There's Something You Should Know about Private Internet Access (PIA) VPN

Roughly a decade ago I signed on with Private Internet Access as my first commercial VPN provider. At the time it was one of - if not the - biggest player in the arena. It enjoyed a universally good reputation both for network capacity and privacy, having emerged from two separate court cases producing - as it claimed and appeared to in fact be collecting - no logging data on its clients. It was also one of the first VPN providers to distribute value-added custom desktop and mobile client software with features one expects from all services today: the ability to easily select from many geographically disparate servers, preventing DNS query leakage, implementing a "kill switch" functionality to ensure application connections don't re-establish over the regular uplink when the VPN connection drops, etc.

Not being something I needed to use very often, my subscription seemed to roll over at the promotional rate I signed up at so I let it ride for a few years until the PayPal account it was attached to dissolved. Fast forward to a few weeks ago, a friend let me use their account to test it out again because I was looking for an easy geofence evasion solution so I could provide a romantic interest with entertainment unfairly blocked in Canada.

No sooner than I mentioned this in one of my chat groups I was admonished that "PIA was bought by a spammer." That's quite the accusation, but given numerous unfortunate buyouts over the years (LavaSoft's AdAware comes to mind) not an unreasonable one. It wasn't hard to find further echoes of the insinuation on the web but with some thoughtful digging I was able to piece together what I believe are the fair and objective facts regarding the situation. Nowhere are they summed up better, in my opinion, than in this incredibly well-written and patiently researched article by Sven Taylor of Restore Privacy: Strange Ties: Private Internet Access, Kape, and Crossrider. That article from 2019 was very recently followed up one month ago on September 15, 2021 with Kape Technologies (Formerly Crossrider) Now Owns ExpressVPN, CyberGhost, Private Internet Access, Zenmate, and a Collection of VPN “Review” Websites then, incredibly, again just a couple of weeks ago on October 29, 2021 with Taking a Closer Look at Kape Technologies, Crossrider, and Malware.

To the best of my understanding - and with my apologies to those involved if I in any way am misconstruing the events - these are the facts that I feel would be relevant to the reasonable consumer's due diligence in determining if PIA is worthy of one's custom today:

  • PIA originated largely as it had appeared to: over a decade ago, justifiably gaining popular support, and it quickly grew to become a major player in the commercial VPN industry.
  • Separately, Crossrider was founded in 2011 and brought to market a novel cross-platform, cross-browser development platform for the major browsers of the era.
  • Crossrider's SDK facilitated monetization, as much commercial software does. The capability was effectively neutral. The implementation however, being in the hands of the extension developers and not Crossrider, could be abused. And it was - extensively; it provided an effective avenue for revenue to flow to developers employing a wide range of nefarious tactics including content injection and privacy invasion.

    From Kape's statement to RestorePrivacy:

    The Crossrider SDK and development platform was used by tens of thousands of independent developers to create cross-browser extensions, and unfortunately a small number of bad actors misused the platform to develop adware and malware. The team at the time attempted to combat the problem, including as a participant and supporter of the Clean Software Alliance, but ultimately decided to shut down Crossrider altogether in 2016 in the face of rising abuse.

So there we have it. A tragic case of a plucky tech upstart with a bright future that brought a new, effective and vital tool to market only to have it abused by bad actors which undeservedly devastated their reputation by mere association despite laudable efforts to combat their own platform's misuse and when that wasn't enough they nobly sacrificed their flagship product for the greater good at the expense of a bottom line they by all accounts could have sustained for the low price of looking the other way. Actually quite a heroic story when you think about it - and I don't mean to sarcastically disparage it. I have uncovered no evidence that indicates the events transpired any way other than how they are recounted by Kape Technologies, the rebranded, reorganized and refocused reincarnation of Crossrider that emerged from an apparently two year long restructuring initiated in 2016.

You know the old tune, we're just going to deep-six for a couple years and switch from a company that enables and profits from data mining and ad injection and stuff and emerge from our cocoon a beautifully transformed, trustworthy security and privacy technology leader. As one does.

The problem is there are other reasons to be skeptical of Kape Technologies. Certainly less stark than the accusations of outright malware pushing but the story is far from over here.

