The heat is back on Wireless LAN Controllers (WLCs) running Cisco IOS XE after technical details of a recently disclosed max-severity exploit were made public. A patch diffing performed by Horizon3.ai, a cybersecurity outfit

Published June 2, 2025 10:00am EDT close 'CyberGuy' warns of cyberscams costing Americans billions a year Tech expert Kurt Knutsson joins "Fox & Friends" to warn of new cyberscams and give tips on how to avoid them. NEWYou can now listen to Fox News articles! Given the number of phishing scams we have all faced over the past decade, most of us have developed a basic skill to spot and avoid obvious phishing emails or SMS messages. Cybercriminals are aware of this, and they have evolved their tactics by shifting to more complex and convincing schemes designed to bypass skepticism and lure victims.Their goal remains the same: to trick you into handing over sensitive information, especially credit card data. One of the latest examples is the rise in subscription scam campaigns. Scammers are creating incredibly convincing websites selling everything from shoes and clothes to electronics, tricking people into signing up for monthly subscriptions and willingly providing their credit card information. Facebook is being used as the primary platform to promote these new and sophisticated scams. A woman shopping online (Kurt "CyberGuy" Knutsson)What you need to knowBitdefender researchers have uncovered a massive and highly coordinated subscription scam campaign involving more than 200 active websites designed to look like real online stores. These sites, often promoted through Facebook ads, sell everything from clothes and electronics to beauty products, but the real goal is to trick users into signing up for recurring payments, often without realizing it.One of the most common lures is the "mystery box" scam, where you are promised a surprise package at a bargain price. These offers are made to look fun and harmless, but behind the scenes you are giving away personal and credit card information while unknowingly agreeing to hidden subscription terms, often written in tiny fine print.The scam doesn’t stop there. Once you’re convinced and reach the checkout page, scammers often layer in a second scam, like loyalty cards or VIP memberships that further lock you into payments. It’s all designed to confuse you, overwhelm you with supposed perks and make the scam feel like a good deal.Researchers found that many of these websites share a single Cyprus address, possibly tied to offshore entities linked to the Paradise Papers. Despite being spread across different categories and brand names, the sites often use the same layouts, AI agents and payment structures, all pointing to a centralized fraud network.Scammers frequently rotate the brands they impersonate and have started moving beyond mystery boxes, now peddling low-quality products, counterfeit goods, fake investment schemes, dubious supplements and more. To avoid automatic detection, they employ several tactics. These include running multiple versions of an ad, with only one of which is actually malicious while the others display harmless product images, uploading ad images from platforms like Google Drive so they can be swapped out later and cropping visuals to alter recognizable patterns. Listing fake products (Bitdefender) (Kurt "CyberGuy" Knutsson)The scam is expandingWhat started with simple "mystery box" scams has grown into a sprawling, coordinated campaign. These scams now feature fake surveys, tiered "VIP" memberships and deceptive credit systems that make the purchase process intentionally confusing. Users are promised deep discounts or access to exclusive deals, but in reality they’re just being locked into recurring payments.Many of the scam websites trace back to the same physical address in Cyprus, pointing to what appears to be a centralized operation. Researchers also found links to entities mentioned in the Paradise Papers, suggesting these fraudsters are hiding behind offshore infrastructure.And it’s not just mystery boxes anymore. The same scam format is being used to sell low-quality goods, fake supplements and even bogus investment opportunities. With high-quality site design, aggressive advertising and increasingly sophisticated tactics, subscription scams are becoming the new face of online fraud. A person shopping online (Kurt "CyberGuy" Knutsson)10 proactive measures to take to protect your dataEven as scammers become more sophisticated, there are practical steps you can take right now to protect your personal and financial information from subscription fraud and other online threats. Here are ten proactive measures to help keep your data safe:1) Always read the fine print: One of the simplest yet most effective ways to protect yourself from subscription scams is to slow down and read the fine print, especially on checkout pages. Scammers often hide recurring payment terms in small or lightly colored text that’s easy to miss. What seems like a one-time purchase could actually sign you up for a biweekly or monthly charge. Taking just a moment to scan for hidden terms before hitting "Pay" can help you avoid weeks of silent billing.2) Avoid mystery box or VIP-style deals: These offers often prey on curiosity and the promise of surprise or luxury for a low fee. In reality, the "mystery" is the trap: you might receive nothing or a low-quality item while being unknowingly enrolled in a recurring subscription. Scammers use the illusion of exclusivity or urgency to pressure quick decisions.3) Don’t trust ads blindly on social media: Facebook, Instagram and other platforms are a hotbed for these scams, with criminals running paid ads that mimic well-known brands or influencers. These ads often link to professional-looking but fake storefronts. If you’re interested in a deal you see online, don’t click through immediately. Instead, look up the brand or offer in a separate tab and check if it exists outside social media.4) Investigate before you buy: Before purchasing from any unfamiliar site, take a few quick steps to verify its legitimacy. Search the brand's name alongside words like "scam" or "reviews" to see what others have experienced. Look up the company's physical address and check if it actually exists using tools like Google Maps. Make sure the website uses HTTPS, review the site's contact information and cross-check reviews on trusted third-party sites like the Better Business Bureau or Consumer Reports.5) Use strong antivirus software: Adding a strong antivirus program to your devices can provide an extra layer of defense against fraudulent websites and phishing attempts. Strong antivirus software warns you about suspicious links, blocks malicious ads and scans downloads for malware. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.6) Invest in personal data removal services: Scammers often rely on leaked or publicly available personal information to target victims with convincing subscription scams. Investing in a personal data removal service can help minimize your digital footprint by removing your information from data broker databases and reducing the chances of being targeted in future campaigns. Regularly monitoring and cleaning up your online presence makes it harder for fraudsters to exploit your data for financial gain. Check out my top picks for data removal services here.Get a free scan to find out if your personal information is already out on the web.7) Be cautious with payment methods: Use secure payment options like credit cards, which often offer better fraud protection than wire transfers, gift cards or cryptocurrency.8) Limit personal information shared on social media: Scammers often gather details from public profiles to craft convincing scams. Review your privacy settings and only share necessary information.9) Use strong, unique passwords and enable multifactor authentication: Create strong, unique passwords for each of your online accounts, especially those tied to your finances or shopping. Enable multifactor authentication wherever possible, as this adds an extra layer of security and makes it harder for scammers to access your accounts, even if your password is compromised. Also, consider using a password manager to generate and store complex passwords. Get more details about my best expert-reviewed password managers of 2025 here.10) Keep your devices and software updated: Regularly update your operating system, browsers and apps. Security updates often patch vulnerabilities that scammers exploit to gain access to your information or install malicious software.Kurt’s key takeawayWhile the rise of subscription scams and deceptive ads is concerning, it’s especially troubling that platforms like Facebook continue to allow these fraudulent ads to run unchecked. Facebook has repeatedly failed to adequately vet or prevent these malicious campaigns from reaching vulnerable individuals. The platform’s ad approval system should be more proactive in spotting and blocking ads promoting scams, particularly those that impersonate well-known brands or content creators. How do you feel about Facebook’s role in allowing scam ads to circulate? Let us know by writing us atCyberguy.com/Contact.For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.Follow Kurt on his social channels:Answers to the most-asked CyberGuy questions:New from Kurt:Copyright 2025 CyberGuy.com. All rights reserved. Kurt "CyberGuy" Knutsson is an award-winning tech journalist who has a deep love of technology, gear and gadgets that make life better with his contributions for Fox News & FOX Business beginning mornings on "FOX & Friends." Got a tech question? Get Kurt’s free CyberGuy Newsletter, share your voice, a story idea or comment at CyberGuy.com.

