I am fully aware of what vpn services to use and not. I am not using Express VPN, I am simply doing research for a master thesis, when I came across these results from Express VPN. If you have any ideas or corrections, please let me know why a VPN provider would need to have access to these permissions.

Screenshot is from Exodus service, which let’s you view what exactly perimissions and trackers each app uses. You can check out the results and the tool for yourself here: https://reports.exodus-privacy.eu.org/en/reports/com.expressvpn.vpn/latest/

Link to Image

In the mobile space, there are Chinese calculators apps on Androids by manufacturers that require internet access…

To be fair, the calculator on my phone has a built in currency converter and would need network access to get the exchange rates

That’s legit and justifiable though I rather my apps to perform just one core duty and don’t unnecessarily append unnecessary functions to justify internet access.

And the calculator apps I’m referring to doesn’t have currency function. I only found out when I use root and XPrivacyLUA to monitor apps permissions some years back for context.

My eyes… ouch

@thepiguy@lemmy.ml
link
fedilink
17
edit-2
7M

I prefer mullvad. Not only is their pricing and account system much more privacy focused, they are a European (Swedish) company and are bound by the laws of my country by default. Another European one is surfshark (Dutch) which I used before. I trust mullvad more though. They also have open source clients and had no user data stored when they were raided once before.

Edit: clarifying the reason I used surfshark. I used it back when I was in high school a few years ago, so their 3 year plan seemed like a very good price. They also supported this very obscure VPN protocol whose name I can’t remember, and my school just so happened to have forgotten to block it on their network. But I couldn’t use that protocol on Linux due to incomplete connection steps provided by surfshark, and I switched to using linux full time in the second half of my first year, so that was a waste and I just used my mobile data.

They also push the envelope on privacy, and frequently publish security reports.

not to discredit what they do and what’s been said, but i think it’s important to keep in mind (with one’s threat model in mind also) that they’re based in Sweden, a 14 eyes country.

What’s 14 eyes?

basically an agreement between 14 countries to share signals intelligence amongst one another. effectively, if your data gets captured in Sweden, all the participating states are able to get their hands on it. check out the Wikipedia article for more details on 14 eyes: https://en.wikipedia.org/wiki/Five_Eyes#Fourteen_Eyes

Thank you.

What kind of VPN would need those permissions?

The one that Edward Snowden (yes, that one) publicly and explicitly called out that people shouldn’t use. I won’t rehash it here, but it’s worth reading about.

voxel
link
fedilink
14
edit-2
7M

probably qr scanning
bt for FIDO

FIDO can be done locally. Why external key?

Captain Beyond
link
fedilink
31
edit-2
7M

Not an endorsement of ExpressVPN, I’ve learned to avoid companies that sponsor on youtube. However, I believe you don’t need the proprietary app to use the service, you could use a free software OpenVPN client such as this one.

They do offer support for OpenVPN although, unsurprisingly, they heavily push their proprietary client as the preferred way to use the service. This alone would be enough to discourage me from using it or recommending it.

If handfuls of youtube sponsor callout videos has been proof of, is that you should never use a service advertised on youtube.

Kindly enlighten us good sir.

Any money spend on marketing is not used to improve the product.

So, not advertising is the best advertisement for intelligent consumers?

Yes. See Sennheiser versus Beats.

There are Bluetooth FIDO security keys out there for 2FA, like: https://thetis.io/products/fido2-ble-security-key. Some implementations can also use a phone, running an app via BLE. Not sure if they use it, but that could be one reason it’s asking for that permission.

Camera permission may be needed for scanning QRCodes to set up 2FA.

I use Express VPN and the camera permission is relatively new as I don’t have it enabled and it’s never asked me prior to enable it. I dug through the app and found it within their new password manager when you add a new credentials it offers you to help setup 2FA with the major providers and you can optionally scan a QR code with it so it’s a benign convenience feature.

Bluetooth on the other hand I cannot explain unless it’s to proxy any connections Bluetooth devices might make.

Mr. Forager
creator
link
fedilink
37M

thanks for the insights :)

deleted by creator

lol

ultratiem
link
fedilink
877M

I don’t get why the entire world isn’t on Mullvad.