  • In March 2017 Crossrider purchased CyberGhost VPN in its first step to enter the VPN market and re-imagine itself as a security and privacy focused player
  • In 2018 Crossrider purchased ZenMate VPN
  • After rebranding as Kape Technologies in 2018 Private Internet Access became its largest acquisition yet by customer base and dollar amount at a sizable USD$127M:

    From the Private Internet Access acquisition press release, courtesy of Business Wire November 19, 2019:

    LONDON--(, a consumer security software business, is delighted to announce the transformational acquisition of Private Internet Access (PIA), a leading US-based digital privacy company. This acquisition will significantly increase the company’s presence in North America and doubles its existing user base to over 2 million paying customers with a truly global brand.

    This catapults Kape towards becoming the ‘go-to’ privacy company for consumers, paving the way to dominating the rapidly growing digital privacy space, which is already worth US$24 billion in 2019 and is expected to grow by 50% by 2022. According to the Breach Level Index, in the first half of 2018, more than 25 million records were compromised every day, which equates to 291 records every second. As technology develops, and more and more data is shared online, the need for online protection is increasing exponentially. The acquisition of PIA will see Kape’s user base double to over 2 million paying subscribers with almost half of them in the US. The combined group is expected to be profitable and generate over US$120 million in revenues in 2020.

    As part of the transaction, Kape will add a number of encryption-based consumer software solutions to its privacy suite available on mobile, tablet and desktops, including: Plus Ultra, a software that speeds up internet connections; LibreBrowser, a completely private browser; and Private.sh, a private and encrypted search engine. This suite will provide people a truly private digital environment.

    Ido Erlichman, Chief Executive Officer of Kape, said: “This is a game-changing moment for both Kape and PIA, transforming our vision of creating a truly global privacy company into a reality.”

    Ted Kim, Chief Executive Officer of LTMI (PIA’s holding company), added: “We are excited to join forces with Kape to create a true pioneer in digital privacy with significant scale. This transaction brings us one step closer in realising our vision of a digitally private and secure world for our customers.”

    Lumos Partners, LLC acted as the exclusive financial advisor and Baker Botts L.L.P served as legal counsel to PIA/LTMI. Bryan Cave Leighton Paisner acted as legal counsel for Kape.

    About Kape (AIM: Kape)

    Kape is a cybersecurity company focused on helping consumers around the world to have better experience and protection in their digital life. Kape develops and distributes a variety of digital products in the online security space. The Group utilises its proprietary digital distribution technology to optimise its reach and create a superb user experience. Kape offers products which provide online security, privacy and an optimal online experience. Kape's vision is to provide online autonomy for a secure and accessible personal digital life, with a team of over 350 people across seven locations worldwide.

    www.kape.com

    About PIA

    PIA was established in 2009 and is a security software business, based in Denver, Colorado. Since its inception, PIA has grown to become a leading VPN service provider focused on the consumer market, employing approximately 65, with 35% in an R&D capacity. PIA has over 1 million paying subscribers globally, with 48% of them based in the US.

    Contacts

    For Kape corporate public relations enquiries, contact:
    Vigo Communications
    Tel: +44 (0)20 7390 02347

  • Just two months ago (from the time of writing) Kape made its biggest acquisition yet: USD$946M for ExpressVPN.

    From the ExpressVPN acquisition press release, courtesy of Reuters September 13, 2021:

    JERUSALEM, Sept 13 (Reuters) - British-Israeli digital security software provider Kape Technologies PLC (KAPE.L) said on Monday it was buying virtual private network (VPN) firm ExpressVPN for $936 million in a deal aimed at creating what it called a "premium consumer privacy and security player."

    Kape said the acquisition expands its customer base to more than 6 million from nearly 3 million and would create a tier one digital privacy and security firm best positioned to capitalise on the expected market growth.

    ExpressVPN, it said, has seen a compound annual growth rate (CAGR) of 35.1% over the past four years amid strong demand for consumer-friendly data privacy and security products.

    Consumers have increasingly turned to VPNs such as ExpressVPN to obscure their identities on the internet.

    "Controlling one's digital presence is at the forefront of every tech consumer’s mind now, and Kape is more committed than ever to innovating and delivering the tools internet users need to protect their data and rights," said Ido Erlichman, chief executive of Kape Technologies.

