Mullvad VPN was subject to a search warrant – customer data not compromised (mullvad.net)
775 points by coldblues on April 20, 2023 | 335 comments



The summary of many comments so far seems to be: "I don't believe this is what actually happened when this warrant was executed in Sweden, because it doesn't sound like something that would happen when a warrant is executed in the US."


Exactly this! It's Sweden, not the US.


The police have confirmed that they were at the location but there are no further details. Could be anything.


> After demonstrating that this is indeed how our service works and them consulting the prosecutor they left without taking anything

Setting aside impacts on customers, I wonder how common seizures would need to be to support a purely financial case that businesses that are known to not store identifying information are therefore less likely to incur the cost and effort of scrambling to replace seized hardware.


I did notice that phrase doing a lot of work there. I'm actually super curious: when a bunch of goons turn up on your doorstep fully expecting to cart away boxes of electronics, /how on earth/ do you "demonstrate that this is indeed how our service works", there and then on the spot, in a sufficiently convincing manner that they leave again empty-handed?


I’ve got no real insight, but my guess would be that a) the goons have both technical and legal competence and b) Mullvad had legal representation show up quickly.


Having legal representation show up quickly means nothing.

Consider the many, many scenarios where search warrants are served on companies with in house legal. Law firms. Individual lawyers. Literally happens every single day.

Law enforcement has a warrant signed by a judge. Just because a lawyer of some sort is there doesn't mean they're going to stand around paralyzed saying "Oh there's a lawyer here, better stop what I'm doing and wait for XYZ".

They're going to say "Oh you're a lawyer? Good for you. Here's a copy. Get out of the way and stand over there."

Same thing for any technical or legal competence on the part of the authorities. You assembled enough cause for the warrant to be issued and you're going to walk away because the subject of the warrant basically says "Well see, I can explain everything..."?

This is probably the equivalent of Neil deGrasse Tyson talking his way out of a speeding ticket on the side of the road by giving one of his (in)famous "Well actually officer, the Earth revolves around the sun while turning on its axis at 25k MPH so actually I was..."[0].

Their version of events makes absolutely no sense to me.

[0] - https://www.youtube.com/watch?v=TyZSBqQ813c


This is quite silly. A warrant isn’t a magic bullet that ends all your rights and gives the police superpowers. A lawyer can very much say “no, this information isn’t responsive to the warrant”, where a lay person may not realise this, and volunteer information that they have no legal obligation to hand over.

The police absolutely rely on the information and power asymmetry between them and the public. You honestly don’t think the police behave very differently being watched (and these days often filmed) by a dozen high powered lawyers in suits, who will challenge absolutely everything they’ve just done as soon as they’re out the door?


This is extremely silly.

I did not say it ends your rights. I did not say it gives them superpowers.

What it does do is give them government and legally sanctioned power backed up by force to do whatever the warrant says. They can tear your house apart. Seize your property. They can withdraw your blood by force if necessary. Michael Jackson (rich, famous, and powerful) had his genitalia examined. They can certainly (and do) go in your office and take every single thing computer or data related if those devices may contain information relevant to the warrant.

"This information isn't responsive to the warrant?" - I feel like I'm living in an alternate universe at this point... That's borderline "One weird trick just say these magic words and the police disappear". Watch video of search warrants being executed. They walk out with TONS of material - anything electronic related, hand trucks with boxes of documents, etc. When the FBI searched a billionaire former US President they walked out with 28 boxes of documents[0].

Is anyone here under the impression that a search warrant for relevant electronic records involves the police sitting down with you and looking at your computer? No. They'll take EVERYTHING, image it for evidentiary purposes, and then take as much time as they need to review it in search for whatever was specified in the warrant.

A person or lawyer can say anything they want but the outcome in 99.9% of cases is the guys with the guns are going to do whatever they feel empowered to do. If there's anything questionable it can be argued in court later.

High powered lawyers in suits? The FBI executed a search warrant on a billionaire former United States President... Yes they'll likely behave differently but they're certainly not scared of you or whatever you or a lawyer says in the moment.

In street crime this is often called "You can beat the rap but you can't beat the ride".

In the moment the power asymmetry is very real. I point you to thousands of hours of YouTube police body camera footage, etc that demonstrates it.

[0] - https://www.youtube.com/watch?v=tcnJNfJqJTI


With respect, you're speaking with an unwarranted degree of confidence about a topic you do not seem very well versed in.

The key problem is that you're confusing two very different kinds of police operations. If the police get a tip off about a dangerous meth lab in your basement, then yes, they will execute a dawn raid, in which they storm your house, guns drawn. In that moment you simply comply, and any police overreach is sorted out later in litigation.

But this is absolutely not how warrants work in high corporate contexts. The police will arrive at reception, politely identify themselves and ask to be shown in, ask everyone to step away from their keyboards, and then begin speaking calmly with whoever is in charge. Being involved in investigations is simply a part of life for any sufficiently large corporate entity. No one is running around, no guns are being pointed at anyone, no one is particularly fazed. Most staff are sent out to go for a walk, a few are kept back to walk the police forensics techs through what data is (or isn't, in this case) kept on premises.

I applaud your zeal against police overreach, but most cases of police overreach happen on the streets and in people's homes, not in some glass tower under the watchful gaze of a team of hostile lawyers. That's why - to return to your post above - legal representation absolutely does matter, and anyone interacting with the police in any capacity without it is being inexcusably reckless. Here's a law lecture to make that point better than I can: https://www.youtube.com/watch?v=d-7o9xYp7eE.


Appreciate the respect (and sense it as well). Warning a lot of anecdotal and "I have a friend" inbound that (I believe) provides plenty of factual and real world data to justify my confidence on these matters:

- I have many friends in law enforcement. I've been on many ride alongs and seen probable cause, phoning in warrants, etc on the street in person.

- One of my friends is on a county level SWAT team and executes high-risk criminal search warrants all of the time.

- Another one of my friends is an agent with a criminal federal law enforcement agency (IRS CI) that deals with a lot of "soft"/white collar/financial/computer/crypto/corporate crime. Including lawyers that have perpetuated financial schemes and crimes against their clients (it's amazing how many sleazy lawyers embezzle money from their clients in personal injury, settlements, etc). They execute A LOT of search warrants.

With this there are several types of situations I've noticed:

1) SWAT team friend gets an early AM no-knock warrant and an army effectively shock and awes you in your sleep at 3 AM. This is the "they can and will destroy your house" as they can do things like rip your walls apart because they heard you have drugs in them or whatever. This is usually a lot of warrants, drug cases, etc where the justification for the search/arrest is an undercover narcotics buy or something like that and cause can be presented that the subjects are violent, armed, and/or likely to destroy evidence with a daytime "knock and announce" warrant. From what I've gathered the colloquial term for these groups is "door kickers".

2) IRS CID friend goes out to have a "friendly" chat/interview with someone. There's no warrant but it's a federal felony to lie to most federal law enforcement so they'll do a lot of "ask questions they already know the answer to" because the lie itself is a crime and they'll leverage or convict you on that alone. No one ever talk to them. Seriously. Not ever. They'll walk away but it's likely not the last you'll see of them (they'll come back with a warrant).

3a) IRS CI (or similar) comes back with a warrant. From my understanding there are special steps and justifications that must be presented for a search warrant to be executed before 6 AM and after something like 9 PM. From what my friend tells me they show up after 6 AM-ish and "bang on the door and shout police and search warrant multiple times loud enough for the entire neighborhood to hear". Compared to SWAT team friend these are very gentle and reasonable (approaching what you're describing). From what I can remember they very rarely even physically force entry. The subject politely and calmly answers the door, they put their guns away, and everyone does their thing.

3b) What you're describing. If the warrant is for a business or individual known to be at a business during business hours they'll calmly walk in during business hours with their cool blue yellow-lettering "raid jackets" that communicate "we mean business" compared to their usual dress suit (with gun on hip) "uniform". This is the "Ok everyone stop what you're doing, step away from your computer, and go over there". From what I understand it's amazing how intimidating a cheap blue nylon jacket that says "IRS" or "FBI" on it can be.

While these scenarios FEEL very different they are more similar than dissimilar. In all cases simply having a lawyer present isn't going to modulate their behavior significantly - they're going to do what they came to do. Meth lab and a poor nobody? They'll definitely go harder. Billionaire former president? By the book but they're still going to get what they came for.

What people don't seem to understand about warrants is the fundamental shift in power they represent:

1) We have laws. Laws that govern what anyone can do - including law enforcement and government.

2) The police operate under these laws as police.

3) When law enforcement needs to comply with the law while being able to extend governmental power they apply to the independent judicial branch of government to review and act as a check against their governmental (LE) power.

4) At the point a judge signs a warrant law enforcement is empowered by the entire judicial branch of government to largely do whatever is necessary (within other laws, policies, and procedures) to enforce what is now (effectively) a court order.

So at this point law enforcement is actually doing two things:

1) They are furthering their investigation.

2) They are satisfying a court order.

So... The support here of this bizarre Mullvad statement is bewildering to me. While this is anecdotal and very US-focused there isn't a functioning government/justice system in the world where this scenario makes any sense whatsoever:

1) Law enforcement has an investigation.

2) They assembled enough evidence to pursue a search warrant.

3) They were granted said warrant.

4) They sent out SIX (presumably) armed police officers from the national police to execute a search and enforce the warrant.

5) Even after all of this... They arrive and are essentially talked out of doing anything because the subject of the warrant said "we don't have that".

I'm really trying to understand the support for the (essentially) impossible scenario described in this statement from Mullvad.

Thank you for your recognition of my zeal against police overreach - what I've learned over hours and years of my curiosity and peppering these friends with questions is "don't talk to the police, ESPECIALLY the Feds in the US". When I received training on interacting with federal law enforcement in a corporate context the script was:

"Hi I'm agent X from Y and I have a few questions".

All you say is: "Do you have a business card? Thank you - someone will be in touch." With that "someone" being an attorney.

Do not say another single word. If it's a search (3 AM SWAT or nice conversation in your office) things can be calm, polite, and cordial but at the end of the day LE has an incredible amount of power at this point and when it comes down to it they're going to use it and get what they're looking for.


> They can tear your house apart. Seize your property. They can withdraw your blood by force if necessary. Michael Jackson (rich, famous, and powerful) had his genitalia examined. They can certainly (and do) go in your office and take every single thing computer or data related if those devices may contain information relevant to the warrant.

That's only true for the US, which isn't where Mullvad is located.


This has been talked to death on this thread.

Swedish law enforcement did an initial investigation. Applied for a warrant. Was granted a warrant. Then six officers from the national police arrived to serve the warrant.

In any country in the world with a functioning government they are not just going to walk away because someone said they don’t have the materials covered in the warrant.


> In any country in the world with a functioning government they are not just going to walk away because someone said they don’t have the materials covered in the warrant.

That's probably true, but entirely unrelated to what you claimed before.

You said this specifically, and none of that is permissible anywhere in Europe.

> They can tear your house apart. Seize your property. They can withdraw your blood by force if necessary. Michael Jackson (rich, famous, and powerful) had his genitalia examined. They can certainly (and do) go in your office and take every single thing computer or data related if those devices may contain information relevant to the warrant.

They'll only be able to take what's specifically allowed according to the warrant, and if the warrant was worded to only include servers with storage mediums, and they don't have any, then nothing could be collected until the warrant was reissued. Which would likely be done pretty quickly.


> That's probably true, but entirely unrelated to what you claimed before.

I'm not seeing how but I don't think it matters.

> You said this specifically, and none of that is permissible anywhere in Europe.

Europe doesn't have crime? Europe doesn't have law enforcement that needs to assemble and collect evidence? Law enforcement in Europe doesn't have situations where the entirety of the situation and circumstances can't possibly be known and warrants need to be extremely (almost impossibly) specific?

Again, US centric but I point to the search warrant affidavit for a billionaire former US President[0]. Page 37 and 38 include language that (from what I've seen) is fairly typical. Statements like "any and all areas that may contain XYZ". "Any and all physical documents", etc.

The US and Europe generally are very different places and US governmental overreach, infringing on civil liberties, abuse of power, etc is a popular topic on HN (I don't disagree). However, the US isn't quite the dystopian Orwellian nightmare described on HN (yet).

It may be my US blinders but I don't understand an environment like the one you describe where a search warrant from government (law enforcement and an independent judicial branch) would be specific enough to include ambiguous terms like "servers". What is a "server", really? Even the technical crowd on HN would debate that ferociously.

I think HN is giving LE and government too much credit here. I have a friend in LE in the US at the federal level who deals with a lot of electronic, crypto, etc investigations and search warrants. He frequently tells me things like "then I have to sit down with the 60 year old lawyers/bureaucrats and get them to understand what a crypto tumbler is".

Again, possibly too US centric but Sweden or otherwise the process is clearly more similar than not:

1) There's an investigation.

2) LE puts together some justification for a warrant.

3) They apply for and get one (again - there's a low common denominator here because everyone through the chain up to and including a judge needs to understand what's described).

4) They get the warrant.

5) They send out six police officers from the national police organization.

6) They arrive and someone (per Mullvad's statement) says "we don't have that". If there is a single computer on site (or potentially even storage media, etc) there's no way to establish the veracity of that statement (coming from a party that is clearly under criminal investigation) without performing a search of some kind or (more likely) seizing materials for review later.

7) Per Mullvad's statement LE didn't do anything and (incredulously) walked away without taking any action whatsoever.

I'm not saying what did or didn't happen, I'm saying what they're describing is pretty fantastical.

[0] - https://www.documentcloud.org/documents/22267182-trump-searc...


I think you're misunderstanding me. My only issue was with the quoted examples. I completely agree that the situation is pretty unbelievable and the warrant was likely very poorly worded if they were forced to leave without taking anything.

To me, the whole situation sounds more like a local government failure which Mullvad successfully capitalized on.


In many cases the police don’t let you watch, they make you wait outside. Reason to have cameras in your place (pros and cons).


Pros: excellent material for a music video mocking the cops doing the search.


Point of order: multiple music videos, not just one.


In other places in the world they can only search room by room so that you can be present and oversee the process.


In America maybe. This was in Sweden.


Yes it was. I don't understand how you could have a functioning legal system anywhere if a search warrant can be neutralized by saying "I don't have that" without any kind of search taking place.


If the search warrant says "take servers containing information about X" and the search team asks which servers contain information about X and gets answer "none" which they have reason to believe it's true - then there's no point taking anything and not taking anything would not hurt the function of the legal system. Of course cops may go on a power trip and take stuff anyway to show how powerful they are, but that has nothing to do with the legal system. Apparently these cops weren't of that sort, congrats to them.


Items removed outside the scope of a warrant have similar standing to items seized without a warrant.


Yes, in the sense that they are both admissible in court. This is Sweden, not USA.


Are you saying in Sweden police can enter your home, seize your computers, phones and documents without a court order, to look for evidence of some hunch? No, that is very far from the general western democracy laws we broadly expect.

Search and seizure laws are designed to protect citizens from the police and from the state, not some humanitarian protection for criminals.


This feels like a very American-centric perspective, this happened in Sweden.

For a bunch of reasons policing outside the US is very different to policing in the US.


I realize this happened in Sweden. My dad was a professor at the Karolinska Institutet in Stockholm; I practically grew up there. My first name is spelled "Kristian" for this reason.

Yes Sweden is very different from the US. In fact, seven years ago some Swedish cops on vacation in NYC became somewhat famous and drew significant attention (at the time) to policing issues in the US[0]. People in the US were literally saying "WE NEED SWEDISH COPS".

That said... Even by Swedish standards (with which I'm familiar) I find it very, very, very hard to believe the government would bother to do an initial investigation, draft and apply for a warrant, serve the warrant with SIX police officers, and then walk out with a handshake because some guy in the office says "we don't have that".

[0] - https://www.youtube.com/watch?v=izdfnHBMwSs


Meh, police get the address wrong sometimes. I could totally see them either not understanding or not believing a 'no logs' policy.

So they get a warrant for 'servers with client connection logs' and when they arrive they discover that there are no servers - nothing with a HD and certainly no storage systems, and then they contact their boss and are more willing to re-examine and maybe decide to trust that the company was being honest.

Mullvad don't say they weren't searched, just that nothing was taken. They informed the police that what they wanted didn't exist and demonstrated it to the police/prosecutor's satisfaction. Cops have access to technical consultants if they need expertise to verify this.

Good code and wiring probably helped - if there's a rat's nest of cables running into the ceiling it's hard to trust, but if there's a really clean patch panel and short direct runs between equipment it's easier to demonstrate that what you see matches the device map and how it's configured.


> I find it very, very, very hard to believe

Well I guess that settles it


I don't know how things work in Sweden, but I wouldn't be surprised if this process was more reasonable than in the US.

It's funny how much we talk about the 4th amendment and due process, when our level of due process is actually not that great. If police come knocking at your door in the US, they are likely to trend toward the most extreme actions they can get away with. That doesn't need to be how things work, and I wouldn't be surprised to learn that law enforcement behaves better somewhere like Sweden.


This analogy breaks down at a certain resolution but imagine if the cop who pulled over Tyson brought the district attorney with him and Tyson has God in the passenger seat. I could absolutely envision a situation where God explained the facts to the DA who subsequently changed his mind about whether there was a substantial likelihood of a conviction, which is (usually) the ethical threshold for bringing prosecution.


Godwin's Law: the longer the Internet argument, the more likely someone invokes God to make an analogy - and wins


Maybe in Sweden, telling and proving to the prosecutor "I simply do not have what you want, and I can show you" works better than elsewhere.


I don't know where this perspective of "Sweden has so many rights and protections the legal system is parallel to general practice in the rest of the world" comes from.

See Julian Assange[0].

[0] - https://en.wikipedia.org/wiki/Assange_v_Swedish_Prosecution_...


> I don't know where this perspective of "Sweden has so many rights and protections the legal system is parallel to general practice in the rest of the world" comes from.

I don't know where that came from either, I certainly didn't say anything like that. However using his rape accusation to show Sweden is bad isn't a great example. He raped a woman, they tried to get him for it.


I'm not saying "Sweden is bad" I'm saying "Sweden, like any other government in the world, has a lot of power and they use it".

I used Assange specifically because I think it's pretty clear the lone superpower in the world (the United States) clearly threw their weight around on the Assange situation. It's not a leap (at all) to think a popular VPN provider that (due to the nature of their business) likely attracts the interest of law enforcement from governments around the world - almost certainly including the US - would trigger similar levels of interest at the highest levels of government internationally.

Rape is clearly abhorrent but I think it's pretty obvious Assange had a gigantic target on his back because he pissed off and embarrassed the United States. Any rape investigation should be taken very seriously but when you look at the Assange situation it's VERY clear the aggressiveness and pursuit of that was far beyond what is likely typical in those kinds of investigations.

I think the same would happen in this scenario and anyone who says "oh they're just a VPN provider Sweden wouldn't take it too seriously" is pretty naive.


How about the possibility that this is Sweden with a different set of priorities, an underlying crime that's relatively petty, and a prosecutor that is mostly disinterested in the case but had to at least pretend to make an effort?


Try to imagine the police executing a warrant against a Google datacenter because one of their customers is under investigation.

If they want to be massive schmucks they could in theory cart off with every server in the building, but they're also not supposed to do this, because the warrant is to seize particular things, and should be something like "servers containing the data of X user" and not just "servers" if the judge is doing what they ought to do.

The police also don't really want to cart off a thousand tons of irrelevant equipment, because it's physical labor and they have to do paperwork to catalog it and it takes up a lot of space in their evidence room. The main reason they do this in practice is to grief the target of the investigation, or to be more charitable, to make sure the target of the investigation isn't lying about which equipment is relevant. But that doesn't really apply when they're searching the building of some independent third party who has done nothing wrong and has more to lose by making false statements to the police than by the police finding what they're looking for.

So what they might do instead is ask the company which servers have relevant data on them. And if the true answer to that question is none, well, that should be the end of it.


It was Swedish cops. We all know US cops would both be unlikely to comprehend the situation and would take everything that wasn't nailed down out of spite even if they did, and would experience no consequences; however, other folks in better countries actually have rights.

They had warrants to seize servers containing data relevant to a case. None such exists. They didn't have the right to just steal like US cops.


They've invested a lot of resources in what they call "diskless infrastructure", as in everything's in the server's RAM.

I presume it wouldn't be difficult to argue that as soon as you shut off a server to transfer it away, things they're looking for would be lost.


HotPlug allows hot seizure and removal of computers from the field

https://news.ycombinator.com/item?id=982930 (2009)

https://wiebetech.com/products/hotplug-field-kit/


This is assuming the point of not having disks is to keep the confidential data in RAM.

The problem with disks is they're hard to securely erase. Some NAT mapping gets written to a log or swap file and then you overwrite it but the device silently reallocated that sector and the old one is still there. DRAM doesn't do that. Then if you e.g. power cycle the machine once a day, it never contains data more than a day old.


Mullvad's RAM-based architecture is more of a "look, we can't accidentally log things, we don't have disk to log things on" than "there's no way to capture the secrets this particular server holds".


Yes, but it requires the police to have the right warrants and tools

and the server to not detect it due to e.g. network disconnect, or you not giving it the latest versions of rolling keys etc.


I’d go with something MEMS based. Always safely shutdown your hardware if you sense an earthquake!


I guess their OS could defend itself from something like this by actively deleting any potentially compromising customer data as soon as it loses its connection to the internet. No idea if it does though.


The design of their diskless architecture (where everything is provisioned to RAM on boot, and no data needs to be stored at all), and the nature of their service, likely means that they could be even more sensitive, eg, reboot on a minimal acceleration from an internal accelerometer, minor power irregularities, momentary internet outage, etc.


Implement a deadman switch over X10.


I guess they don't have them on hand today?

They will come back another day with a pile of batteries.


I'm wondering this as well and I haven't seen a sufficiently good explanation yet. I know they've done audits of different kinds over the years, I've read up about their infrastructure and the way they run their services, but I don't realistically see any of that being enough of an argument, right there on the spot, when the police turn up with a warrant. What could they possibly have demonstrated and how?


> What could they possibly have demonstrated and how?

Affiliation with an intelligence agency, who tell the petty beat cops to turn around and mind their own business. Probably more or less the same way that BATFE agents pretending to coyly sell illegal machine guns turn away any regular cop who might wander into the fishing expedition. With phone calls to police chiefs I imagine.


In the US, the goons would probably take everything that had a plug, and the owners would spend a year or two getting their stuff back, if they are lucky. And, the goons enjoy total immunity so if they stole anything on the way, tough cookies. Example: https://www.forbes.com/sites/nicksibilla/2019/09/17/federal-...

Hopefully in Sweden it works differently.


Perhaps a business would structure their physical infrastructure in anticipation of the language of search warrants. They could use documentation, the principle of separation of concern, and well-labeled physical devices.


You mean, sufficiently convincing that they leave empty-handed for now, knowing they'll have to come back with bigger guns.

I'll be watching the news feed for updates on this.


This is in Sweden


After getting a call from the CIA to leave their honeypot alone, they left without taking anything ;-)


Bold claim. Any more info on this?


Absolutely none but they are getting into the too good to be true territory.

Given they are legit, they should take this as a compliment I guess.


...as a Mullvad user, I salute you.


"Once is happenstance. Twice is coincidence. Three times is enemy action."

- Ian Fleming, Goldfinger

I find this to be a reasonable subjective measure.


I don't understand why go after the VPN, I think most people don't use a VPN correctly.

What good is a VPN when multiple apps on your computer are phoning home?

If the law has a suspect IP, couldn't they just ask Google, Microsoft and Facebook what accounts were accessed with that IP?

To use a VPN correctly wouldn't you have to use a fresh OS and absolutely not log in to any accounts connected to the IP you are trying to hide?


> To use a VPN correctly wouldn't you have to use a fresh OS and absolutely not log in to any accounts connected to the IP you are trying to hide?

Even then fingerprinting would still present an issue, even without explicitly logging in, with most browsers.

For example: https://coveryourtracks.eff.org/

Also have a look at this: https://www.amiunique.org/

So you might need to have a browser that lies and presents configuration information that is common enough not to be unique, probably an OS inside of a VM might be one of the possible starting points. Outright denying access to some of that might actually help identify you, but pretending to be a common setup might not even work that well.

I'm frankly not sure whether privacy on the web is even truly possible nowadays, at least without a lot of effort. Even with a VPN, I treat the web as something that is more or less "spying" on me regardless, in the metadata collection and storage sense.


And if you do go out of your way to avoid fingerprinting, get ready for endless captcha prompts, automatic shadowbanning, etc as punishment


>automatic shadowbanning

Yes that seems to be the case here on Hacker News as well as it seems like my submissions and comments don't show up unless I'm logged in. Let's see about this one.


I see your comment just fine but iirc accounts with few posts might show up as dead


Ever used creepjs? It's literally impossible to escape fingerprinting that actually works now. Also if you use not-Windows, no browser currently properly spoofs its javascript OS value, especially if queried within a WebWorker, so that alone makes you stand out way more just by not using Windows, at least until browsers make a way to spoof that too.

And the people that say "just disable CSS/JS"... guess what? Almost nobody does that, which makes you stand out even more!


> So you might need to have a browser that lies and presents configuration information that is common enough not to be unique,

there are so many ways to fingerprint a user that trying to blend in with the crowd is pointless. If anything, it's better to have your browser present a unique fingerprint that regularly changes than to have to pray that you've somehow managed to avoid every single thing that could possibly flag you individually.


I believe the "a fresh OS" makes fingerprinting useless.


Not really. Modern web browsers expose a lot of information, such as your language, time zone, screen resolution, CPU and GPU details (number of cores, vendor, model...), etc. There's even <canvas> fingerprint which depends on your GPU driver version.

If you use a custom built desktop computer, you're going to have a pretty unique browser fingerprint because few people will use the same exact hardware configuration. On the other hand, if you use Apple hardware you'll look the same as other Mac/iPhone users. The other option is to use Tor Browser or Tails OS, but I don't think that's feasible for everyday browsing.

As other people have said, it's surprisingly difficult to have privacy on everyday browsing today. Personally, I blame Google. I believe they purposefully pushed modern web standards into maximum user data exposure for their own profit.


So, one could think a solution would be to not use modern browsers. But then this alone makes you stand out again I guess.

Maybe VPNs should start to offer “browser anonymization” as a service.


That's also surprisingly hard. Even assuming that every feature you need will work (which won't probably be the case), many popular websites as well as nearly all banking/shopping sites are behind Cloudflare, captchas or something else that doesn't like non-standard browsers at all. You will be automatically flagged as a suspicious user or a bot and will be prevented from accessing the site or be presented with tons of captchas. Google won't even let you access your account or Gmail.

At least that's been my experience. In fact, I've even encountered problems while using Chromium and Firefox on Linux, just because some sites didn't like the user agent.

In short, to use the modern web you need a modern browser, and modern browsers are very leaky and fingerprintable by design.

> Maybe VPNs should start to offer “browser anonymization” as a service.

The problem is that they'd need to render the website server-side and then serve it to you. That has its own problems, as the VPN provider now has total control of all web content you see.

That already exists, by the way: https://www.puffin.com/secure-browser

I'd say the most realistic options to avoid browser fingerprinting are either using Apple hardware or sandboxing the browser inside a virtual machine. And it's better to use Chrome because it has the most users by a large margin. Firefox, Brave and the new Mullvad browser do implement some anti-fingerprint mitigations, but they have few users so you'll stick out more.


Use the VPN from a VM. You can also configure Mullvad to use socks so that it can only be accessed from Firefox (which has OS independent socks settings)


I was under the impression the socks feature no longer works, are you currently using it?


I am, through the mullvad add-on.


Take their wireguard config, change allowed IPs to include only the IP of their SOCKS gateway.

And then use the SOCKS proxy over Wireguard while nothing else on your system is routed through it.

That's the only way you'll get Mullvad "split tunnel" on OSX.

Edit: Should have replied to the sibling comment but I guess this will do.


TIL, thanks!


It works the same as always for me on Linux with SSH port forwards.


you can start chrome-based browsers with a flag from the commandline with os independent proxy settings


> don't use a VPN correctly

People have different use cases for a VPN. I use one because I travel a lot, and spend a lot of time on dodgy public Wi-Fi. Not because I’m living some Jason Bourne fantasy.


That's what Jason Bourne would say.


Yeah. A commercial VPN that's demonstrated its record-keeping policy under subpoena is reasonably safe if your objective is pirating media. HN commentators act like the VPN target market is Sino-Iranian freedom fighters who split their time between rescuing Uyghurs and searching for a way to cure their magical curse that makes them dissolve into dust if Google can tell they did a search for good restaurants in the area.

Most people are just trying not to get a scary letter from HBO.


> Most people are just trying not to get a scary letter from HBO.

It's safe to assume that VPN company operating in the US is compromised but I figure that three letter agencies aren't going to spoil their honeypot over some kid downloading movies and TV episodes, which just gives you an added layer of protection against raids while also preventing your ISP from selling your browsing history and avoiding DMCA letters which unfortunately can get you perma-banned from your ISP based on nothing but unproven accusations from unreliable 3rd parties.


My country blocks many websites and I'm pretty sure it spies on users' traffic too.

I can use VPN to access the web freely and while VPN provider can also log my traffic, I trust it MUCH MORE than my country's government.


Briefly, law requires establishing probable cause, that _one_ specific person has done specific things, to underwrite search warrant. VPN IPs are shared between users, meaning any one of the ~X00 users sharing a single ip could be doing any number of things at the same time.


Briefly, non-US jurisdictions are not US jurisdictions and have different standards and procedures.


I think the comment was made under the assumption the user lives in a place with a reasonably fair legal system. Of course all bets are off if you don't.


If an app phones home at 11:00 AM and the illegal act is at 11:01 AM wouldn't it narrow down the list of suspects considerably?


No, because at the same time x number of users have their apps phoning home with what appears to be the same IP


How can you be sure that you are the only one in your country not connected to the same IP address provided by a VPN server?


Well if they have ISP flow logs, that'll be trickier because it will enable very granular inspection of the traffic and the timings of that traffic.

However if they are trying to cast a wide net and inquire Google and other service providers for it, that will lead to a lot of collisions and they won't be able to tell it is from country A because it is from the VPN.


Are you sure x is sufficiently large?


When tunneling through a VPN ideally thousands of users will share the same exit IP. So even if all your apps "phone home" identifiable information there is no way to prove that whatever traffic "the law" is trying to pin you on actually originates from your machine.

Unless of course if the VPN keeps detailed traffic logs which is why that’s generally frowned upon.


> What good is a VPN when multiple apps on your computer are phoning home?

The point of a VPN is that whenever an app phones home, it will do so through the VPN. Standard VPN configuration (which I suppose the Mullvad client performs?) is to entirely disallow any traffic that doesn't go through the VPN.


You're missing the reason this is important - the companies that run those apps (spotify, facebook, steam, discord, etc.) will be able to correlate your VPN connection with your non-VPN connection, and tie those both to an app account that identifies you.

It means unless you've got a dedicated download/seed box running your torrent downloads, one that doesn't have anything else on it and never connects to anything without a VPN connect, it's possible to track you down way more easily than you would think.


Another easier option is to run the VPN client and torrent client in a Docker container, with networking separate from the host machine. Then the only thing using the VPN is the torrent client.


You put the vpn on a physical device (router), so there is no way to circumvent it on the os level.


If your ISP suspects your IP address (can see you are connected to a specific VPN server) they can just contact top websites, for example Twitter, Facebook or Google, and ask them if there are any users connected with the same IP at a given specific time.


This is a confusing take to me. So my ISP which has my billing information is trying to find out who I am by calling Google? They know who I am.

The inverse is what you're trying to prevent. Service ABC has malicious activity and calls Google to ask which accounts are accessing from that IP address. However this has two main problems.

a) Why would Google give this info over willingly.

b) Most VPNs assign the same outbound IP address to multiple users. So it's not a 1-1 mapping.

c) People who are using a VPN for something malicious are not also signed into Google.. I'd think.


It's not a 1-1 mapping but it can narrow things down to you and maybe a handful of others. If you're doing something like file sharing repeatedly over several days/weeks they can pull data for all of that time and when your IP is the only constant they'd know it was you. If they have only a handful of people it could potentially be, and they care enough they can seize and search the devices of everyone to find the person.

Also, you don't have to be logged into google for google to know who you are. If you're using windows, your OS is also phoning home constantly with identifying data. If you use steam, it's also phoning home. Run wireshark sometime and see how much your computer is sending to random servers without you doing anything or being "logged in".
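
Added example (not part of any comment in the thread): a small Python model of the argument above that repeated sightings behind a shared exit IP shrink the set of possible users, useful when judging how much cover a shared IP really gives. The account names, user counts and online probability are constructed assumptions, not measurements of any VPN.

```python
"""Added illustration: how the anonymity set behind a shared VPN exit IP
shrinks when the same user is seen there repeatedly. All data is synthetic."""
import random

# Constructed sample: accounts some service saw on one exit IP in three
# separate time windows around three events of interest.
SAMPLE_WINDOWS = [
    {"acct-a", "acct-b", "acct-c", "acct-d"},
    {"acct-a", "acct-c", "acct-e"},
    {"acct-c", "acct-d", "acct-f"},
]


def intersect_candidates(observations):
    """Return the accounts present in every observation window."""
    observations = list(observations)
    if not observations:
        return set()
    candidates = set(observations[0])
    for seen in observations[1:]:
        candidates &= set(seen)
    return candidates


def observations_needed(cover_users, p_online):
    """Smallest k for which the expected number of *other* users online
    during all k events, cover_users * p_online**k, drops below 1."""
    if not 0 <= p_online < 1:
        raise ValueError("p_online must be in [0, 1)")
    k, expected = 0, float(cover_users)
    while expected >= 1:
        expected *= p_online
        k += 1
    return k


def simulate(cover_users, p_online, events, seed=0):
    """Simulate `events` observation windows on one exit IP.

    Account 0 is always present (it causes the events). Every other account
    is online independently with probability p_online (an assumption; real
    usage is correlated by time zone and habit). Returns the candidate-set
    size after each event.
    """
    rng = random.Random(seed)
    sizes, candidates = [], None
    for _ in range(events):
        seen = {0} | {u for u in range(1, cover_users + 1)
                      if rng.random() < p_online}
        candidates = seen if candidates is None else candidates & seen
        sizes.append(len(candidates))
    return sizes


if __name__ == "__main__":
    print("sample windows ->", sorted(intersect_candidates(SAMPLE_WINDOWS)))
    for p in (0.1, 0.5, 0.9):
        print(f"10,000 cover users, p_online={p}: "
              f"~{observations_needed(10_000, p)} events to expect a unique match")
    print("simulated set sizes:", simulate(10_000, 0.5, 16))
```

A single sighting leaves thousands of candidates, as several commenters say; the cover only holds if the other users behind the IP are also present at every observed event.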


a) If they are unable to identify the user by any means then this is their only resort and google is going to happily hand it over.

b) Depends on the country you are in. You might be the only one connected to a specific VPN server at specified time, this also answers point c.

c) Would be surprised. Have a read of this recent Affidavit https://s3.documentcloud.org/documents/23723268/pompourin-af...


a) This is why you go through the legal system instead of asking Google directly. Report malicious activity to a three-letter agency of your choice, and let them do the dirty work.

b) You can reduce the list of suspects significantly by correlating activity on multiple services from the same IP address around the same time.

c) You'd be wrong... especially since Google never really forgets who you are, even when you are not signed in.


I assume you mean "If any opponent suspects your IP address..."

You can counter that easily. That's why you should use a multihop VPN.


I personally use a bunch of VMs for web browsing, all with different exit IPs.

And yes, a lot of people use VPNs but don't use them correctly. But I'd rather help them to use them more effectively, rather than shout down that VPNs "don't work". And even when they're not used correctly, most people don't have particularly omniscient threats. And even imperfect use still helps everyone else by creating cover traffic, a fluid market for VPN services, and more evidence to websites that (IP-based) nagwalls hurt legitimate visitors.


You use Qubes OS?

Otherwise, a lot of ram, CPU and storage might be needed.


Actually no, just home-rolled with virt-manager. I can definitely see the advantages of Qubes, but at this point it feels like it would be a lot of learning and changes for what is mostly a similar system. And I don't think it would work for the servers/daemons I run either.


Yeah, even getting that beast installed on a typical machine may not be straightforward. It has very specific hardware requirements.


You're right that this is a huge problem with modern OS/software that's constantly phoning home, and people would be wise to avoid using those programs/operating systems when using a VPN to hide their identity. But many VPNs offer plausible deniability by assigning many people the same IP.

A request to MS asking for who had a given IP address at a certain time could return multiple devices in different countries/states/cities. Narrows things down significantly, but not always a dead giveaway.


You want to use VPN in places like United Arab Emirates and China where there are issues with Internet traffic

- WhatsApp calls and such are blocked, you are forced to use the local crappy app by the local ruler’s cousin otherwise

- They will outright send a re-educator to visit you if you browse the web about the sensitive topics


> They will outright send a re-educator to visit you if you browse the web about the sensitive topics

This is also true if you post the wrong things to social media in Canada (https://northernontario.ctvnews.ca/sudbury-ont-police-say-yo...) and in Australia (https://www.youtube.com/watch?v=vWZ06UThHas) and in the UK if you post something offensive they'll outright arrest you. I'm sure I read an article at some point about someone in the US being questioned by police for posting a movie quote to social media, but I can't seem to find anything about it now, just finding tons of examples of police in the US getting in trouble for posting racist things.


To watch movies that are not licensed in your country, on legal platforms.


The point of a VPN-as-a-service is that many thousands of connections originate from that same IP, making it difficult to correlate individual connections to an identity.


IP != user. You'd only narrow it down to 10k suspects or something.


I've been a Mullvad customer for some time and I'm quite satisfied. But the main issue I have is that many of its servers are blacklisted by Cloudflare and other services. Because Mullvad provides the strongest anonymity a VPN can provide, it attracts not only normal users, but also malicious users (scammers, hackers, or less malicious but more numerous scrapers).


I've run into this as well, but for what it's worth, this is a problem every VPN provider struggles with. The most colorful example I have is receiving an email from my bank telling me they've blocked access to online banking because someone tried to log into my account from a suspicious IP — yes, it was me. Luckily I use a fairly small local bank who cuts through issues like this swiftly with a short phone call.


> many of its servers are blacklisted by Cloudflare

Can't relate, haven't had this happen when using Mullvad


Maybe it’s not entirely obvious, but you should be seeing captchas more frequently while using Mullvad.

Whenever I disable it, I don’t run into captchas as often.


Full title: Mullvad VPN was subject to a search warrant. Customer data not compromised

As a customer, I have no doubt about the "customer data not compromised". I'm a paying customer, yet I have never given them any PII. Great service.


Technically they could have been logging your traffic, which is “customer data” even if it doesn’t identify you by name


Does anyone here know how to corroborate Mullvad's account of this event? Perhaps we can find the Swedish entity that wrote the warrant and any public information reported by the officers executing said warrant?

If such information is publicly accessible, and it corroborates Mullvad's story here, I'd feel like that's pretty compelling evidence that we can trust that Mullvad isn't simply committing fraud by promising not to log customer data while actually logging it.


When the prosecutor brings forth the charges to a court, this information will be public. Until then it is probably covered by “förundersökningssekretess”, which just means that ongoing investigations are not public.[0]

You can contact the “Åklagarmyndigheten” (the Swedish prosecutor authority) and ask them and they’ll help you out. Generally speaking it is pretty easy to get information from government agencies in Sweden due to our constitution. Everything is public by default, with some exceptions like military secrets. I think it shouldn’t be a problem for the prosecutor to confirm they had a warrant at Mullvad's office, and maybe even to confirm they didn’t seize anything, unless they think it could harm the ongoing investigation somehow.

[0] https://www.aklagare.se/om_rattsprocessen/fran-brott-till-at...


> Technically they could have been logging your traffic

Of course they “could have” but their entire business depends on them not doing it.


That's a specious argument, because the choice could be between logging your traffic and being forced to shut down under some kind of Swedish NSL, or forced to keep operating and logging even if they want to shut down. Not saying this is what happened, just that your reasoning doesn't really hold. Hell it's entirely possible Mullvad is a honeypot operated by some foreign intelligence service.


> being forced to shut down under some kind of Swedish NSL

Given Mullvad I think they'd rather shut down.


It's possible you're in a coma and everything you're experiencing is a terribly detailed dream.

It's not very likely though.


That one's pretty easy to disprove though. Just have a computer solve a random NP-complete problem and then verify it by hand.


Read a page of text, then read it again to see if it changed. This test never seems to fail, at least in the sort of dreams I can remember having after waking up. Usually I can't read at all in dreams, and when I can, the text is different every time I read it.


> Usually I can't read at all in dreams

I thought this was just me! There have been times when I've "read" in dreams (signs, usually), but I don't actually visualize the words. I just "know" what they say.


Can you, please, explain?


We're assuming in this scenario that your memory is still basically functional, so the math on a sheet of paper won't be replaced suddenly without you noticing.

If you can't even remember things in the medium term that's a level beyond "trapped in a dream" that's much more hopeless.

So, with that assumption, you make a computer solve a problem that's impossible for a human to work through in a practical amount of time. And then you verify it got the right answer. This proves the math wasn't done by your dreaming brain. (At least it proves it to a pretty good certainty, and you can repeat the test.)

Many NP-complete problems are good candidates here for slow solutions and fast verifications.


At least in my dreams, nonsensical things happen all the time, but within the dream seem completely reasonable.


It's not so bad to miss a hundred signs if you have a reliable test to try.


This assumes the dreamer is a human brain.


Yeah I kept thinking about simulation stuff too but GP's method is a good one for being trapped in one's own mind situation.

Also for situations that have the standard dream level of fidelity, you can try basic reality checks like putting your finger through your hand or more conspicuously spinning along your own axis.


Thanks, I will try to understand it, but I need to read some stuff beforehand, I guess.


How would this work?


> not very likely

I would even say "highly unlikely". I revisited how I understand "unlikely" after reading this:

> Radioactive capsule that fell off truck found in Australia... Radiation Services WA general manager Lauren Steen describing it as a "highly unlikely" scenario.


Law enforcement could force Mullvad to start logging some specific account if they manage to identify the account.

Service might not collect data but they could be forced with warrant to start doing so for specific entities.

This has happened in Finland, for example.


There are no such laws in Sweden.



What do you mean? Lag 2008:717 does not contain any provisions about forcing companies to log or store data.

Rättegångsbalken does have a provision that a prosecutor can order you to preserve information you already have saved for a maximum of 180 days (https://lagen.nu/1942:740#K27P16S1). I can't find anything about what the punishment for ignoring such an order would be, but to say a company could be forced to keep operating seems extraordinarily unfounded.


Try this one [1] which contains an obligation for operators to comply and maintain secrecy. I'm not a lawyer, and definitely not a Swedish lawyer, but my point is, despite baked in protections, like most countries, Sweden seems to have a robust set of overlapping national security and surveillance laws.

[1] https://lagen.nu/prop/2006/07:63


Mullvad is not an operator, and you’re moving the goal posts.


When you try to argue something is law, please have the decency to link to the actual law, you have linked a proposal and not the law as accepted by parliament.


> it's entirely possible Mullvad is a honeypot operated by some foreign intelligence service.

“Entirely” possible? Sure, I guess it’s “entirely” possible that the NSA is actually controlled by a reptilian, illuminati cabal of extraterrestrials, while we’re just making stuff up without any factual basis whatsoever.


Bad faith responses like this lashing out at people like bragr make me even more suspicious. You know damn well, or should know, that companies secretly being owned by intelligence agencies is something that has happened before and could happen again. Meanwhile there is no evidence at all for reptilian ETs ever existing.

And furthermore, I am sure you know that when dealing with matters of security, it pays to exercise precaution and be wary of scenarios you cannot prove to be happening at the moment. E.g., you don't know your new friend you met at the bus stop is secret police, an informant for the Vichy government, but until you're damn sure he isn't then you don't let him know the location of your resistance safehouse. You don't need to have proof that your new friend has done anything wrong to be cautious of that possibility.

https://en.wikipedia.org/wiki/Crypto_AG


See Crypto AG (https://en.wikipedia.org/wiki/Crypto_AG) for a company in the cryptography / privacy industry that was owned by intelligence services.


mullvad has time and again shown itself to be one of if not the best actors in the entire vpn space, but you still have no real way of knowing if they are being honest.

also their business definitely doesn't depend on being honest or standing for their values. there are plenty of vpn's who run on fake marketing that give the impression that they have certain values and do certain things while actually not doing it and they are way more successful than mullvad.


> there are plenty of vpn's who run on fake marketing that give the impression that they have certain values and do certain things while actually not doing it and they are way more successful than mullvad.

Yes, but Mullvad also doesn’t whore themselves out to any YouTuber that will accept a sponsorship agreement. I’ve never seen an ad for them. I’ve only heard of them from people who tell me they’re the best.

Of course we shouldn’t trust them 100%. Trust isn’t required when competent OpSec is implemented within a workflow. Trust is a vulnerability.


pretending you don't need trust when you actually do is a vulnerability. of course you need to trust that mullvad is doing what they actually say they are doing. there is literally no way for you to verify everything they claim.


And yet you trust WhatsApp and Facebook and Signal with their claims of end-to-end encryption. Why?


I don't myself. If it isn't on my own infra, I won't trust it.

The idea that folk are keeping passwords in some cloud management portal owned by some company boggles my mind. But this is a very controversial opinion and offends many.


Alright, I'll bite. Not all password managers are the same. In particular, the good ones have no direct access to your data. It's encrypted before reaching them, so even if they get hacked, the attacker can't access your passwords without your master password as well, which hopefully you're not giving out.

You don't have to trust password managers if you don't want to, but if you want others to accept your reasoning as to why, you'll have to convince them using an argument that actually applies.


While GP didn't spell this out, they have, in my opinion, a point. If you use a cloud portal, usually web based (be it browser, electron or similar), that asks for your master password, you need to trust the provider that the master password is not sent to their servers. Even if you trust the provider to adhere to this principle, if their infrastructure is compromised an attacker can serve you a different webapp that sends your master password to the server. Same goes for auto-updating native apps.

This does not render the model of keeping the master password client side only moot, it is more secure no matter what. You successfully mitigate the read-only attack of dumping the storage of the cloud provider. However, if you assume a full, on-going compromise of the infrastructure, your password is not secure anymore.

I get that this is moving the goal posts a bit but I wanted to post this anyway. I think if you have highly valuable credentials and want the maximum security for them, you should play out as many possible attack vectors as possible.


i never said you shouldn't ever trust anything. I personally do trust mullvad. I've been using it for over a decade. I'm just not in denial over the fact that there is trust required. Second of all, aside from signal which I have superficially played around with, I don't and have never used any of those services you mentioned and they have absolutely nothing to do with the topic at hand so maybe you can tell me why you brought them into this conversation?


Because I don’t think it’s wise to trust ANY company with major secrets, just because they claim to not view them. Thus I agree with your sentiment and recommend it be applied far more widely


> mullvad has time and again shown itself to be one of if not the best actors in the entire vpn space, but you still have no real way of knowing if they are being honest.

There are parallels to the now-defunct Crypto AG. Impeccable reputation, but no way of independently verifying if it did what it said on the can. It took decades for the truth about its links to the CIA to come out.


mullvad is working on a firmware attestation system that can allow clients to verify the exact version of the software running on the server.

But I think this is not fully deployed.

https://mullvad.net/en/blog/2022/1/12/diskless-infrastructur...


This is also one of the very few uses of remote attestation that I support as a consumer.


Some places passed laws during the pandemic allowing for the execution of a will using witnesses connected via video link. How does that sit with you?


> their entire business depends on them not doing it...

... in a way that you, as a customer, can detect.

1. You can't have any hard guarantees about what information is retained by third parties about you.

2. As other comments here have pointed out, something smells a bit weird with this.


How profound. So what is your alternate theory of what is happening here?


My theory is that if you need an iron-clad guarantee of privacy, you're not going to get it from a VPN.

If you're interested in hiding from civil snoops (RIAA, MPAA), by all means, use one. If you're interested in hiding from a government, then by all means, keep rolling the honeypot dice.


Their entire business depends on them not telling you they are doing it.


Also, just because a company doesn't get your name, doesn't mean they don't know every little thing about you. PII doesn't include my fingerprint, but Google 100% has my online fingerprint.


True, and it's a good reminder that VPN does not mean "more privacy". It means more privacy in relation to specific parts and less to others.

You can get a lot of info through DNS queries for example.



I know, I'm glad Mullvad is offering this service and I think the benefits outweigh the worries some had

(of course, it all depends on the DNS provider you choose)


> I'm a paying customer, yet I have never given them any PII.

By nature, every VPN gets at least the IP you are connecting from and the IPs (and almost always also hostnames) you are connecting to. I'd consider that PII.


No, most VPNs would ask for address, email, full name, and so on - that's PII that not everyone gets who I visit on the internet.


If you pay cash, and use the service the pii is 2 IP numbers?


As long as you only connect from one IP and only ever access one host, sure! That's not trivial to achieve with most VPN clients and devices/operating systems, though.


How would you pay cash for an online service?


One quick google away:

> Can I really pay with cash?

> You bet, and please! Stay anonymous all the way. Just put your cash and payment token (randomly generated on our website) in an envelope and send it to us. We accept the following currencies: EUR, USD, GBP, SEK, DKK, NOK, CHF, CAD, AUD, NZD.

https://mullvad.net/en/pricing/


you can mail them cash with your account number.


They accept Cash and also Crypto.


Mullvad accepts mail-in cash.


How did you pay?


> Which payment methods do you accept?

> We accept cash, Bitcoin, Bitcoin Cash, Monero, bank wire, credit card, PayPal, Swish, Giropay, Eps transfer, Bancontact, iDEAL, and Przelewy24.

> Can I really pay with cash?

> You bet, and please! Stay anonymous all the way. Just put your cash and payment token (randomly generated on our website) in an envelope and send it to us. We accept the following currencies: EUR, USD, GBP, SEK, DKK, NOK, CHF, CAD, AUD, NZD.

https://mullvad.net/en/pricing/


ah yes, notoriously-anonymous physical mail


I'm confused by your sarcasm. A one-time physical mailing can be incredibly anonymous.


It's also incredibly easy to fuck up and accidentally hand them a DNA sample, fingerprints, handwriting sample, etc.


Anonymity is not binary. It's a spectrum. Physical cash mailed to a company with only an account number is significantly more anonymous than a check or credit card they bill.

Perfect anonymity is probably impossible because information theory is impossible to escape. Which means you are trying to determine how far along the spectrum you can reasonably get for your particular risk profile.

Comments that pretend like perfect anonymity is the goal or act like it's binary are singularly unhelpful.


I mean, just don't put a return address on it, and drop it off in a random post office box.


All standard British stamps now have unique Data Matrix codes on them, which means you also have to source your stamps anonymously.


Can bet 99.99% that Mullvad throws the envelope in the trash and just forgets about it.

So, yes, there is a theory that someone may go in the trash in Sweden, find the envelope, the stamp (and it has to be a British one), investigate who bought the stamp, get the assistance of the shopkeeper in UK (without raising suspicions), successfully review tons of security camera footage to find who bought, etc.

And still don't know which activity to link it to.

A perfect waste of public resources if the NSA really does that, when all they needed to do is to purchase a VPN provider or fund Tor and claim to be no-logs VPN ;)


> Can bet 99.99% that Mullvad throws the envelope in the trash and just forgets about it.

Better yet, they shred it: https://mullvad.net/en/help/no-logging-data-policy/#payments.


It would be better to burn those envelopes than shred them, IMO.


Remember, the PC way to burn trash is to call it a “micro biomass power plant”.


> So, yes, there is a theory that someone may go in the trash in Sweden, finds the envelope[...]

Presumably the theory is more like [1] - that the postal service, when they scan the envelope to read the address, save the scanned image and give it to the cops.

I agree that the NSA would be better off just running their own VPN services - or indeed intercepting everything on major backbones and just seeing what source IPs connect to Mullvad's servers.

[1] https://arstechnica.com/tech-policy/2013/07/us-postal-servic...


> Can bet 99.99% that Mullvad throws the envelope in the trash and just forgets about it.

Storage is cheap - really cheap. I bet automatically capturing images of all mail during sorting and archiving that for years is not only viable, but a vital investigation/intelligence tool. One would ask Mullvad for the cash payment dates[1], and cross-reference with all mail sent to a Mullvad postal address. One city-level datapoint on where the user was, cross-checked with the latest IP address, where stamps were bought[2], and you've massively trimmed the list of suspects, especially if they are behind a NAT and sharing the IP.

1. They have to keep track of payment dates, which is a side channel.

2. Where and when stamps were bought. I'm certain GCHQ can keep track of individual stamp IDs, the batches they belonged to, when they were procured by the retailer and have a reasonable guess when that specific stamp was bought by mail-sender.


USPS scans all envelopes.

You can get scans of all your mail through the informed delivery program.


Their official policy is to iirc put the envelope and the letter into a paper shredder after it's been processed fwiw.


Wow, looks like you lost that bet! They indeed shred that envelope.

"Put the money in an envelope together with the payment token and send it to us. We will open the envelope, add time to the account (corresponding to the amount of cash sent), and then use a shredder to destroy the envelope and its non-money contents."

Source: https://mullvad.net/en/help/no-logging-data-policy/#payments


Wait what? If you go to the post office and pay with your debit card, how exactly do they figure out who you are based on the stamp?


It's all metadata correlation.

The UK will know with certainty that a specific stamp was used to send a specific envelope to Mullvad. (e.g., America has been logging images of every envelope that passes through its postal service for over two decades).

It would also be trivial for the UK to know:

- When and where that stamp was initially sold (and to whom, if buying online!)

- When and where an envelope bearing that stamp entered the postal system

- When and where envelopes with other stamps from the same booklet entered the postal system

Add up enough bits and you can pierce anonymity.


> Not really very realistic is it though? I can only imagine this sort of thing is only done if the suspect is someone like Bin Laden, not the average Joe using a VPN for pirating Photoshop.

This is a misconception caused by the scale of surveillance today. In the old days you were right. To do this kind of tracing they'd have to assign someone to do it which takes human resources and is not infinitely scalable. So they'd only do it to people deemed interesting enough, so average Joe was safe.

Today the scope has changed completely. Everything can be correlated all the time, so it is. No suspicion or probable cause needed.


And all of this is null and void if you buy your stamps from AliExpress and for the low low effort of simply driving to a different city to throw the envelope into the postbox.


Not really very realistic is it though? I can only imagine this sort of thing is only done if the suspect is someone like Bin Laden, not the average Joe using a VPN for pirating Photoshop.


To make this happen, each stamp would, during production, have to know where it will be sold. Is that actually how it works? Can you show me the evidence for that?


If they scan the stamp's code at time of purchase, and associate it with your debit card, that'd be an obvious way of tracking you.

If they don't do that, if they meet the stamp along the letter's journey, they can scan the code and check which batch it's from, and there could be a database of which post office got which batch, and then it's a matter of checking that post office's purchases/security cameras.

If all stamps are indistinguishable from each other, then you could've bought the stamp months ago on the Isle of Skye and used it in London, they wouldn't be able to tell the difference.


There's no evidence they're actually doing that, it's just possible that they could.


Possible, quite easy, and certainly of political value. But, you know, maybe they're not.


They never caught Zodiac


How is it not?


I use https://vpn.sovereign.engineering to pay with Bitcoin.

You can pay a Lightning invoice to get a voucher which is redeemable on the website. You get an extra layer of privacy, and also don't need to wait for an on chain transaction.


Mullvad lets you pay with just an envelope of cash via the mail if you want.


They also have vouchers you can buy from Amazon, which I find a nice alternative to sending cash in an envelope.


At that point, you can probably just pay by credit card: If your aim is to frustrate invasive ad trackers and profilers on the web (and you assume that Mullvad isn't outright colluding with these), that should be good enough to break any links.

On the other hand, if you don't trust Mullvad's assertion that they delete the link between accounts and credit card payment records after 40 days [1], what makes you think you can trust them to not keep a record of individual scratch cards sold on Amazon, which Amazon can then correlate to an order ID and by extension account and shipping address?

At a higher level, if somebody can convince Mullvad to collude in that manner, they can likely also just ask them to outright hand over your traffic flows and connection data.


How would they do that? Those are shipped directly from Amazon, and don't have any external markings that could be used to link specific card to amazon account. Unless the idea is that vouchers arrive at amazon in some additional packaging and then are repackaged after linking voucher to the account.

By the end of the day I agree, if you have any "real" reason for using VPN you pretty much have to implicitly trust your provider to not keep any traffic flows and connections that could correlate traffic to your IP, but not even sending money in envelope saves you from that.


I think it goes something like this:

If you're worried about anything in a 40 day window the credit card <-> account_id is a liability.

Amazon doesn’t know the redemption code on the gift card. So Amazon knows that you purchased a Mullvad gift card, but can’t associate the transaction with a Mullvad account. Likewise Mullvad knows service was paid for with a gift card (possibly that the gift card is from a lot sold on Amazon). But they do not know which Amazon transaction the card is associated with.

Unless your behavior and the behavior of others deanonymizes the Amazon purchase <-> redemption your account should be indistinguishable from any other that purchased a Mullvad gift card from Amazon in that window of time.


If you care about privacy, then Amazon is the last company I would buy from. From personal experience, I would be far more concerned about what Amazon does with your data than Mullvad.


Apparently you can literally mail them cash with your randomly generated user id on a card and they'll top up credit for you.


At least before, one could pay in cash in envelope.


Cash in envelope is still welcome.


Once again this shows the huge disconnect between the government authorities and the tech industry. Basic knowledge and a quick investigation would make clear that Mullvad is not storing any customer data.


I might be uninformed here, but on the surface Mullvad says they don't record customer data but there's always a chance they might be recording some data or lying.

So I figure that authorities still obtained a search warrant to at least see what data they can get their hands on and to verify that this is true. In that case, it doesn't really illustrate any disconnect.

> Basic knowledge and a quick investigation would make clear that Mullvad is not storing any customer data.

This is something more along the lines of trust. Sure you don't have to provide PII but Mullvad could supposedly still be recording other data which would count as customer data.


> So I figure that authorities still obtained a search warrant to at least see what data they can get their hands on and to verify that this is true. In that case, it doesn't really illustrate any disconnect.

They also need to follow process and make a reasonable attempt to follow a lead.

They can’t just read a company’s website, assume that no evidence exists, and then give up on that line of exploration. Note that in several high profile cases, companies have publicly claimed to not be storing data but later been found to have incriminating logs.

It would be irresponsible for them to not follow up with Mullvad, despite what they advertise.

It doesn’t make sense to suggest that this is a disconnect with law enforcement.


> but there's always a chance they might be recording some data or lying.

As mentioned in another comment, at least they would have to be lying + the external companies who've done the third-party audits would have to be lying too (including companies like Cure53).


An audit is always just a point-in-time (or possibly periodic) snapshot.

A VPN company is also not a monolith: They have servers literally distributed around the globe. Ensuring physical security for all of them is not trivial, and I doubt that their auditors have visited every single data center. This is to say nothing of global traffic correlation capabilities of state-level actors; access to their servers' network uplink is all that's needed to deanonymize many connections.

Besides that, they have human staff as well, and while it's possible to distribute permissions and require four eyes for all important changes, there's always loopholes in a complex system.

I have no reason to doubt that Mullvad is being truthful about any of their efforts or aspects of their service, but even if they're not, this is by no means equivalent to absolute security.


There's also usually another disconnect: between tech industry publicity and tech industry reality. Mullvad could have been, and maybe even still is, lying about how they operate, because it's good for business.


At least there have been some public and external audits that bring up the trust a bit, if you trust that those external companies are honest and putting their reputation on the line.

List of the audits can be found here: https://mullvad.net/en/blog/tag/audits/


Government investigations pursue lots of avenues unlikely to be fruitful. It's basic due diligence to check all the boxes; you don't say "standard procedure is to issue a warrant, but we'll make an exception to our process in this case because their website suggests it won't get any data, plus they hired an auditor."


> Mullvad could have been, and maybe even still is, lying about how they operate

Could they? Sure.

Do they have anything on me?

    * One BTC transfer
    * IPs where I'm connecting from (if they are lying and storing them)
    * My traffic (if they are lying and storing it)
    * My unencrypted traffic (if they are lying and storing it)

Do they have ... on me?

    * Email? - nope
    * Phone number? - nope
    * Credit card? - nope
    * My first name, family name? - nope
    * My address? - nope
    * My mother's maiden name? - nope

Because I never provided it to them because they never asked for them.


Unless you're using another VPN/proxy/Tor/... to connect to the VPN, the IP where you're connecting from (respectively the full 4-tuple including source/destination port) likely does identify your address.


Of course. It doesn't help that I'm getting pretty much the same IPs from my provider.

Double (triple|quad) hop, tied to different entities is necessary if you want at least plausible deniability. Thankfully I don't do things that may be of interest to someone who can raid Mullvad offices.

But I recently discovered a VPS provider who only needs an email address to confirm an order, so it can be used as a bootstrap for something pretty anonymous. Still needs an email, but as I said in some other comment recently, you can do that (if you are okay with leaving some traces) with a Google device with WiFi only capability.


Might I suggest for the future: https://vpn.sovereign.engineering

You can pay a Bitcoin lightning invoice on this site and get a redeemable Mullvad voucher instantly. Extremely convenient. Since you've only done 1 BTC transaction, I assume it was a large one for lots of time. However, when your time runs out, this option is great. It's an extra layer of privacy and you don't have to wait for the transaction to settle on chain.


Monero is even better


Did you obtain the BTC that you used for the purchase from an exchange that requires PII?


Exchange has my CC number and the 'card holder' (though I never put my name there, lol). A non-business card is probably the easiest way to identify someone globally.

If someone comes to the exchange - they could identify me (and they can just tap their server to listen to emails, which do have all the transaction info, including CC# in the plaintext, lol).

To establish a correlation between my wallet and Mullvad account someone needs to find that transaction in Mullvad customer data. Which - they claim they don't have.

So yes, someone can identify that I bought services from Mullvad and... nothing more?


You never know until you check. There are a lot of things to understand by viewing the metadata. Also don't underestimate incompetence with many of the self-proclaimed pro-privacy companies. They might be experts in the VPN software but not in all aspects of system and network administration.


> Once again this shows the huge disconnect between the government authorities and the tech industry.

Authorities have to follow their process and collect evidence, or document the absence of discovered evidence. They can’t simply read the website, shrug their shoulders, and decide not to investigate a key part of a criminal case because the website says the company won’t have the data.

They are obligated to explore the possibility of data existing and to document the fact that it could not be found. Assuming the evidence doesn’t exist isn’t an option. They have to document it.

I know Mullvad is generally trusted by the community, but you also have to remember that several VPN companies have claimed to not keep logs but were later found to have data useful to criminal cases.

I think the real disconnect is in the comments from people who think this is the government being dumb. They’re not, they’re just doing their job correctly.


A service provider may claim to not store any user data, but they could be lying.

From the article: "After demonstrating that this is indeed how our service works"

Presumably, Mullvad employees showed this data does not exist live.


> service provider may claim to not store any user data, but they could be lying.

As someone who ran a VPN in the past, this blog post is extremely strange as well as the purported described sequence of events.

Police in any jurisdiction aren’t jokes - especially not Sweden where they can absolutely walk in and take your stuff according to Mullvad's website [1].

It’s 2023 - if a VPN is how you’re doing your privacy you’re probably doing it wrong.

Don’t trust. Verify.

[1] https://mullvad.net/en/help/swedish-legislation/


> It’s 2023 - if a VPN is how you’re doing your privacy you’re probably doing it wrong.

I'm honestly interested, how could one 'do privacy' the right way then?


I'm guessing they're thinking of VPN as OpenVPN, and are referring to WireGuard...? Mullvad also provides configurations for that.


Haha yeah.

Don't trust Andrew Lee aka rasengan, a cartel operator and a lying sack of shit.

Verify https://twitter.com/grvgr

[bull] https://www.privateinternetaccess.com/blog/dont-trust-verify...


Have further information on potential malice by Private Internet Access or employees?


There are some links on my profile if you're curious.

Bonus:

1. Mark Karpeles has nothing to do with PIA:

https://news.ycombinator.com/item?id=21821832

2. Kape is a shit show:

https://old.reddit.com/r/PrivateInternetAccess/comments/11ej...

3. Jonathan Roudier has nothing to do with WeVPN:

https://news.ycombinator.com/item?id=35561337

much more to come...


These are pretty serious allegations, and as the ex-CIO of PIA, you certainly have the credibility to make them. However, drip-feeding various circumstantial links does not really help your case, and HN comments are not the best medium to make them.

I'd suggest creating a website or page, and writing out your allegations in detail and instead linking that here.


I'm satisfied with the transparency Mullvad has shown by publishing its 9 audits[1] and with their efforts to ask for as little information from users as possible. I also appreciate how Mullvad releases up-to-date source code for all of its software clients, which I consider a bare minimum for any VPN to even be considered.[2]

Private Internet Access, on the other hand, does not release up-to-date source code for its software clients:

- PIA Android client: latest source release v3.14.0 (Mar 18, 2022) vs. latest Google Play release v3.18.0 (Feb 22, 2023)[3]

- PIA iOS client: latest source release v3.14.0 (Mar 18, 2022) vs. latest App Store release v3.20.0 (Mar 1, 2023)[4]

- PIA desktop client: latest source release v3.3.0 (Feb 23, 2022) / v3.4.1-beta1 (Aug 18, 2022) vs. latest downloadable release v3.3.1 (unknown)[5]

- PIA browser extension: latest source release v3.1.0 (May 31, 2021) vs. latest Chrome Web Store release v3.2.0 (March 8, 2022)[6]

It's not clear to me how much of a say you still have in PIA's operations, but if you have any influence, I kindly ask you to direct them to release the source code of PIA's clients on time, every time a new client version is released. Open sourcing PIA's clients was something you promised PIA would do to reassure customers after PIA was acquired by the former adware/malware distributor Kape Technologies.[7]

---

[1] Mullvad's audits: https://mullvad.net/en/blog/tag/audits/

[2] Mullvad's GitHub repos: https://github.com/mullvad

[3] PIA Android client - GitHub: https://github.com/pia-foss/android/tags / Google Play: https://play.google.com/store/apps/details?id=com.privateint...

[4] PIA iOS client - GitHub: https://github.com/pia-foss/vpn-ios/tags / App Store: https://apps.apple.com/us/app/vpn-by-private-internet-access...

[5] PIA desktop client - GitHub: https://github.com/pia-foss/desktop/releases / PIA website: https://www.privateinternetaccess.com/download/linux-vpn

[6] PIA Chrome extension - GitHub: https://github.com/pia-foss/extension-chrome/releases / Chrome Web Store: https://chrome.google.com/webstore/detail/private-internet-a...

[7] Our conversation in 2019: https://news.ycombinator.com/item?id=21613267 (I appreciated your response at the time)


commoner - Thank you for this comment, and I think it's definitely fair to trust in Mullvad given these transparencies. The sequence of events is simply peculiar to me, and doesn't seem like a professional police operation. That said, I've been keenly watching Mullvad and agree with you that it's rock-solid in transparency which is the number one reason to use/not use a VPN service, if for privacy.

I salute Mullvad and consider it to be the top VPN in the world today, and specifically, the only one I would recommend to anyone looking for a VPN.

In terms of PIA, I am no longer affiliated with the company, but I agree that getting the source for the clients out on time is something they should try to address quickly.

gerbilly (another poster in parallel) - In 2023, I don't think a VPN is not private, but, for sure this cannot be the only tool in one's arsenal to secure their privacy. Depending on your threat-levels, there are different things you may want to do. To be clear, if you're being targeted, you cannot maintain privacy.

For the absolutist:

1. Get cash but not from an ATM (traceable)

2. Go buy a computer (must be Purism or something with trustworthy hardware) with said cash but wear a disguise when buying it. Disable all the location/etc. stuff at store parking lot.

3. Purchase a T-Mobile Prepaid Hotspot with cash.

4. Purchase mullvad, but wear gloves, mask and a hairnet when working with the envelope to send cash.

5. Never login to any service of any kind that would leak your identity.

For everyone else:

1. Assume you're not private.


Or, you could just buy Monero with a giftcard.


Just trusting public claims would be pretty bad investigation. There are so many companies claiming not saving any logs and data, yet occasionally it's revealed that they lied and still stored something significant for the police to fetch. Looking deeper at reality is a relevant part of a good investigation. And in the first place, we don't even know whether the story is true or just marketing, until someone can back it with an official police-report.


> a quick investigation

So for example, going to their office and asking them?


Police got a warrant and went to service it, Mullvad explained why it was pointless, police agreed and left without further incident. It's not "a huge disconnect", it's the system working exactly as I'd hope for.


Police don't (can't) make these kinds of decisions, they communicated with the prosecutor and the prosecutor withdrew his warrant. Which actually does seem very out of the ordinary to me. Might've been the warrant was acquired on autopilot with no one actually checking the targeted entity (e.g. crime committed, IP traced, get warrant for IP "end-user", police show up, "oh we've gotten a warrant for an ISP oops").


Of course a for-profit entity wouldn't lie or fail to adhere to their own standards.


They can still try to seize equipment as an intimidation tactic though.


Mullvad has also been an outspoken critic of the chat control proposal. There may have been different motives at work here.


So you’re suggesting that law enforcement take someone at their word?

I understand that some people are more or less clued in than others, but your snarkiness is really misplaced.

The VPN industry is notoriously shady, and that’s not just code for “fights for users’ rights against law enforcement”.


It's funny how the VPN providers basically become the avatars of the old anarchic web and the constant business and government overreach makes them ever stronger. It's basically an old "freedom" tax.


Tor exists though fwiw


Tor exists, but realistically the overhead of using Tor is not acceptable to the general public. As long as Tor is sufficiently slow compared to everyday traffic it will remain a niche use case. A good VPN on the other hand gives you at least a little bit of privacy without much of a cost.


I've looked at Tor recently just out of curiosity for the tech and I found browsing to be plenty fast. Admittedly it was plain text sites with no images or whatever. And the installation/use of the Tor browser was easy.


One does not need to justify Tor usage :-)


That’s incredibly generous.

The VPN industry is deserving of its bad reputation. Collecting user data in clear contravention of their TOS. Using hacked boxes as VPN endpoints to get people onto residential IP ranges. And whatever else.

I’m very confident in my completely baseless assertion that most people that use a “public” VPN are either bypassing geographical restrictions on a streaming service, or doing something outright shady.

There’s a reason that it’s common for VPN providers to take cash and cryptocurrency, as this one does. It does precisely zilch to thwart the sort of tracking that affects the vast vast vast majority of Internet users.

The VPN industry isn’t being propped up by nerds indulging their crypto libertarian / anarchism fetish but are just spending their time reading Hacker News (with JS off, obviously). There just aren’t enough of them.


Don't forget the VPN providers who turn their customers' machines into egress nodes without making it obvious they're doing so.


This makes me highly suspicious that they’re setting up a sting on Mullvad. There don’t seem to be many other reasons to serve a physical warrant other than to establish non-compliance with some law they may interpret differently.


You don’t have a very rich imagination. It’s entirely possible this warrant was executed for no other reason than compliance, if requests come from foreign agencies for example obviously they have to be acted upon even if you are almost certain you will find nothing.


Mullvad has been very outspoken against the proposed "Chatcontrol" law. I suspect retaliation. Just my 2 cents.

https://mullvad.net/en/chatcontrol


If it had actually been in retaliation they'd have left with the servers no matter if they contained anything of value, as with Pirate Bay


"After demonstrating that this is indeed how our service works..."

I'm curious how they demonstrated that. Did they just review their policies with them or did they somehow technically demonstrate this? Latter seems not really possible to do, even if you had a technically-savvy member of the department there.


I predict a bold new operational exercise/publicity stunt for Mullvad or some other provider: every week they randomly pick a server/storage pod and send it to law enforcement.


That's how you get illegally compromised hardware. Better send the bootdisk image (which should be small given that their servers are diskless (Netboot?))


That was my bad, y'all. Needed that full season of Milf Manor.


I'm glad they are so transparent about it.


I also appreciate the lack of US-style warrant canary that might be necessary here, where depending on who comes asking, you're not allowed to post about it.


I was just thinking that if this was in the US then the law enforcement officers would have gone "smash and grab" on the company property anyways.


Why wouldn't they? It's free marketing material.


> Mullvad has been operating our VPN service for over 14 years. This is the first time our offices have been visited with a search warrant.

Does a search warrant detail the reason and justification for the warrant, or are you left in the dark about what all the hassle and disruption was even about?


Yes it does, but Mullvad may have good reasons for not sharing it. For example that it does nothing to improve their information to their customers (ie what exactly is being investigated is irrelevant for the public), while simultaneously damaging the investigation and therefore their relationship with the government.


I’m confused. You’re saying cops came to your office 6 deep and just left with nothing even though your privacy policy says you have data [1]? There was no court case or investigation of any kind?

This blog post concerns me deeply for a number of reasons especially given a VPN's only actual differentiating value/proposition is trust.

[1] https://mullvad.net/en/help/privacy-policy


I don't have a dog in this matter, but I read through their privacy policy. The data they might have or have access to is if you pay with anything other than cash. That data they are saying lies with the payment processor. They link their no logging user activity policy which covers that further. But, at the end of the day it's like you said, it comes down to trust if we are not able to / not going to verify.


It's likely not the kind of data they were after so there was no point in seizing equipment.


Police investigations regarding 6+ officers showing up at your office do not end with “oh have a good day.”


Maybe not in the US.

> We argued they had no reason to expect to find what they were looking for and any seizures would therefore be illegal under Swedish law.

If this line is to be believed then the police would have been committing a crime by proceeding.


This is not how police work anywhere. There would be an entire legal process for this.


What legal process? The officers were pursuing some kind of case and got a warrant for a possible lead, the lead turned out to be cold, the officers moved on to other evidence. What's so complicated about that?


I don't see why it's so difficult to believe. As noted on Mullvad's "Swedish legislation" page that you linked to, search of premises in a case like this is only allowed if there is a reasonable expectation of finding items subject to seizure (or other evidence of the offense in question). For what it's worth, the law itself is very readable, if you know Swedish [1].

Given that Mullvad are highly public about what data they store and why, Mullvad would arguably be able to make a strong case that there could be no such reasonable expectation. So the police had to weigh the potential gain of doing the search anyway against the risk of opening themselves up to lawsuits by doing so.

I would not have been surprised if they had decided to do it anyway, but I'm not really surprised at this outcome either.

1: https://lagen.nu/1942:740#K28P1S2


Police investigations regarding 6+ officers showing up at your office do not end with “oh have a good day.”


Just a speculation - if the story was true then the search warrant was just an excuse to seize remote admin access control key to some other server (likely RAM server). Also anyone else noticed Mullvad has a SOCKS relay in Russia (check the browser addon for Firefox or Mullvad Browser > Switch location) .... well that might explain why /b

OR ... something more fishy is going on behind the scene.


With past experience with law enforcement, if they don't get what they want, they will continue to harass and needle and try to chip away at what they can until they get some semblance of what they wanted.


Does anyone have a Nord vs Mullvad on speed of servers in the USA?

I’m ending out my Nord and want to switch, but man, I’m actually surprised at how fast Nord’s servers are, I can get 500mbps on non-peak times.


The main difference is that Mullvad cares about privacy while Nord is a cash-grab operation that sponsors youtubers.


Just pay the €5 for a month and try?


Is this a warrant canary? Maybe the police seized machines but they were blocked from commenting so they published this implausible claim the police went away empty handed.


I'm an American (keep that in mind) but I have been to Sweden many many times throughout my entire life (my dad worked there). It's a great place and somewhat famously the "Swedish Subway Cops"[0] highlighted the difference between US and Swedish policing seven years ago.

All of that said I find it highly, highly implausible that law enforcement anywhere in the world would show up with a warrant and just walk out with nothing saying "Oh ok, sorry for the confusion!" because a subject of the warrant told them "Oh we don't have that. Here's my logging configuration file - see line 45 where logs go /dev/null?" (or whatever).

Sweden is not the US and maybe I can't picture this because of our issues here but still - this narrative and explanation really strains credibility to me.

[0] - https://www.youtube.com/watch?v=izdfnHBMwSs


The people that attend when these warrants are executed are highly technically skilled, and obviously Swedish surveillance agencies know Mullvad very well, probably intimately (i.e. it wouldn’t surprise me if they even have an understanding of their infrastructure).

It’s not at all “highly implausible” that they showed up for a technical discussion to see if the data they wanted but were almost certain did not exist could be retrieved.

If they are confident that this data does not exist, why would they start seizing hardware? As I said: they probably have a basic understanding of how their infrastructure works (especially since Mullvad is fairly open about it), and they likely understand that the second they power off those servers and move them, they are never booting up the same again.

So yeah, what you describe as “look at line 45” is not a silly example, because it’s probably more access than they would ever get if Mullvad met them with hostility.


The first line of the post:

"On April 18 at least six police officers from the National Operations Department (NOA) of the Swedish Police visited the Mullvad VPN office in Gothenburg with a search warrant."

1) The government put together the cause/case for a warrant.

2) They got it issued.

3) They showed up with six cops from the national police.

That doesn't sound like the setting for a "technical discussion" between two old friends to me...

Have you ever seen a search warrant involving anything technical/electronic executed? They're looking for data and there's no way to know for sure where that data is/might be from anywhere from a single cell phone to a server farm. They show up and take anything/everything electronic (usually enumerated in the search warrant like "storage media, computing devices, etc, etc"). They walk out with it, take it back to a certified technician of some sort to clone/image it for evidentiary purposes, and then maybe give it back at some point (depending on the situation).


The fact that you call NOA "the national police" tells me everything I need to know.


Outright dismissal without any substance says a lot too.

"The National Operations Department (Nationella operativa avdelningen) is tasked with assisting the local police regions and is in charge of international police cooperation and all national operations."[0]

So yes, this was above and beyond a few local cops.

Do you have a better way to summarize this other than saying "the national police"?

[0] - https://en.wikipedia.org/wiki/Swedish_Police_Authority#Natio...


> Have you ever seen a search warrant involving anything technical/electronic executed?

What jurisdiction is your experience within?


> If they are confident that this data does not exist, why would they start seizing hardware?

As retaliation or as a punitive measure. Basically, just to spite them.


I understand that. So why would they want to spite them?


ACAB


Warrants generally have to be for something. It’s possible that the police officers showed up with a warrant for user names and addresses, etc, and Mullvad was able to demonstrate that they don’t possess any data responsive to the warrant. At that point there may not have been anything to (lawfully) carry away.

It doesn’t necessarily mean that the cops won’t show up tomorrow with a more generic warrant, and Mullvad may have to hand over whatever information it does possess.


What if the law enforcement, instead of saying give me your logs, rephrases it slightly and says, start logging this IP address and then give me your logs?

They can do whatever they want.


A warrant can compel the seizure of existing evidence, but I don't know if it legally can compel the creation of new evidence by a 3rd party. At least in the US. I'm sure there are exceptions under various anti-terrorism laws, but in general it seems like the government can't compel corporations or individuals to assist in its investigations.



Would it be possible that the warrant issued by Swedish authorities came via a prior request by Interpol?



"They intended to seize computers with customer data.

In line with our policies such customer data did not exist"

But please tell me again how hard it is to comply with the GDPR


Mullvad is obviously running an illegal fly-by-night operation by not plastering their site in dark-pattern overlay banners.

/s


Mullvad is 4 parallel universes ahead of NOA. This is the best kind of advertisement they could've ever gotten.


The problem is, if this starts to become common, countries will move to make it illegal not to store data...


Would be a shame if those hard drives failed accidentally on a regular basis.

In unrelated news, Seagate stock rises to record high...


At least that forces legislators to be overt.


Unfortunately that's useless if you can't do anything about it... just think about the recent unfruitful millions-strong street protests in France, how powerless we are even in self-proclaimed democracies.


Even then, it's better to know you are being short-changed. Alas, France's problem is an old one, the executive has too much power. It was maybe good for people like de Gaulle, but most leaders can't burden the responsibility properly.


Data retention laws have already been proposed, if not even enacted in some EU countries.


> But please tell me again how hard it is to comply with the GDPR

I like Mullvad (and have been a paying customer on-and-off for years), but perhaps it's easier to comply with GDPR when your whole business is essentially not storing data?

Even if you are the most privacy conscious company ever, there is probably a legitimate need for storing more data than Mullvad in almost any other B2C scenario.

(Although it would be exciting buying e.g. a TV online by sending cash in an envelope and writing the shipping address inside, the novelty probably wears off once the postal service loses your package and you can't do anything about it. Or when you lose your paper note with the ASCII-armored PGP proof-of-purchase and you can't do a warranty claim.)


This right here is why I use Mullvad.


[misread the article]


Your comment is very presumptive. How do you know what the warrant was for, and that it wasn’t fulfilled?


That is a shame.

Is there an alternative VPN provider that wouldn't be subject to this?

Huh? Why all the downvotes all of a sudden? This is a genuine question.


A VPN provider who wouldn't be subject to a search warrant? I suppose only one operating from a country where warrants aren't required for a search by police, but that would presumably be much worse.

What's happened here is the best way it could possibly go. A warrant was needed which meant prosecutors / police had to meet a certain bar to conduct a search, and when the search happened the data does not exist anyway. That's exactly what you want from a VPN. This isn't "a shame", it's cause for celebration that the process actually worked and the provider can clearly demonstrate that.

I guess the only alternative would be a country which passes a law saying that VPN data (or something including VPN data) could never be searched, but that's extremely unlikely of any country at the moment.


To a legal inquiry via search warrant? Probably not unless it's operated in a country that doesn't have search warrants, but that sounds more like a lawless wasteland.


Still waiting for someone to convert an international waters oil rig to a lawless data center. Or like that submarine base that Microsoft did.


Governments can and will just criminalize the act of peering with them, so any ISP/transit provider will be liable if they peer. Problem solved.


You'd need every government to agree not to peer with them, otherwise you'd just route to whoever has agreed to peer. You might get shit latency, but it'd still work.

Getting everyone to agree not to peer seems like a rather tall order.


You're a bit more than 20 years late with the oil rig idea: https://en.m.wikipedia.org/wiki/Principality_of_Sealand


In case you hadn’t seen this story, which I believe fits a similar bill, here is the case of the Cyberbunker. This took place in the Netherlands.

Darknet Diaries has an (excellent, as always) episode about it. If it wasn’t that podcast it might have been Malicious Life.

https://www.newyorker.com/magazine/2020/08/03/the-cold-war-b...


You might enjoy the book Cryptonomicon, which is remarkably truthalized.

https://arstechnica.com/tech-policy/2012/03/sealand-and-have...



> Huh? Why all the downvotes all of a sudden?

Because the whole point of the article is that there was no data to be compromised. If anything this should make you more likely to go with Mullvad if you're looking for VPN services.

Reading no more than the title, making up the article content in your mind, and writing a comment based on that made up content is a pretty good recipe for downvotes.


> Because the whole point of the article is that there was no data to be compromised.

AND they were able to convince the police and prosecutor of that!


I have to wonder what would have happened had the same thing occurred in the US. I'm really struggling to think of a scenario where the police have a warrant that says "$THING is on computers at this company, go get them" and you have literally any chance of convincing them that $THING is not anywhere.

I could see them taking all the computers then six months later saying "here you can have them back now, come pick them up at the precinct and here's the storage bill."


I would half expect them to sue the computers for obstruction of justice... and then just keep them.


I think you missed the entire point of the article.


I think one issue is, anyone who maybe could avoid the legal process would be located in the country and/or operate in a way …. where you might not trust the business anyway.

Mullvad and how they operate seem to be the best choice for consumer VPN.


It will either be hosted in a country where they can access the data legally or will access it illegally. Pick your poison.


That's like asking whether someone can run a business without being subject to local laws and regulations.


None? Any VPN provider _will_ be subject to law enforcement in their jurisdiction.


No.



