Can bet 99.99% that Mullvad throws the envelope in the trash and just forgets about it.
So, yes, there is a theory that someone may go in the trash in Sweden, finds the envelope, the stamp (and it has to be a british one), investigate who bought the stamp, get the assistance of the shopkeeper in UK (without raising suspicions), successfully reviews tons of security cameras footage to find who bought, etc.
And still don't know which activity to link it to.
A perfect waste of public resources if the NSA really does that, when all they needed to do is to purchase a VPN provider or fund Tor and claim to be no-logs VPN ;)
> So, yes, there is a theory that someone may go in the trash in Sweden, finds the envelope[...]
Presumably the theory is more like [1] - that the postal service, when they scan the envelope to read the address, save the scanned image and give it to the cops.
I agree that the NSA would be better off just running their own VPN services - or indeed intercepting everything on major backbones and just seeing what source IPs connect to Mullvad's servers.
> Can bet 99.99% that Mullvad throws the envelope in the trash and just forgets about it.
Storage is cheap - really cheap. I bet automatically capturing images of all mail during sorting and archiving that for years is not only viable, but a vital investigation/intelligence tool. One would ask Mullvad for the cash payment dates[1], and cross-reference with all mail sent to a Mullvad postal address. One city-level datapoint on where user was, cross-checked with the latest IP address, where stamps were bought[2], and you've massively trimmed the list of suspects, especially if they are behind a NAT and sharing the IP.
1. They have to keep track of payment dates, which is a side channel.
2. Where and when stamps were bought. I'm certain GCHQ can keep track of individual stamp IDs, the batches they belonged to, when they were procured by the retailer and have a reasonable guess when that specific stamp was bought by mail-sender.
Wow, looks like you lost that bet! They indeed shred that envelope.
"Put the money in an envelope together with the payment token and send it to us. We will open the envelope, add time to the account (corresponding to the amount of cash sent), and then use a shredder to destroy the envelope and its non-money contents."
The UK will know with certainty that a specific stamp was used to send a specific envelope to Mullvad. (e.g., America has been logging images of every envelope that passes through its postal service for over two decades).
It would also be trivial for the UK to know:
- When and where that stamp was initially sold (and to whom, if buying online!)
- When and where an envelope bearing that stamp entered the postal system
- When and where envelopes with other stamps from the same booklet entered the postal system
> Not really very realistic is it though? I can only imagine this sort of thing is only done if the suspect is someone like Bin Laden, not the average Joe using a VPN for pirating Photoshop.
This is a misconception caused by the scale of surveillance today. In the old days you were right. To do this kind of tracing they'd have to assign someone to do it which takes human resources and is not infinitely scalable. So they'd only do it to people deemed interesting enough, so average Joe was safe.
Today the scope has changed completely. Everything can be correlated all the time, so it is. No suspicion or probable cause needed.
And all of this is null and void if you buy your stamps from aliexpress and for the low low effort of simply driving to a different city to throw the envelope into the postbox.
Not really very realistic is it though? I can only imagine this sort of thing is only done if the suspect is someone like Bin Laden, not the average Joe using a VPN for pirating Photoshop.
To make this happen each stamp would during product have to know where it would will be sold. Is that actually how it works? Can you show me the evidence for that.
If they scan the stamp's code at time of purchase, and associate it with your debit card, that'd be an obvious way of tracking you.
If they don't do that, if they meet the stamp along the letter's journey, they can scan the code and check which batch it's from, and there could be a database of which post office got which batch, and then it's a matter of checking that post office's purchases/security cameras.
If all stamps are indistinguishable from each other, then you could've bought the stamp months ago on the Isle of Skye and used it in London, they wouldn't be able to tell the difference.
