ExpressVPN Is a Case Study in Why VPN Reviews Require More Legwork
Two members of Congress have called on the Federal Trade Commission to tackle a digital threat that privacy watchdogs have been concerned about for years: Virtual private network companies continue to profit from rising surveillance fears by advertising largely unverifiable promises not to log users' online activity.
In their July letter, Democrats Rep. Anna Eshoo, of California, and Oregon Sen. Ron Wyden address what may finally be a tipping point in the fight for VPN transparency -- more abortion-seekers are now turning to VPNs for protection while risking imprisonment in pursuit of life-saving health care. The letter's concerns about VPNs include the following, some of which are also issues ExpressVPN has publicly dealt with, and all of which are issues affecting how VPNs are reviewed.
First, ethically dubious VPN companies armed with outsized advertising budgets often fund glowing faux-reviews disguised as unbiased consumer advice. Even among editorially independent reviewers, though, properly testing a VPN already means grappling with the complexities of not just encryption tech but the industry's overall resistance to investigation. This muddies the waters for consumers and may potentially conflict with US advertising regulations.
Second, VPN tech and the VPN industry are both opaque. VPN companies serve customers in countries with anti-VPN laws, so sometimes they have servers discreetly placed in those countries. VPN owners often hide their true identities with legal sleight-of-hand in off-shore company shell games. These are two common industry practices. In the best cases, these practices may protect a good VPN from a government takedown. In the worst cases, these practices can allow a VPN to become a business front for government surveillance (a honeypot). Either way, these practices are profitable and make it impossible to fully vet a VPN independently.
These issues are important because a low-quality VPN review from a popular website could land a trusting reader in jail or worse.
Since my last review, NSA whistleblower Edward Snowden issued a tweet telling users to abandon ExpressVPN because ExpressVPN CIO Daniel Gericke was cooperating with the FBI in an unrelated DOJ investigation. Immediately following the DOJ news, a London-based parent company that used to sell ad tech (and is backed by a billionaire previously jailed for insider trading) bought ExpressVPN for $936 million. Many reviewers warned users away from ExpressVPN. I almost did too. But instead, I spent several months methodically investigating the service and its parent company. I still recommend it to privacy-critical users. But that isn't the point of this commentary.
The point of this commentary is that Congress is calling for investigation into the VPN industry and -- given the above paragraphs' content -- I am also calling for VPN reviewers to do better at investigating the VPNs they review. ExpressVPN's story is a case study on how reviewers like me can do this better.
Read more: How We Test VPNs
Kape's evolving business model
When ExpressVPN first announced that it was being bought by London-based Kape, our biggest concern was that the VPN would be forced to share customer registration data with Kape -- outside of the VPN's privacy-protective British Virgin Islands jurisdiction -- as other Kape subsidiaries' policies allow. I've repeatedly reached out to Kape for comment without response, but there are still a few ways we can define the relative range of risk Kape poses to ExpressVPN's privacy integrity.
First, ExpressVPN's own repeated public assertions of continued operational independence from Kape are somewhat self-affirming; they indicate Kape isn't making moves to silence its new VPN. ExpressVPN's statements also gain more weight as it raises the stakes for its own -- and Kape's -- public image by being a loud voice in the i2Coalition's continued calls for transparency in the VPN industry.
Kape's revenue incentives have shifted as well -- from ad-tech dollars based on its previous CrossRider product, to a booming privacy market that Kape expects to grow 17% a year. That shift has paid off for Kape with an 89% revenue spike from $122 million in 2020 to $231 million in 2021. Within that increase, privacy product revenue jumped 30% and accounted for $117 million -- about half of overall revenue. Security-related revenue rose by 18% when Kape-owned Intego antivirus revenues surged 20%. And Kape's digital content profits -- which came entirely from the acquisition of Webselenese in March 2021 -- reached $88 million by year's end, representing 53% year-over-year growth for Webselenese.
"100% of Kape's revenue comes from subscription services or online content publishing; 0% of revenue comes from ad serving. Digital privacy and security accounted for 73.5% and 26.5% of its FY2020 revenue respectively. Since 2016, Kape has not earned a single dollar of revenue from ad-tech or any other aspect of the former Crossrider platform," Kape said in a September 2021 release.
While the release isn't enough to hang a hat on, its sentiment was echoed in March when Kape CEO Ido Erlichman filed the company's 2021 wrap-up, touting 20% organic customer growth and a VPN-driven 260% increase in paying subscribers, for a total of 6.5 million subscribers.
Kape, Erlichman said, is "one of the sole players wholly focused on digital privacy, and without any monetisation from any customer data."
Kape projects revenues will hit $610 million to $624 million at the end of 2022 -- more than double last year's revenue.
There aren't any former Crossrider execs left in Kape's C-suite to hear the good news but there are still some familiar faces, including Teddy Sagi. The billionaire, who was convicted of insider trading in 1994, held a 54.3% controlling share in Kape as of its January holdings statement, a slight uptick from December -- when he put $60 million worth of loans on the table for Kape. That's down from his 60.5% holding before ExpressVPN was bought. That $60 million might hold a lot of sway, but it's not enough to keep Kape on Sagi's leash now that Kape's got a boosted debt facility of $290 million from the Bank of Ireland, Barclays, Citibank and others.
