ExpressVPN is not as anonymous as you think. They still can be forced to submit logs that can de-anonymize you

Anonymous · March 6, 2025, 7:28pm

ExpressVPN is fairly reputable when it comes to logging. However, I took a look at it and had a live chat with one of their agents. Here is how it went:

Thank you for visiting ExpressVPN. How can I help you today?

Me: I have a question about your privacy policy.

Chat agent: My name is Paula and I’m here to help. Sure, go ahead.

Me: You collect connections logs, right?

Paula: No, we do not. There diagnostics logs on your application but we do not get a way to get hold of it unless you send it to us.

Me: Your privacy policy says, and I quote:

Successful connection
We collect information about whether you have successfully established a VPN connection on a particular day (but not a specific time of the day), to which VPN location (but not your assigned outgoing IP address), and from which country/ISP (but not your source IP address).

So you know from which country and ISP I’m connecting from.

Paula: Yes, that is correct.

Me: So that contradicts your statement. What you are talking about is crash reports, which I’m well aware of. It’ll be fairly easy to de-anonymize me from my ISP

Paula: This information can only be gathered if supplied to us by our customers by submitting their diagnostic logs.

Me: That opt-in diagnostics logs are separate section, collected by third party apps like Crashlytics and Sentry. The other successful connection logs you collect automatically. This is clearly stated in your policy.

Isn’t it clear? You should read your policy before making a statement.

Hello? Are you still there? (She was not responding for a long time)

At last she responded

Paula: Yes, we are still collected. We’ll look into this to make it more clear. Bear with me please.

Me: OK

After a very long time and no response, I tried again

Me: It’s been a while, so you know my originating country and ISP, is that correct?

Paula: Rest assured, I don’t. We don’t have that information on our end as chat agents.

Now she is just playing with words.

Me: Well your policy says you do. “You” mean as a company. I am not meaning chat agents. You get that, right?

Paula: The information we receive is fully anonymized and cannot be tied back to individual ExpressVPN users (i.e., we do not store which user sent which data, and we do not store IP addresses).

Me: You are repeating the same passage from your page. I repeat: those are anonymous diagnostics and can be turned off. I’m talking about successful connection logs which is not anonymized. You really should talk to your superviser to clarify this

Paula: Upon activation of any ExpressVPN App, you will be asked if you would like to share these data.

Me: Yes, and those are crash reports and diagnostics, not connection logs.

Paula: We do not collect connection logs just those on the diagnostic logs.

Me: Then your privacy policy is not correct? It clearly says otherwise. It is outlined as “Successful connection”, if you can’t find it (I was getting snarky)

Paula: Yes, we were able to locate that. It is collected but remains on your computer only. The diagnostic log is not something we store on our side. It sits on your computer, not ours, and it’s a temporary file that gets deleted each time you close the app. It is for you, not us, so that if you have connection difficulties, you can send us the diagnostic log, and our chat support can analyze it to figure out where the problem is. Again, it’s not something we store, and it’s up to you if you want to share it with us or not. I think almost every VPN provider will allow customers to pull down this log file to identify problems as part of the troubleshooting process.

Me: Yes, I totally get that. So you collect the diagnostics log and crash report if I choose to share and my country+ISP which I do not choose to share. For troubleshooting.

It’s okay if you get my country and IP for troubleshooting. It just would be better if you delete those logs daily.

Now the last line gave her a new line of lie.

Paula: Yes, that is correct. Only if you allow us to do so. That information are deleted when you close the application.

Me: No, I have no control over sharing my country and ISP

My country and ISP logs gets deleted when I close the apps!! That’s unbelievable and hilarious!! I don’t think you know how the application works

Paula: I understand your sentiments and your hesitation. But this is how the app works. (She is not gonna lose this lifeline)

Me: Well thank you for your opinion, I think we have reached an impasse. Thank you for your time

So, they do store my country and ISP for troubleshooting. Apparently, they delete those from their server as soon as I close the application.

