Company attributes
Other attributes
ExpressVPN is a VPN service offered by the British Virgin Islands-registered company Express Technologies Ltd. The software is marketed as a privacy and security tool that encrypts users' web traffic and masks their IP addresses.
In September 2021, it was reported that the service was being used by 3 million users. Also in September 2021, ExpressVPN was purchased by software developer Kape Technologies, formerly Crossrider, an adware platform. Kape also owns other VPN services and cybersecurity tools.
ExpressVPN's parent company, Express VPN International Ltd, was founded in 2009 by Peter Burchhardt and Dan Pomerantz, two serial entrepreneurs who were also Wharton School alumni. The parent company does business as ExpressVPN.
On January 25, 2016, ExpressVPN announced that it would soon roll out an upgraded CA certificate. Also in December, ExpressVPN released open source leak testing tools on GitHub.
In July 2017, ExpressVPN announced in an open letter that Apple had removed all VPN apps from its App Store in China, a revelation that was later picked up by The New York Times and other outlets. In response to questions from U.S. Senators, Apple stated it had removed 674 VPN apps from the App Store in China in 2017 at the request of the Chinese government. In December, ExpressVPN came into the spotlight in relation to the investigation of the assassination of Russian ambassador to Turkey, Andrei Karlov. Turkish investigators seized an ExpressVPN server which they say was used to delete relevant information from the assassin's Gmail and Facebook accounts. Turkish authorities were unable to find any logs to aid their investigation, which the company said verified its claim that it did not store user activity or connection logs, adding; "while it's unfortunate that security tools like VPNs can be abused for illicit purposes, they are critical for our safety and the preservation of our right to privacy online. ExpressVPN is fundamentally opposed to any efforts to install 'backdoors' or attempts by governments to otherwise undermine such technologies."
In December 2019, ExpressVPN became a founding member of the VPN Trust Initiative, an advocacy group for online safety of consumers.
In May 2020, the company released a new protocol it developed for ExpressVPN called Lightway, designed to improve connectivity speeds and reduce power consumption. In October, Yale Privacy Lab founder Sean O'Brien joined the ExpressVPN Digital Security Lab to conduct original research in the areas of privacy and cybersecurity.
On September 13, 2021, it was reported that ExpressVPN had been acquired by Kape Technologies, an LSE-listed digital privacy and security company which operates three other VPN services: Private Internet Access, CyberGhost and ZenMate; antivirus software maker Intego; and other cybersecurity tools. This raised concerns based on Kape Technologies' predecessor Crossrider's history of making tools that were used for adware. At the time of the acquisition, ExpressVPN reportedly had over 3 million users. ExpressVPN announced in September 2021 that they would remain a separate service from existing Kape brands. On September 14, the US Department of Justice released a statement that ExpressVPN CIO Daniel Gericke, prior to joining the company, had helped the United Arab Emirates hack computers (including those of activists) without having a valid export license from the US government. In exchange for a deferred prosecution agreement, he agreed to pay a $335,000 fine and his security clearance was revoked.
ExpressVPN has released apps for Windows, macOS, iOS, Android, Linux, and routers. The apps use a 4096-bit CA, AES-256-CBC encryption, and TLSv1.2 to secure user traffic. Available VPN protocols include Lightway, OpenVPN (with TCP/UDP), SSTP, L2TP/IPSec, and PPTP.
The software also features a Smart DNS feature called MediaStreamer, to add VPN capabilities to devices that do not support them, and a router app, allowing the VPN to be set up on a router, bypassing unsupported devices such as gaming consoles.
ExpressVPN is incorporated in the British Virgin Islands, a privacy-friendly country that has no data retention laws, and is a separate legal jurisdiction to the United Kingdom.
ExpressVPN's parent company also develops leak testing tools, which enable users to determine if their VPN provider is leaking network traffic, DNS, or true IP addresses while connected to the VPN, such as when switching from a wireless to a wired internet connection.
As of August 2021, ExpressVPN's 3,000 server network covered 160 VPN server locations across 94 countries. In April 2019, ExpressVPN announced that all their VPN servers ran solely on volatile memory (RAM), not on hard drives. This was the first example in the VPN industry for such a server security setup, and was referred to as TrustedServer.
Lightway is ExpressVPN's open source VPN protocol. It is similar to the WireGuard protocol, but uses wolfSSL encryption to improve speed on embedded devices such as routers and smartphones. It does not run in the operating system's Kernel, but is lightweight to support auditing. It is reportedly twice as fast as OpenVPN, and supports TCP and UDP.
TorrentFreak has included ExpressVPN in their annual comparison of Best VPN providers since 2015.
On January 14, 2016, ExpressVPN was criticized by former Google information security engineer Marc Bevand for using weak encryption. Bevand had discovered that only a 1024-bit RSA key was used to encrypt the service's connections after using it to test the strength of the Great Firewall of China. He described ExpressVPN as "one of the top three commercial VPN providers in China" and asserted that the Chinese government would be able to factor the RSA keys to potentially spy on users. On February 15, Bevand updated his criticism and noted that the company reported to him that it switched to more secure 4096-bit RSA keys.
In a review done by PCMag UK editor Max Eddy in May 2017, the service scored 4 out of 5 with the bottom-line being that although the service was not the fastest, it "certainly protects your data from thieves and spies."
PC World rated the service 3½ out of 5 in their September 2017 review, commending it for its easy-to-use software while criticizing "the secrecy behind who runs the company."
In October 2017, TechRadar gave the service 4½ out of 5 stars, calling it "a premium service with well-crafted clients, an ample choice of locations and reliable performance."
In 2018, Cyber security website Comparitech tested ExpressVPNs leak testing tools with 11 popular VPN services and found leaks across every VPN provider, with the exception of ExpressVPN. However, they clarified, "To be fair, ExpressVPN built the test tools and applied them to its own VPN app prior to publication of this article, so it has already patched leaks that it initially detected."
The service received 4.5 out of 5 stars from VPNSelector in their July 2019 review, putting it in first place among VPN providers.
In 2020, tech publication TechRadar named ExpressVPN its editor's choice.
In 2021, TechRadar and CNET named the service their Editors' Choice.