ExpressVPN co-founders Peter Burchhardt and Dan Pomerantz got $237 million worth of shares in the $936 million purchase, landing them a collective 13.6% share of Kape. Both are staying on with Kape, managing ExpressVPN's operations. Burchhardt also got the right to appoint a non-voting board member for the foreseeable future -- or so long as ExpressVPN accounts for at least 5% of Kape's earnings.
With an average growth rate of 35.1% over the past four years, ExpressVPN is unlikely to fall short. In 2020, it pulled down $279.4 million in revenue -- a 37% jump from 2019. Along with a slate of hardware partnerships, the company brought 290 staffers into the Kape fold, 48% of whom are the R&D engineers Kape said it needs. About $30 million worth of "synergy" cuts are coming as backroom ExpressVPN staff get folded into Kape's. Most crucially, though, are the 3 million subscribers Kape got with the ExpressVPN purchase, bringing Kape's retention rate to 81%.
That 81% is the key number here. Kape says 92% of its revenue is recurrent. With Kape no longer relying on ad tech dollars, the tent-post revenue strategy is cross-product subscriptions targeting current users, 30% of which are already in their third year of using a Kape product.
Good press is hard to find, but easy to buy
How is Kape going to target those customers for retention? Through a journalistic conflict of interest.
As noted above, Kape also now owns Webselenese, a platform for two no-longer-independent VPN review sites, vpnMentor.com and Wizcase.com. Kape bought the platform for $155.1 million per its full-year filing in March 2021. Webselenese's "integration" grew Kape's audience size by 62% with 105 million readers.
"Webselenese's mission is to provide honest and unbiased information via its well-regarded websites," Kape said in its March buying statement. "Its team of researchers extensively research and test every product before reviewing and recommending it, in doing this, Webselenese only recommends products and services that its writers would use themselves."
Sudden changes to VPN rankings on vpnMentor.com and Wizcase.com suggest otherwise. As noted by more reviewers that I can link to, both sites dropped NordVPN and Surfshark from their top-three picks following the Kape buyout, replacing them with Kape-owned Cyberghost and Private Internet Access.
To that end, it certainly appears that Kape is following in the footsteps of other digital giants by self-dealing -- guiding otherwise unaware readers to its own in-house products and services. And it's paying off: In a July 2021 trading update, Kape said buying Webselenese led to "reduction in average customer acquisition cost." By March 2022, Webselenese's revenue was up 53%. And Kape's digital content profits accounted for the largest chunk of Kape revenue.
That's the irony of Kape's evolving business model: Unlike the CrossRider days, the monetization of data now appears to be more of a liability than an asset. If you look at the transparency in ExpressVPN's audited tech, it's easy to see the most obvious incentive Kape would have to preserve the integrity of its flagship VPN: Any per-person data set the VPN would be able to gather on Kape's behalf would be embarrassingly incomplete compared with the finely polished and hypertargeted per-person data sets offered in a bullish market of invasive data brokers. Likewise, selling that customer data would expose Kape's highest-performing new VPN (its entire portfolio, really) to dangerous market competition, destabilizing Kape's overall subscriber retention rate while the company still carries a truckload of debt.
After all, why risk the reputation of your crown jewel privacy product when it's far more profitable to own an advertising machine that poses as an independent consumer technology review site?
Who reviews the reviewers?
While prudent reviewers who waved readers off ExpressVPN in the past few months no doubt intended to offer "better safe than sorry" counsel, there's a risk of creating the opposite effect if you issue uncritical calls to abandon ship based on uncertain new ownership or yet-unseen US government VPN interference. Just as dangerous are uncritical calls to stay the course, even as red flags begin appearing. Whether panning or praising ExpressVPN, neither of those uncritical calls take seriously the privacy needs of a growing number of vulnerable people who are new to privacy tools.
VPN users who need safety from local-level law enforcement and ISP data collection aren't limited to exiled ex-spies, international criminals or UAE-surveilled human rights activists. They're everyday users who walk among us, and we have to stop dismissing their privacy needs as though they are the demands of paranoid outliers. Period.
Not every surveillance state shares intelligence with the US, nor is there evidence that the US' surveillance apparatus -- vast though it may be -- is omniscient. ExpressVPN's hard-tested security, sprawling global infrastructure and flexible protocols allow its 3 million users to get potentially lifesaving information past law enforcement in countries where other VPNs falter. You can't account for every countries' broadband infrastructure quality, political restrictions, and local intelligence gathering capabilities -- but if any VPN is up and running in one of the world's tight spots, you can almost bet it's going to be ExpressVPN.
Shooing these users away from what may be their only locally reliable VPN doesn't help privacy-critical VPN users whose own political concerns don't include being targeted by the US federal government -- such as everyday users in China and Russia.
Nor does it help users in US states (where half of ExpressVPN users register) who lack federal protection while trying to survive dangerous state restrictions -- like abortion seekers in my own state of Kentucky. Add to that list all the gay kids on conservative college campus networks, abuse victims seeking escape, workers organizing labor unions and people working in one state's legal cannabis industry while living in another, anti-cannabis state. The list goes on. All of them are privacy-critical users, and I recommend they use ExpressVPN.
As always, that recommendation could change in an instant, in the event of a security breach, a privacy violation, an unexpected change in corporate policy or a savvy rival that ends up outgunning Express in terms of value or technology. But until it does, I'm offering my recommendation to use it, right along with a maxim that once hung on the wall of the City News Bureau of Chicago:
If your mother says she loves you, go check it out.