    Dan Pomerantz, co-founder of ExpressVPN, said the firm will have more capital and resources to "accelerate our product development, deliver even more innovation to our users, and protect them from a wider range of threats."

    Kape said ExpressVPN will continue to operate day-to-day as an independent service.

Let us indulge in the least generous suspicions for a moment - after all the "tinfoil hat crowd" is, or one could be forgiven for expecting it to be, a core target demographic of commercial VPNs. Surely as a userbase expands so rapidly the pressure on any company (one might imagine more so one with a history connected to advertising, user metrics, data mining and so on - regardless of how innocent or incidental that history may be) to leverage the data collection opportunities that arise into a revenue stream increases in stride. I don't think it's unreasonable to wonder: why so many different VPN operations? Certainly there is logic to buying out userbases and it clearly makes sense to perpetuate established brands but in simple economic terms it would surely make sense to consolidate not just the ownership and governance but also operations and resources. Instead Kape seems to go out of its way to reassure customers that each VPN service it buys will continue to be operated independently, with more or less unbroken continuity. Choosing not to cut out overhead, scale up core infrastructure and migrate users even at a trickle pace to a more homogeneous "master platform" could give one the impression that Kape is trying to obfuscate its position to the lay customer or even nurture a misleading sense of choice in an increasingly artificial market. On the other hand, there is merit to maintaining a level of independence between very similar units within a business: multiple discrete systems, if they are all reasonably efficient and generating revenue, bring clear and substantial benefits in terms of resiliency and an organization's ability to carry out experimentation, analysis and R&D.
By not making any obvious changes immediately after a fresh acquisition Kape also benefits from not giving the existing userbase additional reasons to reevaluate their relationship; by seeming to do nothing they make it easier for even those customers that harbour reservations about the takeover by such an entity to also do nothing. And doing nothing beats the hell out of cancelling subscriptions.

Conversely, at best, one might interpret these events to be something akin to conventional media consolidation. Kape Technologies PLC is publicly traded on the London Stock Exchange. Throwing almost one billion American dollars at its latest prize it is quite clear the company that started in 2011 with a hot product yet had to shutter for two years when that one-trick tanked is no joke some ten years later.

Perhaps in the same vein as how many biotech megacaps aren't really pharmaceutical companies - they're investment funds whose core competency is just making money by acquiring the right microcaps - maybe today's Kape isn't really a technology company at all. Maybe it's really a simple investment fund that's found a niche in being very good or very lucky at buying the right growth equities. Operating on that assumption would imply security and performance aren't their real forte and it would be logical to focus on the kinds of metrics expected to suffer under the priorities of a volume and margin maximizing vehicle: capacity, reliability, human labour (quality of support), etc.

I will submit that my personal tinkering and benchmarking over the past few weeks has been deeply disappointing but I must qualify my input by admitting my tests have been by no means exhaustive or scientific. Over wired 100mbit/s synchronous links I can often sustain 60-70mbit/s over the default OpenVPN protocol with default settings but typically only when using automatically selected servers. It seems manually choosing a server even a few hundred kilometres away is almost always out of the question for streaming quality throughput much less consistency at even the lowest bitrates. That being said, equally anecdotally, it is interesting to note that negative reviews posted to reddit and the like receive what feels like unusually high (though genuine) response rates from users asserting their satisfaction. Comments regarding interaction with support and billing departments however seem decidedly negative and speak to a wide disappointment with obviously pre-canned responses and script-like interactions.

All of that being fine and dandy it's time to put our tinfoil hats back on because in my opinion the most troubling fact about Kape has nothing to do with difficult-to-substantiate fears of service quality being run into the ground. I couldn't blame you if you found my earlier allusion to a misleading sense of choice in an increasingly artificial market a little spooky and over the top. Are you sitting down?

From These VPN "Review" Websites are Actually Owned by VPNs by Sven Taylor of Restore Privacy May 20, 2021:

In March 2021, news broke that Kape had purchased Webselenese, which is the parent company of vpnMentor and Wizcase. These are two large VPN review websites that collectively get about 6.8 million visitors per month according to Ahrefs data (May 2021).

