
Once again this shows the huge disconnect between the government authorities and the tech industry. Basic knowledge and a quick investigation would make clear that Mullvad is not storing any customer data.



I might be uninformed here, but on the surface Mullvad says they don't record customer data but there's always a chance they might be recording some data or lying.

So I figure that authorities still obtained a search warrant to at least see what data they can get their hands on and to verify that this is true. In that case, it doesn't really illustrate any disconnect.

> Basic knowledge and a quick investigation would make clear that Mullvad is not storing any customer data.

This is something more along the lines of trust. Sure you don't have to provide PII but Mullvad could supposedly still be recording other data which would count as customer data.


> So I figure that authorities still obtained a search warrant to at least see what data they can get their hands on and to verify that this is true. In that case, it doesn't really illustrate any disconnect.

They also need to follow process and make a reasonable attempt to follow a lead.

They can’t just read a company’s website, assume that no evidence exists, and then give up on that line of exploration. Note that in several high profile cases, companies have publicly claimed to not be storing data but later been found to have incriminating logs.

It would be irresponsible for them to not follow up with Mullvad, despite what they advertise.

It doesn’t make sense to suggest that this is a disconnect with law enforcement.


> but there's always a chance they might be recording some data or lying.

As mentioned in another comment, at least they would have to be lying + the external companies who've done the third-party audits would have to be lying too (including companies like Cure53).


An audit is always just a point-in-time (or possibly periodic) snapshot.

A VPN company is also not a monolith: They have servers literally distributed around the globe. Ensuring physical security for all of them is not trivial, and I doubt that their auditors have visited every single data center. This is to say nothing of global traffic correlation capabilities of state-level actors; access to their servers' network uplink is all that's needed to deanonymize many connections.

Besides that, they have human staff as well, and while it's possible to distribute permissions and require four eyes for all important changes, there are always loopholes in a complex system.

I have no reason to doubt that Mullvad is being truthful about any of their efforts or aspects of their service, but even if they're not, this is by no means equivalent to absolute security.


There's also usually another disconnect: between tech industry publicity and tech industry reality. Mullvad could have been, and maybe even still is, lying about how they operate, because it's good for business.


At least there have been some public and external audits that bring up the trust a bit, if you trust that those external companies are honest and putting their reputation on the line.

List of the audits can be found here: https://mullvad.net/en/blog/tag/audits/


Government investigations pursue lots of avenues unlikely to be fruitful. It's basic due diligence to check all the boxes; you don't say "standard procedure is to issue a warrant, but we'll make an exception to our process in this case because their website suggests it won't get any data, plus they hired an auditor."


> Mullvad could have been, and maybe even still is, lying about how they operate

Could they? Sure.

Do they have anything on me?

    * One BTC transfer
    * IPs where I'm connecting from (if they are lying and storing them)
    * My traffic (if they are lying and storing it)
    * My unencrypted traffic (if they are lying and storing it)
Do they have ... on me?

    * Email? - nope
    * Phone number? - nope
    * Credit card? - nope
    * My first name, family name? - nope
    * My address? - nope
    * My mother's maiden name? - nope
Because I never provided it to them, because they never asked for it.


Unless you're using another VPN/proxy/Tor/... to connect to the VPN, the IP where you're connecting from (respectively the full 4-tuple including source/destination port) likely does identify your address.


Of course. It doesn't help that I'm getting pretty much the same IPs from my provider.

Double (triple|quad) hop, tied to different entities, is necessary if you want at least plausible deniability. Thankfully I don't do things that may be of interest to someone who can raid Mullvad offices.

But I recently discovered a VPS provider who only needs an email address to confirm an order, so it can be used as a bootstrap for something pretty anonymous. Still needs an email, but as I said in some other comment recently, you can do that (if you are okay with leaving some traces) with a Google device with WiFi-only capability.


Might I suggest for the future: https://vpn.sovereign.engineering

You can pay a Bitcoin lightning invoice on this site and get a redeemable Mullvad voucher instantly. Extremely convenient. Since you've only done 1 BTC transaction, I assume it was a large one for lots of time. However, when your time runs out, this option is great. It's an extra layer of privacy and you don't have to wait for the transaction to settle on chain.