Today, like most days, I made a trip to the post office to ship out my Poshmark sales. But what I'm shipping out looks a little different than it might have a few months ago. Of the seven packages I'm handing off, only one contains an item I'd consider "nice." Alongside that Fendi top are six pieces from fast-fashion brands—ultra cheap stuff I ordered from Chinese retailers like Shein and Temu that, until recently, I never expected to actually sell, given that someone could buy the same item new at, well, Shein and Temu prices. But since the United States' new tariff structure went into effect (primarily the elimination of the de minimus exemption), consumers have been forced to adjust to a reality in which they can't easily source everything from toothbrush holders to micro-trendy outfits from an low price Chinese retail giant, to say nothing of concerns over how much more they could be paying for pricier items like autos and appliances made with foreign parts or manufactured overseas. In this period of uncertainty, resale apps may be filling the void. My own Poshmark sales are up compared to the month before the tariffs went into effect, with a notable rise in sales of basic, cheap stuff. Curious, I talked to a few experts to see if my experiences were indicative of a broader trend—one that could mean good things (well, relatively speaking) for resale buyers and sellers alike.The vibe on the resale apps in the wake of tariffsThe rollout of the tariffs has been confusing and disjointed. It was (and still is) hard to predict when consumers will see price increases on foreign-made electronics, cars, and other goods, or on products assembled in the U.S. but made with imported parts. But from the start, it has been obvious that goods from China in particular were about to cost a whole lot more—including the volumes of stuff shipped directly to consumers from the likes of Temu and Shein, the latter of which is famous for uploading 10,000 new styles to its site every day (and for charging unbelievably low prices for all of them). Months ago, when the tariffs were first announced, people started wondering if they should start stocking up (and on what), whether they were importing cheap clothes from Shein or bracing for higher prices on more substantial goods like smartphones. I've bought more than my share of junk from Shein, though I know it is not exactly a sustainable or environmentally friendly choice. To make myself feel better about that, I've always listed the clothes on resale apps once I'm done with them. To be clear, these are cheaply made garments—you don't buy your capsule wardrobe on Shein; Shein is where you shop for micro-trends (styles that are currently all over your Instagram and Pinterest feed, but which won't be in two months) or basics like tank tops that you can use and abuse. Prior to the tariffs rolling out, it was inconceivable that anyone would pay me $9 (plus shipping) for a pre-worn, cheaply-made dress or workout set that I had only paid $15 for in the first place—but that's what started happening. In the past month, I've still sold clothing and accessories made by Adidas, Gucci, Skims, Ralph Lauren, Marc Jacobs, Reebok, and Givenchy, but those tend to be one-off sales. My Shein resales for the last four weeks absolutely dwarf them. I also sold a few electronics items—an Apple Watch and facial micro-current device—I had listed in my Poshmark shop months earlier. Could I chalk up all of these sales to tariffs, and to anxiety about impending price increases on electronics? My Shein sales this month vs. everything else Credit: Lindsey Ellefson Certainly I'm not alone in noticing it this trend. A Poshmark spokesperson tells me, "We’ve seen an increase in sales of internationally-made items, especially from brands that have announced price hikes due to high tariffs. Despite rising prices, demand for fast fashion remains strong as consumers seek trendy, affordable styles. Buying those pieces secondhand lets them stay on-trend while keeping clothing in circulation."In addition to Shein and Temu, higher-priced brands that publicly announced tariff-related price increases have also seen resale spikes, with sales of Columbia button-down shirts surging by 61% month over month, and sales of Hermès sandals up 27%. Buying used Hermès sandals is one thing—not all of us have $840 laying around to spend on designer slides to ring in the summer. But a Columbia button-down? That's the kind of item I'm used to finding at Marshall's for maybe $30—but people now seem to be flocking to buy them used, worried that even cheap shirts will become relatively priceier due to tariffs. Meanwhile, Poshmark reports sales on consumer electronics have increased as well: The week of April 27, resales of Sony products were up 22% month over month, and Apple products were up 21%. The times seem to be changing, and they're doing it in a hurry.What tariffs means for resale shoppersI am not only a resale seller, but a resale shopper, and the uncertainty around tariffs has made me a lot more discerning with what I'm buying new. Part of this is just that I'm now paying more attention. I love the leisure and athletic wear made by SET Active. I own a lot of it, and I have never before considered selling any of it because it lasts so long and maintains its shape so well. Until recently, I have also never paid much attention to where it is made: While SET Active designs its products in California, its active fabrics are all made in China. Prices haven't gone up on the official website yet, but in preparation for a time when they might, I've already started shopping the brand on Poshmark and Depop. It's not the worst thing in the world; buying used is both cheaper and more sustainable. I've always been an avid purchaser of resale goods—I've just never had to do it so strategically before. (I've found it easier to give up Shein altogether—I can manage fine without the $4 tank tops I've been putting through absolute hell the past few summers—but my Poshmark customers have proven more reluctant to resist the allure of fast fashion, even used.)I'm not alone in being more strategic with my resale purchases. Financial experts are noticing the same thing. "In the wake of the announcement and implementation of the tariffs, people have been looking for cheaper alternatives to the more expensive imported goods," says Aaron Razon, a personal finance expert at Couponsnake, "especially as many domestic products not only fall short in meeting the demand for certain products, but lack the variety and style that imported goods offer. [Domestic products] are also not exactly the cost-effective option consumers are looking for, and this is one of the major reasons interest in resale platforms [has] been on the increase."Bill London, an international business attorney, points out that in addition to causing prices to rise, tariffs have resulted in potential shipping delays, a fact that has also contributed to, "a surge in second-hand fast fashion interest." Six months ago, if you needed a certain kind of dress for, say, a themed bachelorette party, you could order it from Shein for $20, safe in the knowledge that you'd probably never wear it again. Today, its price could be closer to $30 or $40, and you might face delays in receiving it. The appeal of fast fashion was always in the low cost and convenience, provided you had 10 to 14 days to wait for the thing to arrive from China. Now, it just makes more sense to buy that dress from someone in the U.S. who likewise didn't see themselves rewearing it, —and now, they're selling it for roughly the same $20 they originally paid. For the buyer, it's still a relative deal, and it'll even arrive sooner. It's not just fast fashionBrands beyond Shein and Temu are seeing a lift. As the Poshmark rep pointed out, resales on select high-end brands are up, too. Buying used luxury goods has always been a smart financial decision (certainly it's a practice I've been dedicated to for a long time), but with manufacturing and importation costs an ever-murkier question, it's more sensible than ever. A spokesperson for Vestiaire Collective, a designer resale platform, tells me that U.S. buyers are increasingly able to see the duties applied to their purchases from Europe and Asia at checkout, and that the company has been working to beef up its American foothold for years. That effort is now paying off in a big way thanks to tariffs: In 2022, VC acquired Tradesey to increase its selection of pre-owned fashion offering for U.S. buyers, and it ramped up associated brand marketing the following year. VC also curates a list of goods that are ready to ship from New York City, making it easier for American buyers to identify items that can easily come to them domestically, no tariffs or duties required. Consequently, the brand rep says VC has, "seen a shift of more U.S. buyers buying from U.S. sellers" lately. Personally, I've noticed people buying from me lately, in particular, is workout attire. With the cost of everything going up, it might seem more of a stretch to pop into Lululemon to buy a new pair of leggings for over $100. Meanwhile, the trusty Shein alternative is now more money than its worth. It's this class of in-between necessities—things you don't need to survive, but may be a nice-to-have for your particular interests or lifestyle—that is a source of personal economic woe, and where resale can fill the gap. Whether you need new workout gear, a one-time wear outfit, a few basic pieces, or even a designer handbag, the reality of the post-tariff world is that you're almost certainly better off looking on resale apps before even considering buying new. (You certainly have options—I've assembled a rundown of my own favorite resale apps, including