ExpressVPN and Project Raven: everything we know so far

ExpressVPN and Kape
(Image credit: ExpressVPN)

ExpressVPN’s executive Daniel Gericke made news last week as one of three former US intelligence and military personnel who have altogether been fined more than $1.6 million by the US Department of Justice (DoJ) to resolve alleged charges around "Project Raven".

Exactly what happened and how it affects the VPN industry is a complicated story, especially when there are multiple parties involved, several three-letter acronyms and a couple of legal terms thrown in the mix. 

TechRadar Pro breaks down the key facts, how Edward Snowden got involved and whether ExpressVPN users should be worried about the incident.

What exactly did the US Department of Justice announce?

The DoJ revealed that three former U.S. intelligence operatives - including current ExpressVPN executive Daniel Gericke - were facing federal charges in connection with their work for DarkMatter, a company based in the United Arab Emirates (UAE).

The men were allegedly part of a secretive operation called “Project Raven” that ran from 2016 to 2019. The programme enabled the UAE government to spy on various targets, ranging from suspected terrorists and critics of its regime, according to a Reuters report.

The three men have since reached a deferred prosecution agreement (DPA) with the US  government. It is important to note that contrary to popular belief, a DPA is not a conviction or a plea, but an agreement between the prosecutor and defendant to resolve the matter without going to court. Were the actions of the defendants considered to be gravely detrimental to U.S. national security interests, it is unlikely that the case could have been resolved without a trial or guilty plea.

As part of the DPA, the three also agreed not to dispute any of the facts alleged by prosecutors - which is probably the main reason why we have not heard directly from any of them so far. TechRadar understands that Gericke has been advised by his lawyers to not speak to the media about this matter.

Acting Assistant Attorney General Mark J. Lesko for the Justice Department’s National Security Division described this agreement as “the first-of-its-kind resolution”.

While the parties named in the DPA are unlikely to be able to shed more light on the matter, previous Reuters reporting says Raven operatives believed “the mission was blessed by the U.S. government” as they were told the NSA were being regularly briefed and had approved of the project. However, the DoJ release asserts that the men “chose to ignore warnings” that their work required a license from the US State Department.

What “key facts” did ExpressVPN know about Daniel Gericke?

ExpressVPN said in a public statement on 15 September that they knew “the key facts relating to Daniel’s employment history” before hiring him. 

In a response to TechRadar Pro’s queries, ExpressVPN confirmed that at the time of Daniel Gericke’s hire in December 2019, the company was aware that Gericke had previously worked at CyberPoint and DarkMatter but had no knowledge of his association in Project Raven. 

CyberPoint is an American defense contractor that had the US government’s authorization to work with the UAE in what is described as a counter-terrorism mission. When Project Raven transferred from CyberPoint to DarkMatter, prosecutors say the latter company failed to seek these approvals.

Former operatives described Project Raven to Reuters as having helped the UAE break up an ISIS network as well as assess the risk of terrorist attacks. However, whistleblower Lori Stroud said she eventually discovered that the UAE’s “national security targets” included not only terrorists, but also dissidents and human rights activists.   

While the Reuters report in January 2019 disclosed DarkMatter’s involvement in Project Raven, ExpressVPN told TechRadar that it was not made known to the company at the time of Gericke’s hire that he was in any way associated with Project Raven, which was classified.

ExpressVPN said it was only made aware of Gericke’s association with Project Raven along with the existence of the DPA and its related proceedings on 7 September 2021, when the DoJ finalized the DPA with the three individuals named in it. ExpressVPN also reiterated that they “do not condone Project Raven”, describing the project as “antithetical to our mission”, and that the company “stands firmly on the side of a more free, secure, and private internet”.

Why did ExpressVPN hire Daniel Gericke in the first place? And why are they defending him even to this day?

In a public statement published on ExpressVPN’s blog on 16 September, the company explained using a soccer/football analogy, that, “the best goalkeepers are the ones trained by the best strikers”. ExpressVPN added: “Someone steeped and seasoned in offense, as Daniel is, can offer insights into defense that are difficult, if not impossible, to come by elsewhere.”

It’s true that cybersecurity companies often hire former military officers and intelligence experts. This includes Head of Cyber Investigations at McAfee John Fokker (see our in-depth interview with him), CEO of FireEye Kevin Mandia, CEO of Deloitte-owned root9B Eric Hipkins and more. 

Many cybersecurity firms specifically recruit veterans and have dedicated hiring programs for them. They often have specialist expertise that is hard to find in the private sector.

ExpressVPN highlighted the value that this kind of candidate can bring to the table: “Since Daniel joined us, he has performed exactly the function that we hired him to do: He has consistently and continuously strengthened and reinforced the systems that allow us to deliver privacy and security to millions of people.”

