BVI Jurisdiction: Why It Matters

ExpressVNP

ExpressVNP is a BVI company: What is the BVI, and is it part of the “14 Eyes” intelligence sharing countries?

The BVI, while sharing the same monarch as Great Britain, is a self-governing group of islands located in the Caribbean. The BVI has its own legislature elected by BVI citizens, an independent judiciary, and a national police force. The code of laws which BVI companies are required to abide by was enacted in the BVI, not the UK.

“14 Eyes,” also known as SIGINT Seniors Europe, refers to a collection of 14 countries whose foreign intelligence agencies are reported to share military and counterterrorism information with one another.

As these intelligence agencies strive to intercept all communications internationally (not only from within their national borders), it is unclear whether there is incremental risk associated with operating a VPN service from within a 14 Eyes country.

Nevertheless, because the BVI is a tiny nation without any foreign intelligence operations, it is most certainly not a party to any 14 Eyes intelligence sharing agreements. Therefore, the BVI is not considered as belonging to the 14 Eyes group of countries.

Why should a VPN company’s jurisdiction be important to you?

In choosing a VPN provider, it’s important for privacy-conscious users to consider the following:

  1. Is this VPN company operating from a jurisdiction without data retention laws?
  2. What is the legal process by which a government can order the VPN provider to produce information about one or more of its customers?
  3. Under what circumstances can such an order be made?

In ExpressVNP’s case, there are clear answers:

  1. There are no data retention laws in the BVI. The BVI is an offshore jurisdiction renowned for privacy protection. This is in contrast to many European countries and Australia, which have laws requiring ISPs to retain metadata related to their users’ internet activity.
  2. An order for a BVI company to produce evidence and records (pursuant to an investigation) must come from the BVI High Court. Other countries including the United Kingdom and the United States do not have jurisdiction to compel a BVI company to produce records relating to its customers. These governments must petition the BVI High Court to make such an order under BVI jurisdiction.
  3. The foreign government making the request is required to describe to the BVI High Court a.) the nature of the criminal activity that has taken place, b.) the specific evidence being sought, c.) the relevance of the requested evidence to the case, and d.) grounds for believing that the relevant evidence can be produced from within the BVI. Moreover, there is a requirement for “dual criminality,” meaning that for the request to be upheld the same crime must be punishable by at least a one-year prison sentence under BVI law, had it taken place in the BVI.

It’s a highly burdensome process to obtain a BVI court order, and most investigators would not go through such painstaking effort. Compare that to the United States, where any judge or law firm can issue a subpoena with very little hard evidence. U.S. companies are generally required to comply. Google (according to its own transparency report) receives nearly 30,000 requests for user information each year in the United States and complies with 79% of them.

What if a foreign government does succeed in compelling the BVI High Court to order ExpressVNP to release your information?

The answer to this question lies within the following: What information does the VPN provider know about me?

ExpressVNP is a premium VPN provider focused on user privacy and anonymity. Our network is built around specifically NOT knowing the internet activities of our users. As privacy is a core part of our service offering, ExpressVNP is in the business of protecting our users’ private internet data.

To provide our users with full transparency, below is the list of what we DO know:

  1. The information you submit on our order page, including payment information. ExpressVNP could not offer premium VPN services without accepting payments from customers. For the most anonymous form of payment, we recommend bitcoin.
  2. Which of our apps (and app versions) you have successfully activated. App activation details allow our support team to troubleshoot any app-specific technical issues with individual customers.
  3. Whether you have successfully established a VPN connection on a particular day (but not a specific time of the day), to which VPN location, and from which country/ISP (but not from which IP address). This minimal information assists us in providing technical support, such as providing country-specific advice on how to best use our service.
  4. The aggregate sum (in MB) of data transfer through the VPN. Although we do offer unlimited data transfer, if a single user pushes more traffic than thousands of users combined, we may ask the user to explain why.
  5. (Optional for the user) Anonymous information about whether your VPN connection attempts succeed. This data feeds into our network operations tools to let us identify problems with specific apps, VPN servers, or from specific ISPs. The information we receive is fully anonymized and cannot be tied back to individual ExpressVNP users. This feature is similar to a “send bug reports” option, and users can easily switch it off inside our apps.

Should any of the above concern you? We don’t believe so because the basic information we retain about VPN usage is not the kind of information that would be useful in an investigation. If the BVI High Court orders us to tell them which ExpressVNP user had accessed “X” website or service on “Y” date/time with “Z” IP address, we cannot match any of those data points (separately or in combination) to an individual.

Why does ExpressVNP retain any usage data at all?

ExpressVNP only keeps the bare minimum amount of information required to operate a highly reliable VPN service at scale. Without this information, we couldn’t keep our server network running, ensure that our apps are working correctly, or provide accurate support to our customers.

We never collect anything about what users do with the VPN: No logs of traffic destination, DNS records, data content, connection timestamps or IP addresses. That means, should the BVI High Court come asking, we CANNOT answer any of the following questions:

  1. Which ExpressVNP user(s) accessed the following website or service?
  2. Which websites did user X access?
  3. Which ExpressVNP users were utilizing a given ExpressVNP IP address at a particular time?

ExpressVNP takes your privacy seriously and does not keep activity logs or connection logs. Specifically, that means we do NOT log any of the following sensitive information:

  • Browsing history
  • Traffic destination
  • Data content
  • DNS queries
  • Timestamp or duration of connection
  • Your original IP address that you connect from
  • Your outgoing IP address (i.e. the ExpressVNP IP assigned to you once connected)

The combination of our BVI jurisdiction, no activity logs, and no connection logs makes ExpressVNP an excellent choice for internet users concerned about their privacy.

Also published on Medium.


Meet OSTIF, the privacy advocates who make the internet safer by auditing its code

OSTIF is auditing OpenVPN for the benefit of all.

ExpressVNP talks to Derek Zimmer: President and CEO of the Open Source Technology Improvement Fund (OSTIF), about his organization, the audit of OpenVPN, and the future of internet privacy tools.

The quotes (in red) published in this blog are snippets taken from the full interview with Derek which you can read in full here.

ExpressVNP proudly supported OSTIF’s audit.

Why it’s important to audit open-source projects like OpenVPN

Privacy-conscious and security-related projects increasingly rely on open source software due to ideological reasons, licensing issues, and trust.

It’s the open nature of the software that allows anyone to see how it works and how to compile it—and keep control of what the code does.

In reality, however, few people can review and understand code fully, and while some nefarious behavior is obvious, vulnerabilities and bugs often take years to spot.

Full code reviews are expensive and difficult to carry out, and while many people and organizations might rely on a project, it’s hard to coordinate a full audit.

OSTIF decided to take on the daunting task, regardless. Derek explains that it took three researchers 50 days (or around 1000 hours) to complete the review. The version they audited was OpenVPN 2.4 because it includes some significant code changes and new features.

“OpenVPN is a unique piece of software, in that it’s a monolithic code with lots of features that must be compatible with older versions.”

OSTIF looked primarily at the Windows and Linux implementations because they’re the most familiar to users and developers.

“We also decided to focus on any cryptography created by OpenVPN itself, and the application’s security. This means looking for logic errors, memory allocation errors, improper buffer handling, or other improper error state vulnerabilities.”

OpenSSL, on which OpenVPN (together with PolarSSL) relies “to power its cryptography,” wasn’t included in the audit and will have its own, separate review. There are thriving businesses that rely on OpenSSL or Nginx, and Derek hopes to fundraise from them.

Unfortunately, though, other large-scale privacy software projects, like OTR, Signal, or Tor have no vested commercial users, so the community will have to find a means to fund any audits themselves.

Finding funding for a full code audit

Previously, OSTIF had tried other means, including a Kickstarter to raise funds. Now, Derek aims to gather donors for each project individually, hopefully gaining more trust from the tech industry and community in the process. It’s hoped this approach will grant the ability to take on larger projects.

The OpenVPN audit was the first “wide” audit, as Derek puts it, that OSTIF undertook. Unlike their previous highly anticipated audit of VeraCrypt (the successor of TrueCrypt), OpenVPN has a thriving community of large VPN providers who are willing to contribute financially.

“I was surprised by the positive community response and the outpouring of support for the project. It truly was remarkable! I’m very happy with the community support for the project, but was also surprised at the number of larger organizations that didn’t respond to our inquiries or had no point of contact at all for their management.”

The evolving privacy and security industry

While Derek seems largely optimistic about the future of online security and privacy, he’s worried about “black boxes of code” and the millions of older, yet active, systems without recent security updates—particularly in the Android ecosystem.

Conversely, Apple puts tremendous resources into security. However, he says, Apple doesn’t open source its technology. Instead, it relies on its device security to keep malware makers and security researchers at bay—which is an untrustworthy setup.

It seems there are many tribulations to face. Ultimately, though, Derek and his team do an excellent service to the internet and the privacy of its users. But the fight is far from over:

“We’ve repeatedly seen through various government agency leaks that if the cryptography around the information is good, they can’t break it en masse. This fact at least disables the “listening in on everyone” form of mass surveillance that has become pervasive in the last few years. As these privacy tools continue to improve and crypto becomes harder to break and easier to use, we’ll see substantially increased efforts to attack and compromise devices.”


An interview with OSTIF, the team behind the OpenVPN audit

OSTIF is auditing OpenVPN for the benefit of all.

You’ve just completed your security audit of OpenVPN. Two people worked for almost two months on this project. How does such an audit work?

It actually wound up being three researchers working a total of 50 days (around 1000 hours) on the security review.

When we plan to audit a piece of software, there’s a substantial amount of work that goes around planning the timing of the audit, who will be doing the work, and which areas of the software we’ll cover.

For OpenVPN, we waited until the release of OpenVPN 2.4 which featured some major code changes. We could then evaluate the new features, as well as a lot of under-the-hood changes.

Updates that contain significant code changes are good times to evaluate software because coding errors could make it through testing, or regressions on edge features might slip through the cracks.

OpenVPN is a unique piece of software, in that it’s a monolithic code with lots of features that must be compatible with older versions. Ensuring legacy compatibility slows down the process of the security review. We have to navigate a complex web of functions rather than a modular design where the application can be evaluated in chunks. OpenVPN also relies on two different libraries (OpenSSL and PolarSSL) for cryptography, meaning that there are two completely different crypto-environments powering the security.

Even further, there’s OpenVPN 3.0 which is a unique version that’s not entirely open source. OpenVPN 3.0 was created due to licensing issues with the Apple App store that prevent free software on the store. OpenVPN 3.0 code is used for OpenVPN Connect for Android and iOS. If we were to evaluate this entire ecosystem, it would take many researchers many months to comb through all of these variations of OpenVPN, and then they’d still have to consider all the different network and hardware configurations these various apps can face. The complexity and cost would be tremendous.

We consulted experts and worked with the OpenVPN team and QuarksLab to figure out what to focus on. It was decided that OpenVPN 2.4 for Windows and Linux covered the most users and would do the most good. Most commercial VPN providers use OpenVPN 2.4 code for their custom VPN clients because of the license structure around it.

We also decided to focus on any cryptography created by OpenVPN itself, and the application’s security. This means looking for logic errors, memory allocation errors, improper buffer handling, or other improper error state vulnerabilities.

A separate audit of OpenSSL would allow us to closely evaluate the OpenVPN cryptography itself to ensure that both the cryptography and the application are sound. It’s important to create a safe and difficult-to-exploit application for users to enjoy.

As for the actual auditing process, QuarksLab does an excellent job of documenting the processes and tools used when evaluating software. Our work focuses on planning the audit scope and setting attainable goals. We then rally the open source, security, and privacy communities around the cause to raise the money to get it done.

Are there any surprising/noteworthy findings from your audit that you’d be able to share with us now?

We’re in the blackout stage of the audit process for OpenVPN so I won’t be able to discuss any specifics that might clue-in people to the results, but they will be publicly available very soon. We are waiting for OpenVPN 2.4.2.

What is the rationale behind such an audit? Are you being tipped off to potential security holes, or do you simply want to take a closer look at software that you regularly rely on?

Our strategy as an organization is to cover different areas of security and privacy and select widely used applications.

VeraCrypt was a much-needed successor to TrueCrypt, which the community greatly relied upon, but the people running the project were relatively unknown and were taking on a massive project with complex code. It made logical sense to approach it as our first audit because we could evaluate the changes to the code that went into TrueCrypt 7.1a and compare it to the current version of VeraCrypt. This narrow scope allowed us to dramatically reduce costs and show people that the organization is effective at getting results.

OpenVPN is our first “wide” audit of an application. It required a much larger budget but also had a large community of VPN providers (who themselves are privacy activists). The VPN providers are interested in both the privacy of their users and directly concerned with the safety of OpenVPN which allowed us to fundraise from both OpenVPN commercial interests and private users simultaneously.

OpenSSL is larger again, but has industry support all around it, as OpenSSL code (and other libraries derived from it) powers around 70% of the top 1,000,000 websites. This gives us a lot of business interests that we can ask for funding to help evaluate OpenSSL 1.1.1, which will be the first OpenSSL version with new TLS 1.3 code.

As we go further down the list of applications we plan to audit, it gets harder to raise funds, either because the communities surrounding them are smaller, or because there’s no vested business interest in the success of the application.

We hope that after repeated successes we’ll be able to secure larger corporate sponsors that will enable us to more efficiently direct funds toward these projects without relying entirely on small public donations. This would also greatly help us to establish our other programs, which involve working with projects to make their applications easier to use, improving testing methods and tools, and the creation of easy-to-follow guides for privacy and security software that we support.

In short, right now it’s all part of a larger strategy to support one application from each major area of privacy and security, then expand from there. Our criteria are the perceived strength of the software, combined with widespread use.

For your OpenVPN project, you have received support largely from the VPN industry. Did you expect support beyond that? How satisfied are you with this support?

We also received a large amount of support from the community both in word of mouth and direct donations.

Our goal was surpassed surprisingly quickly, as we originally believed that the 1-month window we’d allocated for fundraising would be insufficient. But we passed our goal and raised substantially more than planned within 20 days. That money was set aside for the bug-bounty program that is planned to start in the summer/fall.

I was surprised by the positive community response and the outpouring of support for the project. It truly was remarkable! I’m very happy with the community support for the project, but was also surprised at the number of larger organizations that didn’t respond to our inquiries or had no point of contact at all for their management.

However, overall the good far outweighed the bad, and we look forward to working with all of our supporters on the OpenVPN initiatives and beyond!

You’ve moved from a fundraising model with pooled resources to a direct fundraising model, in which you raise funds for each project separately. This seemed to have worked well for the OpenVPN project, where the VPN industry was happy to donate. Do you expect future projects to be funded similarly, and how will this work for software projects that don’t have a commercial industry surrounding them, such as OTR?

The change in the funding model was due to feedback from the community regarding sticker shock. During our first round of fundraising we planned a year of activities and then tried to fundraise the effort through Kickstarter. This led to financial hurdles, like offering rewards for donations, Kickstarter fees, and payment services skimming money from donations. Also, the 8 planned projects combined pushed the goal well into millions of dollars. As a newcomer to the industry with no track record, the huge amount of money involved, and after a few prominent Kickstarter failures, it was doomed from the start.

Our shift in strategy brought the overhead and the numbers down to earth and set more attainable goals, but it also requires substantially more work for each fundraise. We’re hoping that after building a reputation of responsibility and effectiveness we’ll be able to secure larger donors that will allow us to focus more on getting things done and less on directly soliciting for donations. Larger donations will also have the added benefit of allowing us to fund less commercially interesting projects like OTR, Nginx, Tunnelblick, and more.

How do you see privacy and security-enhancing technology evolving? Especially in regards to mobile phones and proprietary systems?

We’ve repeatedly seen through various government agency leaks that if the cryptography around the information is good, they can’t break it en masse.

This fact at least disables the “listening in on everyone” form of mass-surveillance that has become pervasive in the last few years. As these privacy tools continue to improve and crypto becomes harder to break and easier to use, we’ll see substantially increased efforts to attack and compromise devices.

There is evidence of this through the massive theft of SIM card keys with Gemalto, huge lists of pilfered RSA keys in NSA leaks, backdoors inserted into Cisco and Juniper systems, and so on.

The security community has long been calling for a “full stack” of open source code surrounding the devices that hold our most private information. The biggest hurdle right now is funding and organizing the support to actually do it.

Some companies appear to be doing great work on the proprietary side, but we have repeatedly learned that we cannot trust a black box of code. See this month’s heap overflow in iOS: https://googleprojectzero.blogspot.com/2017/04/exception-oriented-exploitation-on-ios.html

Android has a lot of ecosystem-related issues related to updates lagging behind, creating millions of vulnerable devices. Or companies negligently stopping updates for their phones once sales stop. Then there are even deeper issues such as vulnerable Broadcom radio firmware that will never be fixed, as recently demonstrated by Project Zero.

A truly open source phone is a big ask, but we can certainly try to push the open-source community in the right direction by developing pieces of the puzzle independently. I truly hope that we can get there, as the current situation is a mess. I’m shocked that there isn’t already a smartphone-based Mirai knocking out cell towers around the world with data floods.

Apple has been receiving a lot of positive news with its proprietary systems regarding security and privacy. What role do you think open-source projects will play in bringing usable technology to the masses while respecting user rights?

Apple has put tremendous resources into building a phone ecosystem that focuses on security. The problem is that Apple doesn’t open source this technology, so we’re dealing with the same problem that hits commercial software, like Windows.

We have a black box with millions of lines of code of unknown quality, all interacting with one another in known ways. Apple is relying on the inability of malware makers and security researchers to reverse-engineer their code and find flaws. Part of this motivation is to lock the software to the phones, so that iOS can only be installed on genuine Apple hardware. Another motivation is locking the phones to the software, so you can’t buy an iPhone and put an alternative operating system on it, preserving their ability to draw money through the app store with a captive audience.

To be clear, as of right now, they are doing an objectively better job than Google is when it comes to general security. The problem is that this black box can’t be trusted. It has bugs just like all software does—thousands of bugs. Because this software is proprietary and the source isn’t available, those bugs lie in wait for discovery by an Apple security team, or anyone else in the world that finds them first.

Open Source software can be reviewed. It removes the “just trust me” ask that no privacy interested person can objectively accept.

I’m hoping that Google moves in the direction of Apple in that updates will be forced across all devices regardless of vendor, and hardware requirements will have to be tightened to make that happen. I also hope that we can open source the currently closed parts of Google firmware and its related drivers so that we can trust the full stack the phone relies on for security. That would put an open solution in a position to lead the market with good security and privacy practices.

You look a lot at other people’s code. What common mistakes do you observe? What kind of bugs are the most common?

I actually don’t do the security reviews themselves, that’s left to the contracted auditors. But the most common issues are problems with memory management, and proper deletion of security related data when it’s no longer in use.

The other big mistake is trying to write your own cryptography. It’s wildly complicated, and there are many, many ways to defeat cryptography that have been invented over the last few decades. You have to carefully consider them all and adhere to many standards to create strong cryptography. Using already compliant libraries avoids this security minefield entirely.

Do you have any advice to share with the many coders reading this?

Support an open source security or privacy initiative. Volunteering your time and knowledge as a coder is extremely valuable, even if you only do a single commit per month to a worthy project.

The sum of the community’s abilities and time adds up to applications that can change the internet and the world for the better. If you don’t have a security background, make a small recurring donation to an organization that helps build and improve these tools and libraries. I’m not just talking about OSTIF, I’m talking about the Free Software Foundation, or any of those donate buttons you see when you download a piece of open-source software.

You’d be shocked how much a few dollars helps small projects function and improve. Small contributions add up to a better digital world for all of us.


4 reasons why you should upgrade to ExpressVNP 6.1 for Windows today


Good news, everyone!

The newest ExpressVNP app for Windows is now available. There are a bunch of new features that make this the fastest VPN to date!

Take a look at what’s new and then upgrade or download your copy today.

  1. Protected browsing at the click of a button. Get to your favorite websites faster with an easy-to-use button that will connect or disconnect you with one click.
  2. Take advantage of Smart Location. ExpressVNP will pick the best VPN locations for you, letting you protect your connection more easily than ever before. Not sure which location to use? Just click Smart Location!
  3. New Location Search. Searching for the best VPN server locations is easier than ever with the new location search. In fact, VPN servers are broken down into specific clusters for faster access.
  4. Enjoy a faster, more thorough installation process. If you thought ExpressVNP was easy to install before, you’ll be even more surprised how easy it is now. Set up and install your VPN in seconds.

Download ExpressVNP 6.1 Today!

You can download or upgrade your copy in just three easy steps:

  1. Head to My Account
  2. Sign in
  3. Click the big green “Set Up ExpressVNP” link

Be sure to download ExpressVNP 6.1 for Windows.

After you’ve had a little time to break it in, let us know what you think! And don’t forget to follow ExpressVNP on Facebook or Twitter for more news on apps, updates, and current events.

Thanks for reading!


10 Lucky people found all the eggs to win free ExpressVNP!


Firstly, a big thanks to everyone who played the game!

10 lucky people found all the eggs to win free ExpressVNP for a year. Well done!

We all know that the only thing better than an Easter egg hunt is eating all the eggs you find on the hunt.

Ok, there wasn’t technically anything to eat here. Though you might say that the winners can now devour a deliciously unrestricted and fully protected internet. Yes, let’s say that—the analogy is good.

Anyway, we’ve notified the winners. If you haven’t got an email from ExpressVNP yet, unfortunately, you didn’t win on this occasion.

Don’t worry, though. There will be more fabulous giveaways in the future—subscribe to the blog newsletter to keep up with all the latest competition news.


Trump signs new U.S. internet privacy legislation: Comcast reacts, but can you trust them?


Last week, ExpressVNP wrote about controversial U.S. Congress plans to allow ISPs to sell your private data for profit.

To the dismay of privacy advocates around the world, Donald Trump signed the measure into law.

The new policy is popular only with corporate lobbyists of network providers—it seems absolutely no one else wanted it to happen. And yet, the new U.S. administration made it a priority, undoing significant online privacy progress over the last few years.

How do new U.S. internet privacy regulations affect you?

Online giants such as Verizon and Comcast can now monitor customer behavior online and, without permission, use private personal and financial information (like your browsing history, the banks you use, and the shops you frequent) to sell highly targeted ads.

Online marketing makes big money. Currently, Google and Facebook are kings of the $83 billion industry. It’s no wonder the telecom giants wanted a piece of the pie.

Internet users now have no control over what happens to their data, which ISPs could sell directly to marketing firms, financial companies, or anyone that mines personal data.

Again, this includes data that you have not given willingly. Telecom agencies can now spy on your online activity and sell the results for their profit.

Comcast promises to protect your data, for now

In a quickly released statement on their website, Comcast was keen to stress their intentions with this newly gained power.

“Comcast has committed to privacy principles that are consistent with the FTC’s privacy regime which has applied to all entities in the Internet ecosystem for over 20 years….”

As ExpressVNP previously pointed out, though, a commitment is not a law. It can easily be broken. What if Comcast suddenly faced financial difficulties? Would it still refuse to sell off its treasure trove of human data?

It’s nice for Comcast to sound so committed now, but corporate values change. And yes, Attorneys General could impose punishment after the fact, but that’s too late. Your data will have already been sold.

In short, can you trust a telecom giant to be responsible with your personal information?

Why you can trust a VPN with your data

ExpressVNP is in the business of keeping your data private. It’s the reason for our existence; it’s the only thing we do.

A VPN company has everything to lose by sharing customer data (if they even have any). An ISP has potentially billions of dollars to gain.

There’s really no comparison.

Telecom giants should not have this much power over your private information. However, a VPN can still protect you and your family.


Perfect Forward Secrecy makes encryption safer


Encryption protocols keep you safe and your communications private. A secure chat app will encrypt conversations, and HTTPS secures websites (indicated by a green lock in your browser bar). A VPN service wraps an extra layer of encryption around all the bits and bytes.

Encryption uses mathematics to ensure that only the intended recipient can decode a big chunk of gibberish into readable data. The most heavily guarded secrets of any encrypted channel are the encryption keys, which encrypt or decrypt the data.

Perfect Forward Secrecy ensures that compromised or stolen encryption keys do not affect the security of past or future communications. Without Perfect Forward Secrecy any momentary system compromise—e.g., a malware infection or targeted hack—could expose all data transferred by the user both past and future.

ExpressVNP uses Perfect Forward Secrecy by default.

Static encryption keys

In simpler encryption systems, keys are generated and reused over time for storage and communications.

When information needs to be retrieved after it has been communicated, e.g. by an email or a file, it’s preferable that the encryption key used to encrypt the information is still available.

Popular encryption tools like PGP (or GnuPG) use static encryption keys to encrypt files and emails or to sign computer programs. Notably, Facebook uses them to send you encrypted email notifications.

The big downside of static encryption keys is that unless you change keys regularly, a hacker only needs to compromise a single key on your computer to compromise all your encrypted files and emails. Even if you were to change keys regularly, you would still likely keep the previous keys in case you needed to access old emails or files.

ExpressVNP uses dynamic encryption keys for Perfect Forward Secrecy

Not all data requires future accessibility. When you open an HTTPS-encrypted website, the browser doesn’t need to store the encrypted data for long. After all, you are always able to re-request the same page or keep a copy of it locally.

VPN connections are very similar in that there is no need to store or re-access transmitted information. And while there is no guarantee that intermediaries such as internet service providers (ISPs) or governments won’t keep a copy of the encrypted transmitted data, Perfect Forward Secrecy makes the information as useless as possible.

Every time you connect to ExpressVNP servers, the security certificate’s authenticity is verified. Once authenticated, a unique encryption key is negotiated through a key exchange such as Diffie–Hellman.

Learn how the ExpressVNP app verifies it’s talking to the right server.

Each ExpressVNP connection uses a different key, so in the unlikely event someone hacked your device or an ExpressVNP server and had already recorded encrypted raw data transmitted by you, they still wouldn’t be able to decipher the information. Dynamic encryption keys are purged or regenerated after a connection is terminated, or every 60 minutes to protect long-lived connections.
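To make the contrast between static and dynamic keys concrete, here is an added example (a toy model written for this page, not ExpressVNP’s code) that runs both schemes against the same recorded traffic and then lets an attacker who has stolen the long-term key try to decrypt it. It assumes a toy Diffie–Hellman group (P = 2**521 - 1, G = 3), a SHA-256 keystream as the cipher, an HMAC under the long-term key standing in for the certificate check, and a 3600-second rekey interval matching the page’s 60 minutes.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, for illustration only: P = 2**521 - 1 is the
# Mersenne prime M521 and G = 3. Real deployments use standardized groups
# (RFC 7919) or elliptic curves; the exchange logic below is unchanged.
P = 2**521 - 1
G = 3
NBYTES = 66             # enough bytes to hold any value below P
REKEY_INTERVAL = 3600   # the page's "every 60 minutes", in seconds

def kdf(material: bytes, label: bytes) -> bytes:
    """Toy key derivation: SHA-256 over a label and the secret material."""
    return hashlib.sha256(label + material).digest()

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream (SHA-256 blocks) XORed over the data;
    applying it twice with the same key restores the original bytes."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def static_scheme(long_term_key: bytes, session_no: int, data: bytes) -> bytes:
    """Static keys: each session key is rederived from the long-term key, so
    the same call encrypts a session and, after key theft, decrypts it."""
    return stream_xor(kdf(long_term_key, b"static-%d" % session_no), data)

def authenticate_share(long_term_key: bytes, share: int) -> bytes:
    """Stand-in for the certificate check the page mentions: the server's
    long-term key vouches for its DH share (real deployments sign it)."""
    return hmac.new(long_term_key, share.to_bytes(NBYTES, "big"),
                    hashlib.sha256).digest()

class EphemeralSession:
    """Forward-secret connection: a fresh DH exchange per connection, the
    private exponents discarded once the key exists, and a periodic rekey."""

    def __init__(self, long_term_key: bytes, start_time: float):
        self.long_term_key = long_term_key
        self.started = start_time
        self.key, self.transcript = self._exchange()

    def _exchange(self):
        # Server side: ephemeral exponent b, public share g^b, vouched for
        # by the long-term key (toy HMAC standing in for the certificate).
        b = secrets.randbelow(P - 3) + 2
        gb = pow(G, b, P)
        tag = authenticate_share(self.long_term_key, gb)
        # Client side: checks the tag, then contributes its own ephemeral g^a.
        assert hmac.compare_digest(tag, authenticate_share(self.long_term_key, gb))
        a = secrets.randbelow(P - 3) + 2
        ga = pow(G, a, P)
        shared = pow(gb, a, P)
        assert shared == pow(ga, b, P)      # the server derives the same value
        key = kdf(shared.to_bytes(NBYTES, "big"), b"pfs-session")
        del a, b, shared                    # ephemerals purged from memory
        return key, (ga, gb, tag)           # only public values survive

    def maybe_rekey(self, now: float) -> bool:
        """Regenerate the key of a long-lived connection every REKEY_INTERVAL."""
        if now - self.started >= REKEY_INTERVAL:
            self.started = now
            self.key, self.transcript = self._exchange()
            return True
        return False

    def encrypt(self, data: bytes) -> bytes:
        return stream_xor(self.key, data)

def attack_after_key_theft(long_term_key, transcript, ciphertext, plaintext):
    """The page's scenario: the attacker recorded the exchange and the traffic,
    then stole the long-term key. Try every key buildable from that knowledge;
    True means the recorded traffic was recovered."""
    ga, gb, _tag = transcript
    public = ga.to_bytes(NBYTES, "big") + gb.to_bytes(NBYTES, "big")
    candidates = [kdf(long_term_key, b"pfs-session"),
                  kdf(public, b"pfs-session"),
                  kdf(long_term_key + public, b"pfs-session")]
    # g^ab is not derivable from g^a and g^b alone, and a, b are gone, so
    # none of these candidates can equal the session key.
    return any(stream_xor(k, ciphertext) == plaintext for k in candidates)

def demo() -> dict:
    """Run both schemes on the same constructed message; return the outcomes."""
    long_term_key = secrets.token_bytes(32)
    msg = b"constructed sample traffic: GET /account HTTP/1.1"
    ct_static = static_scheme(long_term_key, 7, msg)
    static_broken = static_scheme(long_term_key, 7, ct_static) == msg
    session = EphemeralSession(long_term_key, start_time=0.0)
    ct_pfs = session.encrypt(msg)
    pfs_broken = attack_after_key_theft(long_term_key, session.transcript, ct_pfs, msg)
    old_key = session.key
    rekeyed = session.maybe_rekey(now=3600.0) and session.key != old_key
    return {"static_broken": static_broken, "pfs_broken": pfs_broken, "rekeyed": rekeyed}
```

Running `demo()` returns `static_broken` True and `pfs_broken` False: the same key theft exposes every recorded static-key session but nothing from the ephemeral one, and `rekeyed` True shows the hourly rotation limiting what an in-session compromise could expose.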

Also published on Medium.
