Why are VPNs what people flock to when they think they want privacy? Moreover they kinda break the internet so it's not a scalable solution. It's cool to see a good one selling a privacy message and doing it at level 11, but it seems kinda disingenuous to me to tell users that they're more private because they use a VPN. Private from your current ISP, sure, but not from Mullvad (they're your new ISP, you're just moving the problem of who to trust, not acquiring privacy) and especially not so much from the service level tracking and collection of data which is arguably the real problem short of being targeted by nation-states.
Also it seems all I need to do as an "attacker" is subpoena (or whatever the Swedish equivalent is) Mullvad while your payment record is on file and I get the info I want. If Mullvad really wanted to go hardcore why not only sell little top up cards cash-only at kiosks?
Now, choosing where you want your traffic to geographically egress onto the public network does have marginal utility and it's a perfectly sane feature for VPN providers to market and consumers to pay for--VPNs aren't useless. It's just not privacy.
EDIT: add bit about how Mullvad is your new ISP to clarify the point
> Private from your current ISP, sure, but not from Mullvad
Being private from your local ISP is what 99% of people care about because they use VPNs to send copyright infringement claims to /dev/null and watch Netflix, not to smuggle nuclear secrets to Iran. It's privacy in a practical sense that's useful to people. If I go from an untrustworthy ISP to a trustworthy one I've gained privacy, there's no need to be overly academic about the term.
I'm not really trying to be pedantic for giggles... perhaps I just think it's sad that 99% of ISPs are considered your privacy enemy and on top of that I don't consider VPNs a scalable solution to the problem at large so I'm more entertaining the "why is this the de facto solution" question in the "does it scale to society" solution space. It starts to look more like a social problem/solution than a technology problem/solution. That's more what this is about. If everyone used a VPN we'd really be in the same scenario we are today because to support that infrastructure you'd need exit nodes in every city and boom there goes your location advantage.
I don't consider my ISP my privacy enemy when it comes to paying my mortgage, or filling out my taxes. I do consider my ISP my enemy when it comes to downloading Linux ISOs, because the IP addresses issued by my ISP can be tied back to a geo location and are known to be the "last leg" address that would be targeted for infringement purposes.
Code word for torrents. Linux ISOs are probably the most common large file legitimate use of torrents and so it's become a code word for pirated content.
I don't disagree that centralized services are also bad for the internet, but that's not a rebuttal to my point (also, what is a VPN service if not a "centralized ISP with different egress options"). A VPN does not add a layer of privacy. That's a misunderstanding of the concept and unfortunately a popular one even among security folks and even more so among security marketing folks. A VPN allows you to effectively choose a different ISP. You are not private from Mullvad. You just have their promise that they're better and more transparent than your alternatives and that they won't sell your DNS queries and connection logs to advertisers. It's not bad to align with an ISP that shares your values, but it's not privacy outright.
> And if you want you can even send them cash in an envelope. Or monero or whatever.
So why not only allow payments in privacy perfect currency if they're so concerned about privacy?
I agree that it's but a single tool in a complex mesh of procedures to provide some privacy.
But the reality is that it does work for a variety of use cases. Try to torrent in Germany (of all places) and you'll get blackmail letters from random lawyers. Do this with a VPN and no problem.
For this scenario it's the tool for the job. If you're an insurgent trying to liberate Iran it's not.
For general surfing privacy it doesn't add much value at all because most of the identifying information is in the session itself, not the IP. This is where the layered approach comes in.
But I definitely see a value in these services.
And they do offer many anonymous payment options, but some are heavily frowned upon in some regions (e.g. anonymous crypto in India) and mailing bills is inconvenient and risky. And I guess for some people it's worth the tradeoff.
Yeah I definitely see value, don't get me wrong. I think, slightly, that marketing privacy is the cheap shot at best and kinda irresponsibly inaccurate at worst because it glazes over so much of the actual problem. In other words, if I start using Mullvad today I don't incredibly become anonymous and private on the internet... there's a lot more work to do to achieve that posture. The way VPNs are touted though might lead you to believe they keep you safe and private.
