ExpressVPN on Building the Future of Privacy: Rust-Powered Protocols, Zero-Knowledge Innovation, and Embeddable VPNs

With cutting-edge technology like TrustedServer and the exclusive Lightway protocol, ExpressVPN has long been at the forefront of digital privacy. The business keeps raising the standard for speed, openness, and trust as cyber threats become increasingly sophisticated. 

In this exclusive conversation, Dr. Peter Membrey, Chief Research Officer and the lead behind Lightway and a key force at ExpressVPN since 2016, opens up about the transition to Rust for security-critical infrastructure, the deeper role of zero-knowledge technologies, and how VPNs are evolving into native components of digital life.

Peter offers unique insight into how ExpressVPN is future-proofing its stack to meet modern cybersecurity demands—and why they believe VPNs must go beyond performance to become embeddable, verifiable, and radically transparent.

Keep reading to learn more about ExpressVPN's development philosophy, Lightway’s rebirth in Rust, and what tomorrow’s privacy-first Internet might look like.

1. You have been with ExpressVPN since 2016. What drew you to ExpressVPN, and how has your journey evolved since then?​

My passion for solving the big problems has always been the compass guiding my career path. There's something uniquely powerful about using code to solve complex problems, create innovative solutions, and deliver real value.

Before joining ExpressVPN, I worked in finance analyzing market data, price feeds, and optimizing low-latency trading software, which gave me a strong foundation in quantitative analysis and performance optimization. ​

What ultimately drew me to ExpressVPN in 2016 was the company's unwavering dedication to privacy and its focus on strong engineering principles. I wanted to be part of something with a meaningful impact beyond just building products. 

The opportunity to build technology that empowers users worldwide to secure their digital lives aligned perfectly with where I wanted to take my career. The skills I developed analyzing the protocols powering the financial markets transferred seamlessly to the VPN world, benchmarking network protocols, optimizing connection speeds, and measuring user experience improvements.

That analytical mindset has been instrumental in our approach to solving real-world issues for our customers.​ ​

My journey at ExpressVPN has evolved from focusing on incremental improvements to existing systems to leading transformative projects like Lightway. The scope of my role has expanded alongside the growing complexity of digital privacy challenges.

2.​ You led the development of Lightway, ExpressVPN’s proprietary VPN protocol. What inspired the creation of Lightway, and what were the main goals that set it apart from existing protocols?​

When we started ExpressVPN, we relied on the most established protocols in the industry. We spent considerable time researching, optimizing, and squeezing every bit of performance from existing solutions. Eventually, we reached a crossroads where incremental improvements weren't enough. We needed something better that would directly address our customers' needs. This realization sparked the development of Lightway. ​

When we first released Lightway in 2020, our primary goal was to create a protocol that would allow users to stay connected continuously without forcing them to choose between privacy, speed, and convenience. 

The modern digital lifestyle demands constant connectivity across multiple devices and networks, but existing protocols weren't designed with this seamless experience in mind. 

Lightway was built from the ground up specifically to meet the daily needs of our users. We engineered it to deliver a significantly faster, more secure, and more reliable VPN experience while minimizing battery consumption. The protocol establishes connections in a fraction of the time compared to traditional options, maintains those connections even when switching networks, and runs with minimal overhead on the device.​ ​

As digital threats and user needs have evolved since Lightway's initial release, we made the strategic decision to rewrite it in Rust this year. This modern coding language offers inherent memory safety that eliminates entire categories of security vulnerabilities, delivers better performance through more expressive code—enabling our team to implement improvements more efficiently.

I had considered Rust back in 2020, but due to challenges with the build system and performance, it wasn’t yet able to deliver what we needed for our customers. ​

3.​ Lightway was recently rewritten in Rust. Why did you choose Rust for this transition, and what role do you see languages like Rust playing in the future of secure internet infrastructure?​

The digital landscape continuously evolves, prompting us to evaluate and enhance our software. While C remains a perfectly acceptable language for building low-level systems like Lightway, Rust represents a contemporary programming language that offers significant benefits over C for our use case. 