the goods you're most likely to find on each.)What this trend means for resellersI remain shocked that people who presumably would have once ordered their workout sets and summer shorts off Shein are filling the fast-fashion void by purchasing mine, but take it from me: If you have ever considered selling your old clothes or housewares, but figured what you have to offer is too basic, cheap, or plentiful to make the effort worth it, this is your moment. I used to have cheap goods and fast fashion listed on my resale accounts only because it helped keep my number of available listings up, which contributed to my profiles' reputation and lured in buyers for the pricier objects I actually expected to sell. Now, though, it's the cheap stuff that is really moving, and making me money. I've started reevaluating my closet and reconsidering what meets my threshold for "worth it" to list. Post-tariffs, everything is worth it to list. As London puts it, "The tariffs have altered the way in which people do their shopping." It's still pretty early into the great American tariff experiment, but some brands commissioned surveys early on this year to see how people were planning to deal with cost increases and found that a major chunk of consumers indeed expected to rely more on resale. ThredUp, another online resale platform, found that 59% of consumers reported that if apparel got more expensive, they'd look to more affordable options, like secondhand buying, and consumers planned to spend 34% of their apparel budget on secondhand items this year. And those figures are a lot higher for Millennials and Gen Z buyers: They reported planning to spend almost half their clothing budget on resale. Data from Smartly, an online shopping rewards app, also shows that 50% of survey respondents planned to consider resale goods in the face of rising costs. This means that even for casual resellers or those new to the concept entirely, there are a lot of new prospective buyers, which can translate directly to quick sales. At a time when the cost of necessary goods is rising right alongside those in-between necessities, you can make extra cash by selling what you already have. In general, my sales are way up month over month since tariffs went into effect in early May Credit: Lindsey Ellefson Will the resale spike last?I've been buying and selling on resale apps for years and have always had success finding cool stuff to buy as fast as I could get rid of my old clothing, accessories, and electronics. While I've definitely noticed a spike in my sales lately, that's not to say there wasn't demand before the tariffs were announced. If you're new to buying or selling on an app, don't worry that the bubble will burst and you'll have invested a bunch of time in listing your wares for nothing—even if and when the moment passes, reselling can still be a reliable way to make a little extra cash. (In the meantime, if you have a lot to sell and want to maximize your profits, download a cross-lister like Vendoo, which helps you easily list the same product across multiple marketplaces.)Some experts do expect that things could cool down in the nearer term. "Whether the trend persists depends on a number of things, such as how long the tariffs are in effect and how buyers respond to costs," London says. "The resale market for the products is likely to continue expanding if the tariffs are maintained. The demand might plateau or divert towards quality goods or eco-friendly goods when buyers adapt." Razon, meanwhile, thinks resale apps will continue to thrive, but that the interest in procuring cheaply-made things, like fast fashion, may wane. "Resale platforms have been on the good end of the recent tariff increases, especially with consumers looking for cheaper alternatives to imported goods," he says. "The truth is—though it may take consumers time to realize it—they will eventually come to appreciate better-quality goods. There is a great chance that consumers' interest in these lesser-quality goods will wear off as soon as they begin to adjust to the new economic reality."That is to say, list your Shein, Temu, and Aliexpress stuff now while people are still mourning its loss, but also consider those more familiar brands that may also soon see price hikes. Take stock of your closet and do a bit of research to see where all your potential stock is made. Just like I'm worried my beloved SET Active attire is going to go up in price because it's made in China, consumers may soon find themselves wanting to source cheaper stuff from Nike, Adidas, Lululemon, Levi's, and more, as all of those companies manufacture a lot of their clothing overseas. The resale platforms themselves are already anticipating that their digital products are going to get more valuable and stay valuable through (and beyond) the tariff era. Manish Chandra, Poshmark's founder and CEO, says, "As the landscape of tariffs and imports evolves, we believe the secondhand marketplace will become an increasingly valuable and cost-effective resource for American consumers. By shopping from Poshmark closets or starting their own, consumers are supporting sustainability and helping strengthen the American economy." In other words, buying resale is another way of buying American, even if everything you're buying was made in India or China.

Strava drama has become the name of the game in the fitness tracking world. I suppose when your favorite fitness app also includes a social media element, a little tension is inevitable. Add competitive leaderboards into the mix, and you've got a recipe for intrigue that would make reality TV producers salivate.If you're tuned into leaderboard controversies, you'll know that runners and cyclists are deeply divided on whether the platform is doing too much—or not nearly enough—to combat fake entries. If you ask me, when some users are deploying electric unicycles to dominate local climbing segments, that's evidence enough something needs to be done. And now Strava is doing something: The company has announced the launch of AI-enabled Leaderboard Integrity, a new tool intended to separate legitimate athletes from creative cheaters. How Strava is using AI to root out cheatersFor the uninitiated, the reason people cheat is usually to claim King of the Mountain (KOM) and Queen of the Mountain (QOM) titles—coveted crowns that represent the fastest times on specific segments. Peruse the Strava subreddit for a few minutes, and you'll be sure to see grievances about leaderboard cheaters. Strava's latest update is designed to identify and flag "irregular, improbable, or impossible" performance recorded on the platform. The system acts as a digital referee, capable of detecting when an impossibly fast e-bike ride has been mislabeled as a regular cycling effort, then politely prompting users to correct their entries.The technology goes beyond simple speed checks. Strava revealed in February that its machine learning system analyzes activities using 57 different factors, including speed patterns, elevation gains, and acceleration data, to determine when something doesn't add up. The result of this crackdown? Strava has already removed 4.45 million activities from its platform. The deleted activities generally fall into two main categories: entries uploaded with the wrong sport type (like labeling an e-bike ride as regular cycling) and activities recorded while in a vehicle. To be fair, the latter category likely includes everything from users forgetting to stop their tracking while driving home, to more deliberate attempts to game the system by recording car or train journeys as part of legitimate running segments.How Strava users are reactingThe fitness community's reaction to Strava's cheater detection has been characteristically split. Serious athletes and segment hunters generally applaud the stricter measures—after all, leaderboard integrity is what makes the app's competitive element at all meaningful. If the numbers are fraud, what's the point?However, some users worry about false positives—that is, legitimate exceptional performances getting flagged by overzealous algorithms. And the AI is overzealous: Some users have commented that their personal records are being deleted without any sort of prompt or ability to dispute the AI's findings. If you're a serious athlete, seeing your genuinely impressive times being questioned by an automated system that might not account for peak human performance is naturally going to rankle.Outside of leaderboard integrity, Strava's AI initiatives are generally overzealous and inaccurate. I'm not alone in noticing how absurd its new route generation can get. I'm talking routes with concentric loops, cutting through buildings, major roads instead of residential paths, and other issues that will make no sense to a real human moving through the world. Given the immense heat map data that we've all effectively donated to Strava, to be given such shoddy AI-generated routes is fairly bonkers, and it's hardly surprising that its cheat-detecting tools would also be less than precise.The bottom lineControversy aside, Strava's competitive features should be more about personal motivation than serious competition. If cheater detection is ruining your experience, I recommend some perspective. Try not to let it spoil what should be a fun, social fitness experience—especially given the AI tools don't (yet) seem accurate enough to reflect reality.But with 4.45 million activities already in the digital trash bin, Strava's message is clear: The days of easily gaming the leaderboards are over. Of course, as fitness tracking technology continues to evolve, so too will the methods people use to fool the system. Hopefully Strava stays one step ahead of creative rule-benders.

