds every server so that it runs entirely from volatile RAM.

The idea behind this move was primarily security motivated and, by ending the use of hard drives, ExpressVPN has been able to reduce the risk of sensitive user data falling into the wrong hands. RAM needs power in order to store data so, if that power source is turned off, all the information disappears with it. When it’s turned back on again, the system is all clean and fresh and ready to start all over again with no prior knowledge of what was there before. A little like my dog in fact!

When a server powers up, it loads only the latest read-only image, which contains the entire software stack and the operating system. This image is also signed, and the server will only load it with the correct cryptographic signature.

TrustedServer also ensures complete software consistency across the international server network. In other words, each of ExpressVPN’s 3,000+ servers will always be using the same software, have the same patches in place and will be configured for optimum performance and security at all times. This reduces the possibility of vulnerabilities and misconfigurations and streamlines system maintenance.
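As an added illustration of the two boot-time properties described above (not ExpressVPN’s own code; the ed25519 release key, the `bootImage` type and the fleet digest comparison are assumptions made for this example), the following Go program refuses to load an image whose signature does not verify under the pinned release key, and flags any server whose image digest differs from the expected release:

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// bootImage models the read-only image a RAM-only server loads at power-up;
// Contents is a constructed stand-in for the real software stack.
type bootImage struct {
	Contents  []byte
	Signature []byte // ed25519 signature over Contents (assumed scheme)
}

// signImage is the release-time step: sign the image once with the private release key.
func signImage(priv ed25519.PrivateKey, contents []byte) bootImage {
	return bootImage{Contents: contents, Signature: ed25519.Sign(priv, contents)}
}

// verifyImage is the boot-time gate: load only if the signature verifies under the
// pinned public key, so a modified image never comes up.
func verifyImage(pub ed25519.PublicKey, img bootImage) bool {
	return ed25519.Verify(pub, img.Contents, img.Signature)
}

// imageDigest fingerprints an image so builds can be compared across the fleet.
func imageDigest(img bootImage) [sha256.Size]byte { return sha256.Sum256(img.Contents) }

// fleetConsistent reports whether every running server matches the expected release
// digest, the property that keeps all servers on identical software and patches.
func fleetConsistent(expected [sha256.Size]byte, running []bootImage) bool {
	for _, img := range running {
		if imageDigest(img) != expected {
			return false
		}
	}
	return true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // hypothetical release key pair; nil reader selects crypto/rand
	release := signImage(priv, []byte("constructed software stack v1"))
	tampered := bootImage{Contents: []byte("constructed stack v1 (modified)"), Signature: release.Signature}
	fmt.Println("release verifies:", verifyImage(pub, release))   // true
	fmt.Println("tampered verifies:", verifyImage(pub, tampered)) // false
	fmt.Println("fleet consistent:", fleetConsistent(imageDigest(release), []bootImage{release, tampered})) // false
}
```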

How ExpressVPN complies with its privacy policy

Privacy policies rarely make for a gripping read and less scrupulous VPN providers have used complex legalese to make their policies sound more appealing than they really are. The best privacy policies are those that are simple enough to understand and which explain exactly what information is collected and why. Of course, this is only one aspect of a privacy policy and how a company actually ensures it complies with the key elements is as important as the policy itself.

Many VPN providers have even relocated to different countries to ensure they can deliver the terms set out in their privacy policies. ExpressVPN, for example, opted for the British Virgin Islands as its base because it has no mandatory data retention laws that may conflict with the terms set out in its no-logging privacy policy.

ExpressVPN goes quite a lot further than that in terms of ensuring none of the information specified as not being logged gets accidentally accessed or stored somewhere. As it declared in its pre-audit statement, ExpressVPN’s “servers are designed and configured to prevent logging of anything… that would contradict our privacy policy”.

For example, rather than using an email address to log in, users are allocated a random username and password that “are unrelated to the credentials used to login to the ExpressVPN website”. Although we can’t access PwC’s audit report, we can safely say that its servers were audited to confirm its compliance with its own privacy policy.

Does this Audit Tell Us Everything?

To be fair, ExpressVPN doesn’t pull any punches when it comes to privacy and a trip to its Trust Center should be enough to convince most people that this is a dependable and transparent cybersecurity service committed to user privacy.

You can’t please all of the people all of the time, however, and there’ll always be a few naysayers around. This rings true for ExpressVPN’s latest transparency initiative as well, and some are saying its decision to approach PwC was born more out of the desire to perform an eye-catching publicity stunt than out of an honest attempt to prove the efficacy of its service and its privacy policy compliance.

Others are saying that a security audit of a VPN isn’t as important as a no-logging audit, as the latter “ensures that their data privacy claims are true”. While we may not be able to see the actual audit report itself, from ExpressVPN’s statement to PwC it’s abundantly clear that one of the things it wanted audited was compliance with the company’s no-logging and privacy policies, even if that isn’t always included in a security audit.

So, is there anything we might want to know about ExpressVPN that isn’t covered in the PwC audit? To be honest, not really. If you were curious about the security of its browser extensions, that was covered earlier in the year with a separate audit by Cure53. If you want to know anything else, you can visit its Trust Center or head over to the Center for Democracy and Technology (CDT) and see what they have to say about ExpressVPN.

Is this ExpressVPN’s First Transparency Initiative?

ExpressVPN really does seem to take privacy seriously and last year joined with CDT to create a new transparency initiative that would hopefully encourage other VPNs to commit to similar standards of responsible disclosure.

By compiling a list of questions concerning VPN providers’ privacy practices, security protocols, protections, corporate accountability, and business models, the CDT was determined to give users access to the information they need to adequately assess and compare different VPN services.

Despite it being nine months since the CDT launched its Signals of a Trustworthy VPN survey, only six VPNs have opted to answer the questions, which doesn’t reflect very well on the VPN industry but does give those six service providers a bit of extra kudos. Of course, ExpressVPN is there, along with other well-known VPNs like TunnelBear and VyprVPN. The likes of CyberGhost and NordVPN are conspicuous in their absence, however, making us wonder if they don’t have something to hide.

ExpressVPN published its answers to the CDT survey on its own site, but the answers of all six participating VPN providers are available on the CDT website. Probing questions into exactly how a VPN makes its money and exactly how it protects customer data against unauthorized access force participants to share information that directly affects their users.

For example, if a VPN isn’t charging for its services, where is it getting an income from? A few years ago, several free VPNs were discovered to be using their customers as a product, selling users’ bandwidth and data to other users. According to the CDT, a service’s business model should suggest that “a VPN’s users are its actual customers rather than its product”.

It’s a great initiative and one that empowers the user – it’s only a shame it hasn’t been embraced by more VPN providers. This reflects the general state of affairs with VPNs, which is precisely why the likes of ExpressVPN are keen to boost transparency and introduce means by which a VPN can prove its reliability.

Opting for a no-logging VPN is sensible but opting for an audited no-logging VPN is seriously smart. Just as most of us can’t see inside a padlock to establish just how robust its mechanism is, neither can we see into a VPN to establish just what kind of a job it’s doing in terms of keeping us and our data secure. It’s only by VPNs wearing their hearts on their sleeves that we can begin to compare them based on clear-cut criteria relating to how they process and handle sensitive data.

As vice-president, Harold Li, stated, ExpressVPN believes “in earning that trust through transparency”. He went on to explain that the audit was requested in order to “provide verification of the privacy and security commitments we make to customers”. While ExpressVPN is by no means the only VPN provider looking to make its services more transparent and trustworthy, it’s certainly leading the way and we hope to see more VPNs jump on the bandwagon in the near future.

The latest transparency initiative from ExpressVPN proves its tireless commitment to providing the business model, technology, and documentation required to give its users complete peace of mind. When viewed alongside its participation in the CDT initiative last year and its Cure53 audit earlier this year, it paints a clear picture of a leading VPN that seems to be motivated by privacy rather than profit.
