ExpressVPN is one of the most popular VPNs on the market, and for good reasons. It’s due to its global server network, lightning-fast speeds, and one of the best customer service around. But is it safe?
I wanted to test whether ExpressVPN’s claims to be the best secure VPN with maximum encryption, security protocols, and leak protection was true. The only way to see if ExpressVPN really is safe was to test its features. We tested ExpressVPN on various security criteria to check if it really is a safe VPN.
ExpressVPN Jurisdiction
ExpressVPN is headquartered in the safe jurisdiction of the British Virgin Islands that is located outside the 5/9/14 Eyes Alliance. The British Virgin Islands has no mandatory data retention laws, so ExpressVPN is not bound by law to store any user information and provide it to the authorities. This makes ExpressVPN safe and private.
ExpressVPN’s Privacy Policy
Most VPNs only claim to have a transparent privacy policy, but upon further research, you will see that they are not secure and log a lot of user data. ExpressVPN’s privacy policy is straightforward and transparent, and ExpressVPN does not keep any user logs.
The provider claims that it does not store any logs, including user activities, originating IP address, VPN IP, timestamps, and more. And they have made it clear that they don’t sell user data to third parties.
Back in 2017, ExpressVPN’s server was seized in Turkey after the assassination of Andrei Karlov, the Russian Ambassador to Turkey. However, there was no information stored on ExpressVPN’s servers. ExpressVPN issues an official response saying:
“As we stated to Turkish authorities in January 2017, ExpressVPN does not and has never possessed any customer connection logs that would enable us to know which customer was using the specific IPs cited by the investigators. Furthermore, we were unable to see which customers accessed Gmail or Facebook during the time in question, as we do not keep activity logs. We believe that the investigators’ seizure and inspection of the VPN server in question confirmed these points.”
This incident shows that ExpressVPN does follow a true no-logs policy and, in fact, does not store any user information, as the British Virgin Islands has no mandatory data retention laws.
ExpressVPN Security Audit
ExpressVPN performed independent security audits conducted by Cure53, a renowned cybersecurity firm, and by PwC. ExpressVPN recently underwent an audit in 2020 from PricewaterhouseCoopers that investigated the company’s code and privacy practices.
ExpresVPN also announced the open-source for their browser extension, which is a huge deal as users can now see security details and updates. Now, ExpressVPN’s browser extension code is available to the public, and anyone can look through the code to make sure the extension is not storing too much data or how app permissions really work.
Experts from Cure53 fully tested ExpressVPN’s browser extension and privacy policy. The team identified a total of 8 minor vulnerabilities that were solved by ExpressVPN. Cure53 made it clear that “no security issue which would allow an attacker to influence the state of the VPN connection via a malicious web page or alike were discovered.”
What’s more important is that Cure53 also stated in their report that ExpressVPB had already fixed these vulnerabilities that were identified by the team.
ExpressVPN Encryption
ExpressVPN uses the highest standard of encryption in the industry right now. It protects your data with 256-bit AES encryption, with 4096-bit RSA key and SHA-512 HMAC authentication. AES encryption is near-impossible to break.
Similarly, SHA-512 HMAC authentication is highly secure for data transfers and torrenting. ExpressVPN is also port forward secrecy, and it also comes with a feature that changes your encryption key every time you log in.
If we talk about VPN protocols, ExpressVPN offers secure protocols that you can choose from. There is OpenVPN, L2TP/IPSec, IKEv2, and Lightway Protocol. If you choose the Lightway protocol, you also get to use different encryption – ChaCha20/Poly1305. It uses different hardware as compared to AES and is suitable for low-powered routers and mobile devices.
There is also a feature where ExpressVPN automatically connects you to the best possible protocol for you. Overall, it is a complete package. You can read our ExpressVPN review for more details on these protocols.
ExpressVPN Internet Kill Switch
ExpressVPN offers a kill switch called Network Lock. You can access ExpressVPN’s kill switch feature by going to the Settings under General Tab. This feature is available on Windows, Mac, Linux, and routers.
The kill switch features blocks all internet traffic in case the VPN connection drops. This way, it keeps your IP address and online traffic secure at all times.
On Android devices, it is called Network Protection Feature. However, this feature is lacking in iOS devices.
ExpressVPN Split Tunneling
ExpressVPN also offers a split tunneling feature that is available only on selected VPNs. Basically, this feature allows you to encrypt a certain part of your traffic while leaving some of it to pass outside the VPN tunnel.
Meaning, you can use your local web and access international sites through a VPN at the same time. You can choose the apps that will use the VPN and remove apps that will pass outside the VPN tunnel.
I decided to keep my banking app outside the tunnel and BBC iPlayer in the tunnel. When I connected to the UK server, I could use both BBC iPlayer and my local banking site at the same time.
ExpressVPN Leak Protection
A solid VPN should offer DNS, IPv6, and WebRTC leak protection to guarantee data protection and anonymity. I ran leak tests on ExpressVPN’s Windows app to see how strong it really is. Instead of using ExpressVPNs own leak test tool, I decided to use a third-party site, ‘ipleak.net,’ to ensure unbiased results.
I checked IP leaks by connecting to Netherlands servers, and it did not leak my real IP.
For DNS leak tests, I connected to a US server, and again ExpressVPN passed with flying colors.
For WebRTC leaks, I went to browserleaks.com to see if it really is private. This time also I connected to ExpressVPN’s US server, and I did not encounter any WebRTC leaks.
For more information, you can also check out our VPN leak test guide.
ExpressVPN’s TrustedServer Technology
ExpressVPN is the ace in the VPN industry using TrustedServer technology. This technology uses servers running only on RAM, making it impossible to store data. All the data is removed when you disconnect from the VPN. This technology allows data to be exchanged at high rates and instantly removing it when it’s not in use. NordVPN also uses RAM servers, as highlighted in ExpressVPN vs. NordVPN guide.
Similarly, it also allows the software that is responsible for your VPN connection to reinstall every time you disconnect and reconnect to the VPN server. So, even if a hacker manages to install a backdoor in the security, it will immediately be wiped off when you disconnect from the server and reconnect again. Therefore, this technology makes ExpressVPN safer than most competitors.
FAQs
In the case of ExpressVPN, all servers are running on RAM-disk mode so there is no server that physically stores data. As there is no data stored on drives, your security cannot be compromised. That said, VPN servers can still be compromised.
The police cannot track encrypted ExpressVPN traffic. The police can go to your ISP (internet service provider) and request them to provide your connection logs, but they will not find anything if you are using ExpressVPN to encrypt your online traffic. As can be seen in the case of the assassination of the Russian ambassador in Turkey.
Yes, ExpressVPN is trustworthy as it does not keep any logs and is based on the privacy-friendly location of the British Virgin Islands. Similarly, it is one of the few VPNs that have undergone independent audits, therefore it guarantees privacy and anonymity.
Is ExpressVPN Safe? Final Verdict
Yes, ExpressVPN is safe! It keeps no user logs and is headquartered in the safe jurisdiction of the British Virgin Islands. BVI has no mandatory data retention laws so your online activities, search history, and more cannot be leaked. Apart from that, it also uses strong AES 256 encryption that is also adopted by the US government and military to secure data and classified information.
Apart from security, ExpressVPN is a strong VPN with excellent unblocking ability, so you can access any website on the internet securely. No restrictions are strong enough to hold ExpressVPN back. You can find the details below:
ExpressVPN offers a free trial, so you can test the service free of cost. Even if you subscribe to a premium account, you have 30 days to try the service and cancel ExpressVPN to get a full refund.