ExpressVPN is good at its job. It's easy to be skeptical of any service with a knack for self-promotion, but don't let ExpressVPN's hype distract you from the fact that it keeps its front-page promise of "just working." Outside of solid security, the two best things ExpressVPN offers are fast speeds and a simple interface. Our tests showed only a 7% average drop in download speed and a 2% loss of upload speed, worldwide. And while the lack of extra features may frustrate experienced users, it makes for a true set-and-forget VPN on any platform. This isn't to say ExpressVPN is without flaws — it's nearly bereft of customization options and it's notably more expensive than its competition — but it beats most VPNs in a head-to-head matchup. For this review, we followed our rigorous 10-step VPN testing process, exploring ExpressVPN's security, privacy, speed, interfaces and more. Whether you read straight through or skip to the sections that are most important for you, you should come away with all the information you need to decide whether to subscribe. Editors' note: We're in the process of rebooting all of our VPN reviews from scratch. Once we do a fresh pass on the top services, we'll be updating each review with a rating and additional comparative information. Table of contents Findings at a glance Installing, configuring and using ExpressVPN ExpressVPN speed test: Very fast averages ExpressVPN security test: Checking for leaks How much does ExpressVPN cost? ExpressVPN side apps and bundles Close-reading ExpressVPN's privacy policy Can ExpressVPN change your virtual location? Investigating ExpressVPN's server network Extra features of ExpressVPN ExpressVPN customer support options ExpressVPN background check: From founding to Kape Technologies Final verdict Findings at a glance Category Notes Installation and UI All interfaces are clean and minimalist, with no glitches and not enough depth to get lost in Windows and Mac clients are similar in both setup and general user experience Android and iOS are likewise almost identical, but Android has a nice-looking dark mode Speed Retains a worldwide average of 93% of starting download speeds Upload speeds average 98% of starting speeds Latency rises with distance, but global average stayed under 300 ms in tests Security OpenVPN, IKEv2 and Lightway VPN protocols all use secure ciphers Packet-sniffing test showed working encryption We detected no IP leaks Blocks IPv6 and WebRTC by default to prevent leaks Pricing Base price: $12.95 per month or $99.95 per year Lowest prepaid rate: $4.99 per month Can save money by paying for 28 months in advance, but only once per account 30-day money-back guarantee Bundles ExpressVPN Keys password manager and ID alerts included on all plans Dedicated IP addresses come at an extra price ID theft insurance, data removal and credit scanning available to new one-year and two-year subscribers for free 1GB eSIM deal included through holiday.com Privacy policy No storage of connection logs or device logs permitted The only risky exceptions are personal account data (which doesn't leave the ExpressVPN website) and marketing data (which the policy says should be anonymized) An independent audit found that ExpressVPN's RAM-only server infrastructure makes it impossible to keep logs Virtual location change Successfully unblocked five international Netflix libraries, succeeding on 14 out of 15 attempts Server network 164 server locations in 105 countries 38% of servers are virtual, though most virtual locations are accessed through physical servers within 1,000 miles A large number of locations in South America, Africa and central Asia Features Simple but effective kill switch Can block ads, trackers, adult sites and/or malware sites but blocklists can't be customized Split tunneling is convenient but unavailable on iOS and modern Macs Aircove is the best VPN router, albeit expensive Customer support Setup and troubleshooting guides are organized and useful, with lots of screenshots and videos Live chat starts with a bot but you can get to a person within a couple minutes Email tickets are only accessible from the mobile apps or after live chat has failed Background check Founded in 2009; based in the British Virgin Islands Has never been caught selling or mishandling user data Turkish police seized servers in 2017 but couldn't find any logs of user activity Owned by Kape Technologies, which also owns CyberGhost and Private Internet Access A previous CIO formerly worked on surveillance in the United Arab Emirates; no evidence of shady behavior during his time at ExpressVPN Windows Version 12 leaked some DNS requests when Split Tunneling was active Installing, configuring and using ExpressVPN This section focuses on how it feels to use ExpressVPN on each of the major platforms where it's available. The first step for any setup process is to make an account on expressvpn.com and buy a subscription. Windows Once subscribed, download the Windows VPN from either expressvpn.com or the Microsoft Store, then open the .exe file. Click "Yes" to let it make changes, wait for the install, then let your computer reboot. Including the reboot, the whole process takes 5-10 minutes, most of it idle. To finish, you'll need your activation code, which you can find by going to expressvpn.com and clicking "Setup" in the top-right corner. You can install ExpressVPN's Windows app from the Microsoft store, but we found the website more convenient. Sam Chapman for Engadget Extreme simplicity is the watchword for all ExpressVPN's designs. The Windows client's launch panel consists of three buttons and less than ten words. You can change your location or let the app pick a location for you — the "Smart Location" is the server with the best combination of being nearby and unburdened. Everything else is crammed into the hamburger menu at the top left. Here, in seven tabs, you'll find the Network Lock kill switch, the four types of content blockers, the split tunneling menu and the option to change your VPN protocol. You can also add shortcuts to various websites, useful if you regularly use your VPN for the same online destinations. To sum up, there's almost nothing here to get in the way: no delays, no snags, no nested menus to get lost in. It may be the world's most ignorable VPN client. That's not a bad thing at all. Mac ExpressVPN's app for macOS is almost identical in design to its Windows app. The process for downloading and setting it up is nearly the same too. As on Windows, it can be downloaded from the App Store or sideloaded directly from the expressvpn.com download center. Only a few features are missing and a couple others have been added. Split tunneling is gone (unless you're still on a macOS lower than 11), and you won't see the Lightway Turbo setting. ExpressVPN recommends some servers, but it's easy to search the whole list. Sam Chapman for Engadget Mac users do gain access to the IKEv2 protocol, along with the option to turn off automatic IPv6 blocking — Windows users have to leave it blocked at all times. Almost every website is still accessible via IPv4, but it's useful if you do need to access a specific IPv6 address while the VPN is active. Android Android users can download ExpressVPN through the Google Play Store. Open the app, sign in and you're ready to go. The Android app has a very nice dark-colored design, only slightly marred by an unnecessary information box about how long you've used the VPN this week. ExpressVPN's Android app puts a little more information on the screen than it needs to, but still runs well. Sam Chapman for Engadget There's a large button for connecting. Clicking on the server name takes you to a list of locations. On this list, you can either search or scroll and can choose individual locations within a country that has more than one. We connected to as many far-flung server locations as we could, but not a single one took longer than a few seconds. The options menu is organized sensibly, with no option located more than two clicks deep. You will see a couple of options here that aren't available on desktop, the best of which is the ability to automatically connect to your last-used ExpressVPN server whenever your phone connects to a non-trusted wifi network. There are also a few general security tools: an IP address checker, DNS and WebRTC leak testers and a password generator. These are also available on the website, but here, they're built into the app. With the exception of the latter, we'd recommend using third-party testing tools instead — even a VPN with integrity has an incentive to make its own app look like it's working. iPhone and iPad You can only install ExpressVPN's iOS app through the app store. During setup, you may need to enter your password to allow your phone to use VPN configurations. Otherwise, there are no major differences from the Android process. ExpressVPN looks good on iPhone and iPad. Sam Chapman for Engadget The interface is not quite as pleasing as the dark-mode Android app, but it makes up for that by cutting out some of the clutter. The tabs and features are similar, though split tunneling and shortcuts are absent. Also, both mobile apps make customer support a lot more accessible than their desktop counterparts — plus, mobile is the only way to send email support tickets. Browser extension ExpressVPN also includes browser extensions for Firefox and Chrome. These let you connect, disconnect and change server locations without leaving your browser window. It's nice, but not essential unless you have a very specific web browser flow you like. ExpressVPN speed test: Very fast averages Connecting to a VPN almost always decreases your speed, but the best VPNs mitigate the drop as much as possible. We used Ookla's speed testing app to see how much of your internet speed ExpressVPN preserves. For this test, we emphasized the locations ExpressVPN uses for most of its virtual servers, including the Netherlands, Brazil, Germany and Singapore. Some terms before we start: Latency, measured in milliseconds (ms), is the time it takes one data packet to travel between your device and a web server through the VPN. Latency increases with distance. It's most important for real-time tasks like video chatting and online gaming. Download speed, measured in megabits per second (Mbps), is the amount of information that can download onto your device at one time — such as when loading a web page or streaming a video. Upload speed, also measured in Mbps, is the amount of information your device can send to the web at once. It's most important for torrenting, since the amount of data you can seed determines how fast you can download in exchange. The table below shows our results. We conducted this on Windows, using the automatic protocol setting with the Lightway Turbo feature active — a recent ExpressVPN addition that keeps speed more consistent by processing connections in parallel. Server location Latency (ms) Increase factor Download speed (Mbps) Percentage dropoff Upload speed (Mbps) Percentage dropoff Portland, Oregon, USA (unprotected) 18 -- 58.77 -- 5.70 -- Seattle, Washington, USA (best server) 26 1.4x 54.86 6.7% 5.52 3.2% New