UPDATE: ExpressVPN has commented on the situation; read the comments below.
Online privacy is like a game of dominoes – as soon as one service falls, others are immediately compromised.
Yesterday we reiterated the Wall Street Journal report on Google’s issues with email privacy. Simply put, it has come to light that some third-party app developers for the Gmail platform can access private inboxes to mine data. The article says it is even considered common practice for human employees to read private communications to improve algorithms, fix bugs, etc. Scary stuff, to be sure!
Email exchanges between VPN providers and clients may include names, transaction details, etc.
Well, today we’d like to share our concerns about the ominous link between this story and the VPN market. After the original story broke, we decided to look at some DNS (MX) records and see whether any of our favorite VPNs were using Gmail as their email service. Obviously, a significant number of them do, or we wouldn’t be writing about it.
Google has tried to mitigate their data privacy issues, but they have not denied that some third-party developers have access to your emails. This is a hard blow for those VPN providers who use Gmail to communicate with you. How can they claim your privacy is safe if even Google says that’s not true?
By the way, all of the above also applies to (among others) Microsoft and Yahoo.
So here are some top VPN service providers whose data protection game needs some serious work:
So here’s the biggest surprise on this list of culprits – ExpressVPN. This is one of the biggest, safest, and all-around best VPN services on the market. We had it ranked #1! It boggles the mind that a company with this many resources and such an expensive product has failed to make sure they use a secure email service. TorGuard, with its thousands of servers around the globe, may even be bigger. We’re less disappointed with PrivateVPN – while its reputation has had no blemishes before now, they are understandably not as well-equipped to cover all their bases.
The VPN security of these popular services is also in question:
Of particular note is VPN Unlimited, whose email service is Yandex. That is, potentially, a whole new can of worms due to the relationship between big business in Russia and the government.
Why is this important?
One of the primary functions of a Virtual Private Network is protecting its users’ data privacy and personal identity. The top VPN services do this extremely well – they have strong encryption and private DNS, they work hard to plug all kinds of data leaks, and they try to keep their interactions with users as anonymous as possible.
Journalists, political activists, simple torrent users – people from all walks of life trust VPNs with their secrets. Some of these secrets could even be life-threatening in the wrong hands. Even short of that, email exchanges between VPN providers and clients may include names, transaction details, and other things you’d rather keep out of sight! In that context, the idea of these communications being read by third parties is very troubling indeed.
Let’s be clear – we’re not here to sell torches or pitchforks. Sensitive though this issue may be, for all we know its impact may be trivial. It’s also not the VPN providers’ fault that Google has some nasty skeletons in its closet. Having said that, if you are using any of the affected VPNs, do yourself a favor and ask some hard questions!
These VPNs are safe to use
Despite all of the above, the other side of this dirty-looking coin is still shiny. So, let us balance the grim findings with a list of top VPN service providers that you can use without risking email leaks to third parties. We have checked dozens of VPNs and here’s what we have for you:
When big names like ExpressVPN fall in suspicious lists like these, all one can say is that there is nowhere safe in this world. Everything is compromised and your data is never safe and private. If you are on the web, you are out there for sure!
As I understand, the culprits here are not VPN providers but email service providers. VPNs are suffering collateral damage as clients of these email providers.
But, this sure opens the eyes of clients as well as VPN providers. We need to be watchful of such scenarios.
While I was looking for a VPN, I found this article very interesting. The comments and replies are also very educational. So far, I have known what to use, but definitely not the ones leaking my email messages. Thanks
Well, that’s a shock; I had heard only good stuff about ExpressVPN. I’ve read the comments and their response, and to me they still sound legit and safe. Thanks for the article though.
I’m shocked that ExpressVPN isn’t using a secure email provider for its clients! I’ve read several of the comments here and there seems to be some doubt about whether this article is accurate. I’m sure there will be a lot of people moving to some of the other VPNs you’ve listed, like Nord & CyberGhost, if not at least asking some questions of their current providers.
There are certainly doubts and we’re not claiming we know the truth – merely pointing out that using Gmail leaves room to ask the question. And that’s something we don’t want to worry about when using a VPN.
Let’s clarify further:
Signup emails might not come through Gmail as such, in fact, any other transactional emails can be sent using any SMTP server or service that provides this feature (in this case, SendGrid). However, if people write ExpressVPN (or ZenMate, or whoever else) using [email protected], these messages may contain signup data, other sensitive data, as well as metadata that can be in the email. In the end, most likely Google can still identify what username/email is using ExpressVPN, and also link it back to an IP address.
It is likely that usage of third-party apps is disabled, and this is good for security; however, by default Google does not offer any PGP encryption or encryption of email messages on the inside with a master password, like Tutanota/Hushmail or Protonmail. These email services couldn’t see the emails if they wanted to!
As you may know, Google has the ability to show ads by Gmail target group, which is identified by people receiving or sending specific emails. Those users can be easily identified when using Gmail MX addresses and therefore potentially end up on a list of risky VPN users.
What’s more interesting is that it seems very likely that internal ExpressVPN communications would make sensitive data available to Google – using Google Drive for storage, an employee sending user data via Gmail, etc. As a consequence, Google will have this information, which could later be used against users. We at VPNpro strongly believe in the privacy and security of users; therefore we still see a problem with VPN providers using Gmail for any of their communications when there are plenty of alternatives on the market with proper encryption to make sure even the email provider can’t access private information.
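The DNS check the article describes, and the distinction drawn in the comments above between the inbound mail path (MX records) and the outbound sending service (SPF includes such as SendGrid), can be reproduced with a small script. This is an added example, not VPNpro’s or any provider’s code; the domain, MX and SPF values are constructed samples, and the provider suffix tables are the well-known public hostnames, not a complete list.

```python
import re

# Well-known MX hostname suffixes of hosted mail providers (public DNS knowledge).
MX_PROVIDERS = {
    ".google.com": "Google",
    ".googlemail.com": "Google",
    ".mail.protection.outlook.com": "Microsoft",
    ".yandex.net": "Yandex",
    ".protonmail.ch": "Proton",
}
# SPF 'include:' targets of common outbound senders. The sending path is
# independent of MX: MX only says who RECEIVES mail addressed to the domain.
SPF_RELAYS = {
    "_spf.google.com": "Google",
    "spf.protection.outlook.com": "Microsoft",
    "sendgrid.net": "SendGrid",
}

def classify_mx(mx_hosts):
    """mx_hosts: list of (preference, hostname) as returned by an MX lookup.
    Classify the primary (lowest preference) host by its DNS suffix."""
    if not mx_hosts:
        return "none"
    _, host = min(mx_hosts, key=lambda h: h[0])
    host = host.rstrip(".").lower()
    for suffix, provider in MX_PROVIDERS.items():
        if host.endswith(suffix):
            return provider
    return "self-hosted/unknown"

def spf_senders(txt_record):
    """Return the services authorised to send for the domain, read from the
    'include:' mechanisms of its SPF TXT record (unknown includes kept as-is)."""
    includes = re.findall(r"include:([\w.\-]+)", txt_record)
    return sorted({SPF_RELAYS.get(inc, inc) for inc in includes})

def report(mx_hosts, spf_txt):
    """Inbound provider (who can read support mail) vs. outbound relays."""
    return {"inbound": classify_mx(mx_hosts), "outbound": spf_senders(spf_txt)}

# Constructed sample: what a lookup for a fictional VPN domain might return.
SAMPLE_MX = [(10, "alt1.aspmx.l.google.com."), (1, "aspmx.l.google.com.")]
SAMPLE_SPF = "v=spf1 include:_spf.google.com include:sendgrid.net ~all"

if __name__ == "__main__":
    print(report(SAMPLE_MX, SAMPLE_SPF))
```

Feed it the real MX and TXT answers from `dig MX <domain>` and `dig TXT <domain>` to see that a domain can send signup mail through a relay while still delivering every inbound support message to a hosted provider.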
This article is nothing more than sensationalist link/click bait. I’m glad Express corrected many of the fallacies and inaccuracies.
Another one I wanted to point out from your reply above:
“1. Perhaps, but your MX is Google, and that means all your signup emails go through Google. That is not trivial data.”
Sign up emails can come from any email server – regardless of MX records. I could generate an email from Express from my own web server with 1 line of code. That’s why so many people fall for phishing scams.
Before you put people on blast, please do your homework.
At ZenMate, we are currently closely observing the development around the Gmail case in light of the report published by the Wall Street Journal earlier this month. As of now, we did not find any existing proof or evidence that the emails we have received or sent via the ZenDesk platform connected with a corporate business Google account got in any way compromised, leaked or shared with an uncertified third party.
We share thoughts expressed by our colleagues at Express VPN. In our opinion, the article by Kevin Marlowe is not necessarily a simple reiteration of the initial report by the Wall Street Journal. It’s a mixture of facts and suggestions without any proof, which may, in turn, result in reduced trust in the VPN industry.
While playing a role of a watchdog is both welcome and necessary, being a real watchdog is a challenge.
The wording “may leak” is a very ambiguous one, protecting the author in the shadow of not being responsible for his words. It may be interpreted as “leak” by many, but – apparently – it’s not what the author truly means. These suggestions, allegations, and inductions may have by default increased stickiness, but nobody can prove anything at the current moment, as no evidence exists. There is no reason to believe that something is wrong.
At ZenMate, we believe in the freedom of speech and therefore, treat this article as just one of the elements of this freedom.
i’ve used TorGuard for a month or so and i’m happy with the performance. tried some of those ‘good vpns’ as well and the download speeds sucked a**. so whatever
no decent person ever used gmail..
I still don’t really get how VPNs leak email messages or what they have to do with this whole Gmail issue. So what can I do if my VPN uses Gmail?
1. The VPNs are not at fault here, but they are risking their (and, by extension, your) privacy by using Gmail.
2. First of all, you should talk to your VPN service provider.
3. If their answers don’t satisfy you, consider choosing one of the VPN services that don’t use Gmail/Microsoft/Yahoo/etc. as their email service.
Hope that helps!
This article is completely inaccurate, and there is no risk of any ExpressVPN customer data being compromised in the manner described.
For the sake of correcting the record, we’ve outlined the key fallacies below:
“it has come to light that some third-party app developers for the Gmail platform can access private inboxes to mine data.” –> Maybe so, but our Google Apps policies prevent any ExpressVPN staff from using such third-party apps.
“This is a hard blow for those VPN providers who use Gmail to communicate with you.” –> A key point here: ExpressVPN doesn’t use Gmail to communicate with customers. We use Zendesk, which is an industry-leading ticketing system with strong customer data protection policies.
“These VPNs might be leaking your email messages” –> That’s false. As outlined above, there’s no risk of customer support-related emails leaking in this manner. Furthermore, this sensationalist headline insinuates that somehow all of a customer’s emails—even those unrelated to communicating with a VPN provider—are at risk of leaking, which goes far beyond what the article suggests and is completely unfounded.
– The potential security issue outlined here does not impact ExpressVPN or its customer communications.
– The fact that we use Google Apps internally in our company has nothing to do with how we communicate externally with customers through support tickets (which happens via Zendesk).
– We have internal protections against third-party apps accessing anything we store inside of Google Apps. The security risk stated by the Wall Street Journal was purely about third-party apps, not Google itself. We don’t grant third-party apps any access permissions whatsoever in either Google Apps or Zendesk.
– ExpressVPN staff use appropriate tools for operational security in our own communications, such as PGP email and many others.
– Some VPN providers you list as “safe” have MX records pointing to Microsoft instead of Google, which has the same category of risk as it relates to third parties. In fact, any hosted email system would carry this type of risk.
– If VPN providers run their own ticketing system or email system, it’s arguably much harder to keep that secure, and would require significant engineering resources to do so. As VPN is our core competency, we opted not to put a dozen engineers to work on building and maintaining a ticketing system. We instead chose to trust Zendesk with that. VPN providers who run their own systems should be transparent about what steps they are taking to ensure that those systems don’t get hacked.
First of all, thank you for the detailed comment. As we try to make it clear in our article, we appreciate ExpressVPN and recognize the level of quality you guys have achieved. The fact that you responded so quickly only proves that!
With that said, we feel the clarification doesn’t live up to your otherwise-awesome product. Here’s why:
“Maybe so, but our Google Apps policies prevent any ExpressVPN staff from using such third-party apps.”
Be that as it may – and we have little doubt this is the case – you are asking ExpressVPN users to take you at your word. No-logging policies and other such things exist to put users at ease – “even if the FBI comes and we want to cooperate, we have nothing to give them.” In this instance, users are placed in an awkward position. All they know is that you use Gmail – they can’t see what your Google Apps policy looks like. Moreover, one Google Apps policy is always one mouse-click away from a different policy.
It is also a legitimate concern for users that your communications (whatever they may be) are in Google’s power rather than yours. As long as that’s the case, there are always going to be concerns and questions.
“A key point here: ExpressVPN doesn’t use Gmail to communicate with customers. We use Zendesk, which is an industry-leading ticketing system with strong customer data protection policies.”
1. Perhaps, but your MX is Google, and that means all your signup emails go through Google. That is not trivial data.
2. Your support email is [email protected], so, before going to your Zendesk inbox, does the mail not go through a Gmail server?
“That’s false. As outlined above, there’s no risk of customer support-related emails leaking in this manner. Furthermore, this sensationalist headline insinuates that somehow all of a customer’s emails – even those unrelated to communicating with a VPN provider – are at risk of leaking, which goes far beyond what the article suggests and is completely unfounded.”
The headline states that “These VPNs might be leaking your email messages”. In no way does that mean that a) these VPNs are leaking your email messages; b) users’ email messages not received by the VPN provider are at risk of leaking. Neither implication was our intention, and we feel the language reflects that.
Your comment raises some legitimate points, particularly about the difficulty of running a self-owned ticketing or email system, as well as the transparency that requires. We agree and will pursue that topic in future articles!
PS: Your point about MX records pointing towards Microsoft is noted and we have already updated the article accordingly!