Monero is even better


Did you obtain the BTC that you used for the purchase from an exchange that requires PII?


Exchange has my CC number and the 'card holder' (though I never put my name there, lol). A non-business card is probably the easiest way to identify someone globally.

If someone comes to the exchange - they could identify me (and they can just tap their server to listen to email, which does have all the transaction info, including CC# in plaintext, lol).

To establish a correlation between my wallet and Mullvad account someone needs to find that transaction in Mullvad customer data. Which - they claim they don't have.

So yes, someone can identify that I bought services from Mullvad and... nothing more?


You never know until you check. There are a lot of things to understand by viewing the metadata. Also don't underestimate incompetence with many of the self-proclaimed pro-privacy companies. They might be experts in the VPN software but not in all aspects of system and network administration.


> Once again this shows the huge disconnect between the government authorities and the tech industry.

Authorities have to follow their process and collect evidence, or document the absence of discovered evidence. They can’t simply read the website, shrug their shoulders, and decide not to investigate a key part of a criminal case because the website says the company won’t have the data.

They are obligated to explore the possibility of data existing and to document the fact that it could not be found. Assuming the evidence doesn’t exist isn’t an option. They have to document it.

I know Mullvad is generally trusted by the community, but you also have to remember that several VPN companies have claimed to not keep logs but were later found to have data useful to criminal cases.

I think the real disconnect is in the comments from people who think this is the government being dumb. They’re not, they’re just doing their job correctly.


A service provider may claim to not store any user data, but they could be lying.

From the article: "After demonstrating that this is indeed how our service works"

Presumably, Mullvad employees showed this data does not exist live.


> service provider may claim to not store any user data, but they could be lying.

As someone who ran a VPN in the past, this blog post is extremely strange as well as the purported described sequence of events.

Police in any jurisdiction aren’t jokes - especially not Sweden where they can absolutely walk in and take your stuff according to Mullvad's website [1].

It’s 2023 - if a VPN is how you’re doing your privacy you’re probably doing it wrong.

Don’t trust. Verify.

[1] https://mullvad.net/en/help/swedish-legislation/


> It’s 2023 - if a VPN is how you’re doing your privacy you’re probably doing it wrong.

I'm honestly interested, how could one 'do privacy' the right way then?


I'm guessing they're thinking of VPN as OpenVPN, and are referring to WireGuard...? Mullvad also provides configurations for that.


I'm satisfied with the transparency Mullvad has shown by publishing its 9 audits[1] and with their efforts to ask for as little information from users as possible. I also appreciate how Mullvad releases up-to-date source code for all of its software clients, which I consider a bare minimum for any VPN to even be considered.[2]

Private Internet Access, on the other hand, does not release up-to-date source code for its software clients:

- PIA Android client: latest source release v3.14.0 (Mar 18, 2022) vs. latest Google Play release v3.18.0 (Feb 22, 2023)[3]

- PIA iOS client: latest source release v3.14.0 (Mar 18, 2022) vs. latest App Store release v3.20.0 (Mar 1, 2023)[4]

- PIA desktop client: latest source release v3.3.0 (Feb 23, 2022) / v3.4.1-beta1 (Aug 18, 2022) vs. latest downloadable release v3.3.1 (unknown)[5]

- PIA browser extension: latest source release v3.1.0 (May 31, 2021) vs. latest Chrome Web Store release v3.2.0 (March 8, 2022)[6]

It's not clear to me how much of a say you still have in PIA's operations, but if you have any influence, I kindly ask you to direct them to release the source code of PIA's clients on time, every time a new client version is released. Open sourcing PIA's clients was something you promised PIA would do to reassure customers after PIA was acquired by the former adware/malware distributor Kape Technologies.[7]

---

[1] Mullvad's audits: https://mullvad.net/en/blog/tag/audits/

[2] Mullvad's GitHub repos: https://github.com/mullvad

[3] PIA Android client - GitHub: https://github.com/pia-foss/android/tags / Google Play: https://play.google.com/store/apps/details?id=com.privateint...