York, NY, USA 156 8.7x 57.25 2.6% 5.57 2.3% Amsterdam, Netherlands 306 17x 53.83 8.4% 5.58 2.1% São Paulo, Brazil 371 20.6x 53.82 8.4% 5.65 0.9% Frankfurt, Germany 404 22.4x 55.71 5.2% 5.67 0.5% Singapore, Singapore 381 21.2x 52.76 10.2% 5.64 1.0% Average 274 15.2x 54.71 6.9% 5.61 1.6% These are extremely good results. ExpressVPN is a winner on both download and upload speed. No matter where we went in the world, we never lost more than about 7% of our download speeds, and upload lost an astoundingly low average of 2%. This suggests that ExpressVPN deftly distributes its user load between servers to eliminate bottlenecks. This Ookla speedtest shows you can still get fast internet while connected to ExpressVPN -- our unprotected speeds are around 58 Mbps. Sam Chapman for Engadget The latency numbers look worse, but the rise in the table is less sharp than we projected. Ping length depends far more on distance than download speed does, so we expect it to shoot up on servers more than 1,000 miles from our location. Keeping the average below 300 ms, as ExpressVPN does here, is a strong showing. ExpressVPN security test: Checking for leaks A VPN's core mission is to hide your IP address and make you untraceable online. Our task in this section is to figure out if ExpressVPN can carry out this mission every time you connect. While we can't be 100% certain, the tests we'll run through below have led us to believe that ExpressVPN is currently leak-proof. Available VPN protocols A VPN protocol is like a common language that a VPN server can use to mediate between your devices and the web servers you visit. If a VPN uses outdated or insecure protocols, or relies on unique protocols with no visible specs or source code, that's a bad sign. Not all protocols are available on all apps, but Mac has the full range. Sam Chapman for Engadget ExpressVPN gives you a selection of three protocols: IKEv2, OpenVPN and Lightway. The first two are solid choices that support the latest encryption algorithms. OpenVPN has been fully open-source for years and is the best choice if privacy is your goal. While IKEv2 started life as a closed project by Microsoft and Cisco, ExpressVPN uses an open-source reverse-engineering, which is both better for privacy and quite fast. Lightway is the odd one out, a protocol you'll only find on ExpressVPN, though its source code is available on Github. It's similar to WireGuard, in that both reach for faster speeds and lower processing demands by keeping their codebases slim. However, Lightway was recently rewritten in Rust to better protect the keys stored in its memory. Ultimately, you can't go wrong with any of ExpressVPN's protocol options. 99% of the time, your best choice will be to set the controls to Automatic and let the VPN decide which runs best. Testing for leaks ExpressVPN is one of the best services, but it's not leak-proof (as you can read in the Background Check below). Luckily, checking for DNS leaks is a simple matter of checking your IP address before and after connecting to a VPN server. If the new address matches the VPN server, you're good; if not, your VPN is leaking. First, we checked the Windows app with split tunneling active to ensure the flaw really had been patched. We tested several servers and didn't find any leaks, which suggests the patch worked, though leaks were rare even before ExpressVPN fixed the vulnerability. We checked our IP while connected to the virtual India location, which is run from a physical server in Singapore. Don't worry -- it still looks like India to streaming services. Sam Chapman for Engadget In fact, we didn't find any leaks on any ExpressVPN server we tested on any platform. Though questions remain about iOS, as you'll see later in this section, that's a problem on Apple's end that even the best VPNs can do very little about for now. The most common cause of VPN leaks is the use of public DNS servers to connect users to websites, which can mistakenly send browsing activity outside the VPN's encrypted tunnel. ExpressVPN avoids the risks of the public system by installing its own DNS resolvers on every server. This is the key factor behind its clean bill of health in our leak testing. Two other common flaws can lead to VPN leaks: WebRTC traffic and IPv6. The former is a communication protocol used in live streaming and the latter is a new IP standard designed to expand domain availability. Both are nice, but currently optional, so ExpressVPN automatically blocks both to ensure there's no opportunity for leaks to arise. One note about VPN security on iOS: it's a known and continuing problem that iOS VPNs do not prevent many online apps from communicating with Apple directly, outside the VPN tunnel. This risks leaking sensitive data, even with Lockdown Mode active in iOS 16. A blog post by Proton VPN shares a workaround: connect to a VPN server, then turn Airplane Mode on and off again to end all connections that were active before you connected to the VPN. Testing encryption We finished up our battery of security tests by checking out ExpressVPN's encryption directly. Using WireShark, a free packet sniffer, we inspected what it looks like when ExpressVPN transmits data from one of its servers to the internet. The screenshot below shows a data stream encrypted with Lightway UDP. After connecting to ExpressVPN, HTTP packets were rendered unreadable while in transit. Sam Chapman for Engadget That lack of any identifiable information, or even readable information, means encryption is working as intended. We repeated the test several times, always getting the same result. This left us satisfied that ExpressVPN's core features are working as intended. How much does ExpressVPN cost? ExpressVPN subscriptions cost $12.95 per month. Long-term subscriptions can bring the monthly cost down, but the great deals they offer tend to only last for the first billing period. A 12-month subscription costs $99.95 and includes three months for free with your first payment, costing a total of $6.67 per month. The bonus disappears for all subsequent years, raising the monthly cost to $8.33. You can also sign up for 28 months at a cost of $139.72, but this is also once-only — ExpressVPN can only be renewed at the $99.95 per year level. There are two ways to test ExpressVPN for free before making a financial commitment. Users on iOS and Android can download the ExpressVPN app without entering any payment details and use it free for seven days. On any platform, there's a 30-day money-back guarantee, which ExpressVPN has historically honored with no questions asked. You will have to pay before you can use it, though. In our opinion, ExpressVPN's service is solid enough that it's worth paying extra. Perhaps not this much extra, but that depends on what you get out of it. We recommend using the 30-day refund period and seeing how well ExpressVPN works for you. If it's a VPN you can enjoy using, that runs fast and unblocks everything you need, that's worth a server's weight in gold. ExpressVPN side apps and bundles ExpressVPN includes some special features that work mostly or wholly separate from its VPN apps. Some of these come free with a subscription, while others add an extra cost. Every subscription includes the ExpressVPN keys password manager. This is available under its own tab on the Android and iOS apps. On desktop, you'll need to download a separate extension from your browser's store, then sign in using your account activation code. It's available on all Chromium browsers, but not Firefox. Starting in 2025, new subscribers get an eSIM plan through holiday.com, a separate service linked to ExpressVPN. The baseline 1GB holiday eSIM plans last for 5 days and can apply to countries, regions, or the entire world (though it's not clear whether the package deal applies to the regional and global plans). Longer-term plans include larger eSIM plans. You can add a dedicated IP address to your ExpressVPN subscription for an additional cost per month. A dedicated IP lets you use the same IP address every time you connect to ExpressVPN. You can add the address to whitelists on restricted networks, and you're assured to never be blocked because of someone else's bad activity on a shared IP. Unlike many of its competitors, ExpressVPN doesn't currently offer antivirus or online storage services, but there is a comprehensive bundle of ID protection tools called Identity Defender. We haven't reviewed any of these products in detail, but here's a list for reference: ID Alerts will inform you if any of your sensitive information is leaked or misused online. It's free with all plans, but you'll have to enter your personal information on your ExpressVPN account page or a mobile app. ID Theft Insurance grants up to $1 million in identity theft reimbursement and comes free with new ExpressVPN one-year or two-year subscriptions. It's not yet available to those who subscribed before it launched in October 2024. Data Removal scans for your information in data brokerages and automatically requests that it be deleted. It's also free with one-year and two-year plans. Credit Scanner is only available for United States users. It monitors your activity on the three credit bureaus so you can quickly spot any suspicious transactions. The Identity Defender features are currently only available to new ExpressVPN customers in the US. Close-reading ExpressVPN's privacy policy Although we worry that the consolidation of VPN brands under the umbrella of Kape Technologies (ExpressVPN's parent company) will make the industry less competitive, we don't believe it's influencing ExpressVPN to take advantage of its users' privacy. To confirm, and get a full sense of what sort of privacy ExpressVPN promises its users, we set out to read ExpressVPN's privacy policy in detail. It's long, but thankfully aimed at casual users instead of lawyers. You can see it for yourself here. In the introduction, ExpressVPN states that it does not keep either activity logs (such as a user's browsing history while connected to the VPN) or connection logs (such as the duration of a user's session and their IP address, which can be used to extrapolate browsing activity). It then specifies the seven types of data it's legally allowed to collect: Data used to sign up for an account, such as names, emails and payment methods. VPN usage data which is aggregated and can't be traced to any individual. Credentials stored in the ExpressVPN Keys password manager. Diagnostic data such as crash reports, which are only shared upon user request. IP addresses authorized for MediaStreamer, which is only for streaming devices that don't otherwise support VPN apps. Marketing data collected directly from the app — a "limited amount" that's kept anonymous. Data voluntarily submitted for identity theft protection apps. Of those seven exceptions, the only ones that count as red flags are account data and marketing data. Both categories are highly personal and could be damaging if mishandled. Fortunately, complying with subpoenas is not one of the allowed uses listed for either data category, nor does the policy let ExpressVPN sell the data to other private parties. The only