Who Owns Express Vpn, Nord, Surfshark? VPN Relationships Explained (2024)
Source: windscribe.com (Tech story, high profile)
Tone: skeptical, negative (Debate), score 80/100
Key topics: VPN, Privacy, Security
The article reveals the complex ownership structures of popular VPN services, sparking concerns about user data privacy and security, with many commenters expressing skepticism about the trustworthiness of these services.
Snapshot generated from the HN discussion (based on 160 loaded comments).
Discussion activity: very active; first comment 1h after posting; peak period 78 comments in the 60-72h window; average 17.8 comments per period.
Key moments
- 01 Story posted: Oct 3, 2025 at 8:30 PM EDT
- 02 First comment: Oct 3, 2025 at 9:57 PM EDT (1h after posting)
- 03 Peak activity: 78 comments in 60-72h (hottest window of the conversation)
- 04 Latest activity: Oct 10, 2025 at 9:11 PM EDT
ID: 45469376, Type: story, Last synced: 11/22/2025, 11:47:55 PM
https://kumu.io/embed/9ced55e897e74fd807be51990b26b415#vpn-c...
Don't use the embed link from above, use this one: https://kumu.io/Windscribe/vpn-relationships
And the website just gives 2005 amateur PHP coder vibes. Not just the design. The session expiry seems very long - I hadn't visited for a few days and I'm still logged in. I'd be surprised if it wasn't infinite.
And I find there's a good correlation between the quality of the apps and the overall quality of the company. No surprise that the Mullvad VPN app is excellent
It's extremely high quality on MacOS in my experience. It's never crashed for example whereas Airvpn's crashes daily. It connects almost instantly. I don't think I've ever seen it give an error
And I was on Proton for 3y, until the CEO was backing Trump and Vance on Reddit and other places. Their port forwarding was also painful as well, but it worked.
Cancelled. PIA does the port forwarding nicely and stably. No jank scripts to run every 60 seconds.
Now evidently PIA is a bunch of scum capitalists. But in reality, who isn't?
Mullvad? But they killed port forwarding for "abuse".
Something happened, but THAT didn't.
https://medium.com/@ovenplayer/does-proton-really-support-tr...
Either it was someone paid to write this, or if the author really believes this, they are not someone I trust.
Maybe the organization is non-profit (which I do not believe is practically true), but it does not explain them sharing so much with Tesonet.
Source: I bought this data from VPN companies... Hell, you can inject ads and surveys if you want!
So am I right in saying that the data that's encrypted by VPNs is only in transit? It then sits on a server in plain text, ready to be queried by third parties for money.
…except approximate content sizes and timing patterns.
I'm more interested in this part - how does that work? Do you just reach out to them directly and ask "hey, let me buy your user data"? Or is there some sort of service they offer?
People love to stick to what they irrationally believe in. I would give you push back as well by saying 95% is a very conservative number. I would say 98-99%
But hey, they say they don't sell my data, don't they?
How does this work? They harvest your DNS! They inject surveys into your YouTube packets. They tabulate just how much traffic goes to which specific games on Twitch. How? The provider is the endpoint, not you.
It's not the whole picture, but it's enough to sell to marketers.
This is what happens EVERY time I say this! Look again! It happened, I have 1 upvote... It's almost as if the VPN companies don't want you to believe this is true!
Story time! I have been cashed out of three startups. $600 total, across them all. It's the people in the Valley who've struck out over and over who know the truth, not the successes.
One of those startups was about tracking the games played on Twitch, and selling that info to Esports entities, marketing firms, etc. The company did not succeed because, honestly, it's not hard data to scrape yourself. BUT, we tried. And where did we get our data? VPN providers. Major VPN providers. We don't care about your personal data. We care about whether you watched a Twitch stream of GTA or Madden.
And for a time, yes, we could buy injected surveys. Packets, literally injected into your streams of data. This was expensive, iffy, and controversial, but it was on the rate cards.
DNS is very useful, and unencrypted. OpenDNS makes its money on this same info. Stop putting your heads in the sand. Y'all have seriously lost the path.
This is believable.
> It's where they make their money.
I'm much more skeptical of this. I know linus tech tips is not exactly an expert organization, but I believe the discussions they've had about almost starting a VPN and backing out for ethical reasons, and they made it clear that the core VPN product would have huge profit margins. You can always do greedy things to make more money, but for a paid VPN I'd need some solid evidence to believe that data sales are a huge line item or especially that they're the main source of money.
If you're including the swaths of free VPNs then that makes your number a lot harder to use.
In your later comment you said "DNS is very useful, and unencrypted. OpenDNS makes its money on this same info." Is the VPN company only openly selling DNS info or are they selling more, such as connection logs?
How did you approach the VPN provider to ask to buy this info?
How did they make money? Easy: they were also selling a botnet! So if you used their "free VPN", you could be part of a botnet for DDoS or to create fake reviews/upvotes from thousands of "legit" IP addresses.
1. Getting access to geolocked data
2. Torrenting "Linux ISOs"
?
It's still not perfect since you're still leaking information about the privacy set implied by the outer ClientHello, but this possibly isn't much worse than the destination IP address you're leaking anyway.
2. Because you normally visit example.com using an incognito window, your browser hasn't cached the redirect to SSL, or the address bar suggestion, and you haven't bookmarked the site.
3. You key in example.com, the browser connects over http, and the evil wifi MITMs your unencrypted connection - removing the redirect to SSL and messing with the page however the evildoer wants.
Obviously a VPN provider can also do this, but you might hope they're less likely to.
Getting someone to open an unencrypted webpage is almost trivial. It's often one of the only web pages you can open on a device.
So you have identified some marginal privacy issue, and have identified that a VPN doesn't solve it, but rather that it moves the risk to a third party actor you subjectively feel is better. Well I feel that, subjectively, introducing a third party generally decreases security.
I believe that not all privacy and security considerations can or should be solved technically, but rather we have extra-technical mechanisms like law and social norms that provide some protection on the edge cases. For example, an employee cannot look up information for personal reasons on a system they are entrusted to in a professional capacity. I'm no expert, but you probably have first laws that prohibit that, second corporate policy that prohibits that, and thirdly social pressure that prohibits that to some extent. Are they perfect? Not necessarily, which is why for the most part we rely on technical encryption and security mechanisms.
But at some point these examples become so contrived and the medicine becomes the poison, so you enter into territory that is pretty standard in other industries: what's to stop a waiter from spitting into a cup? There's no spit filter in place at McDonald's; there are other mechanisms protecting us.
On a similar note, logic and debate is not the only way to convey this phenomenon, so here's some more artistic retort to privacy schizophrenia.
https://www.youtube.com/watch?v=jf9I04Oa-hU
How is any of this "medicine becoming the poison" or "schizophrenic"?
Also, you are just switching up the "unprotected stretch" between your local wifi, and, say, Google's servers, whereas now that "unprotected stretch" lies between the VPN provider servers in Latvia or British Virgin Islands or Panama, or whatever dubious jurisdiction, and, say, Google. Sure, you added a layer of protection against the random hacker sitting in your Starbucks, but you have added many more vectors.
It becomes the poison because the solution you are introducing brings more issues. And it's schizophrenic because the issue to begin with was minuscule (a hacker stepping into McDonald's, breaking the network encryption and then also the application encryption).
Maybe if this were 2010 and websites still used HTTP, or you are using a local email client without TLS configured. But it's 2025, everything has HTTPS and you are using an HTTPS email client.
VPNs to protect corporate networks is sensible. Consumer VPNs are a different thing entirely and they do not provide increased security at best, decrease security at worst, and usually cater to schizoid threat models, where the threat actor is the state, rather than more realistic threat scenarios.
As long as the VPN is up, the worst the wifi can do is cut you off. It can't alter your connections.
It's far fewer trust points.
> Also, you are just switching up the "unprotected stretch" between your local wifi, and, say, Google's servers, whereas now that "unprotected stretch" lies between the VPN provider servers in Latvia or British Virgin Islands or Panama, or whatever dubious jurisdiction, and, say, Google. Sure, you added a layer of protection against the random hacker sitting in your Starbucks, but you have added many more vectors.
When I use a VPN for protection, the server is in the US too.
And if it's for netflix I'm going to some major country, not dubious-land.
(Also I'd say datacenter and internet core routers are less likely to attack some random person's traffic, but that's not core to my argument.)
> It becomes the poison because the solution you are introducing brings more issues. And it's schizophrenic because the issue to begin with was minuscule (a hacker stepping into McDonald's, breaking the network encryption and then also the application encryption).
For most wifi networks, there is no encryption between users. And it's quite likely that the neglected router got hacked over the internet and is part of a botnet.
> Maybe if this were 2010 and websites still used HTTP, or you are using a local email client without TLS configured. But it's 2025, everything has HTTPS and you are using an HTTPS email client.
Until you type in a URL and HSTS isn't set.
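The downgrade described in this sub-thread (typing a bare hostname, the browser's first request going out over plain HTTP, and HSTS being the thing that prevents it) is easy to reason about with a small model. The following is an added example, not code from the page or from any VPN vendor: it parses a `Strict-Transport-Security` header per RFC 6797 and then decides whether a typed address would produce a cleartext first request, given a constructed HSTS cache and a constructed preload set. All hostnames, policies and the `hsts_cache` / `preload` structures are assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797).

    Returns None when the header is absent or must be ignored: max-age
    missing, non-numeric, or given more than once.
    """
    if header is None:
        return None
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None  # duplicate or malformed max-age: whole header ignored
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def first_request_is_plaintext(
    typed: str, hsts_cache: Dict[str, HstsPolicy], preload: Set[str]
) -> bool:
    """Model the browser's choice for an address typed into the bar.

    Without a scheme the browser defaults to http://, unless the host (or a
    parent with includeSubDomains) is in its HSTS cache or the preload list.
    An explicit http:// URL is also upgraded when a policy exists.
    """
    if typed.startswith("https://"):
        return False
    host = typed[len("http://"):] if typed.startswith("http://") else typed
    host = host.split("/")[0].split(":")[0].lower()
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in preload:  # preload entries cover subdomains
            return False
        policy = hsts_cache.get(candidate)
        if policy and policy.max_age > 0 and (i == 0 or policy.include_subdomains):
            return False
    return True


if __name__ == "__main__":
    # Constructed cache, as if these headers had been seen on earlier visits.
    cache = {
        "bank.example": parse_hsts("max-age=31536000"),
        "corp.example": parse_hsts("max-age=31536000; includeSubDomains; preload"),
    }
    preload = {"preloaded.example"}  # constructed stand-in for the browser preload list
    for typed in ("example.com", "bank.example", "www.bank.example", "mail.corp.example"):
        print(typed, "-> plaintext first request:", first_request_is_plaintext(typed, cache, preload))
```

The interesting case is `www.bank.example`: the parent host has a policy, but without `includeSubDomains` the subdomain still gets a cleartext first request, which is exactly the window a hostile access point needs.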
WPA2? Sure it can be broken, but you still would have to break HTTPS on top of that.
I don't deny that a third layer adds security in that scenario, as 3 layers is more than 2 layers. But you necessarily weaken some other stretch in a zero-sum fashion, as mentioned. I'll concede that the server can be in your own country if you so choose to. But these datacenters are not necessarily controlled by the VPN provider, and they may be highly heterogeneous, in addition there will be many routers in the VPN DC to destination stretch that can still be hacked. Although again I'll grant that endpoint routers are probably weaker targets than ISP routers.
If you're on a WPA2 network you just have to observe a device connecting and you can crack their session key. It's very easy. Not that you need to do that, you could ARP spoof. Or the router could be hacked.
And you don't have to break HTTPS to have a good chance of attacking someone. There's enough HTTP around.
So it's easy to fall through both of those layers.
Nowadays most traffic is tls encrypted, but there are still metadata that can be collected.
That logic is questionable given how poorly "spying on public wifi users" scales. You either need to put a bunch of eavesdropping radios in a bunch of public places or somehow convince a bunch of small businesses to use your "free wifi" solution. Even if you do have access, it's hard to monetize the data, given that nearly every device does MAC randomization (so you can't track across different SSIDs) and iOS/windows rotates mac addresses for open/public networks. OTOH setting up metadata capture on a commercial VPN service is pretty straightforward, because you control all the servers.
Despite the randomized MAC address, you can still fingerprint devices using all the usual tricks when they connect to the authentication and authorization page before you allow them to access the broader internet.
If the receipt had a passcode on it, you've got a link between all of your browser fingerprint, radio fingerprint and payment detail fingerprint and possibly customer loyalty provided at time of payment.
Fingerprinting is overrated given that every iPhone 17 is identical to any other iPhone 17. If you leave system settings at stock, which most people do, there's very little to fingerprint.
>Doesn't pretty much every Starbucks location in the United States use a nationwide provider?
True, although mobile data is cheap and plentiful enough that I rarely bother using wifi at cafes or fast food places. The only time I use public wifi is if I'm staying long term, which basically only encompasses trains, airports, and hotels. Those are diverse enough that it's tough to build a complete profile.
>If the receipt had a passcode on it, you've got a link between all of your browser fingerprint, radio fingerprint and payment detail fingerprint and possibly customer loyalty provided at time of payment.
I don't think I ever saw a place that was that guarded about their wifi. The closest I've seen is hotels requiring your room/last name, which would allow them to identify you, but at the same time I'm not sure how much information they can glean, other than that I'm logging into gmail or airbnb. Persistent monitoring that ISPs can do is far more useful.
Debatable; I promise you that somebody out there is willing to buy the info and will attempt to combine it with $otherInfo such that it becomes valuable enough for somebody else to buy. Lots of adtech/surveillance-tech operates with thin margins at _massive scale_.
> I don't think I ever saw a place that was that guarded about their wifi.
It's rare; I'd run into it only a few times a year. Typically PoS systems and WiFi are not integrated. I also haven't really been paying attention since LTE is good now :).
And yes, I'm aware that you're most likely trading one surveillance for another - but honestly at this point I'd much rather trust my paid VPN provider with my browsing data than my ISP and ultimately the government.
Your ISP will need to comply with local laws and regulations, and you'll have some recourse if broken. A third-party VPN operating in an overseas jurisdiction could be doing anything with your data.
I think you've managed to exactly describe the problem with them, and yet you phrase it as a positive.
My government can do parallel construction, can send teams of armed gunmen to my house, and otherwise find far more methods to persecute me than the intelligence services of Russia or China can.
Being innocent of any kind of crime does not necessarily remove one from the crosshairs of law enforcement organizations, particularly the FBI, who have an extensive, well-documented history of violating citizens' constitutional rights, conducting partisan witch hunts against political opponents, being a lawless menace to civil rights activists, anti-war activists, gay rights activists, both pro-abortion and anti-abortion activists, and is probably busy right now planning on being a menace to trans inclusivity activists.
There is no such thing as a friendly government, but I'd much rather have my data in the hands of a government 10,000 miles away than in the hands of my own government. My own government hunts, injures, stalks, harasses, socially ostracizes, and even kills my fellow citizens far more than any foreign government ever has.
a) your ISP (who knows your billing information) knowing which sites you visit, and any site you visit can correlate internet activity back to your household
b) your VPN provider knowing all the sites you visit
Many other countries have protections like that, "on paper" (!!!) - but the point is in how it is used or misused, or rather completely ignored - directly or indirectly, like in the USA currently and many other countries in the world.
A Bavarian man captioned an image of Robert Habeck (the vice chancellor of Germany at the time) with "Schwachkopf Professional" - "Professional Idiot". It was styled after the Schwarzkopf ad campaign. For this, Habeck filed a criminal complaint "to stop hate crime" against the man and the man's apartment was searched by the police and a tablet confiscated. Oh, and he was arrested over it as well. [0]
(The man was also accused of posting some nazi imagery earlier in the year, but the order to search his house seems to be related only to the insult. [1])
Imagine if you could be arrested for calling your (vice) president an idiot.
[0] https://www.dw.com/en/germany-greens-habeck-presses-charges-...
[1] https://www.tagesspiegel.de/politik/falschaussage-im-fall-sc... (it's in German)
You must not set foot in the USA, India, China, et cetera, then.
Imagine you say? Getting arrested might be the least of your worries in today's world if you decide to call a president (or the immediate underling) an idiot in many countries :D
If you can prove that an ISP can inspect packets, it would be major news.
* Kazakhstan
* China
* Belarus
* Iran
* Myanmar
- list of countries that are known or suspected to MITM traffic, including SSL
https://cyberscoop.com/russia-tls-security-certificate-autho...
https://jpgamboa.com/china-ssl-authority-revoked-by-browsers...
Now it only sounds weird when a country exerts its national sovereignty because the US doesn't need to perform any additional steps to install any of their certs; they have hundreds of them by design.
Yeah. I don't think the US explicitly requires it but they don't have to, there are more than enough US-based entities with root certificates who they could send a National Security Letter to if they ever wanted one. (Also the US FPKI root certificate is at least shipped by some vendors, although it seems to be disabled by default)
Toss that into any sort of "anomaly detection" or other such nonsense, and it's easy to create rare edge cases at an ISP level.
It's somewhat analogous to how you can sometimes "reverse" hashes like SHA256. E.g., suppose the thing you're hashing is an IPv4 address. There are only 4 billion of those, so a pre-image attack just iterating through all of them and checking the forward direction of the hash is extremely effective. TLS makes that a little more complicated since the content itself is actually hidden, but time and space side-channels give you a lot of stochastic information. You might not be able to deduce somebody's bank password, but you can probably figure out where in the bank's login flow they are and approximately what they did once they logged in.
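The hash analogy in the comment above is worth seeing run, because it is exactly the mistake made when a log pipeline "anonymizes" client IPs with a plain SHA-256. This is an added example, not code from the page or any provider: it pseudonymizes an IPv4 address with an unkeyed hash, recovers the address by enumerating a candidate range and hashing forward, and then shows that a keyed HMAC with a secret the attacker lacks stops the enumeration. The address, the `/16` candidate range and the key are constructed for the demonstration; the search is kept to a `/16` so it finishes in well under a second, but the same loop over all 2^32 addresses is only a matter of minutes.

```python
import hashlib
import hmac
import ipaddress
from typing import Callable, Optional


def pseudonymize_plain(ip: str) -> str:
    """Unkeyed SHA-256 of the dotted-quad string: looks opaque, but the
    input space is tiny, so it is reversible by brute force."""
    return hashlib.sha256(ip.encode()).hexdigest()


def pseudonymize_keyed(ip: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: the same enumeration is impossible
    without the key, because the attacker cannot compute the forward direction."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def recover_ip(target_hex: str, network: str, hash_fn: Callable[[str], str]) -> Optional[str]:
    """Pre-image search over every address in `network`: hash each candidate
    with the attacker's best guess at the pipeline's function and compare.
    Returns the matching address, or None if no candidate matches."""
    for addr in ipaddress.ip_network(network):
        if hash_fn(str(addr)) == target_hex:
            return str(addr)
    return None


if __name__ == "__main__":
    # Constructed sample: one "anonymized" log entry from a hypothetical pipeline.
    real_ip = "10.20.33.44"
    log_entry = {"ts": "2025-10-03T20:30:00Z", "client": pseudonymize_plain(real_ip)}
    print("anonymized entry:", log_entry)
    # The attacker only needs a rough idea of the address range (here a /16).
    print("recovered from plain hash:", recover_ip(log_entry["client"], "10.20.0.0/16", pseudonymize_plain))

    secret = b"constructed-demo-key-keep-this-out-of-the-logs"
    keyed_entry = pseudonymize_keyed(real_ip, secret)
    print("recovered from keyed hash without key:",
          recover_ip(keyed_entry, "10.20.0.0/16", pseudonymize_plain))
```

The defender's takeaway is the same one the comment makes: hashing does not hide a value drawn from a small space. A keyed function helps only while the key stays out of the hands of whoever holds the logs, and it still lets the log owner correlate the same client across entries, so it is pseudonymization, not anonymization.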
Using timing, amounts of data, and what was being connected to, you could recreate what someone was looking at and swiping direction. (left/right sent different amounts of data)
DPI does not require any decryption of payload. Even cheap consumer devices can perform DPI on encrypted traffic. ISPs absolutely use DPI as a part of standard practice, and have been for decades. It is a basic network traffic management tool.
This happened to discord literally a few days ago.
I use VPNs when I'm trying to ferret out the scope of an outage. I have VPN servers on local ISP which moves me around different routing. I use a commercial service to move me further out and to other countries.
I don't just mean being able to access some private web interface you have on a private server in your at home, I mean connecting a satellite office to the main corporate office.
But for all of these consumer marketed VPNs, I think your list has 90%+ covered...
Perhaps we use the same word to describe them because initially they did use the same technologies, but they have branched out ever since? Maybe IPSec would be a common tech used. But the algorithms are not the same anymore since they serve different purposes (personal privacy vs corporate/sysadmin security).
In the corporate world VPNs were usually a lower level abstraction security mechanism or a redundant security mechanism to either complement application-layer security, or to hot-patch modern security onto legacy LAN systems. VPN encryption is usually provided by the local router. Common algorithms are IPSec/IKEv2.
In the personal privacy world, we are talking about a proxy that hides identification such as IP addresses, and pools connections to provide privacy. The actual encryption is not the main security mechanism even, as it only covers the transit between consumer to proxy, leaving (a potentially longer transit) between the proxy to the actual destination.
In terms of purpose and architecture it's closer to bitcoin tumblers, or Tor or Freenet, or money laundering placement. The fact that they call it VPNs seems to me more of a marketing scheme or political play to avoid association with all of the above, than an actual technical or academic description. If someone were to analyse these technologies, I'm sure a neutral or critical approach would avoid uncritically calling them VPNs in the same way that research is published not about Viagra, but on Sildenafil.
That's where my head was at. When I hear my colleagues talk about a VPN, I'm thinking about an IPSEC tunnel and an afternoon of swearing at ios on some outdated ASA. When I hear regular people talking about a VPN, my mind immediately goes to "oh, so you want to watch rick and morty on netflix and don't know anybody hosting a jellyfin/plex server".
When do we coin a new term? Or do we? Does "vpn" turn into a word like "truck" where it's only the context that tells you if we're talking about a 2 axle pickup truck in a home depot parking lot or something pulling a 40ft container unit?
"Crypto" in the 90s meant secret keys and message encryption, nowadays it's the term for the numerous ponzi scheme "investments"...
Express VPN, NordVPN and Surfshark belong to another category of software than the VPNs used by companies.
Some differences are:
1- One is used by consumers, the other is used by businesses.
2- One protects communications to a client-controlled Local area network. The other protects communications with third party services.
3- One provides encryption, the other provides anonymization.
2- The hammer doesn't care where the nail is; local carpentry or third-party furniture still require the same tool.
3- Both sides of the VPN are encrypted to each other, and anonymous to anyone else. No difference that I can see.
First, a hammer is a build (compile time) tool, while VPN is a runtime tech. Closer to a nail if you will.
Additionally, millions of products use hammers, while there's two product categories that use VPNs.
The product distribution of VPN products is bimodal, there's no inbetweens it's either a privacy oriented consumer VPN, or it's a security oriented corporate product.
Regarding the specific technology, there is no technical definition of what a VPN is, it's not an industry term, it's a marketing term. Similar to "Web", it's not HTTP, it's not TCP. This is in stark contrast to Internet (as in Internet Protocol).
Related technologies are IPSec, IKEv2, WireGuard, but VPN is one of those trademarkless industry buzzword terms that companies can latch onto for free and participate in a commodity market.
On an unrelated note, this is not unlike the term AI, which can somehow apply to fake images and conversational software. And coincidentally, modern AI is also bimodal, it's either text or synthetic images; the common ancestor might have been that the textual product originally was also synthetic generated text, but with agents and text as thought (in a Sapir-Whorf fashion) it has since greatly diverged.
That's one of the best reasons to use a VPN if you're in Australia. Give up as little as possible.
I have found, however, lots of sites block or Captcha-restrict IP addresses that are (somehow determined as) non-residential, and Netflix restricts its content as well.
It's all a game of who do you trust most / least versus convenience in the end.
Recently a SaaS supplier blocked my IP because I was logging in programmatically every thirty seconds to collect data on batch processing in a customer project, basically two HTTP requests to get an access key and then the data, and I was lazy so I just put those in a script and dumped the second response to a log file and put that in a scheduler. Turned out that another customer of the SaaS supplier somehow could see the traffic on my customer's SaaS instance and panicked because in their mind it was obviously the Russians attacking or something, and when they brought this to the supplier they also panicked.
So to keep doing this I had to move over to checking whether the previous access key was still valid and reuse it if so, as well as moving my 'location' to another country. Apparently this is fine but logging in two times a minute is not. It also happens that I need to do research on network services and cloud environments, where having the ability to just hit a couple of terminal incantations to switch 'where' I am helps out quite a bit sometimes.
Is this common?
It was surprising in a way I don't hesitate to call bad, but this supplier is an enterprise style organisation so of course they've only ranted at me and don't plan to alter their infrastructure.
If you live in a country that restricts your internet access, which to be fair is most these days, a VPN can help. Most of us just don't care about those restrictions or they are more easily circumvented using a 3rd-party DNS. Also if you're in a country like Iran or Russia, you really need to trust your VPN provider, and strange corporate structures and staff sharing really isn't helping in that respect.
For the average person, no you don't need a VPN. You might need one for a few days or a week per year, if you travel and need to access your bank or corporate infrastructure (in that case your employer most likely has their own VPN). VPNs are a niche business, but online influencers have convinced a lot of people that they need a VPN for everything, which simply isn't the case for the vast majority of us.
4. Though it hurts anonymity, and is relatively rare: I2P or Hyphanet, because some websites block known P2P nodes[1]. Important if your bank or work is being a jerk about it.
5. As ThatMedicIsASpy notes, ISP issues: some routers soil the bed from P2P, some ISPs throttle P2P traffic regardless of legality, etc.
[1] https://old.reddit.com/r/i2p/comments/tc3bhs/is_anybody_else...
VPNs don't increase privacy, they just change who has the opportunity to spy on your traffic. Sometimes, it's much better if it's some foreign random ISP instead of your local government, who can send law enforcement agents where you live.
4. Perform DDoS
5. brute force passwords
6. try out leaked passwords
7. exploit vulns.
8. CSAM
9. Phish
10. Spam
11. Evade taxes with crypto
12. Sell drugs
13. Terrorism
Lots of malicious uses for VPNs, or was your question about legitimate usecases? In which case:
14. Sending emails about cryptography
15. Pornography
16. activism
17. Journalism/Whistleblowing
18. Military
Although some of the legitimate/illegitimate categories might be subjective, which is precisely why it's a grey legal area at all.
1) I need to come out of a particular country for some systems access. If I'm travelling it's easier than having IT team change permissions.
2) I use dedicated IPs for some systems.
3) Testing websites where I want to appear local to a particular country.