ExpressVPN Is a Case Study in Why VPN Reviews Require More Legwork


Commentary: Members of Congress are right to ask the FTC to investigate the VPN industry.

Two members of Congress have called on the Federal Trade Commission to tackle a digital threat that privacy watchdogs have been concerned about for years: Virtual private network companies continue to profit from rising surveillance fears by advertising largely unverifiable promises not to log users' online activity.

In their July letter, Democrats Rep. Anna Eshoo, of California, and Oregon Sen. Ron Wyden address what may finally be a tipping point in the fight for VPN transparency -- more abortion-seekers are now turning to VPNs for protection while risking imprisonment in pursuit of life-saving health care. The letter's concerns about VPNs include the following, some of which are also issues ExpressVPN has publicly dealt with, and all of which are issues affecting how VPNs are reviewed.

First, ethically dubious VPN companies armed with outsized advertising budgets often fund glowing faux-reviews disguised as unbiased consumer advice. Even among editorially independent reviewers, though, properly testing a VPN already means grappling with the complexities of not just encryption tech but the industry's overall resistance to investigation. This muddies the waters for consumers and may conflict with US advertising regulations.

Second, VPN tech and the VPN industry are both opaque. VPN companies serve customers in countries with anti-VPN laws, so sometimes they have servers discreetly placed in those countries. VPN owners often hide their true identities with legal sleight-of-hand in off-shore company shell games. These are two common industry practices. In the best cases, these practices may protect a good VPN from a government takedown. In the worst cases, these practices can allow a VPN to become a business front for government surveillance (a honeypot). Either way, these practices are profitable and make it impossible to fully vet a VPN independently.

These issues are important because a low-quality VPN review from a popular website could land a trusting reader in jail or worse.

Since my last review, NSA whistleblower Edward Snowden issued a tweet telling users to abandon ExpressVPN because ExpressVPN CIO Daniel Gericke was cooperating with the FBI in an unrelated DOJ investigation. Immediately following the DOJ news, a London-based parent company that used to sell ad tech (and is backed by a billionaire previously jailed for insider trading) bought ExpressVPN for $936 million. Many reviewers warned users away from ExpressVPN. I almost did too. But instead, I spent several months methodically investigating the service and its parent company. I still recommend it to privacy-critical users. But that isn't the point of this commentary.

The point of this commentary is that Congress is calling for investigation into the VPN industry and -- given the above paragraphs' content -- I am also calling for VPN reviewers to do better at investigating the VPNs they review. ExpressVPN's story is a case study on how reviewers like me can do this better.

Kape's evolving business model

When ExpressVPN first announced that it was being bought by London-based Kape, our biggest concern was that the VPN would be forced to share customer registration data with Kape -- outside of the VPN's privacy-protective British Virgin Islands jurisdiction -- as other Kape subsidiaries' policies allow. I've repeatedly reached out to Kape for comment without response, but there are still a few ways we can define the relative range of risk Kape poses to ExpressVPN's privacy integrity.

First, ExpressVPN's own repeated public assertions of continued operational independence from Kape are somewhat self-affirming; they indicate Kape isn't making moves to silence its new VPN. ExpressVPN's statements also gain more weight as it raises the stakes for its own -- and Kape's -- public image by being a loud voice in the i2Coalition's continued calls for transparency in the VPN industry.

Kape's revenue incentives have shifted as well -- from ad-tech dollars based on its previous CrossRider product, to a booming privacy market that Kape expects to grow 17% a year. That shift has paid off for Kape with an 89% revenue spike from $122 million in 2020 to $231 million in 2021. Within that increase, privacy product revenue jumped 30% and accounted for $117 million -- about half of overall revenue. Security-related revenue rose by 18% when Kape-owned Intego antivirus revenues surged 20%. And Kape's digital content profits -- which came entirely from the acquisition of Webselenese in March 2021 -- reached $88 million by year's end, representing 53% year-over-year growth for Webselenese.

"100% of Kape's revenue comes from subscription services or online content publishing; 0% of revenue comes from ad serving. Digital privacy and security accounted for 73.5% and 26.5% of its FY2020 revenue respectively. Since 2016, Kape has not earned a single dollar of revenue from ad-tech or any other aspect of the former Crossrider platform," Kape said in a September 2021 release.

While the release isn't enough to hang a hat on, its sentiment was echoed in March when Kape CEO Ido Erlichman filed the company's 2021 wrap-up, touting 20% organic customer growth and a VPN-driven 260% increase in paying subscribers, for a total of 6.5 million subscribers.

Kape, Erlichman said, is "one of the sole players wholly focused on digital privacy, and without any monetisation from any customer data."

Kape projects revenues will hit $610 million to $624 million at the end of 2022 -- more than double last year's revenue.

There aren't any former Crossrider execs left in Kape's C-suite to hear the good news, but there are still some familiar faces, including Teddy Sagi. The billionaire, who was convicted of insider trading in 1994, held a 54.3% controlling share in Kape as of its January holdings statement, a slight uptick from December -- when he put $60 million worth of loans on the table for Kape. That's down from his 60.5% holding before ExpressVPN was bought. That $60 million might hold a lot of sway, but it's not enough to keep Kape on Sagi's leash now that Kape's got a boosted debt facility of $290 million from the Bank of Ireland, Barclays, Citibank and others.

ExpressVPN co-founders Peter Burchhardt and Dan Pomerantz got $237 million worth of shares in the $936 million purchase, landing them a collective 13.6% share of Kape. Both are staying on with Kape, managing ExpressVPN's operations. Burchhardt also got the right to appoint a non-voting board member for the foreseeable future -- or so long as ExpressVPN accounts for at least 5% of Kape's earnings.

With an average growth rate of 35.1% over the past four years, ExpressVPN is unlikely to fall short. In 2020, it pulled down $279.4 million in revenue -- a 37% jump from 2019. Along with a slate of hardware partnerships, the company brought 290 staffers into the Kape fold, 48% of whom are the R&D engineers Kape said it needs. About $30 million worth of "synergy" cuts are coming as backroom ExpressVPN staff get folded into Kape's. Most crucial, though, are the 3 million subscribers Kape got with the ExpressVPN purchase, bringing Kape's retention rate to 81%.

That 81% is the key number here. Kape says 92% of its revenue is recurrent. With Kape no longer relying on ad-tech dollars, the tent-post revenue strategy is cross-product subscriptions targeting current users, 30% of whom are already in their third year of using a Kape product.


2022-08-01 19:49:59