really annoying thing here is that if you ask ExpressVPN to delete your personal data, you won't be able to use your account from then on. You aren't even eligible for a refund in this case, unless you're within 30 days of your initial subscription. As for marketing data, ExpressVPN collects device fingerprints and location data when you sign up for an account on its website. The privacy policy also claims this is anonymized, as its "systems are engineered to decouple such data from personally identifiable information." Audits corroborate this, as we'll see in the next section. So, while it would be better if ExpressVPN didn't collect any personal data at all, its practices don't appear to pose a risk to anything you do while using the VPN — just the ExpressVPN website. Privacy audits VPN providers often get third-party accounting firms to audit their privacy policies. The idea is that a well-known firm won't mortgage its reputation to lie on behalf of a VPN, so their results can be trusted. For the last several years, ExpressVPN has had KPMG look over its privacy policy and relevant infrastructure (see "TrustedServer" below). KPMG's most recent report, completed in December 2023 and released in May 2024, found that ExpressVPN had enough internal controls in place that users could trust its privacy policy. The report is freely available to read. This is a very good sign, though we're looking out for a more up-to-date audit soon. TrustedServer "TrustedServer" is a marketing term ExpressVPN uses for its RAM-only server infrastructure. RAM-only servers have no hard drives for long-term storage and return to a standard disk image with every reboot. This makes it theoretically impossible to store user activity logs on them, even if ExpressVPN wanted to do that. The KPMG audit, linked above, reports that TrustedServer works as advertised. Between its many clean privacy audits and the Turkish server incident in 2017, we're prepared to say ExpressVPN is a private VPN, in spite of its aggravating exception for marketing. Can ExpressVPN change your virtual location? Next, we tested whether ExpressVPN can actually convince websites that you're somewhere other than your real location. Our security tests have already proven it can hide your IP address, but it takes more than leak-proofing to fool streaming sites these days — Netflix and the others have gotten very good at combing through metadata to sniff out proxy users. The process for testing this is a lot like how we handled the DNS leak tests: try several different servers and see if we get caught. We checked five sample locations outside the U.S. to see if we a) got into Netflix and b) saw different titles in the library. The results are below. Server Location Unblocked Netflix? Library changed? Canada Y Y United Kingdom Y (second try; Docklands failed) Y Slovakia Y Y India Y Y (different from UK library) Australia Y Y In fifteen tests, ExpressVPN slipped up only once. Docklands, the UK server it chose as the fastest, wasn't able to access Netflix. We switched to a server labeled simply "London" and unblocked it without issue. ExpressVPN can change your virtual location so you can explore the wonderful world of K-drama. Sam Chapman for Engadget All the other locations got us access to an alternate Netflix library on the first try. We even checked whether the India server, which is physically located in the UK, showed us different videos than the UK servers. It did, which makes us even more confident that ExpressVPN's virtual locations are airtight. Investigating ExpressVPN's server network ExpressVPN users can connect to a total of 164 server locations in 105 countries and territories. These locations are reasonably well distributed across the globe, but as with all VPNs, there's a bias toward the northern hemisphere. There are 24 locations in the U.S. alone and a further 66 in Europe. That isn't to say users in the Global South get nothing. ExpressVPN has IP addresses from nine nations in South America (Argentina, Brazil, Bolivia, Chile, Colombia, Ecuador, Peru, Uruguay and Venezuela) and six in Africa (Algeria, Egypt, Ghana, Kenya, Morocco and South Africa). The network even includes Kazakhstan, Uzbekistan and Mongolia, impressive since central Asia may be the region most often shafted by VPNs. However, many of these servers have virtual locations different from their real ones. For those of you choosing a server based on performance instead of a particular IP address, ExpressVPN's website has a helpful list of which servers are virtual. The bad news is that it's a big chunk of the list. A total of 63 ExpressVPN locations are virtual, or 38% of its entire network. To reduce the sting, ExpressVPN takes care to locate virtual servers as close to their real locations as possible. Its virtual locations in Indonesia and India are physically based in Singapore. This isn't always practical, leading to some awkwardness like operating a Ghana IP address out of Germany. But it helps ExpressVPN perform better in the southern hemisphere. Extra features of ExpressVPN Compared to direct competitors like NordVPN and Surfshark, ExpressVPN doesn't have many special features. It's aimed squarely at the casual market and will probably disappoint power users. Having said that, what they do include works well. In this section, we'll run through ExpressVPN's four substantial features outside its VPN servers themselves. Network Lock kill switch "Network Lock" is the name ExpressVPN gives to its kill switch (though it's called "Network Protection" on mobile). A VPN kill switch is a safety feature that keeps you from broadcasting outside the VPN tunnel. If it ever detects that you aren't connected to a legitimate ExpressVPN server, it cuts off your internet access. You won't be able to get back online until you either reconnect to the VPN or disable Network Lock. ExpressVPN's kill switch is called Network Lock on desktop, and Network Protection on mobile (Android pictured) Sam Chapman for Engadget This is important for everyone, not just users who need to hide sensitive traffic. The recently discovered TunnelVision bug theoretically allows hackers to set up fake public wi-fi networks through which they redirect you to equally fake VPN servers, which then harvest your personal information. It's unlikely, but not impossible, and a kill switch is the best way to prevent it — the switch always triggers unless you're connected to a real server in the VPN's network. Like most of ExpressVPN's features, all you can do with Network Lock is turn it on and off. You can also toggle whether you'll still be able to access local devices while the kill switch is blocking your internet — this is allowed by default. Threat manager, ad blocker and parental controls ExpressVPN groups three tools under the heading of "advanced protection" — Threat Manager, an ad blocker and parental controls. Threat Manager consists of two checkboxes: one that blocks your browser from communicating with activity tracking software and one that blocks a list of websites known to be used for malware. Check any of these boxes to use the pre-set blocklists whenever you're connected to ExpressVPN. Sam Chapman for Engadget You can't customize the lists, so you're limited to what ExpressVPN considers worthy of blocking. They share their sources on the website. While the lists are extensive and open-source, they rely on after-the-fact reporting and can't detect and block unknown threats like a proper antivirus. The adblock and parental control options work the same way: check a box to block everything on the list, uncheck it to allow everything through. In tests, the ad blocker was nearly 100% effective against banner ads, but failed to block any video ads on YouTube or Netflix. The parental control option blocks a list of porn sites. It's an easy option for concerned parents, but only works while ExpressVPN is connected. As such, it's meant to be used in conjunction with device-level parental controls that prevent the child from turning off or uninstalling the VPN client. Split tunneling Sometimes, you'll find it helpful to have your device getting online through two different IP addresses at once — one for your home services and one for a location you're trying to spoof. That's where split tunneling is helpful: it runs some apps through the VPN while leaving others unprotected. This can also improve your speeds, since the VPN needs to encrypt less in total. You can configure split tunneling through either a blocklist or an allowlist. Sam Chapman for Engadget ExpressVPN includes split tunneling on Windows, Android and Mac (though only on versions 10 and below). You can only split by app, not by website, but it's still pretty useful. For example, you can have BitTorrent handling a heavy download in the background while you use your browser for innocuous activities that don't need protecting. ExpressVPN Aircove router By now, it should be clear that we find ExpressVPN to be a highly reliable but often unexceptional VPN service. However, there's one area in which it's a clear industry leader: VPN routers. ExpressVPN Aircove is, to our knowledge, the only router with a built-in commercial VPN that comes with its own dashboard interface. Usually, installing a VPN on your router requires tinkering with the router control panel, which turns off all but the most experienced users — not to mention making it a massive pain to switch to a new server location. Aircove's dashboard, by contrast, will be instantly familiar to anyone who already knows how to use an ExpressVPN client. It even allows different devices in your home to connect to different locations through the router VPN. Aircove's biggest drawback is its price. Currently retailing at $189 (not including an ExpressVPN subscription), it's around three times more expensive than an aftermarket router fitted with free VPN firmware. Some of you might still find the convenience worth the one-time payment. ExpressVPN customer support options ExpressVPN's written help pages are some of the best on the market. Its live chat is more of a mixed bag, and complex questions may cause delays. However, it is at least staffed with human agents who aim to reply accurately, rather than resolve your ticket as quickly as possible. You can directly access both live chat and email from ExpressVPN's mobile apps (on desktop, you'll have to go to the website). Sam Chapman for Engadget We approached ExpressVPN's support features with a simple question: "If I requested that ExpressVPN delete all my personal data, would I be able to get a refund for my unused subscription time?" (Remember from the Privacy Policy section that submitting a full deletion request also cancels your ExpressVPN account.) Our first stop was expressvpn.com/support, the written support center and FAQ page. It's divided into setup guides, troubleshooting, account management and information on each of ExpressVPN's products. The setup guides are excellent, including screenshots and clearly written steps; each one includes a video guide for those who learn better that way. Troubleshooting is just as good — no videos, but the same standards of clarity and usefulness