If you care about your privacy, odds are you’re either using a VPN or looking to use one. And if you’re already using one, you may be looking to switch to a different provider.
Choosing the right VPN provider is critical in your quest to preserve as much of your privacy as you can.
In this article, we review ExpressVPN’s service offering to see if we can recommend their service in good faith.
Short on time?
Here's what matters most.
ExpressVPN is a solid choice for security-minded people, as well as for more casual users who get into the VPN scene for things like video streaming and accessing coffeeshop WiFi.
Their privacy and security policies are top-notch: they’ve been successfully audited. And diskless servers are something we would love to see other VPN providers embrace.
ExpressVPN is one of the more popular VPN providers out there. They’ve been around for over ten years and put privacy front and center on their website.
They use industry-standard encryption and commit to their strong no-logging policy.
They have native apps for just about every platform you could think of and they allow up to 5 simultaneous connections to their network.
They also operate diskless VPN servers – which makes data harvesting very difficult as everything runs on volatile memory.
ExpressVPN was founded in 2009 and operates from the British Virgin Islands. Since then, they’ve grown massively to become one of the most popular and well-known VPN services available.
They offer over 3000 server locations in 94 countries around the world.
Pros
- Industry-Standard Encryption
- Native Applications
- Supports More Routers Than We Knew Existed
- Strict No-Logging Policy
- VPN Kill Switch
- Diskless Servers
Cons
- Not much information available about the company
- No Ads & Tracker Blocker
- Cannot choose your ciphers/level of encryption
Things to Consider Before Buying a VPN Subscription
A good VPN service needs to be strong on three main fronts:
One element that is mission-critical in achieving this is to commit to a strong no-logging policy.
A VPN provider that logs your online activities is not one you should sign up for. That would be a nice way of shooting yourself in the foot.
No-logging, coupled with strong encryption, is the best way to guarantee privacy and security.
Another element to look at, which may not always be obvious at first glance, is the payment methods accepted by the provider.
This matters because your anonymity can be compromised by the money trail you leave behind. A VPN provider who is really committed to privacy should always accept cash or bitcoin, or both.
Features & Convenience
I performed a quick speed test over ExpressVPN’s network.
My Internet connection had 60Mbps download and 30Mbps upload.
My ISP connection was giving me even more than my full 60Mbps download. And I was getting around 25Mbps upload.
Upload is typically slower than download, as ISPs provide more download channels than upload channels.
We performed the test on a New York server, which is geographically close to my actual physical location.
The speed test was performed three times, for better accuracy. And we took the average of the three tests as the final value.
Tested on a 60Mbps (Download) and 30Mbps (Upload) network
Server: U.S.A., New York
Average Download Speed: 60.76Mbps
Average Upload Speed: 26.91Mbps
So we do see a small decrease in speed, but nothing alarming whatsoever. VPNs inevitably slow down your connection to some degree, due to the VPN’s added overhead.
We can also see that my upload speeds are slightly faster. This is likely due to network volatility, but we won’t complain.
These results are very good. And the ping times hardly changed.
Speed does not seem to be an issue with ExpressVPN.
Again, network volatility being what it is, the results could be different tomorrow. But for a quick test, this is impressive.
ExpressVPN is one of the more expensive VPN providers.
They offer three subscription terms:
- 12.95 USD for one month of service
- 59.95 USD for six months of service (works out to 9.99 USD per month)
- 99.95 USD for one year of service (works out to 8.32 USD per month)
These prices are slightly higher than the others we’ve seen. I’d rather pay a little more and get excellent service than get a discounted lemon…
There are, however, some equivalent options out there that are less expensive.
All subscriptions are backed by a 30-day money-back guarantee.
ExpressVPN provides a streaming-friendly service and streaming over a VPN has many advantages:
- Avoiding ISP bandwidth throttling
- Circumventing geo-restrictions
- The security benefit of a fully encrypted connection
As you probably already know, Netflix banned VPN use from its service in 2018.
Now, many VPN providers claim to be able to bypass the ban, but they don’t all succeed.
In my ExpressVPN/Netflix test, it just worked. I connected to a U.S.-based server, logged into my Netflix account and I was streaming within seconds and without any buffering.
Do note that because of the way VPNs are blocked, a server that worked for you will eventually stop working, as Netflix catches up and blacklists the server address.
Switching servers will normally fix this.
For more information on accessing Netflix over ExpressVPN, you can look at their Netflix support page.
Torrenting / P2P
While ExpressVPN doesn’t seem to mention torrenting at all on the website, turning to TorrentFreak’s 2020 VPN guide again, we find the following:
“ExpressVPN allows all traffic, including BitTorrent and other file-sharing traffic (without rerouting), from all of our VPN servers. At the moment, we do not support port forwarding.”
So apparently all of their servers are P2P friendly. Perhaps they should mention this on their website?
In any case, I tested it on a U.S. server, and it worked flawlessly.
ExpressVPN supports all major operating systems. And they also support a huge number of router models.
For the complete list and setup instructions, visit ExpressVPN’s website.
ExpressVPN provides native applications for the following platforms:
- Windows Phone
- Chrome OS
- Many Routers
- NAS Devices
- Chrome & Firefox Browser Extensions
I think they may have the Universe covered with that list… 🙂
The native macOS app is clearly laid out and easy to understand and use. This is all very good.
I had no need to contact support when playing with ExpressVPN, so I can’t really comment on their customer service. But they do provide live chat and their support section has a lot of information and should answer most questions.
Number of Simultaneous Connections
ExpressVPN allows you to make up to 5 simultaneous connections. This is in line with many other providers.
It’s not the least generous nor the most generous service in terms of simultaneous connections.
It’s also possible to configure ExpressVPN on your router (ExpressVPN supports more routers than I’ve seen from any competitor) and connect as many devices as you want to the VPN.
Your router will only count as one device.
Number of Servers
ExpressVPN operate over 3000 server locations, in 94 countries. Is that enough for you?
Multiple Server Hops
A VPN that supports multiple server hops makes you harder to identify. This is because it will bounce your traffic over two different VPN servers.
The second server hop obfuscates the first server’s location and encryption and makes you that much harder to deanonymize.
ExpressVPN does not support multiple server hops at this time.
Ads & Tracker Blocker
ExpressVPN do not support ads & tracker blocking at this time.
ExpressVPN do not provide dedicated servers that route your traffic through the Tor network.
They simply provide a support document with instructions on how to use the Tor Browser over VPN.
We hope that in the future ExpressVPN will provide Tor over VPN services.
For more information on Tor, visit their website.
Logs and Privacy
Let’s now turn to ExpressVPN’s policies. The policies a VPN provider commits to are crucial in assessing the privacy and security of a VPN service.
Have they ever spied on their users at the request of law enforcement?
We found no evidence at all that ExpressVPN ever breached their users’ trust.
And even though they don’t publish a warrant canary, we have no reason to believe they ever spied on their users.
ExpressVPN was asked this question by TorrentFreak, in the 2020 edition of their “Which VPN Services Keep You Anonymous?” guide:
“[Q:] What steps would be taken in the event a court orders your company to identify an active or former user of your service? How would your company respond to a court order that requires you to log activity for a user going forward? Have these scenarios ever played out in the past?”
“[A:] Legally our company is only bound to respect subpoenas and court orders when they originate from the British Virgin Islands government or in conjunction with BVI authorities via a mutual legal assistance treaty. As a general rule, we reply to law enforcement inquiries by informing the investigator that we do not possess any data that could link activity or IP addresses to a specific user. Regarding a demand that we log activity going forward: were anyone ever to make such a request, we would refuse to re-engineer our systems in a way that infringes on the privacy protections that our customers trust us to uphold.”
Would they warn users if/when compromised by law enforcement?
In the above statement, they commit to refusing such requests. Good.
How do they respond to DMCA notices?
Again, from TorrentFreak’s VPN guide:
“As we do not keep any data or logs that could link specific activity to a given user, ExpressVPN does not identify or report users as a result of DMCA notices.”
And again, very good. Do you see how crucial the no-logging policy is to a VPN service?
ExpressVPN has a dedicated page on their website detailing their no-logging policy.
This is all good. They understand what constitutes sensitive information. No need to worry about extensive data retention here.
Further, if we turn to TorrentFreak’s guide, we find this:
"No, ExpressVPN doesn’t keep any connection or activity logs, including never logging browsing history, data contents, DNS requests, timestamps, source IPs, outgoing IPs, or destination IPs. This ensures that we cannot ascertain whether a given user was connected to the VPN at a certain time, assumed a particular outgoing IP address, or generated any specific network activity.”
Again, all good.
They also go on to describe the minimal data they do collect. There’s nothing nefarious there and none of it could be used to identify users. Feel free to go through it.
"ExpressVPN is committed to protecting your privacy. We want you to understand what information we collect, what we don’t collect, and how we collect, use, and store information. We do not collect logs of your activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of your IP address, your outgoing VPN IP address, connection timestamp, or session duration.”
Security and Encryption
Supported VPN Protocols
IKEv2 and OpenVPN are robust and secure VPN protocols. Both IKEv2 and OpenVPN have been around for a long time and have demonstrated their security.
L2TP/IPSec, however, is considered weak and potentially compromised. And PPTP is considered compromised and obsolete.
I believe it’s better not to support weaker protocols, to protect newer users who may not be aware they’re using a weak protocol.
But to ExpressVPN’s credit, they do label L2TP/IPSec as being weak in their native apps. And you need to download additional software from ExpressVPN’s site to enable PPTP.
This should prevent greener users from using insecure protocols.
I suppose L2TP/IPSec is supported for legacy systems that may not support IKEv2 and PPTP support is presumably there to support certain older Windows systems that need to use PPTP.
Encryption Level & Supported Ciphers
ExpressVPN uses the industry-standard AES-256 encryption, regardless of which protocol you use. AES-256 is a very secure cipher with no known vulnerabilities.
This is the only encryption scheme available on ExpressVPN and many other providers. And this is mostly very good.
Again, it protects newer users from using weak ciphers and potential misconfigurations.
The only downside I see with this approach is that more advanced users can’t adapt their encryption scheme to their current activities.
Regardless, I still think this is the better approach for a commercial VPN service.
DNS Leak Protection
Protecting your DNS traffic is critical when using a VPN.
You don’t want your ISP to see your DNS requests when on VPN. But if your DNS leaks, that’s exactly what happens.
ExpressVPN, like other serious VPN providers, also offers its users no-logging DNS servers inside the VPN tunnel. So your DNS requests are secured and also benefit from the VPN’s encryption.
Simply connect to the VPN and your DNS traffic is automatically protected.
VPN Kill Switch
If your connection to the server should ever drop, for whatever reason, without a VPN Kill Switch, your traffic will go out to the Internet unencrypted.
A VPN Kill Switch protects you from this scenario by blocking all traffic from your device so that your privacy isn’t compromised by a disconnect.
ExpressVPN offers a VPN Kill Switch, called Network Lock, in all of their apps. Good stuff.
Many people make a huge deal about jurisdiction when it comes to VPN providers. And it is true that jurisdiction can impact a VPN provider’s security.
However, in my opinion, the logging policy is much more important than jurisdiction.
If you’re a political activist in an authoritarian country, avoiding VPN providers based in one of the 14 Eyes nations is probably good advice.
But make sure you select a VPN provider that commits to a strict no-logging policy.
ExpressVPN is based in the British Virgin Islands, which has legal and political independence from the U.K. Some have raised doubts about that independence, but it’s not an issue I’ll be able to settle.
I feel perfectly secure on ExpressVPN’s network, mainly because of their no-logging policy and their diskless servers.
For more information on the dynamics between VPN providers, jurisdiction, and Intelligence sharing, take a look at our 5, 9 & 14 Eyes: What Does It All Mean For VPN Users? article.
A warrant canary is a document that’s regularly published and which states that a service provider has not received a secret warrant and gag order from law enforcement.
The document can be taken down in the event the provider ever does receive a secret warrant/gag order.
This way, it can indirectly inform its user base that the service has, somehow, been compromised, without violating the gag order. And that may be enough for those feeling concerned to take action.
ExpressVPN does not publish a warrant canary. Hopefully, this will change in the future.
Do They Own or Rent Their Infrastructure?
There’s a definite security benefit when a VPN provider owns its entire infrastructure, as this limits possible third-party access to the servers.
On the other hand, when renting infrastructure a VPN provider is able to provide many more locations, more easily.
This comes at the cost of a potential security vulnerability.
ExpressVPN rent their infrastructure.
However, while this does introduce the risk of third-party access, ExpressVPN mitigate this risk by running their servers from volatile memory (RAM), rather than from disk. This is what we call diskless servers.
Turning to TorrentFreak’s VPN guide, when asked if they own or rent their infrastructure, ExpressVPN answered this:
“Our VPN servers are hosted in trusted data centers with strong security practices, where the data center employees do not have server credentials. In the past year, we have developed technology to let our servers run in RAM only, booted from a read-only disk. That means we can apply server patches quickly and with certainty and prevent any possible intruder from persisting on our servers.”
This is the most secure way to manage rented infrastructure.
If a server is ever compromised, with the entire stack running from RAM, they simply need to reboot it and anything an intruder left behind is gone.
The rebooted server is back to “factory settings”. Very cool.
Have They Ever Been Hacked?
In the security space, a hack can make or break a service’s reputation. So it’s very important to find out if a VPN provider you’re considering has ever been hacked.
As far as we know, ExpressVPN has never been hacked. I suspect part of the reason for this is their diskless infrastructure.
Adding credence to this is the fact that they were independently audited, by PricewaterhouseCoopers, in 2019.
The audit found no major vulnerabilities and verified their no-logging, diskless infrastructure.
What Information Is Collected During Sign-Up?
The sign-up process is straightforward with ExpressVPN.
They only require you to supply a valid email address. That’s it.
And there’s nothing stopping you from simply creating a new email address specifically for that purpose if you’d rather not supply your active email address. We like this.
Accepted Payment Methods
As we just mentioned, a VPN provider’s anonymity claims are impacted by the payment methods they accept.
We’re happy to see that ExpressVPN accepts credit cards, PayPal and Bitcoin, as well as other payment methods, like UnionPay, AliPay, and Interac.
We would have liked to see cash on their list as well. But we’re happy bitcoin is accepted.
All in all, quite good.
ExpressVPN supports split tunnelling. Split tunnelling enables you to perform what is called selective routing.
This means that you can, for example, route your Internet traffic through the VPN tunnel while keeping local access to your LAN, so you can still reach your file server.
Or, you could decide to only route certain applications through the VPN while letting other traffic flow through your ISP connection.
It’s extremely flexible and can be set up as you like.
Just remember to deactivate split tunnelling when you’re done, so that you don’t inadvertently use your ISP connection while thinking you were going over the VPN tunnel.
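A way to check the two conditions described above (DNS staying inside the tunnel, and split tunnelling sending some traffic over the ISP link), as an added example that is not part of the original review and is not ExpressVPN's code. The interface names `tun0` and `eth0`, the routing tables and every address are constructed assumptions; the check does a longest-prefix route lookup and flags resolvers or destinations that leave outside the tunnel.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from any real client).
# A VPN client commonly overrides the default route with two /1 routes.
FULL_TUNNEL = [
    ("0.0.0.0/0", "eth0"),       # original default route via the ISP
    ("0.0.0.0/1", "tun0"),       # VPN covers the lower half of IPv4
    ("128.0.0.0/1", "tun0"),     # VPN covers the upper half of IPv4
    ("192.168.1.0/24", "eth0"),  # directly connected LAN
]
# Split tunnelling left on: one extra range is excluded from the VPN.
SPLIT_TUNNEL = FULL_TUNNEL + [("203.0.113.0/24", "eth0")]

DESTINATIONS = ["198.51.100.7", "203.0.113.10", "192.168.1.50"]


def egress_interface(dest, routes):
    """Return the interface chosen by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def audit(routes, resolvers, destinations, tunnel_if="tun0", lan="192.168.1.0/24"):
    """List (kind, address, interface) for everything that bypasses the tunnel."""
    lan_net = ipaddress.ip_network(lan)
    findings = []
    for resolver in resolvers:
        iface = egress_interface(resolver, routes)
        # A resolver on the LAN (the home router) typically forwards queries
        # to the ISP, so it is flagged even though the address is local.
        if iface != tunnel_if:
            findings.append(("dns-leak", resolver, iface))
    for dest in destinations:
        iface = egress_interface(dest, routes)
        # LAN hosts are expected to stay local; anything else should be in the tunnel.
        if iface != tunnel_if and ipaddress.ip_address(dest) not in lan_net:
            findings.append(("outside-tunnel", dest, iface))
    return findings


if __name__ == "__main__":
    # Resolver handed out by the VPN (constructed in-tunnel address): no findings.
    print(audit(FULL_TUNNEL, ["10.8.0.1"], DESTINATIONS))
    # Split tunnelling still on and the resolver is the home router: two findings.
    for finding in audit(SPLIT_TUNNEL, ["192.168.1.1"], DESTINATIONS):
        print(finding)
```

On a real machine the route list and resolver addresses would come from the operating system's routing table and DNS settings rather than from constants.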
We talked about this above. But I still wanted to highlight this. And the “Unique Features” section feels like the right place.
As we explained above, ExpressVPN runs their entire infrastructure from volatile memory (RAM). This is a huge security boon. We hope to see more VPN providers following suit.
What Others Have Said
ExpressVPN has been around for a long time. So it wasn’t surprising to find a large number of reviews across the Internet. Here are a few quotes:
“It’s easy to see why ExpressVPN is so widely used. It’s not least for its amazing speeds. It has so much more to offer, including the highest level of encryption, a huge global network, advanced split tunnelling, and impressive unblocking capabilities.”
“ExpressVPN has a huge network, plus it's fast, secure, unblocks Netflix, supports torrents, has no serious logging, offers clients for everything, and is easy to use. In short, this is a quality VPN which delivers in just about every area.”
“ExpressVPN's dedication to privacy is impressive, and its fleet of far-flung servers outclasses much of the competition. That comes at a hefty price, and many may not need its worldwide access.”
NordVPN is an excellent VPN service, based in Panama. They offer a great mix of security, privacy, and convenience.
DNS leak protection, CyberSec, strong encryption, and a VPN kill switch have you covered on the security front.
And dedicated P2P servers, native apps for every major (and not so major) platform, and up to six simultaneous connections (or more with a VPN router) make the service very user-friendly.
- Industry-Standard Encryption
- Native Applications
- Strict No-Logging Policy
- Ads & Tracker Blocker
- VPN Kill Switch
- Tor Over VPN
Surfshark is a VPN provider based in the British Virgin Islands, which was founded in 2018.
They take a strong stance on user privacy and security, while still offering some very convenient features, such as background P2P routing.
Their sign-up process is minimalistic, in that it only requires a valid email address from you.
They only support IKEv2 and OpenVPN. And while this may seem restrictive, we commend Surfshark for not weakening their users’ security by supporting insecure or obsolete VPN protocols.
Surfshark offers a very good service with a strong focus on privacy. And at 1.99 USD per month, it’s the least expensive, serious VPN service we’ve seen.
- Industry-Standard Encryption
- Native Applications
- Strict No-Logging Policy
- Ads & Tracker Blocker
- VPN Kill Switch
- Passed Security Audit in 2018
They do not log any user activity and they own and control all of their infrastructure.
They support almost every platform available and offer helpful guides on setting up their service on all of their supported platforms.
Based in Gibraltar
- Strict no-logging policy
- Support Multihop servers
- Accept cash and bitcoin
- Blocks ads & trackers (AntiTracker)
- Own and control their entire infrastructure
So that’s our review of ExpressVPN.
All in all, ExpressVPN is a solid choice for security-minded people, as well as for more casual users who get into the VPN scene for things like video streaming and accessing coffeeshop WiFi.
Their privacy and security policies are top-notch: they’ve been successfully audited.
And diskless servers are something we would love to see other VPN providers move towards.
We would also like to see an ads & tracker blocker at some point.
And ExpressVPN is on the more expensive side for VPN services. But nothing extreme here. And I’d rather pay a few extra bucks for real privacy and security than pay less for an illusion.
ExpressVPN can be recommended in good faith.
ExpressVPN Review: What You Need To Know
By Marc Dahan
Last updated: June 4, 2020