ExpressVPN has announced a new system designed to prevent access to domains hosting child sexual abuse material (CSAM) while preserving the privacy guarantees central to VPN services.
The initiative combines a partnership with the Internet Watch Foundation (IWF) and a DNS-based filtering technology that blocks access to verified CSAM domains without inspecting user traffic or logging activity.
The initiative, called “Not on My Network,” introduces a server-side toolkit named OpenBoundary, which restricts connections to domains identified by the IWF as hosting dedicated CSAM content. According to ExpressVPN, the system is deployed across its global VPN server infrastructure and aims to prevent the company’s network from being used to access or distribute such material.
The Internet Watch Foundation, a UK-based nonprofit organization that tracks and works to remove child sexual abuse material from the internet, maintains a regularly updated list of domains associated with confirmed CSAM. ExpressVPN will receive access to the organization’s verified CSAM Domain List, and feed it into the filtering mechanism used by OpenBoundary.
DNS-level blocking without deep inspection
OpenBoundary operates at the DNS resolver level, allowing ExpressVPN servers to check requested domains against the IWF list before a connection is established. If the domain matches an entry flagged by the nonprofit, the system immediately drops the request at the network boundary.
ExpressVPN says the approach was designed specifically to avoid techniques commonly criticized in privacy tools, such as deep packet inspection (DPI) or client-side scanning. The company claims the system does not decrypt VPN traffic, examine packet contents, or collect user activity logs, preserving the service’s long-standing no-logs policy.
Dr. Peter Membrey, Chief Research Officer at ExpressVPN and one of the architects of the initiative, described the system as a narrowly scoped safeguard rather than a broader monitoring framework.
According to Membrey, the debate around online privacy has often been framed as a trade-off between maintaining strong encryption and introducing safety mechanisms. He argues that infrastructure can enforce targeted restrictions against clearly identified criminal domains without weakening encryption or tracking users.
Open-source release planned
ExpressVPN plans to open-source OpenBoundary, publishing its code along with a technical whitepaper detailing the architecture and deployment model. The company said the goal is to encourage wider adoption among VPN providers, internet service providers, and cloud platforms.
Two other VPN providers, CyberGhost VPN and Private Internet Access, have already committed to joining the effort, according to the announcement.
The initiative also includes developer outreach programs tied to the broader #NotOnMyNetwork campaign. These efforts include support for open-source safety projects through events such as the Hack the East Hackathon and the FOSSASIA Hackathon 2026, where developers are encouraged to build privacy-preserving safety tools.
From a user perspective, the change should be largely invisible. Connections to domains on the IWF list will simply fail to resolve through ExpressVPN’s infrastructure. Because the filtering happens at the DNS level before traffic flows, ExpressVPN says it does not alter encryption, monitor browsing activity, or store identifying data.
Leave a Reply