It feels like VPNs are suddenly everywhere. What was once a technology used only by IT professionals and large businesses has now become a product with double-digit market penetration rates among consumers worldwide. How did this all come about and where is the industry headed?
In this exclusive world-first interview with ExpressVPN co-founders Peter Burchhardt and Dan Pomerantz, we gained deeper insight into the evolution of VPNs from two of the industry’s pioneers.
Launched more than a decade ago, ExpressVPN is one of the longest standing VPN providers and has been central to the technology entering the mainstream. It was the first top-tier VPN service to be pre-installed on laptops (e.g. from HP and Dynabook), and today it’s among the most popular consumer VPN brands on the market.
While TechRadar Pro had met and spoken with Peter and Dan several times before, this is their first on-the-record interview. The two have maintained a low profile until now, which is perhaps unsurprising for the founders of a privacy-focused service.
“For many years we were proud to let our product and service speak for itself, content to provide guidance behind the scenes. We didn’t see ourselves as the type of tech founders jostling to be on the cover of Time magazine,” says Burchhardt.
How did you two meet, did you work together before?
Dan Pomerantz: We actually studied at Wharton at the same time, but somehow we never met back then. We were introduced to each other years later through common friends.
I had always been an entrepreneur, and I sketched out the first business plans for a consumer VPN service. When I brought the idea to Peter and asked him to join as technical co-founder, he could hardly contain his excitement. We launched ExpressVPN in 2009, and the rest is history.
How has the world of VPN changed since 2009?
Peter Burchhardt: A lot! The market has grown immensely. When we started, privacy and security was a niche market. The consumer VPN landscape at that time was miniscule.
And don’t forget smartphones were just starting to take off back in 2009, and Facebook had only been open to the general public since 2006. So while Dan and I could see to some degree how critical digital privacy and security issues were about to become, it certainly wasn’t part of everyday conversation yet. Even some of my former colleagues at Microsoft thought I was crazy.
Since then, there’s been a huge shift in how aware of and concerned people are about their privacy and security online. It’s quickly becoming mainstream now. I think caring about privacy is a human instinct, like how we naturally close the bathroom door. Effectively everyone using the internet is exposed to some threats to their privacy.
DP: The percentage of people who are aware of those issues has increased dramatically, and especially in recent years there’s been a rapid increase in the number of people who are both aware and have decided to do something about it. Ultimately by taking back some control over their privacy and purchasing a premium VPN service.
We were lucky to get started early. Now that the market has undergone fast growth, we are well positioned as we already have a strong brand and product, and a very capable team.
Is the shift to being aware of privacy issues a global trend?
PB: Essentially everyone in the world who’s connected to the internet faces the same types of threats to their privacy and security, although to different degrees.
However, there are regions where these issues are more prominent in public discourse. For example, I think the Snowden revelations marked a watershed moment for Americans. And today many European nations and Australia have laws requiring their ISPs to retain user metadata. The privacy implications are enormous, and the fact that the topic is hotly debated in so many countries helps to drive awareness of these issues worldwide.
People are aware but are they really taking action or stuck in indecision?
DP: There’s absolutely lots of work to be done to educate and empower consumers. It’s not enough to just provide the tools or services, but it needs to be easy and accessible for them to protect themselves.
People often think “oh, I have nothing to hide,” or “there’s nothing I can do.” Those are misconceptions that we have to work to dispel. You don’t have to be doing something “wrong” to want to protect your privacy. Think about your browser history, would you be happy to publish that online for all to see?
And sometimes people start [using a VPN] for something very specific, say to protect themselves while on public Wi-Fi, and we have a role to play in helping them understand what other circumstances they might want to have VPN protection for.
There is an argument from VPN skeptics that most of the internet is already secure. For example, I can’t think of a bank’s website that isn’t protected by https. What do you see as the value-add for VPNs?
PB: The VPN gives you more control over who is able to collect specific data about you. Without a VPN, many third parties know which apps and websites I use every day. Also, those apps and websites can make an uncomfortably accurate guess at my physical location even when I didn’t grant them that access. And many apps, websites, and hardware devices fail to protect my data sufficiently. Some don’t even try, and I can’t tell whether they’re trying, and some try but fail to do it well enough, and people most often can’t judge that themselves. The VPN adds a layer of protection like a safety net.
When you use the internet without a VPN, even with https, you’re inadvertently telling several third parties about the list of websites and apps that you use. The parties are those running the pipes of the internet, starting with your Internet Service Providers and their various downstream partners, and the operators of hotel and coffee shop Wi-Fi networks. The list can be large and unknown. Many of those companies know your identity, and they might store and resell those data about you without your knowledge or approval. Why is that the case even when you use https? Because technologies called DNS and SNI transmit those data in plain text, and because the pipe operators can still see the destination of your traffic.
Once a third party has data about us, they might use them in ways that we wouldn’t approve of if only we knew. The VPN gives us back more control over many types of our personal data. Not all data, of course, but many meaningful types.
The privacy benefits make sense to me, but like you mentioned before, many internet users perceive (perhaps wrongly) that they shouldn’t care because they have nothing to hide. Can you speak to the security benefits more specifically?