It’s pretty simple. A VPN adds a layer of privacy between you and the server you’re accessing. You go from user A with X home IP address originating from precise Y location, to user A with generic shared IP originating from a vague location likely nowhere near your real location.
Beyond location, did you know there are services that can sometimes accurately provide a user's place of work based on home IP? Their likely income level, and more. That becomes impossible with a VPN.
In short a VPN removes a key personal identifier that can be used to ID you online. Your IP address.
But traditional ISPs reuse IP addresses too. You rarely get a static IP from your ISP. Some even run carrier-grade NAT and you're literally sharing an IP with your whole building or something. VPNs are not really different in any regard. They do obfuscate location, I'll give you that, and that seems like the crux of the issue with traditional ISPs: they are small and distributed so people have created location maps. By using a big centralized service you can obfuscate your zip code. I'm all for people having that option, don't get me wrong. Personally I'd rather see us pass strong legislation that takes things a step further and prohibits zip-code based profiling if that's considered dangerous to society, or ya know solve the social problem and create diverse zip codes in the first place so you can't predict income based on it, rather than be fooled into thinking that we can solve this problem by giving everyone a VPN. It doesn't scale.
Most residential ISPs reassign the same IP to the same account for months at a time. It's not technically static but is certainly used as a "mostly static" piece of data by profiling technologies.
> [...] it seems kinda disingenuous to me to tell users that they're more private because they use a VPN. Private from your ISP, sure [...]
Bit of a contradiction there. It adds friction to at least some attacks against your privacy. That's better privacy.
Nothing will ever be perfect, and VPNs can easily be oversold in terms of their benefits (especially since HTTPS became the norm). But they have benefits in some common use-cases.
> Also it seems all I need to do as an "attacker" is subpoena (or whatever the Swedish equivalent is) Mullvad while your payment record is on file and I get the info I want. If Mullvad really wanted to go hardcore why not only sell little top up cards cash-only at kiosks?
They accept cash and at least some other privacy preserving payment methods already.
> They accept cash and at least some other privacy preserving payment methods already.
So why even allow "traditional" KYC-ridden payments at all?
> Bit of a contradiction there. It adds friction to at least some attacks against your privacy. That's better privacy.
The nuance is that you're just moving the problem. You're not private from Mullvad. You're just trading one ISP for a different one. I could have phrased it better in my initial comment so as not to suggest a contradiction. Think of it this way, if Mullvad was your ISP, would you still tell someone to get a VPN? You have to trust someone not to snoop on your DNS queries and connections. All adding a VPN does is give you more freedom to choose who to trust, which is not bad in its own right. It's just not technically privacy manifest.
They break the practical solutions to content distribution and delivery that we've deployed. If everyone used a VPN, CDNs and caching would be rendered ineffective. Generally, VPN consumers use more bandwidth than necessary to acquire the same content which does impact the network.
Same bandwidth over my local connection, mildly more across backbone connections, not a big deal in total.
I feel like if the bandwidth used by content distribution really mattered, we'd see a lot more effort being put into multicasting. Even a basic stateless "multiple destination IPs" version could save so much bandwidth.
I think that you're right in that by using Mullvad you're transferring the trust from your current ISP to them.
It's also important to mention that you can pay Mullvad with cash, sent in an envelope, so that your (real) identity is never known to them.
My ISP accepts cash payments in an envelope with an account number written on it. They probably require an address during signup so they can service the physical lines but just pointing out that paying in cash is not exclusive to Mullvad.
Browser and system configuration. Turn off tracking cookies, advertiser IDs, block tracking links/assets. I use a municipal ISP that doesn't sell my info. Stuff like that. But really I know that I'm not private from the services I access so I try to gravitate towards services that I trust with my personal information. My goal is not to make sure nothing ever lands in my advertising profile. It's to make sure that whatever my profile is looks so unlike my interests that it becomes a useless waste of money to build it.