Photo: II.studio (Shutterstock)
The popular VPN service ExpressVPN recently sold to Kape Technologies, a company with a shady past some users are worried undermines the VPN’s privacy.
Kape positions itself as a cybersecurity and digital privacy firm, but the company was previously known as Crossrider, and was notorious for creating and distributing data-tracking adware. Kape was co-founded by a billionaire convicted of insider trading, and an ex-Israeli surveillance agent.
Along with the issues raised over ExpressVPN’s new parent company, it was also recently discovered that ExpressVPN’s CIO, Daniel Gericke, faces illegal hacking charges for aiding the UAE with cyberattacks against other governments. This raises concerns over ExpressVPN’s safety as a product—but ExpressVPN isn’t the only VPN under scrutiny.
Kape also owns three other VPN companies—Cyberghost, Private Internet Access (PIA), and ZenMate—in addition to ExpressVPN. All four Kape-owned VPN services operate as separate companies, and while there’s no evidence these companies are mishandling your data or engaging in suspicious activity, there are also reasons to avoid them if you’re serious about privacy.
Privacy and malware concerns
First, let’s talk about privacy. Prior to its acquisition, ExpressVPN was a privately owned company based in the British Virgin Islands, which is more privacy-friendly than other countries and therefore a more desirable jurisdiction for a VPN company.
While the company still operates primarily out of the British Virgin Islands, Kape, its parent company, is based in the UK. On the one hand, the UK has privacy-friendly GDPR laws, but it’s also part of the Five Eyes intelligence-sharing alliance between the U.S., UK, Canada, Australia, and New Zealand, which are generally considered “unsafe” to use for serious anonymity and data privacy.
That means Kape can theoretically collect and share any user data these VPNs save—specifically account data like names, email addresses, and payment information—regardless of where these companies officially operate.
Should you be concerned?
So, to summarize so far: ExpressVPN is now owned by a UK-based company that used to make adware under a different name and can, theoretically, share user account data with Five Eyes nations. On top of that, we now know one of its executives has a shady past that calls into question ExpressVPN’s privacy goals. Sounds pretty bad. But is there any tangible evidence that ExpressVPN is actually spying on its users, pushing adware, or undermining their privacy?
At this point, no.
Some users claim ExpressVPN is slowing down their PCs, but these anecdotal reports have not been verified and no one has suggested a potential cause of the apparent slow-downs. That doesn’t mean these claims are outright false, mind, just that they shouldn’t be taken as concrete, damning evidence.
The fact is, all four Kape-owned VPNs are “no-log” services—meaning they do not track browser activity or connection logs—so they don’t have any browser data to work with in the first place. And ExpressVPN in particular routinely submits its code to third-party audits to confirm its no-log claims and to test the app for malware injection and other vulnerabilities. So far, all audits have come back clean. They do have access to your account information, which some users may find unacceptable, but that’s a common practice among, well, virtually any online company. Average users shouldn’t worry about this any more than you worry about handing your credit card info over to Netflix or Amazon.
Yet despite all evidence that ExpressVPN isn’t an adware-ridden sham that is stealing your data and selling it off to third-party businesses and foreign governments, we’re still not sure you should use ExpressVPN—nor Cyberghost, PIA, or ZenMate—for one simple reason: monopolization.
While the four VPN companies Kape owns would appear to be “competitors” on the surface, all these companies ultimately make money for Kape, and Kape steers their business strategies and privacy policies. The more companies Kape owns, the less incentive these products have to compete—or enact aggressive privacy-forward policies.
Of course, one would assume VPN reviewers would call out any untrustworthy or blatantly suspicious activity, right? Well, in addition to buying the VPN companies, Kape is also buying up VPN review websites. We’re not saying there’s evidence Kape is interfering with these publications or that they’re pressured to give Kape’s products a better score, but anyone can see the clear conflict of interest here.
To be clear: ExpressVPN, Cyberghost, PIA, and ZenMate, are fine for general users. But if you’re serious about data privacy, online anonymity, and the health of the VPN market as a whole, we suggest looking for independent VPNs that prioritize privacy and transparency instead of supporting large companies intent on cannibalizing an entire market—and therefore disincentivizing competition, innovation, and consumer-friendly policies among the products it owns.