Should you still trust ExpressVPN?
The recent acquisition of ExpressVPN by Kape Technologies, immediately followed by news of the company’s CIO, Daniel Gericke, being involved in a massive cyber-spying scandal, has led a lot of security experts and customers to question ExpressVPN’s reliability and commitment to online privacy.
While the company has decided to fully support its decisions and its employees, many things surrounding recent events remain unclear. While some are calling for pitchforks, others are still willing to give the company, which has been at the helm of providing personal online privacy to the end user since 2009, the benefit of the doubt.
The UAE hacking scandal
Three former US Intelligence Operatives, among them ExpressVPN CIO Daniel Gericke, admitted that they had indirectly helped the United Arab Emirates gain illegal access to US computer networks.
The trio, which also includes 34-year-old Ryan Adams and 49-year-old Marc Baier, worked in managerial positions for an unnamed company under contract with the UAE government.
“Despite being informed […] that their work for UAE CO, under the International Traffic in Arms Regulations, constituted a ‘defense service’ requiring a license from the State Department’s Directorate of Defense Trade Controls, the defendants proceeded to provide such services without a license. These services included the provision of support, direction, and supervision in the creation of sophisticated ‘zero-click’ computer hacking and intelligence gathering systems,” a section of the DoJ’s release read.
The three cut a deal with the US Department of Justice and will face no jail time. They were, instead, slapped with fines totaling $1.685 million and have been barred from obtaining US security clearance.
Gericke is to pay a fine of $335,000 for his role in rendering hacking services as per the deferred prosecution agreement.
But even as reproofs pile up in the aftermath of the state-sponsored hacking on behalf of the UAE government, Gericke continues to work as the CIO of ExpressVPN, a company that has dedicated itself to fighting for online privacy and security. Not only that, but the leading VPN provider has fully backed and continues to support its employee.
Notwithstanding his proven involvement in the hacking, ExpressVPN has thrown its weight behind Gericke, whose executive position and status will not change.
Through a corporate statement, the company noted that it had knowledge of Gericke’s history, and it was his background that made him the ideal candidate. ExpressVPN argued that they viewed his experience as beneficial and not a risk:
“We’ve known the key facts relating to Daniel’s employment history since before we hired him […]. In fact, it was his history and expertise that made him an invaluable hire for our mission to protect users’ privacy and security.”
Though it is a show of loyalty, from a consumer perspective the stance could just as well be interpreted as a betrayal of the 3+ million users of the VPN service.
ExpressVPN doesn’t appear to be fazed about painting a bad image that may harm its reputation. The VPN team insisted there was no cause for alarm while maintaining trust in the implicated executive in a detailed official response.
“While we in no way wish to diminish the sincerity of the concerns we’ve heard, we want to reassure you that we have considered them extensively and do not share them.”
ExpressVPN may be confident in its employees, but its users and some of the world’s leading cybersecurity experts don’t share this confidence.
The decision to defend Gericke attracted mixed reactions from the cybersecurity and privacy community, with many arguing that ExpressVPN should have taken action against him.
Notably, NSA whistleblower Edward Snowden asked ExpressVPN subscribers to stop using the VPN in reply to a tweet by Joseph Menn:
If you're an ExpressVPN customer, you shouldn't be. https://t.co/l8us92W0BQ
— Edward Snowden (@Snowden) September 16, 2021
John Scott-Railton, a researcher at the Citizen Lab in Toronto, called out the provider, concluding that the VPN scene is a mess and is in need of a shakeup.
WOW: @expressvpn knowingly hired a man that helped the UAE build its spy system…
…and help hack human rights defenders & target Americans.
Time for a shakeup: the VPN industry is a toxic, dangerous mess.
— John Scott-Railton (@jsrailton) September 15, 2021
ExpressVPN acquired by Kape Technologies
Another cause of concern among ExpressVPN users is the recent acquisition of the provider by U.K.-based cybersecurity firm Kape Technologies.
The $936 million deal was confirmed the day before the Department of Justice issued a statement on the UAE hacking scandal. ExpressVPN has become the latest in a long line of VPN providers acquired by Kape. These include Private Internet Access, CyberGhost, and ZenMate, along with several VPN review websites.
Kape Technologies, previously called Crossrider, is listed on the London Stock Exchange. The company’s past is far from clean as it is ill-famed for creating and benefitting from malware products.
The co-founders of the company also have a troubling past. One served as an Israeli surveillance officer, while the other was charged with insider trading a while back.
Although the new name covers the firm’s shady past to some extent, it still doesn’t cleanse it of malfeasance.
In response to the announcement of Kape Technologies reaching an agreement on an acquisition deal, David Maynor, who previously worked at Barracuda Networks, warned users to cease using the VPN and to avoid Kape Technologies as well:
To follow up on this it's worth noting that an exec for ExpressVPN was just charged with building a cyber espionage group for a foreign government. https://t.co/6L1pXSU34Y For safety reasons maybe skip ExpressVPN and Kape https://t.co/ZUCwyGtqYc
— David Maynor (@Dave_Maynor) September 15, 2021
Should you still trust ExpressVPN?
All of the news unfolding in the last few weeks has been gravely concerning.
Both the acquisition of ExpressVPN by a company that cybersecurity experts are reluctant to trust and the news about the company’s CIO that followed almost immediately after, as well as a lawsuit trying to force the provider to log and disclose user data, are doing ExpressVPN’s public image no favors.
At the same time, ExpressVPN has been one of the leading, as well as one of the oldest, VPN providers in the world, bringing personalized privacy and online security into the hands of the user. And as the VPN world keeps getting smaller day by day, users have very few options to switch to without ending up with the very same company that now owns ExpressVPN.
Personally, we would love to give ExpressVPN the benefit of the doubt. But trust has to go both ways. And we always stand with the rights to online freedom and anonymity of the user.