I don’t trust these guys at all. I trialed them and despite their full money back guarantee, they locked me into a support loop, always switching support staff with boiler plate responses and links that dealt with account issues or whatever. It wasn’t until I left a stern reply demanding the refund or I would escalate the matter with the proper regulatory bodies.

It took 4 support tickets. To me, they came across hella shady.

I know this isn’t popular but I really like Nord. I’ve been with them for years before the ad campaigns that turned people off. Mullvad can use wireguard so I may look at them again at some point, but the Linux cli client for Nord is really solid and picks the fastest server in whatever region you like.

ultratiem
link
fedilink
77M

Wireguard is insanely fast. Like insanely fast compared to traditional VPN connections. For me that is an absolute dealbreaker they don’t have it.

Once you start using Wireguard you can’t go back.

Thanks for the update. I just checked them out and they seem like they have a lot of servers. They’re almost double what I paid for Nord. Is there enough of a difference to consider switching? My Nord subscription doesn’t expire for five more months though.

ultratiem
link
fedilink
17M

Up to you. For me it would be about trust. These guys are supposed to be my disguise. And then obviously speed.

I have a 1Gbps line and see no speed impact using Mullvad. Unless I move to real far geographical servers. And even then, some still hit peak throughput.

The anonymity is great too as you can send them an envelope with cash and your account number and they’ll process it. Their service feels like you walked up to someone on the street, got a month’s of VPN and walked off. I wish every sale had to be set up this easy.

Mullvad is by far the best for privacy since you can literally pay with cash and all your account is is a number. No email, no phone number (unless you pay with Swish), nothing at all identifiable except your IP.

The pricing is honest and very consumer friendly, although being more expensive than average. There is no subscription, just monthly cost with no special discounts to get you to buy it “cheaper”.

And they got raided by police and provided them with everything they had: Literally nothing.

Worst thing about mullvad is they only offer like 5 devices or so for your subscription. If they bumped it up to 7 or 8 I’d have no complaints.

For the price, 5 devices is really reasonable

I didn’t say it was unreasonable. I just think it would be nice to have a couple more. I’m usually running out on the devices I run and have to proactively prune connections from machines that might, at the moment, not be using them. What I really wish is that it had tiers: like paying 1 euro for each available connection, versus just “5 euros and 5 connections” - I don’t need 10 full connections, but I’d be happy paying 7 euros for 7 connections.

@SpaceCadet@feddit.nl
link
fedilink
1
edit-2
7M

That depends entirely on your use case, and how “devices” is defined.

For example, I run a couple of docker containers which each have their own VPN connection for different purposes. All connections originate from the same IP and run on the same physical machine even, but if they would be counted as different “devices” that would eat up the 5 device limit rather quickly.

they closed off Port Forwarding

I used to host my Minecraft server safely 😭 don’t know any trusted VPN that has Port Forwarding

AirVPN still has port forwarding. They are run by a non profit activist group and you can use it without their app. Works with openvpn and wireguard natively.

Windscribe

AirVPN

You can set up a VPS and tunnel that to your minecraft server using wireguard some iptables magic if you’re into Linux.

ProtonVPN still offers it I believe

I use Azire, maybe see if they would work for you? They have port forwarding and don’t rotate their IPs that often.

AirVPN

Aido
link
fedilink
-37M

PIA has port forwarding but it costs extra

It doesn’t cost extra, though the IP changes often. You could however buy a dedicated IP, which supports PF and costs extra. I tried PIA in July and it worked well, but the IP changes were annoying when hosting my Minecraft server.

Use something like NoIP.

kryllic
link
fedilink
147M

Dilly dilly, Mullvad is great. I prefer it over ProtonVPN just for how lightweight and simple it is

@LWD@lemm.ee
link
fedilink
67M

I know the camera permission can be explicitly denied by you, and the app can’t work around that. As for Bluetooth, I think it’s the same story, although I haven’t checked …

This isn’t an endorsement of the VPN service, as other people have pointed out it has some issues

Don’t use ExpressVPN, they and others make money off of your data.

