ExpressVPN Review 2024: Features, Pricing & More

ExpressVPN Protocols

ExpressVPN currently supports the following protocols:

• Lightway: This is ExpressVPN’s proprietary protocol. Its core codebase is currently open source on GitHub. The protocol is definitely faster than OpenVPN and about equivalent to the speeds of a VPN using WireGuard. On its website, ExpressVPN claims, “Nine out of ten beta users reported that Lightway got them connected to the VPN faster than before.” I didn’t track any difference in speed when connecting to a server, but my experience is not universal. Lightway comes in Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) variants. TCP is more reliable but slower, while UDP is faster but won’t consistently connect to some networks.
• OpenVPN: OpenVPN is a free and open-source security protocol commonly used by most VPN providers. It is one of the oldest security protocols in the VPN space, being initially released in 2001. Along with Lightway, ExpressVPN’s implementation of OpenVPN comes in TCP and UDP variants.

No-Logs Policy

As with many top VPN providers, ExpressVPN claims a no-logs policy, which was last audited by professional services network KPMG in late 2022. Although the company claims that the full report is publicly available, I was not able to access it without logging into the ExpressVPN website with my account. While only available to customers is technically public, I would prefer if the company made it available for prospective buyers as well. The report is pretty detailed and technical, more so than similar reports I’ve read from some competitors, which I appreciate. I did find it a little odd that the auditors found no potential holes whatsoever in how ExpressVPN operates, which makes the whole thing feel more like a rubber-stamped audit than something conducted with a critical eye for improvement. Still, it’s also possible that there were no holes.

When I looked at ExpressVPN’s privacy policy, I did spot one red flag I’m not happy about. In the section titled “Successful Connections,” I see this: “We collect information about whether you have successfully established a VPN connection on a particular day (but not a specific time of the day), to which VPN location (but not your assigned outgoing IP address), and from which country/ISP (but not your source IP address).” The company goes on to state that this information is to help with technical support for country-specific issues and the like. Users can be tracked with the information collected, as knowing which ISP and country a user connected from can be used to un-privatize previously private traffic. That’s bad enough, but the privacy policy doesn’t state what ExpressVPN does with the information after it’s been collected. I’d prefer to see more transparency on whether that connection data is stored or deleted after a user’s session has ended.

Kape Technologies

In 2021, ExpressVPN was purchased by Kape Technologies, a British-Israeli cybersecurity company. Kape is also the owner of other major VPN names such as Private Internet Access and ZenMate. Kape Technologies, under its former name Crossrider, released a development platform of the same name that helped with developing browser extensions for different browsers at once, which was at the time more difficult to pull off than it is now.

While the platform was used to create legitimate apps as well, its monetization options were leveraged by ad injectors. Essentially, ad injection is the process of putting ads on websites that weren’t supposed to be there. This can be in the form of the ever-annoying pop-up ad or by replacing legitimate ads on the website. This is done through the use of malware.

In a 2015 UC Berkeley paper on the ad injection industry, Crossrider’s place in the market was specifically highlighted: “Crossrider is a mobile, desktop, and extension development platform that enables drop-in monetization via major ad injectors. Crossrider provides its affiliate ID to ad injectors while separately tracking kick-backs to developers.” Crossrider’s heavy use by bad actors eventually led to the platform’s shutdown in 2016 and the company’s rebirth as Kape Technologies in 2017. For more information, I recommend Alex Lekander’s excellent article on the subject for RestorePrivacy.

In statements to us and others, Kape Technologies has repeatedly stood by the integrity of its VPNs, and ExpressVPN, as the newest VPN acquisition by Kape, has nothing to do with the company’s Crossrider past. However, I find it difficult to fully trust any VPN owned by Kape, and if you’re looking for a VPN to better protect your privacy online, I would caution you away from any Kape-owned VPN.

Our Experience Testing ExpressVPN’s Security

When reviewing ExpressVPN’s security for myself, I didn’t encounter too many issues. I did detect one DNS leak when using dnsleaktest.com, but subsequent tests didn’t reproduce that result. Aside from split tunneling not working, I didn’t encounter any major malfunctions in the app’s features either. The platform’s ad and tracker blocking worked fine, though I usually recommend users look for a dedicated ad/tracker-blocking product instead of bundling that sort of thing with a VPN. I didn’t experience any connectivity issues, though there was some lag when trying to connect to a server or switch servers.