I use them because it's the best I can do, but I'm very suspicious. I would think the NSA is misappropriating my tax dollars if they hadn't compromised all of the VPN providers years ago. We also know the US has a history of selling compromised security equipment (https://www.washingtonpost.com/graphics/2020/world/national-...)
Don't get me wrong, I wish the NSA wasn't what it is, but if I'm paying for the federal government to be doing work, I expect them to do it exceedingly well.
So what's the case the United States is so incompetent as to let Mullvad go untapped?
Edit: the answer is that there apparently is no case. maqp was writing up the answer to my question in a response to another comment while I was writing mine.
Edit 2: My personal threat model largely accepts that the NSA, CIA, and FBI can have their way with me in the unlikely event that they notice my existence. I can live with that because they have no reason to take notice. Despite my annoying moral values, I'm not a threat to the state. However, I find the focus on nation-state actors in an ad for a service that clearly can't protect from them to be distressingly dishonest.
The correct level of paranoia is behaving in such a way that all your systems could be fully compromised and it would still never link to your real identity. If you're scared of anything short of a signal locator van you're doing it wrong.
People that used that method have been caught.
I guess the best way to be anonymous is to be schizophrenic.
Real "vs. NSA" security is nigh impossible right now for any persistent operation. Especially given ARGUS style eye-in-the-sky citywide object tracking.
Maybe the most successful model would be an actual homeless person who wanders by walking and hitchhiking and never sleeps in the same area twice.
One of the benefits of mass surveillance (for the state) is that people of interest have no way of communicating with the world securely/secretly; they have to assume that everything is tapped and actively hostile to their communication setups.
That means that you could be recognized as part of the shortest path to undermine some person of interest, and there is no reason for you to assume that they will hesitate to harm you and your safety/comfort.
What's interesting about CALEA is it (essentially) requires compliance via devices with "LI" (lawful intercept) functionality and/or third party providers to provide "tap/trace" functionality in such a way that it's not even visible/detectable to the network provider, network admins, etc.
This LI functionality is typically implemented at the network device/operating system level as defined by an ETSI standard. I've never implemented it personally but from what I understand it basically allows for an LI provider to siphon off tap/trace data with something like a VPN back to the LI provider, who is also the contact for response to warrants, etc.
So what happens is the LI provider gets a warrant for something like "give us everything to/from this device or phone number". The provider verifies the legality of the warrant, uses the ETSI standard to one or more devices on the provider network, receives the data, and then provides it to law enforcement (in real time). The network provider isn't even aware of the court order.
The old trope in Mafia movies of "I got a guy inside the phone company to tip us off" hasn't been accurate since CALEA came into effect in 1995.
Or, maybe, it's just slightly inept at lobbying for their cause? It should really end with a specific call to action, or at least mention if there's any legislation going through the process right now that needs support or opposition?
I guess the call-to-action is to use Mullvad (which I happen to do, and can't complain about). For Germany, I will add http://freiheitsrechte.org/ as the local equivalent of ACLU & EFF that one might want to join.
Mullvad and other VPNs only provide a trivial layer of IP address masking; they don't automatically block the endless list of tracking elements, from HTTP headers to web bugs, LSOs, JWTs, cookies, webRTC, or canvas fingerprinting, and user actions on the site.
It's also the case that simply downloading a bunch of browser plugins will probably make your browser look unique, if it wasn't already.
The best protection you have for anonymous browsing is with the Tor Browser, where every Tor user falls into three buckets depending on the privacy slider setting.
Commercial VPN to access the Internet is mostly a "feel good" service that offloads trust under foreign jurisdiction that might not e.g. have laws wrt. torrenting, but don't think for a second it provides safeguards against governments. It's not that Wireguard isn't an excellent protocol, it's that the server is, performance aside, just an ordinary computer that can be compromised invisibly with one expensive zero-day and a persistent rootkit, and there's nothing the companies can do about it.
I’ve been a Mullvad user for a few years now and I’ve been quite happy with them but one thing I’ve noticed is that, no matter how I’ve got Mullvad or my browser configured, BBC/Channel 4 knows I’m not actually in the UK. If anyone has any idea how they’re getting my location I’d be curious to know.
Plenty of ways to figure out you're connecting from behind a VPN. Aggressively filtering for well-known residential address space, detecting suspicious changes in traffic patterns from shared blocks/IPs used by VPN companies, detecting split DNS behaviour, detecting much higher latency and/or lower TTL between the client and server than what's expected/average within that public address space, detecting unexpectedly low MSS/MTU on the segment behind NAT, ...
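The TTL, MSS and latency heuristics listed in the comment above, turned into a small scoring function as an added example (my code, not the commenter's and not anything a broadcaster is known to run). It assumes the server already records per-connection handshake facts and has its own per-address-block baselines for hop count and RTT; the field names, thresholds and the IP-to-ASN "kind" lookup are hypothetical, and the sample connections are constructed from documentation address ranges.

```python
from dataclasses import dataclass

# Initial TTL values that common operating systems put on outgoing packets.
# Hop count is estimated as the distance from the observed TTL up to the
# nearest of these, a standard passive-fingerprinting trick.
INITIAL_TTLS = (64, 128, 255)

# Thresholds are hypothetical starting points, not values from the thread.
MSS_ETHERNET = 1460   # MSS for a 1500-byte MTU path with no encapsulation
HOP_SLACK = 6         # extra hops beyond the block's norm before we flag
RTT_FACTOR = 2.0      # RTT this many times the block's norm before we flag


@dataclass
class ConnMeta:
    """Per-connection facts a server can observe from the TCP handshake,
    plus two baselines assumed to come from the operator's own data."""
    src_ip: str
    observed_ttl: int        # IP TTL of the client's SYN as it arrived
    mss: int                 # TCP MSS option the client advertised
    rtt_ms: float            # handshake round-trip time measured at the server
    asn_kind: str            # "residential" / "hosting" / "unknown" (assumed IP->ASN lookup)
    baseline_hops: int       # typical hop count from this address block (assumed baseline)
    baseline_rtt_ms: float   # typical RTT from this address block (assumed baseline)


def estimate_hops(observed_ttl: int):
    """Return the estimated hop count, or None for a TTL above every known initial value."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    return None


def vpn_indicators(meta: ConnMeta) -> list:
    """Return human-readable reasons this connection looks tunnelled.
    An empty list means none of the heuristics fired."""
    reasons = []
    if meta.asn_kind == "hosting":
        reasons.append("source address is in hosting/VPN address space, not residential")
    hops = estimate_hops(meta.observed_ttl)
    if hops is not None and hops > meta.baseline_hops + HOP_SLACK:
        reasons.append(f"TTL implies ~{hops} hops vs ~{meta.baseline_hops} typical for this block")
    if meta.mss < MSS_ETHERNET:
        # Tunnels shrink the path MTU (WireGuard's default MTU of 1420 gives an
        # MSS of 1380), so a clamped MSS is a cheap hint of encapsulation.
        reasons.append(f"MSS {meta.mss} is below {MSS_ETHERNET}, consistent with an encapsulating tunnel")
    if meta.rtt_ms > RTT_FACTOR * meta.baseline_rtt_ms:
        reasons.append(f"RTT {meta.rtt_ms:.0f} ms is far above the ~{meta.baseline_rtt_ms:.0f} ms norm for this block")
    return reasons


# Constructed sample connections (documentation address ranges, not real hosts).
SAMPLES = [
    ConnMeta("198.51.100.23", observed_ttl=52, mss=1460, rtt_ms=18.0,
             asn_kind="residential", baseline_hops=12, baseline_rtt_ms=20.0),
    ConnMeta("203.0.113.77", observed_ttl=44, mss=1380, rtt_ms=95.0,
             asn_kind="hosting", baseline_hops=12, baseline_rtt_ms=20.0),
]


def classify_samples() -> dict:
    """Map each sample's source IP to the list of indicators that fired."""
    return {s.src_ip: vpn_indicators(s) for s in SAMPLES}


if __name__ == "__main__":
    for ip, reasons in classify_samples().items():
        print(ip, "->", reasons or ["no indicators"])
```

Each heuristic alone is weak (a long home-to-server path also raises hops and RTT, and PPPoE or IPv6-in-IPv4 lines also clamp MSS), which is why a site would combine several and compare against its own per-block baselines rather than fixed constants; that combination, not any single check, is what makes the commenter's "knows I'm not in the UK" experience so hard to defeat from the client side.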
I bet there are a few other areas this localization information leaks.
>If you would like to communicate in a truly safe manner, do not trust any 3rd party – encrypt yourself. Do not use any US-based service for anything secret, especially if you are a company or government handling PII information.
I wonder what 5/9/14 eyes actually do with the intercepted data? Isn't mere processing of the said data a gargantuan task? Is this where Palantir comes into play, or is it more like a `cat atlantic_pipeline | grep bomb` thing?
For what us ordinary people know, there are "selectors", something similar in purpose to regular expressions, that can filter data out of the streams (not just raw IP communications, but also phone call metadata and PIR datasets from airlines) for storage and human inspection. Think of stuff like the phone numbers, names or email addresses of known or suspected "terrorists", drug dealers, organized criminals, or whomever else ends up on one of the flag lists.
E.g., we suspect person 1. Now, do a deep search on 1, find associates, do a deep search on those.
I think most VPN users just want something to access different Netflix catalogues though, and Mullvad doesn't play that cat and mouse game.
Please support them with an annual donation; they seem very dedicated and the work they're doing is very worthwhile (and they have already gotten significant results).
This was almost 2 decades ago, but on mobiles, they had a custom portal where you put in a phone number, and all traffic is logged, location, etc. Also they had a department to handle just warrants for data for mobiles.
This is almost the same way we did it for child porn cases about 10 years later in photo hosting. Either a photo matched a known MD5 sum of content, or a cop would submit a warrant, legal would contact operations and ask us to run the warrant script. The script would zip up the entire user's data and burn it to DVD. The cop would walk into the data center and pick it up.
No chain of custody would include an employee. I'm assuming Facebook/Twitter have portals for feds now, since they already have government portals for city/state employees.
I’m more concerned about my privacy being utterly raped for advertising purposes. That’s why I use a paid VPN, paid privacy-focused DNS, a paid ProtonMail account, Signal, etc. I could probably be better served by self-hosting some of these things, but this is a good balance for me. It seems to me that this concern - hiding data from Google, Microsoft, Verizon, etc. - is secondary to hiding from the NSA/CIA in many open privacy conversations.
Note - I am sympathetic to the fact that there are hostile governments all over the world and privacy tooling is mandatory for whistleblowers, activists, protestors, journalists, etc.