PB: For anyone who uses apps (not just web browsers) and internet-connected hardware devices, the list of data you’re giving up about yourself is even larger. For anything other than a web browser, you usually can’t tell whether they are protecting your data correctly. Some don’t even try, such as many apps and hardware devices that still transmit data in plain text, and many try but don’t do it well enough. The mobile apps even of major banks have had publicly disclosed security vulnerabilities where they tried to protect your information with https, but did it incorrectly in a way that would allow an attacker to trick them into sending and encrypting the information to an imposter, stealing your passwords and banking information. When these issues become known, they get fixed, but there’s a good chance that many more such issues are hidden. The fact that even major companies make such mistakes confirms the cliché that it’s difficult to do security right. A VPN adds an additional layer of protection.
As we hear in the news from time to time, sometimes there even are bugs in the core of the internet. For example, the famous Heartbleed bug was in the heart of https. Using a VPN drastically reduces the risk of falling victim to such exploits.
We often hear from our readers that shopping for a VPN can be overwhelming. It’s such a crowded market. What do you see as the differences between VPN providers? How do you feel about bigger, established companies getting into the VPN market too?
PB: To some extent, you’re putting parts of your privacy and security in the hands of your VPN provider, so you have to be able to trust that they know what they’re doing and have your best interests in mind.
The differences can sometimes be difficult for users to discern by themselves. Is the service fast and reliable over long periods of time? How reliably do the apps really protect all of the user’s network traffic, staying leakproof even in the many edge-case scenarios that occur over time? Does the company adhere to its privacy policy, for example, by not storing activity logs or connection logs? That’s why we’re working so hard to increase transparency and education, as well as publishing audits.
DP: How the company operates also makes a big difference. ExpressVPN is 100% privately owned. No external investors, no backing from big tech. We don’t have any other brands or unrelated lines of business, so we don’t have conflicting interests. We’re able to focus on doing what’s best for customers. The individuals who work on ExpressVPN are spread out across more than a dozen countries, and what we have in common is a passion for a more secure internet.
Having been around for so long, we’re also proud to see how the company has built a strong track record. We’ve been able to demonstrate in the real-world and to third parties that the security and privacy protections we promise really do work. For example, having PwC audit our servers and processes to confirm compliance with our privacy policy. Or open-sourcing the industry’s first set of leak testing tools. Or even the unfortunate case we saw in Turkey, in which investigators seized a VPN server leased by ExpressVPN, and they couldn’t find any server logs that would link activity or connections back to a user.
A lot of your competitors are branching out to other types of privacy and security products (even beyond). Do you feel pressure to do the same?
DP: We see ExpressVPN as competing in the broader privacy and security space. While VPNs are an essential tool for protecting yourself online, there are a number of threats to internet users that VPN tech alone cannot address. We’ll have many more exciting announcements on this front in the months and years to come.
PB: That being said, everyone in the company is focused on building a best-in-class VPN service. We strive to deliver to our users across the globe: speed, reliability, and security. That’s why ExpressVPN developed truly innovative features like TrustedServer and our new Lightway VPN protocol.
Why take the Lightway path when others are turning to Wireguard?
PB: The team that’s working on the product day-to-day is probably better equipped to answer in full detail what we have planned for Lightway. The simple answer is there’s a lot to like about Wireguard, but it wasn’t originally built for providing a privacy-focused VPN service at scale. Other providers have tried to solve that by layering on proprietary solutions. Our team thought it was better to solve the problem from ground up to provide the VPN experience we know our users want.
What was the impetus for TrustedServer and the shift to running servers in RAM? I’m sure you know that other VPN providers have followed your lead and are trying to do the same.
PB: Our job is to protect users’ data privacy and security, and we view how ExpressVPN runs VPN servers to be central to that. It’s less visible than what’s happening on the client side, in the apps, so it gets less attention from users and even the media, but it’s absolutely critical.
TrustedServer runs all our physical servers based on read-only and cryptographically signed images operating only in RAM. This was the subject of a PwC technical audit whose report customers can access, and we’ve documented the technology and our underlying release processes in a fair amount of detail publicly. Because the images are read-only and signed, we have a high amount of confidence about what’s running on our infrastructure across 150+ locations worldwide. While such technology is wide-spread for virtual infrastructure, TrustedServer’s innovation is doing that even for the physical infrastructure required for running an internet-scale VPN service. Because the servers operate in RAM, the potential impact of mistakes is reduced. If a server is compromised or a bug accidentally writes down an undesired piece of information, the data won’t persist past a reboot.
TrustedServer is an important piece in our “defense in depth” strategy for security. We list the things that might go wrong, then we design systems such that those things become unlikely to occur. For example, we make servers very difficult to hack, but we can’t claim it’s impossible. No one can. If something bad were to occur, we try to ensure that the damage is limited. That means we try to treat data as a “toxic asset” and minimize what’s stored, notice problems early, and limit the amount of time that they can persist.
What’s next for the VPN industry?
DP: We see it morphing into the industry of protecting users’ privacy and security online. VPN just happens to be one of many technologies used to protect users. Given the huge worldwide market, it’s attracted a lot of competition. All the major antivirus players now have VPN offerings and there are many startups with innovative new approaches. We look forward to the competition and the many benefits it will bring to consumers. We think that the industry as a whole can collaborate in helping explain the issues to users in transparent and easy-to-understand ways so they can make informed choices. That’s why we helped found the VPN Trust Initiative with the i2Coalition.
New online threats are emerging all the time, and we want to help consumers to have the confidence and know-how to navigate them.