As TechRadar have done in the past, notably with NordVPN (and its infamous data breach) and IPVanish (when it was accused of logging data), we asked ExpressVPN to go on the record to explain their rationale for defending Gericke.

In a statement to TechRadar, ExpressVPN co-founder Dan Pomerantz said, “I know Daniel regrets that he wasn’t and isn’t able to speak on-the-record regarding the matters covered in the DPA. But I think I can speak for him that his experience seeing how cybersecurity tools could be co-opted and misused has made him a firm believer in our mission of equipping internet users with the tools to protect their digital privacy and security. In the past two years, he has gone above and beyond in delivering on this mission, translating his unique expertise into concrete improvements in security for our users. I can say without a doubt that ExpressVPN users are more secure today thanks to Daniel’s contributions.”

The statement further elaborates: “In fact, Daniel has actively pushed our organization to drastically reduce the risk of internal threats. He has worked to ensure ExpressVPN is secured from the ground up, such that all changes to any code require ‘four-eyes review’ and multifactor authentication. Everything from our security rules to our VPN software code is managed in such a way to prevent a single bad actor from creating a backdoor or compromising our users’ privacy in any way. All products and services developed by us go through rigorous, multi-person security testing before they are deployed to our users.”

Should ExpressVPN users be worried? 

The short answer is that there’s not any concrete reason to be worried. But we will be watching closely to make sure ExpressVPN keeps good to their commitments. And to quote one of our esteemed peers, “Trust, but verify”.

The long answer can be found on ExpressVPN’s blog, which explains how no single internal team member - including Gericke - is able to cause damage to their systems and users because of the robust protections they have in place. Two such examples, according to the blog post, include their TrustedServer technology and app build verification system. 

Another concern voiced on several online forums was whether Gericke could be compelled by the FBI to hand over ExpressVPN source code or user information for unrelated requests - including those involving ExpressVPN users suspected of committing crimes.

ExpressVPN believes such concerns are overblown: “We don't see any reason the FBI would request information not pertinent to the DarkMatter investigation, but nonetheless the DPA specifically does not enable the FBI to request materials or documents not in Daniel's immediate possession. Data regarding ExpressVPN users are held under BVI jurisdiction and are not in Daniel’s personal possession or control. In the unlikely scenario the FBI attempted to make a request that infringed upon ExpressVPN data, Daniel and his legal counsel would assert the limits of the DPA in denying such a request and refuse to hand over confidential company information,” ExpressVPN said in a statement. The company added, “We only collect the minimal data required to operate our VPN service at scale. No one can have access to data if we don’t collect it to begin with.”

That said, it is impossible to ignore the tweet from former NSA employee Edward Snowden, who stole and leaked millions of secret government documents. Following the announcement of the DPA, Snowden warned users to stop using ExpressVPN. Incidentally, Reuters noted that Stroud was the one who first helped Edward Snowden get hired into NSA, which is perhaps why Snowden is weighing in on the story as well. Edward Snowden, Lori Stroud and Marc Baier (one part of the trio named in the DPA with ExpressVPN’s Gericke) all worked for the NSA in Hawaii at the same time. Ironically, Snowden’s history of working within the US intelligence community and then switching to the other side is not without similarities to Gericke’s. 

ExpressVPN’s path forward

It’s difficult to decide how much weight should be given to an individual’s past action when reviewing his current employer’s product and service. While it’s clear that Project Raven runs counter to the values of a VPN service, we don’t feel that it’s for us, at TechRadar, to decide whether an individual should be judged on old news, or given a second chance. 

Especially when the individual in question appears to have turned over a new leaf some years ago. What we are clear on is that we have yet to see anything pointing to ExpressVPN being involved in surveillance or activity logging.

There are veiled suggestions and suppositions; there's no apparent evidence of wrongdoing, no mechanism to explain what it might be. It's a bad look for them, yes, and that matters in such a trust-based business, but it's still just a 'look’.

ExpressVPN’s leadership has been transparent in its response to this troubling incident. Their recent audit and open-sourcing of the Lightway’s core code is another check on the side of transparency and good security practices. 

Reassuringly, ExpressVPN has also stressed their commitment to independent audits going forward, such as those which will “annually recertify our full compliance with our Privacy Policy, including our policy of not storing any activity or connection logs”. That’s something we, at TechRadar Pro, would like to see across the VPN industry

We'll keep a closer-than-usual eye on any development, and will be asking questions along the way. With matters of trust, it’s imperative that a company doesn’t just talk the talk. We’ll be watching to make sure they are truly walking the walk.

TOPICS
Desire Athow
Managing Editor, TechRadar Pro

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website builders and web hosting when DHTML and frames were in vogue and started narrating about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium.