Last week, we reported on the news that ExpressVPN CIO Daniel Gericke has been fined in the USA, forfeited his foreign and US security clearances, and will face future employment restrictions due to his role in Project Raven.
Project Raven was a programme run by the government of the United Arab Emirates to hack into accounts of rivals and groups opposed to the UAE regime. Gericke was one of three ex-US intelligence and military personnel thought to have worked as paid mercenaries on the programme.
The revelations about Gericke couldn't have come at a worse time for ExpressVPN, surfacing as they did just a day after it was announced that ExpressVPN had been acquired by Kape Technologies in a deal that valued the VPN at a cool US$936 million.
At the time, ExpressVPN stood by Gericke. They insisted that they had been fully aware of his past and that he retained their complete trust.
However, it now seems that, while this may be the case for ExpressVPN's senior management team, it is not the case for all of their team.
Staff question ExpressVPN transparency
It has emerged that staff at ExpressVPN have submitted a significant number of very challenging questions to the management team, criticising the fact that they found out about Gericke through the media and questioning the management's judgement in their handling of the incident.
The questions were first revealed by Vice magazine, which has been shown a series of questions submitted through an online form ahead of a team meeting earlier this week.
“To find out such news of the people we work closely with every day through an online article was absolutely distasteful. Why weren't we given a heads-up? Isn't transparency and respect our core values?”, questioned one.
Transparency seems to have been a major concern among ExpressVPN staff. Another question revealed by Vice asked, “Why didn't you explain this before (e.g., when Dan was hired) and not until after you've been ‘exposed’? Are there any other employees whose histories should now be proactively clarified?”
It is a very legitimate point and one that some ExpressVPN customers might well be asking too.
To their credit, ExpressVPN has sought to answer this one publicly. In a new statement, they have explained that the failure to tell staff in advance was due to legal restrictions and they did describe this as “regrettable” before adding, “in a perfect world, would have been handled differently.”
It is a fair point. The Gericke situation was part of a complex legal procedure known as a Deferred Prosecution Agreement (DPA) and had information about it been leaked in advance, the entire arrangement could have collapsed.
But the question ExpressVPN still has not addressed is why it judged it suitable for an online privacy company to hire someone like Gericke knowing the legal situation he was in.
The reputational impact
There is no doubt that the Gericke case has done ExpressVPN some reputational damage and the staff undoubtedly know that.
“How would you convince a prospective candidate that we're still an ethical company who believes in internet privacy [sic] when there are stories on top news sites saying ‘ExpressVPN CIO Helped United Arab Emirates Hack into Phones, Computers'?”, asked one staff member.
This is a question that the company has not yet answered publicly and is one that could yet be hitting their customer base too.
Another unanswered question said, “Can you provide us with information of the total number of cancelled [ExpressVPN] subscriptions/products uninstallation since the announcement of the acquisition and DPA?”
This question will ultimately be what decides whether ExpressVPN has handled the Gericke case, and indeed the Kape acquisition, effectively.
If they lose a significant number of subscribers and the Gericke case continues to impact the public perception of the company, ExpressVPN could well be forced to take a different stance on this issue.
There is no sign that they are contemplating this at the moment but it is an option that must surely still be on the table.
In our initial coverage of this case, we stated that we did not believe that Daniel Gericke posed a security threat to ExpressVPN users.
But there is no denying that ExpressVPN has been harmed by this case, and clearly it has hit team morale within the ExpressVPN camp too.
Hopefully, ExpressVPN can find a way to patch up relations with its workers and reassure them about the role of Daniel Gericke. If it cannot, then a swift and decisive resolution of this situation will be needed to ensure ongoing customer confidence in ExpressVPN.