Don’t fall for VPN lies

joelgsamuel · March 6, 2025, 7:28pm

I use a VPN because I trust it less than the network I am currently on. I don’t expect pure privacy from a VPN provider let alone the networks that are being traversed from the device and local network through to a VPN point of presence (for example: internet peering exchanges)

However, in terms of de-anonymisation (should something be anonymous) this would require, as per your title, handling over those logs to someone who has the desire and capability to do it. It is still a valuable additional process/obfuscation layer even if imperfect.

AutoModerator · March 6, 2025, 7:28pm

Congratulations on your first post in r/opsec! OPSEC is a mindset and thought process, not a single solution — meaning, when asking a question it’s a good idea to word it in a way that allows others to teach you the mindset rather than a single solution.

Here’s an example of a bad question that is far too vague to explain the threat model first:

I want to stay safe on the internet. Which browser should I use?

Here’s an example of a good question that explains the threat model without giving too much private information:

I don’t want to have anyone find my home address on the internet while I use it. Will using a particular browser help me?

Here’s a bad answer (it depends on trusting that user entirely and doesn’t help you learn anything on your own) that you should report immediately:

You should use X browser because it is the most secure.

Here’s a good answer to explains why it’s good for your specific threat model and also teaches the mindset of OPSEC:

Y browser has a function that warns you from accidentally sharing your home address on forms, but ultimately this is up to you to control by being vigilant and no single tool or solution will ever be a silver bullet for security. If you follow this, technically you can use any browser!

If you see anyone offering advice that doesn’t feel like it is giving you the tools to make your own decisions and rather pushing you to a specific tool as a solution, feel free to report them. Giving advice in the form of a “silver bullet solution” is a bannable offense.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

psxpetey · March 6, 2025, 7:28pm

Always with the VPN’s lmao good enough for pirating that’s about it

patdirty212 · March 6, 2025, 7:28pm

gorgeous highly recommended internet site
I support expressvpn

Miller_John22 · March 6, 2025, 7:28pm

Though ExpressVPN keep logs such as connection date or server to which you are connecting but it’s all stored on their RAM-only servers, which means it won’t sit there forever as a permanent file. By far comparing to other VPNs, ExpressVPN does have an incident in the past where nothing was found on its server during the Turkish investigation. So it is not like you will be totally exposed while using it.

1One_Muffin · March 6, 2025, 7:28pm

I have revisited this issue.

I contacted them and they insist by saying that by “we collect” in their privacy policy they actually mean that this happens only locally, located in the diagnostics file which they can only get if you send it to them.

Chat agent said: “I understand where you are coming from. The successful connections are from the Diagnostic log file that we ask for troubleshooting only. This is stored on your device only, we will need to ask for this information to get this diagnostic log file”
I replied: gotcha, but perhaps then what is written in the privacy policy should be clarified a bit better? by saying “we collect” it is not clear at all that you mean the local diagnostic log file, it sounds as if you keep logs on the server.

Then the chat agent conceded the point that I and the OP here made and said to me and I quote: “I’ll have this matter documented properly for the appropriate team to review what is written on our Privacy Policy page. I’ll set this to top priority for the appropriate team to be notified”

I will revisit this issue with them and see if they do clarify their privacy policy.

FutureOrBust · March 6, 2025, 7:28pm

I dont k how if I misunderstood you, but your connection to a VPN is encrypted and any “networks being traversed” between your computer and the VPN would see no data except that your endpoint is the VPN provider.

RemindMeBot · March 6, 2025, 7:28pm

There is a 1 hour delay fetching comments.

I will be messaging you in 7 days on 2020-01-31 17:58:33 UTC to remind you of this link

CLICK THIS LINK to send a PM to also be reminded and to reduce spam.

^(Parent commenter can ) ^(delete this message to hide from others.)

^(Info)	^(Custom)	^(Your Reminders)	^(Feedback)

joelgsamuel · March 6, 2025, 7:28pm

Yes, but they will still see source IP address and destination information. There is a lot of correlation that can take place based on that data alone, even through to determining what city/timezone someone might be in by the hours they are usually connected.