Thank you for the compliment! We are indeed for real, but I don't expect this comment will convince you. I'd love to know what we could do that would change your mind.
The same goes for anyone else reading this. Are you worried that we are too good to be true? What could we do to become more trustworthy in your eyes?
I don't know. Disclaimer: just a happy customer. What I do know is that all you know about me is the account number you gave me and the IP address I'm connecting from. I always pay cash, so that would be hard to trace back.
So I know you do the absolute maximum you can do to know as little about me as possible. As far as not keeping logs and not spying on me, I suppose I'll have to trust the audit reports.
Not much more you can do in my opinion. It's definitely good enough for me! Thanks for this great service!
This isn't meant to be criticism, just curious. Why did it take so long to add monero support? For the past several years there's only ~2 other VPNs that tick all the privacy boxes, and you're the most preferable - other than lack of monero support. It always seemed weird that you went so far for privacy, but didn't support monero.
Was it just on the backlog and took a bit of time to implement? I appreciate that you built your own implementation for crypto by the way.
Thanks for the great service.
EDIT: I've heard a rumor that you've shared a user IP because of a government subpoena (live during a connection, so it wasn't logged). Has this happened? I think your swedish-legislation page says "However, the Swedish police authority may have access to information by way of coercive measures such as seizure and search of premises." which would allow for this to happen in theory? I.e. intercepting or seizing control of your router to see what IP a connection is on?
EDIT: One other question - are there plans to add more IPs? Services seem to flag most Mullvad IPs but I'm not sure there's much you can do about that.
Some third-parties did sell gift-codes using Monero before Mullvad had native support although I had no experience with them.
> I've heard a rumor that you've shared a user IP because of a government subpoena (live during a connection, so it wasn't logged).
Got any details?
FWIW: Correlating the origin IP with real-time traffic out of a single-hop VPN tunnel can be done using traffic-analysis by third-parties that are not the VPN provider themselves.
> Why did it take so long to add monero support? It always seemed weird that you went so far for privacy, but didn't support monero. Was it just on the backlog and took a bit of time to implement?
I don't work with payments and the surrounding systems so I don't know the details of the project itself. As an organization we've certainly been aware of the feature request, but until now we've prioritized other projects.
> EDIT: I've heard a rumor that you've shared a user IP because of a government subpoena (live during a connection, so it wasn't logged). Has this happened?
To my knowledge it has never happened in the history of our service.
> EDIT: One other question - are there plans to add more IPs? Services seem to flag most Mullvad IPs but I'm not sure there's much you can do about that.
I'm sure my colleagues in the Operations and Support teams are aware of it. You'll get a better answer from support@mullvad.net.
Paradoxically, the most trustworthy thing you could do as a VPN provider is explain why most people don't need and won't actually benefit from a VPN. Outside of a few limited use cases (accessing location-restricted content, connecting to legacy services) and with almost-ubiquitous end-to-end TLS encryption deployed on the Internet, there's really not a lot of good reasons to use a VPN (and many good reasons not to). Reasoning about this in a transparent and objective way is something I've never seen VPN providers do, and for this reason I struggle with trusting them.
DNS queries are still leaked (from most users) regardless of end-to-end TLS. There is of course DNSSEC and DNS over HTTPS, but those are not used by the majority.
Another use case you missed is downloading/uploading pirated/copyrighted content. Good VPNs receive DMCA notices and throw them in the garbage.
You are right that VPNs are not useful for many use cases and they can give users a false sense of security.
You mean it helps record integrity. The "security" story with DNSSEC is much more of a mixed bag than that; there's a reason it's very rarely deployed in the industry.
You're definitely right to point out that DoH helps with the VPN DNS privacy problem and DNSSEC doesn't.
I disagree with your assessment of the use cases for a VPN. Just one example: Your IP address is often a great identifier, making a VPN or Tor a useful starting point for online privacy. This is more or less what we say on our website as well.
Based on your comment however I think you might find the following links to IVPN refreshing:
> Your IP address is often a great identifier, making a VPN or Tor a useful starting point for online privacy.
See, this is exactly why I don't trust you. This is used car salesman talk. IP addresses are only one minor tracking mechanism out of many which defeat obscuring originating IP by means of VPN altogether (canvas fingerprint, cookies, font/screen tracking, etc.) You're trying to say if I use a VPN, I get privacy because websites don't know my IP, but this isn't even remotely accurate. Do you explain this anywhere in your marketing materials? If not, it doesn't really help me, it just helps you sell the product.
> IP addresses are only one minor tracking mechanism out of many which defeat obscuring originating IP by means of VPN altogether (canvas fingerprint, cookies, font/screen tracking, etc.)
I agree. This is why I said "useful starting point". A user looking for browsing privacy needs to do more than just use a VPN or Tor. Obscuring your IP address somehow is necessary but not sufficient. This is what I meant.
Category: [Misunderstanding]
> You're trying to say if I use a VPN, I get privacy because websites don't know my IP, but this isn't even remotely accurate.
No, I said it's a "useful starting point". I did not say it's sufficient. I could have been more clear, but I was in a hurry when I wrote it.
Category: [Misunderstanding]
> Do you explain this anywhere in your marketing materials?
We do! On our landing page you are met with this:
"... a ... VPN is a good first step toward reclaiming [your right to privacy]."
Right below is a button ("What is a VPN?"), which leads to a page containing a header ("How a VPN protects your privacy"), which explains further:
"Using a VPN is a great first step toward protecting your privacy, but it's not the ultimate solution (we wish it was!). However, it's easy to improve your privacy ninja skills."
With this reply I believe I have shown you that we (Mullvad) do "reason about this in a transparent and objective way", both on your website, and with people giving us feedback.
As an aside I think IVPN's approach might be more to your liking, but nevertheless none of your stated concerns apply to us. As I've shown above they came down to two misunderstandings and a question.
If you have any other concerns I'd love to hear them. I appreciate your feedback. If we only spoke with people who gave us positive feedback we wouldn't improve as much.
Essentially, you're giving people knives and saying you can be a chef, because knives are a "useful starting point". It's going to result in some cut up fingers and knuckles, for sure. Cooking is about a lot more than handling knives, but a knife seller won't really explain this, just as you haven't sufficiently done with VPNs.
My only feedback is that Mullvad is based out of Sweden which is a member of Fourteen Eyes. I don’t expect you to move your location but it is the only detractor I can think of.
The same goes for anyone else reading this. Are you worried that we are too good to be true? What could we do to become more trustworthy in your eyes?
Cheers, Fredrik Stromberg (cofounder of Mullvad)