prevail. The section starts with general problems, then delves into specific issues you might face on each operating system. Each article clearly derives from a real customer need. The live support experience To get answers on our refund question, we visited the account management FAQs. This section stated that the refund policy only applies within 30 days of purchase. Pretty clear-cut, but we still wanted an answer on our special case, so we contacted live chat by clicking the button at the bottom-right of every FAQ page. Live chat is in the bottom-right corner of every page of expressvpn.com. Sam Chapman for Engadget Live chat starts with an AI assistant, which is not too hard to get past — just ask it a question it can't answer, then click "Transfer to an Agent." We got online with (what claimed to be) a human in less than a minute. Answering the question took longer and involved an uncomfortable 10-minute silence, but we did get a clear verdict from a real person: refunds are within 30 days only, no matter what. If the live chat agent can't answer your question, you'll be redirected to open an email support ticket. Annoyingly, there's no way to go directly to email support through the website or desktop apps, though mobile users have the option to skip directly there. ExpressVPN background check: From founding to Kape Technologies ExpressVPN launched in 2009, which makes it one of the oldest consumer VPNs in continual operation. In more than 15 years of operation, it's never been caught violating its own privacy policy, though its record isn't free of more minor blemishes. Headquarters in the British Virgin Islands Founders Dan Pomerantz and Peter Burchhardt registered the company in the British Virgin Islands from the start to take advantage of that territory's favorable legal environment for online privacy. The BVIs have no law requiring businesses to retain data on their users, and the process for extraditing data is famously difficult, requiring a direct order from the highest court. In 2021, the BVI implemented the Data Protection Act (DPA) [PDF link], which prevents companies based in the territory from accessing data on their users anywhere in the world. It's a great privacy law in theory, modeled on best-in-class legislation in the EU. However, we couldn't find any evidence that its supervising authority — the Office of the Information Commissioner — has a leader or staff. In other words, while ExpressVPN is not legally required to log any data on its users, there's technically nobody stopping them from doing so. Whether you trust the jurisdiction depends on whether you trust the company itself. Let's see what the other evidence says. Security and privacy incidents Two significant incidents stand out from ExpressVPN's 16-year history. In 2017, when Andrei Karlov, Russia's ambassador to Turkey, was shot to death at an art show. Turkish police suspected someone had used ExpressVPN to mask their identity while they deleted information from social media accounts belonging to the alleged assassin. To investigate, they confiscated an ExpressVPN server to comb for evidence. They didn't find anything. A police seizure is the best possible test of a VPN's approach to privacy. The provider can't prepare beforehand, fake anything, or collude with investigators. The Turkey incident is still one of the best reasons to recommend ExpressVPN, though eight years is a long time for policy to change. The second incident began in March 2024, when a researcher at CNET informed ExpressVPN that its version 12 for Windows occasionally leaked DNS requests when users enabled the split tunneling feature. While these users remained connected to an ExpressVPN server, their browsing activity was often going directly to their ISP, unmasked. The bug only impacted a few users, and to their credit, ExpressVPN sprang into action as soon as they learned about it. The team had it patched by April, as confirmed by the researcher who initially discovered the vulnerability. But while their quick and effective response deserves praise, it's still a mark against them that a journalist noticed the bug before they did. Kape Technologies ownership and management questions In 2021, an Israeli-owned, UK-based firm called Kape Technologies purchased a controlling interest in ExpressVPN. In addition to ExpressVPN, privately held Kape owns CyberGhost, Private Internet Access, and Zenmate (before it merged into CyberGhost). As shown on its website, it also owns Webselenese, publisher of VPN review websites WizCase and vpnMentor, which poses an apparent conflict of interest. When reached for comment, a representative for ExpressVPN said that "ExpressVPN does not directly engage with, nor seek to influence, the content on any Webselenese site," and pointed us to disclosure statements on the websites in question — here's one example. Even so, it's a good reminder not to take VPN reviews at face value without knowing who's behind them (Engadget is owned by Yahoo, which does not own any VPNs). Diving deeper into the background of Kape's ownership will lead you to owner Teddy Sagi. Go back far enough, and you'll see he did prison time in Israel and was mentioned in the Pandora Papers, among other things. More recently, headlines about the billionaire have focused more his businesses in the online gambling and fintech arenas, as well as his real estate ventures. An ExpressVPN representative told us that "Kape's brands continue to operate independently," and our investigation bore that out — we couldn't find any proof that Kape or Sagi have directly attempted to influence ExpressVPN's software or daily operations. Closer to the immediate day-to-day operations of ExpressVPN was the company's employment of Daniel Gericke as CTO from 2019 through 2023. During that time, the US Justice Department announced it had fined Gericke and two others for their previous employment on a surveillance operation called Project Raven, which the United Arab Emirates (UAE) used to spy on its own citizens. The revelation prompted a public response from ExpressVPN defending its decision to hire Gericke, arguing that "[t]he best goalkeepers are the ones trained by the best strikers." ExpressVPN's representative confirmed that the company still stands by that linked statement. Gericke parted ways with ExpressVPN in October 2023, per his LinkedIn profile. While we don't know what we don't know, we can say that ExpressVPN has not notably changed its public-facing security and privacy policies during the time it's been connected to Kape, Sagi, or Gericke. In the end, how much ExpressVPN's history matters to you is a personal choice. If you object to any current or past actions by Kape Technologies or Teddy Sagi, there are other premium VPN options you might prefer. If you need more information to make up your mind, we recommend reading through CNET's 2022 deep dive on ExpressVPN's corporate history. Final verdict ExpressVPN is the VPN we most often recommend to beginners. It takes zero training to use, and consistently gets past filters on streaming sites. It also runs in the background with virtually no impact. If anything is worth the high price of admission, it's the excellent speeds distributed evenly across the worldwide server network. However, for certain specific cases, ExpressVPN may not be the best choice. There's no way to set up your own server locations, like NordVPN offers, and no double VPN connections, like you can build for yourself on Surfshark. Its corporate background is more suspect than the entities backing Proton VPN, and unlike Mullvad, ExpressVPN doesn't work in China — it's so well-known that the government targets its servers specifically. We suggest going with ExpressVPN for general online privacy, for spoofing locations in your home country while traveling, or if you regularly need to unblock sites in other countries. That encompasses 19 of every 20 users, which is fine by us, as ExpressVPN is a great service. It's just more of a reliable old screwdriver than a multi-tool. This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/vpn/expressvpn-review-2025-fast-speeds-and-a-low-learning-curve-160052884.html?src=rss

Macworld A new report shows Android phones outfitted with Qualcomm cellular modems outperforming the iPhone 16e with its own Apple C1 modem. Unfortunately, the limited nature of the tests, combined with the fact that it was commissioned by Qualcomm, means we can’t learn much from it. The tests were performed by Cellular Insights, and you can read the summary here or the full report here. The general summary of the results is that the Android devices had download speeds around 35 percent faster than the iPhone 16e, and upload speeds between 81 percent and 91 percent faster. That the report was paid for by Qualcomm, of course, makes it suspect, but there are other limitations worth noting. First, the report doesn’t let us know which Android phones were tested. It says one is “a 2025 flagship device powered by Snapdragon X80 5G Modem-RF System priced at $799” and the other is “a 2024 flagship device powered by Snapdragon X75 5G Modem-RF System priced at $619.” That narrows it down somewhat, but it’s odd that the iPhone 16e is named (the only device with an Apple C1 modem after all) and the Android devices are kept somewhat secret. Second, the testing all took place in only three locations in a single small geographical area—the Astoria neighborhood in Queens, New York City. Even our own testing, which we noted was quite limited, managed to test five locations around the greater Sacramento area. Finally, the study exclusively used T-Mobile’s commercial SA 5G network. As with our own testing, which took place only on the Verizon network, looking at a single carrier (especially only in one neighborhood) captures only a very limited experience. A more extensive set of tests comes from Ookla, whose report back in March used data from many users across the country testing with its popular Speedtest app. That report captured the experience on all three major carriers, and interestingly, the gap between the iPhone 16 (using a Qualcomm modem) and the iPhone 16e (with the Apple C1) was widest on, you guessed it, T-Mobile’s network. So this test looks slightly suspect. Not only is it paid for by Qualcomm, but it pits the $599 iPhone 16e against unnamed Android phones, in just three locations of a single neighborhood, on the carrier in which Qualcomm’s modems just happen to outperform Apple’s by the widest margin. And it only tests upload and download speeds, not other aspects such as stability when moving within and between cell areas, latency, or power utilization. None of this means the report is false, but it gives the appearance of cherry-picking tests to get the results you want. Ultimately, there’s nothing of note here. The C1 modem was never meant to outperform Qualcomm’s best modems, only to provide a comparable experience to mid-tier products with good stability and lower power utilization. Apple’s future modems (C2 and C3, presumably) are expected to increase performance with each generation, ultimately with the aim of beating Qualcomm’s best offerings in 2026 or 2027.