For Lightway, transitioning from C to Rust offered several benefits that were closely in line with our vision for a next-gen VPN protocol, such as:

• Better security: the coding language, Rust, is inherently safer— none of the critical threats that exist in C can occur in Rust
• Better performance: with a simpler code base, Lightway in Rust is now more efficient, using less power, and operating faster. The safety guarantees also enable safer multi-core processing, allowing Lightway to easily scale
• Future-ready: Rust’s modern design enables easy extension of the protocol to integrate new features and improvements, all without compromising on performance

4.​ We know that the Lightway protocol went through two independent audits by Cure53 and Praetorian. Beyond just audits, how do you see transparency evolving in the VPN space? Could zero-knowledge proofs or other technologies play a role in future trust-building mechanisms?​

Independent audits remain fundamental to our commitment to trust and transparency. These audits aren't just checkboxes for us—they're essential tools that help users make informed decisions about trusting us with their privacy.

Looking forward, I believe transparency in the VPN industry will need to become increasingly technical and verifiable. The "trust us" approach is no longer sufficient in a world where privacy threats are growing more sophisticated. That's why we've embraced open-sourcing the core of Lightway—allowing anyone to inspect our implementation and verify our security claims. ​

On the technology front, we're constantly evaluating emerging innovations that could enhance transparency and go by a mission of privacy by design. One example is our approach to our dedicated IP offering. Zero Knowledge IP Allocation—the cornerstone of ExpressVPN’s dedicated IP service—ensures that IP addresses are allocated privately and cannot be monitored.

We are seeing a lot of interesting ideas in both the research literature and in the new tools and projects that are being released. The holy grail of any privacy platform would be the ability to demonstrate cryptographically that the service being received is exactly what was being offered in a way that does not require the user to trust an external third party.

These sorts of technologies will likely become fundamental to next-generation private platforms, and there will likely be a seismic shift in the industry as user expectations for privacy evolve.

5.​ ExpressVPN pioneered TrustedServer, the industry’s first RAM-only server tech. What newer innovations are you exploring that could further revolutionize infrastructure for VPNs?

ExpressVPN is continuously investing significant resources into developing new technologies to help meet users’ needs. 

While we can’t give away any specifics at this time, we have some game-changing technologies in the pipeline that should start making an appearance in the near future.​

6.​ How has TrustedServer impacted real-world user privacy and breach prevention, and what steps are you taking to ensure ExpressVPN’s technology stack stays future-proof against evolving cybersecurity threats?​

When TrustedServer was first released, we posted (at the time) the largest bug bounty in the history of the bugcrowd platform of $100,0000 USD for any critical flaws that anyone could find. 

Not only has this bounty never been paid out, but so far, no one has even attempted to claim it. That said, we never stand still. TrustedServer is always being tweaked and improved. 

We are also always thinking about the future of TrustedServer and how we could do things differently. As new technologies and approaches become available and proven, we will see how they can be integrated to enhance protection and support for our users.​ ​

7.​ Do you foresee VPNs being integrated more natively into operating systems, browsers, or even hardware? How is ExpressVPN preparing for that kind of integration in the future? 

The VPN landscape is evolving rapidly, and we're indeed seeing a shift toward more native integration across digital ecosystems. As privacy concerns grow and remote work becomes standard, VPNs are transitioning from standalone applications to essential components of our digital infrastructure. 

At ExpressVPN, we've been strategically preparing for this integrated future through our Lightway protocol:

• Embeddable by design: Lightway was specifically engineered to be embeddable across virtually any system. This versatility allows us to integrate VPN technology into platforms and devices that traditionally couldn't support it, opening new possibilities for protection across the digital ecosystem.
• Open source foundation: Since its inception, we've maintained Lightway as an open-source project. This transparency builds trust and enables the protocol to be freely adopted and adapted by developers, manufacturers, and technology partners worldwide.

The combination of Lightway's lightweight architecture and open-source nature positions us ideally for a future where VPN functionality becomes an expected component of digital systems rather than a separate service layer.​

8.​ Finally, what is the one message you’d like to share with users who rely on VPN daily to safeguard their privacy and security online?

When users ask me about using VPNs daily for privacy and security, I always tell them this: VPNs are incredibly valuable tools, but they're just one piece of a larger privacy puzzle. 

VPNs do crucial work by encrypting your traffic and masking your IP address - this helps protect you from snooping ISPs, potential hackers on public Wi-Fi, and various forms of tracking. However, they are not magical shields.

When looking for a reliable VPN, be skeptical of any provider overpromising without any proof of their claims. Look for transparency reports, security audits, and clear explanations of their limitations.

The one message I'd want to leave your readers with is pretty simple: Stay curious and keep learning. Digital privacy isn't something you set and forget - it's an ongoing practice that evolves with technology. Your VPN is a fantastic start, but make it part of a broader privacy mindset.