When a senior executive at virtual private network company ExpressVPN admitted to working on behalf of a foreign intelligence service to hack American machines last week, it stunned employees at his new company, according to interviews and electronic records.
What ExpressVPN said after the U.S. Justice Department’s deferred prosecution agreement disturbed some employees further. The company had known about Dan Gericke’s history as a mercenary hacker for the United Arab Emirates.
The VPN provider said it had no problem with the former intelligence operative protecting the privacy of its customers. In fact, the company had repeatedly given Gericke more responsibility at ExpressVPN even as the FBI investigation of his conduct pressed toward its conclusion.
Gericke was named chief technology officer in August, according to an internal email at the time, and remains in the post.
Shortly after the court filings showed Gericke and two other former U.S. intelligence operators agreeing to pay a fine and give up any future classified work, he emailed his colleagues at ExpressVPN.
“I can imagine that this kind of news is surprising or even uncomfortable,” Gericke wrote in the message obtained by Reuters, then assured them that he had used his skills to protect consumers from threats to their security and privacy.
When senior company executives during a regular online question-and-answer session last Friday with employees accepted queries about Gericke’s deal and then discussed the sale announced days earlier of the company to British-Israeli digital security software provider Kape Technologies PLC, the workforce vented its anger.
One employee wrote anonymously on an internal chat board: “This episode has eroded consumer’s trust in our brand, regardless of the facts. How do we intend to rebuild our reputation?”
More than 40 employees voted in support of that question during the session, sending it to the top of the queue. Other employee complaints were reported earlier on Thursday by Vice. The questions and vote totals were made available to Reuters by someone authorized to have them.
Asked about the controversy, ExpressVPN said in a statement that the exchange was part of a regular monthly session between management and employees.
“As a company, we value openness, dialogue and transparency -which includes robust debate and incisive questioning,” the company said.
It said it had not known of the federal investigation or the details of Gericke’s work in UAE, and it said that country’s surveillance campaign was “completely antithetical to our mission.”
A 2019 Reuters investigation showed how a team that Gericke was embedded within, codenamed Project Raven, had helped the UAE surveil a wide range of targets, including human rights activists and journalists. The story did not name Gericke individually.
At ExpressVPN’s session with leaders Friday, the second-most supported question also concerned him.
“As an individual I have a problem accepting that Dan was hired despite disclosing past actions. These actions are not small thing we can easily forget or accept. Don’t they go against all the things XV stands for?” that person asked.
To Reuters, the company responded: “It’s only through clear commitment and contributions to our mission that Daniel has been able to earn senior leadership roles within the company and the full confidence of our co-founders.”