Unless you've messed with your smartphone's camera settings, it's very likely you snap photos in 3:4 (or 4:3 if you're holding the phone in landscape). This aspect ratio is the default for most smartphone cameras, which means our photo libraries are full of images that all fit this frame.The issue is, despite the smartphone's place as the world's most popular camera, not all social media platforms respect the 3:4 aspect ratio. Instagram, for example, supports its classic square 1:1 images, as well as a 4:5 aspect ratio, but not 3:4. At first glance, 4:5 looks like 3:4—so much so, you might not have ever noticed a difference when uploading your photos. But rest assured, a 3:4 photo uploaded to Instagram's 4:5 aspect ratio gets cropped to match that frame, which means you lose a little of the top and bottom of each photo you post this way. If you pinch on the preview of your post to zoom out, you'll reveal the parts of your image that aren't making the final cut. You can move the image up or down to reveal more of the top or bottom, but you'll only cut off more of the opposite end either way.Instagram now supports 3:4 imagesLuckily, that's now changing. In a post on Threads, Adam Mosseri, head of Instagram, announced that the app now supports 3:4 uploads. The reception seems largely positive, though some users clearly want more from Instagram—namely, 2:3 support, a popular aspect ratio with photographers.Instagram also announced the news on its Creator's Broadcast Channel. The post confirms the change applies to both single-photo posts as well as carousel collections, and that you can still share 1:1 and 4:5 images as you wish. The company attached an example, comparing two different Instagram posts—one that posts an image in 4:5, and another that posts the same image in 3:4, with dotted lines demonstrating where the image would be cropped in 4:5. Credit: Instagram The change is rolling out now for all Instagram users, but you might not see it right away. My Instagram app still appears to default to 4:5, even after I updated to the latest version on iOS. It's important to note that 4:3 images, as well as other landscape or horizontal aspect ratios, have been supported on Instagram. In theory, you could've flipped your 3:4 images to post the full picture, but you would have forced your friends to turn their phones (or heads) sideways to see it.

You cross the finish line after what feels like a perfect 10-mile run and your watch beeps triumphantly, displaying that beautiful round number: 10.00 miles. You're already composing your social media post in your head. Then you upload to Strava and—betrayal. Your activity shows 9.99 miles. It might seem like a bug, but as Strava explains, it's very much by design.Welcome to the "Strava Tax," the phenomenon that has spawned memes, advice, and probably a few extra loops around parking lots as runners desperately try to hit that magical round number.What's really happening when Strava rounds down?The Strava Tax isn't actually Strava being petty or skimming distance off your achievements. It's more of a collision between mathematical precision and the messy reality of how different devices handle GPS data.Here's the thing: when your watch displays 10.00 miles, that's often not what it actually recorded. The raw GPS data might show 9.993 miles, 9.996 miles, or 10.001 miles. Your watch rounds this to a nice, clean 10.00 for display purposes—because who wants to see 9.99634 miles on their wrist?So your watch and apps don't just display raw GPS data—they "improve" it. They smooth out GPS wobbles, correct for obvious errors, and sometimes add their own interpretations of where you actually went. Your Garmin might think you ran through that building (especially as AI maps take over), while your phone's GPS smooths your route to follow the sidewalk.Different manufacturers handle this data inconsistency in different ways. Even devices from the same manufacturer can display identical GPS data differently, depending on the model, firmware version, or even the specific algorithms running on each device. Some devices will show 1.00 km as soon as you hit 991 meters (0.991 km), while others wait until you actually complete a full kilometer. It's like having different definitions of what "close enough" means.Beyond that, mile definitions aren't actually universal. You'd think a mile is a mile, right? Not in the world of fitness devices. The precise definition is 1609.344 meters, but some devices use 1609 meters for simplicity. That small difference adds up over longer distances.But Strava takes a different approach. When displaying distances, Strava rounds down rather than using standard rounding rules. So that 9.993 miles becomes 9.99 miles on your activity page, not 10.00 miles.Why Strava rounds downStrava often sits in the middle of different manufacturers and devices. Imagine if Strava applied the same "enhancement" algorithms that your Garmin uses to data coming from an Apple Watch. The Apple data might get double-processed, potentially inflating distances. Or if it used Apple's data smoothing, it might actually reduce accuracy.Instead, Strava takes a conservative approach: it displays the data as close to raw as possible, using consistent rounding rules across all devices. This means sometimes your beautiful round numbers get truncated, but it also means a 10K from a Garmin is treated the same as a 10K from an Apple Watch.Zooming out, when it comes to fitness tracking, it's helpful to remember that the numbers we see are often more complicated than they appear. We all know GPS isn't perfect. Think about it: your device is trying to track your position using satellites 12,000+ miles above Earth. Trees, buildings, weather, and even solar activity can affect accuracy. How often to record points, how to connect the dots between points, how to filter out obvious errors, how to handle missing data—each manufacturer makes different choices. Strava's choice, in its own words, is to "err on the side of caution rather than let the accuracy of our records start to dilute."Tips to live with the Strava TaxAt the end of the day, there's a deeper reason why so many runners bond over Strava Tax memes. The Strava Tax taps into something more than just measurement accuracy—it hits our psychological relationship with round numbers. There's something deeply satisfying about completing exactly 10 miles, 5K, or 100 kilometers. These numbers feel complete, accomplished, worthy of celebration.When Strava displays 9.99 miles instead of 10.00, it doesn't just remove a hundredth of a mile—it removes the psychological satisfaction of hitting that milestone. It's the difference between "I ran 10 miles!" and "I ran...well, basically 10 miles."This is why you see runners doing extra loops around parking lots, cyclists riding circles in their driveways, and forum threads debating whether 9.99 miles "counts" as a 10-mile run. It's not really about the 0.01 miles—it's about the story we tell ourselves and others about our achievements.So what's a data-obsessed athlete to do? A few strategies:Embrace the range: Instead of fixating on hitting exactly 10.00 miles, think in ranges. A 9.98-10.02 mile run is essentially the same thing—you ran about 10 miles.Know your device: Learn how your specific watch or phone handles distance calculation. Some devices let you calibrate distance measurements or choose different GPS settings that might be more or less aggressive in their processing.Focus on trends: Day-to-day variations in distance measurement matter less than long-term trends. Are you running farther this month than last month? That's more meaningful than whether Tuesday's run was 5.99 or 6.01 miles.Plan ahead: If hitting exact distances is important to you, plan routes that give you a small buffer. Aim for 10.1 miles if you want to ensure you hit at least 10.0 on Strava.The Strava Tax might be annoying, but every time you glance at your watch and see a distance, remember: there's a satellite constellation, multiple algorithms, and several companies' worth of engineering decisions all working together to give you that number. And sometimes, despite all that technology, you still end up with 9.99 miles. But hey—you still ran the distance. The GPS satellites aren't judging you, and neither should you.