ExpressVPN Publishes Statement on the Involvement of its CIO in the “KARMA” Spyware Operation
- ExpressVPN states they always knew about the previous activities of their CIO and saw that as an opportunity.
- The VPN firm claims that the former U.S. intelligence agent actually helped them build a more robust product.
- While everything the company claims on the technical side is easily acceptable, the ethical side remains stained.
ExpressVPN’s current CIO (Chief Information Officer), Daniel Gericke, has found himself in the trio of former U.S. intelligence agents called by the state to pay their way out of conviction for criminal charges of aiding government-supported surveillance operations in the United Arab Emirates. Naturally, this has sparked some negative attention around the popular VPN product provider who has just been acquired by Kape Technologies.
As the company explains in their blog post, they knew about Gericke’s involvement in the “KARMA” spyware operation since the moment they were interviewing the man for the job, as he actually disclosed all non-classified information to them. Moreover, they explain that Gericke’s background in operations of this kind and scale, and the knowledge that derives from this experience, offered the firm a first-class opportunity to achieve ultimate privacy and security against all possible threats thanks to the expertise and the consultation of the executive.
ExpressVPN claims that their product already had robust protections against external and internal threats before Gericke arrived in 2019, but with his help, everything was taken up a notch. But this doesn’t mean that they simply trusted the man to do however he pleased. Instead, ExpressVPN says they relied upon their internal system that incorporates “least privilege,” “permission limitations,” “build verification,” and “TrustedServer” technologies, so neither Gericke nor any other executive could have tampered with the code of their products.
After all, the above has been confirmed multiple times through audits carried out by independent experts who scrutinized the infrastructure, privacy policies, client app code, and anything else that sits at the core of the ExpressVPN service.
The VPN company had written an entirely separate detailed post to give specific examples of how Gericke helped them enhance the internal security of their product. Like offense security drills, the development of a “Security Operations Center,” improvement of risk assessment and mitigation through red teaming, and insisting on moving ExpressVPN off of SonicWall firewalls before the company suffered a massive data breach in January 2021.
In summary, ExpressVPN tells its customers not to worry about the news and that everything they did was purposeful and fully under control. On the ethics aspect, though, there’s little that can be said or done to extinguish that fire, so whether or not this is a consideration when selecting a VPN product, that’s up to you.