...

Now let’s examine how the rankings changed after the acquisition.

The table below highlights the rankings on vpnMentor’s homepage before and after the site was purchased by Kape. Notice the changes in CyberGhost and Private Internet Access.

Before ownership change

  1. NordVPN
  2. ExpressVPN
  3. Surfshark
  4. CyberGhost
  5. Private Internet Access

After ownership change

  1. ExpressVPN
  2. CyberGhost
  3. Private Internet Access
  4. IPVanish
  5. PrivateVPN

With vpnMentor.com, you can see that NordVPN and Surfshark have been completely removed from the top recommendations. Additionally, CyberGhost and Private Internet Access have gone up in the rankings to the #2 and #3 spots after the ownership changes.
We see similar developments with the before and after changes on Wizcase.com:

Before ownership change

  1. NordVPN
  2. ExpressVPN
  3. Surfshark
  4. CyberGhost
  5. Private Internet Access

After ownership change

  1. ExpressVPN
  2. CyberGhost
  3. Private Internet Access
  4. PrivateVPN
  5. HMA VPN

Just like with vpnMentor, we see that the parent company’s brands were raised in the recommendations, while some competing brands were dropped.

So one more time, just so we're clear: they don't make malware. They're just shamelessly, gratuitously deceitful. I believe the technical term for elaborate propaganda like this is psyop.

It gets better. Come meet the team!

Primary shareholder of Kape Technologies Teddy Sagi. [Photo: Himself]

Teddy Sagi is an Israeli billionaire and the main man behind Kape Technologies PLC. He made much of his fortune in online gambling. As a mover, shaker and international man of mystery Teddy has been profiled by such prestigious publications as Forbes and Wikipedia and The Panama Papers where he has been linked to at least sixteen offshore accounts. It should be noted that no wrongdoing has been associated with the accounts. Yet,

The Financial Times reports Teddy served a nine-month prison sentence after being convicted in Israel of bribery and fraud in 1996.

According to The Jerusalem Post, just a little over one month ago Teddy avoided an assassination attempt. He blames "Iranian Terror". An unnamed source blames his Russian mob debts.

CEO of Kape Technologies Ido Erlichman. [Photo: Sharon Dery]

Ido Erlichman is a former undercover counterterrorist commando. He has served as CEO of Kape Technologies for five years and by most accounts is responsible for the turnaround of Kape's fortunes.

Koby Menachemi, though since departed, co-founded Crossrider back in 2011. Worthy of note for being a Unit 8200 (Israeli SIGINT) alum. Yikes. Koby and Teddy get a little spotlight in this article by Thomas Brewster of Forbes that details the murky ties between adware and Israeli intelligence figures: These Ex-Israeli Surveillance Agents Hijack Your Browser To Profit From Ads.

It should be noted that since military service is compulsory in Israel past affiliation with intelligence outfits is a more common trait than one might otherwise be accustomed to. But a past affiliation with intelligence outfits is a past affiliation with intelligence outfits. Ya dig?

The best for last: Mark Karpelès is not affiliated with Kape. He was onboarded a few months before the PIA acquisition by co-founder Andrew Lee in the position - of all things - as Chief Technology Officer. Mark rose to fame as the perpetrator of various frauds and mismanagement as CEO of the ill-fated Mt. Gox bitcoin exchange. If he is to be judged by the alleged coding, security and management style during his tenure at Mt. Gox it is questionable what value he could bring to an established, multi-million dollar VPN platform and his inexplicable placement at PIA has been the cause of numerous fits and cancellations among the userbase; unfortunately they have yielded little in the way of answers.

Please don't come away from this with the wrong impression; god knows I enjoy people with a little colour to their personalities. Some minor jail time here and a raging drug addiction or two there is the spice that makes folks interesting. But there is a preponderance of shadiness surrounding Kape and its properties that makes me instinctively wary. If I could get PIA to perform reasonably in my particular setting I might still consider using it for simple geofence hopping, but I would avoid using it for any purpose where my security and/or privacy were important. I would definitely never pay for it.

Now that you have the facts I hope you feel equipped to make an educated decision. If there are any important details I have left out or if I have any of the details wrong please reach out.

Good luck, be safe!
