ExpressVPN is one of the best VPNs out there, largely because of how fast it is. This is due to several factors, not the least of which is the server technology the company employs. Called TrustedServer, it promises not just greater speeds than the competition, but also superior privacy. Let’s take a look at how it works.
The Foundation of TrustedServer
The full workings of TrustedServer are laid out in this post on the ExpressVPN blog by Shaun S., an engineering fellow at the company and the creator of the technology. The full post goes into remarkable detail—we wish more companies were this transparent—so we’ll just quickly recap it here for the less tech-savvy among you.
At the core of every VPN provider are its servers, computers that reroute your connection. We’ve explained VPN servers in detail, but in short, they have their own type of hardware and software, including their own type of operating system.
In the case of TrustedServer, this operating system is a custom version of Linux, which is updated weekly. Each time a new version of the OS is created, the code is checked by a second engineer—and, for more in-depth changes, even a third.
Each engineer also has to access their work using a cryptographic key that identifies them. This ensures that nobody can add anything that might compromise the integrity of the OS, either through malice or by accident.
After the update has been put together, the new build of the OS is tested on internal servers by the team before deployment. Assuming all is well, the update is then rolled out, again with a number of failsafes to ensure safety.
It’s a highly involved process with lots of double-checks, which, together with the transparency of the process, gives us a lot of faith in the security of ExpressVPN’s servers. However, this isn’t even what makes TrustedServer unique.
How TrustedServer Works
The point of these regular weekly updates—besides making sure any new threats can be dealt with—is that resetting a server also deletes any data on it. This is because ExpressVPN’s servers don’t run from regular hard disk storage, but instead run entirely on RAM, or random access memory.
The difference is that once you write something to a hard disk, it stays there until somebody deletes it, while RAM loses everything stored in it when the system reboots. This means that even if the system were to be breached, none of your logs (records that show when you connected and where you connected to) can be found. Keeping those records out of anyone’s hands is at the core of what VPNs are for, which makes this very important.
Naturally, the issue here is that if somebody were to breach the system (or get a warrant) on the day before the update is slated to go, they’d get a week’s worth of logs off of it. As such, ExpressVPN has implemented a system that it claims guarantees no logs are created, let alone kept.
Again, this system is layered, with failsafes built on top of failsafes. The first step is how ExpressVPN engineers its VPN protocols—the rules that govern how the VPN server talks to other computers on the network. ExpressVPN’s proprietary Lightway protocol allegedly keeps no logs whatsoever, and ExpressVPN has customized the other protocols it uses, like OpenVPN, so they don’t do so, either.
However, you can’t always predict what will happen: maybe a protocol will reconfigure itself by accident, or some other mishap makes it so that a log is accidentally created. To prevent this, ExpressVPN sets things up in such a way that any output by any VPN-related software is sent directly to a black hole inside the operating system.
Known as /dev/null, this is a special file that destroys anything sent there without a trace. It’s a pretty cool little gimmick, and one we suspect is used by many VPNs to destroy logs.
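The following is an added example, not ExpressVPN's code and not taken from its blog post: a POSIX shell check, for a Linux host with /proc, that a given process really has its stdout and stderr pointed at /dev/null. It goes one step beyond the redirection described above by also listing any file the process holds open for writing, since redirecting output does not cover a log file that software opens itself; the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit where a Linux process can write (requires /proc).

# Return 0 only if stdout (fd 1) and stderr (fd 2) of PID are /dev/null,
# 1 if either points elsewhere, 2 if the process cannot be inspected.
output_is_discarded() {
    for fd in 1 2; do
        target=$(readlink "/proc/$1/fd/$fd" 2>/dev/null) || return 2
        [ "$target" = "/dev/null" ] || return 1
    done
    return 0
}

# Print "fd path" for every file PID holds open for writing, other than
# /dev/null. Sockets and pipes (e.g. a syslog socket) are skipped here.
writable_files() {
    for link in /proc/"$1"/fd/*; do
        fd=${link##*/}
        target=$(readlink "$link" 2>/dev/null) || continue
        case $target in
            /dev/null) continue ;;
            /*) ;;              # a path on some filesystem
            *) continue ;;      # socket:[...], pipe:[...], anon_inode:...
        esac
        # fdinfo prints the open flags in octal; the low two bits are the
        # access mode: 0 read-only, 1 write-only, 2 read-write.
        flags=$(awk '/^flags:/ {print $2}' "/proc/$1/fdinfo/$fd" 2>/dev/null) || continue
        [ -n "$flags" ] || continue
        last=${flags#"${flags%?}"}      # last octal digit
        if [ $((last & 3)) -ne 0 ]; then
            printf '%s %s\n' "$fd" "$target"
        fi
    done
    return 0
}

# Usage: sh audit.sh PID
if [ -n "${1:-}" ]; then
    if output_is_discarded "$1"; then echo "stdout/stderr: /dev/null"
    else echo "stdout/stderr: NOT discarded"; fi
    writable_files "$1"
fi
```

Inspecting another user's process this way needs root, and an empty list from `writable_files` says nothing about logging over a socket.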
Closing the Circle
All the above sounds great, but as is often the case with claims of no-log VPNs, you’re taking all the company’s promises at face value. After all, it’s not likely you can just go in and check whether TrustedServer works as advertised. To solve this issue, more and more VPNs are relying on independent audits performed by third parties.
ExpressVPN engaged PricewaterhouseCoopers, a massive accounting and security firm better known as PwC, to conduct its audit of TrustedServer technology, and it passed with flying colors. This indicates that the technology works as advertised.
That said, there are a few notes we should make. For one, ExpressVPN doesn’t allow you to sign up anonymously, so your personal data, like name and address, are still in a database somewhere and could be vulnerable to attack.
The other is that, audit or not, you’re still taking any no-log promises at face value. While ExpressVPN hasn’t given us too much reason to doubt its word, PwC has. The company’s recent history is rife with accusations of malfeasance; for example, one whistleblower claims that financial auditors pulled their punches to make sure that they would retain the business of Silicon Valley companies they were auditing. This 2020 article by accounting site Going Concern has a recap of some of the biggest lawsuits PwC was involved in.
That said, ExpressVPN also has undergone audits of other parts of its tech (like this one by Cure53 for its browser extension), so we feel confident in saying that TrustedServer works as advertised. Overall, ExpressVPN’s transparency is a good indicator that you can trust its technology to keep your data safe.