[4] PIA iOS client - GitHub: https://github.com/pia-foss/vpn-ios/tags / App Store: https://apps.apple.com/us/app/vpn-by-private-internet-access...

[5] PIA desktop client - GitHub: https://github.com/pia-foss/desktop/releases / PIA website: https://www.privateinternetaccess.com/download/linux-vpn

[6] PIA Chrome extension - GitHub: https://github.com/pia-foss/extension-chrome/releases / Chrome Web Store: https://chrome.google.com/webstore/detail/private-internet-a...

[7] Our conversation in 2019: https://news.ycombinator.com/item?id=21613267 (I appreciated your response at the time)


commoner - Thank you for this comment, and I think it's definitely fair to trust in Mullvad given these transparencies. The sequence of events is simply peculiar to me, and doesn't seem like a professional police operation. That said, I've been keenly watching Mullvad and agree with you that it's rock-solid in transparency, which is the number one reason to use/not use a VPN service, if for privacy.

I salute Mullvad and consider it to be the top VPN in the world today, and specifically, the only one I would recommend to anyone looking for a VPN.

In terms of PIA, I am no longer affiliated with the company, but I agree that getting the source for the clients out on time is something they should try to address quickly.

gerbilly (another poster in parallel) - In 2023, I don't think a VPN is not private, but, for sure this cannot be the only tool in one's arsenal to secure their privacy. Depending on your threat-levels, there are different things you may want to do. To be clear, if you're being targeted, you cannot maintain privacy.

For the absolutist:

1. Get cash but not from an ATM (traceable)

2. Go buy a computer (must be Purism or something with trustworthy hardware) with said cash but wear a disguise when buying it. Disable all the location/etc. stuff at store parking lot.

3. Purchase a T-Mobile Prepaid Hotspot with cash.

4. Purchase mullvad, but wear gloves, mask and a hairnet when working with the envelope to send cash.

5. Never login to any service of any kind that would leak your identity.

For everyone else:

1. Assume you're not private.


Or, you could just buy Monero with a giftcard.




Have further information on potential malice by Private Internet Access or employees?


There are some links on my profile if you're curious.

Bonus:

1. Mark Karpeles has nothing to do with PIA:

https://news.ycombinator.com/item?id=21821832

2. Kape is a shit show:

https://old.reddit.com/r/PrivateInternetAccess/comments/11ej...

3. Jonathan Roudier has nothing to do with WeVPN:

https://news.ycombinator.com/item?id=35561337

much more to come...


These are pretty serious allegations, and as the ex-CIO of PIA, you certainly have the credibility to make them. However, drip-feeding various circumstantial links does not really help your case, and HN comments are not the best medium to make them.

I'd suggest creating a website or page, and writing out your allegations in detail and instead linking that here.


Just trusting public claims would be a pretty bad investigation. There are so many companies claiming not to save any logs and data, yet occasionally it's revealed that they lied and still stored something significant for the police to fetch. Looking deeper at reality is a relevant part of a good investigation. And in the first place, we don't even know whether the story is true or just marketing, until someone can back it with an official police report.


> a quick investigation

So for example, going to their office and asking them?


Police got a warrant and went to service it, Mullvad explained why it was pointless, police agreed and left without further incident. It's not "a huge disconnect", it's the system working exactly as I'd hope for.


Police doesn't (can't) make these kinds of decisions, they communicated with the prosecutor and the prosecutor withdrew his warrant. Which actually does seem very out of the ordinary to me. Might've been the warrant was acquired on autopilot with no one actually checking the targeted entity (e.g. crime committed, IP traced, get warrant for IP "end-user", police show up, "oh we've gotten a warrant for an ISP oops").


Of course a for-profit entity wouldn't lie or fail to adhere to their own standards.


They can still try to seize equipment as an intimidation tactic though.


Mullvad has also been an outspoken critic of the chat control proposal. There may have been different motives at work here.


So you’re suggesting that law enforcement take someone at their word?

I understand that some people are less clued in than others, but your snarkiness is really misplaced.

The VPN industry is notoriously shady, and that’s not just code for “fights for users’ rights against law enforcement”.