Thank you for the heads-up. Do you have any articles about this?

Mr. Forager
creator
link
fedilink
57M

ExpressVPN is owned by Kape Technologies, which was previously named Crossrider. And Crossrider was a plugin development platform that allowed users to distribute ad injection software, which some considered malware. (Kape did not respond to a request for comment.) Kape also previously operated software called Reimage, which is said to enhance computer performance but has been reported to signal false positives on its security tests in order to sell its premium service. Teddy Sagi, the owner of Kape Technologies, was listed in the Panama Papers as a sole shareholder of at least 16 offshore companies—primarily real estate—established through Mossack Fonseca, according to Haaretz. In 1996, 16 years before he acquired Kape Technologies, Sagi was sentenced to nine months in prison for bribery and fraud, according to the Financial Times.

Source; https://innovation.consumerreports.org/wp-content/uploads/2021/12/VPN-White-Paper.pdf

Thank you very much, we should always strive to back up claims with relevant links and data, no matter if it’s common sense or how trivial it might seem.

While the quote and linked paper give a good picture of the VPNs and their controversies, such as ExpressVPN, CyberGhost, and PIA being under ownership of a less-than-trustworthy company which also happens to be specialized in malware and surveillance, I did not find anything that directly supported @spudwart@spudwart.com’s claim.

The only controversy (except questionable ownership) I could find in the article was a few paragraphs lower regarding the Andrey Karlov assassination, where ExpressVPN denied the existence of logs but investigators somehow still managed to extract a serial number of a computer(?) after a datacenter raid. Not sure if I got that right, but it would fit the established profile from this comment chain:

ExpressVPN, on the other hand, told investigators it did not have any logs or customer data on a server in Turkey, which was raided by Turkish authorities, according to Hurriyet Daily News. According to the site, authorities said the server was used to hide details regarding an assassination of a Russian ambassador. ExpressVPN released a statement about the incident.

It’s almost midnight here, so please correct me if I missed something.

Oh, and nice paper, has a good, natural flow and appears to keep technical jargon to a level where anyone should be able to draw well informed conclusions.

Aw man, now PIA is bad too? Crap. I was really enjoying them. ☹

PIA being owned by the same scammy company as ExpressVPN does not necessarily mean that it itself also is bad, but one should keep an open eye on them.

Like I said, I haven’t found any evidence that ExpressVPN sells their customer data, even though it might be likely.

@LWD@lemm.ee
link
fedilink
47M

RTF… Privacy Policy?

“Read the fucking post” lawl, the post says “I don’t use ExpressVPN,” and the person I replied to was like “Don’t use ExpressVPN!”

The intention wasn’t to be a direct response to the OP, but to be a general statement of advice.

Mr. Forager
creator
link
fedilink
97M

Yeah I dont, as I wrote in the description, im just researching different providers.

Wait, are you the same guy I asked for access to your draft when you’re done?

How is the paper going? Will you also be covering self-hosted VPNs in your thesis? Also, SSL-VPNs seem to be coming up nicely, so if you’re interested in obfuscation, that might be interesting to you! Can’t wait to read what you’re cooking!

Mr. Forager
creator
link
fedilink
30
edit-2
7M

Hahah thats me! :P (lemmy is a small world) My main focus is most likely going to be free vpn’s and the risk of using them. I have to limit the scope quite a bit and want to cover areas that are not that well properly documented… yet…

But thanks for the tips! I will defo read up on it and see wheter or not I can have a “alternatives” section towards the end.

Edit -> This research paper might feed your temporary needs :P https://www.usenix.org/system/files/usenixsecurity23-ramesh-vpn.pdf

Thanks, downloaded! Keep up the excellent work!

Create a post

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

  • Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
  • Don’t promote proprietary software
  • Try to keep things on topic
  • If you have a question, please try searching for previous discussions, maybe it has already been answered
  • Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
  • Be nice :)

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

  • 0 users online
  • 84 users / day
  • 537 users / week
  • 1.5K users / month
  • 6.58K users / 6 months
  • 1 subscriber
  • 2.43K Posts
  • 56.3K Comments
  • Modlog