Gericke, along with Marc Baier and Ryan Adams, agreed to pay more than $1.68 million in total to resolve the charges brought by the US Department of Justice (DOJ). Gericke’s share of the penalty is $335,000. Project Raven involved the development and deployment of hacking and surveillance tools for the UAE government. US nationals and activists critical of the UAE’s human rights record were allegedly among those targeted by these tools. ExpressVPN has put out an official response seeking to assure customers of its commitment to a free, secure and private internet. The statement also highlights Gericke’s role in “strengthening and securing the systems that allow us to deliver privacy and security to millions of people.”
Former US Officials Helped UAE Spying Program
Before joining ExpressVPN in December 2019, Gericke worked as a senior manager, along with Baier and Adams, at a UAE-based company that carried out hacking activities for the UAE government between 2016 and 2019. According to the DOJ, the three provided “support, direction and supervision” in creating sophisticated “zero-click” hacking systems, which require no interaction from the victim. These systems were used to “illegally obtain and use access credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States.” The three had previously been warned on several occasions that their work for the UAE company constituted a “defense service,” which requires a license from the State Department’s Directorate of Defense Trade Controls (DDTC). They nevertheless continued the work without obtaining one. Bryan Vorndran of the FBI’s Cyber Division said the Bureau will fully investigate those who profit from such illegal cyber activity. “This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company – there is risk, and there will be consequences,” he added.
ExpressVPN’s Response
On Monday, 20 September, ExpressVPN issued an official response to the story. The statement highlighted the company’s commitment to its customers’ privacy and to its overall security posture, and noted that it voluntarily opens its systems to independent review on a regular basis, pointing to a review conducted by PwC in May 2021 as an example. ExpressVPN also said that it had full knowledge of Gericke’s employment history when it hired him, including his time with the UAE company, but that it did not have details of any classified activity or of any investigation against him.

The company added that while Gericke earned its trust, it did not rely on that trust alone. Instead, ExpressVPN relies on its own controls and the “robust protections built into our operations that would prevent tampering or damage from within.” The statement also conveyed that Gericke performed exactly the function the company expected of him. “He has consistently and continuously strengthened and reinforced the systems that allow us to deliver privacy and security to millions of people,” the statement adds. “Indeed, since he joined our team, he has significantly strengthened the security of our systems and products in many ways, direct and indirect.”

ExpressVPN further detailed how it protects against internal and external threats, and said that it has led the push for greater transparency across the VPN industry. It has run a bug bounty program since 2016 and in 2020 moved it to BugCrowd, which “encouraged greater transparency, since all bugs and their respective fixes can be publicly disclosed and published on BugCrowd’s website.” The company credits Gericke both for this push for transparency and for setting up the BugCrowd program.