I know Mullvad already allows you to e.g. send cash in an envelope for total privacy, but that's kind of a pain, it'll take a long time to arrive, if the envelope is lost there's nothing you can do, etc.
But by physically printing covered-up codes on cards, this actually uses Amazon to create the privacy/anonymity, which kind of feels ironic given how Amazon generally tries to hoover up all the data. You can get your code with fast Prime delivery, a tracking number, pay for it with your credit card, get a free replacement if it's lost in the mail...
These sort of plausible deniability arguments only work in people's heads. Judges and prosecutors never buy these arguments.
...and even if you think you can convince a jury, it's still enough to issue a search warrant, whereby the prosecutor will find more than enough charges to force you into a plea deal.
Your initial anonymity is your most important defense.
> These sort of plausible deniability arguments only work in people's heads. Judges and prosecutors never buy these arguments.
What exactly do you base this on?
First of all, Mullvad (like any serious VPN operator) does not log IPs, and one can probably safely assume they do not log who bought which gift card. They are also under no obligation to do so, as far as I’m aware.
But let’s assume for the sake of argument that they did: let’s assume they log IPs and sales of gift cards down to the social security number of the person who bought it.
Now assume that I’m running a corner store where I sell among other things these gift cards, that I bought from Amazon at a small markup.
Someone uses these gift cards and the tracking (that doesn’t exist) leads back to my store.
I’m defending myself in court in a democratic western country where people are assumed innocent until proven otherwise.
The jury (in the US) or the judge (anywhere else) is informed that I buy these cards in bulk, I sell dozens of them a week, and the IP (that Mullvad doesn’t log) is a dead end.
Do you seriously believe that a judge or jury anywhere would sentence me for the crime brought forward, or that this would even hold water enough to be prosecuted in the first place?
This is almost exactly analogous to selling anonymous SIM cards (where they still exist). One is used for a drug deal. I, the shopkeeper, am prosecuted in this alternate universe because I’m selling the cards.
> In October of 2007, Elizabeth P. Coast, then seventeen, reported that when she was ten years old a neighborhood boy named “Jon” sexually assaulted her while the two were alone in her grandmother’s backyard
> [the trial court] tried and convicted Montgomery in a one-day bench trial for the assault of Coast. Coast testified under oath that Montgomery had sexually assaulted her in 2000.
> no other witnesses to the incident testified at Montgomery’s trial. Neither was any corroborating physical evidence that an assault occurred ever presented. The trial judge categorized this case as a “word against word situation.” In reaching his verdict, the trial judge concluded that Coast was more credible than Montgomery because she had “no motive whatsoever” to lie. The trial court then found Montgomery guilty of forcible sodomy, aggravated sexual battery, and object sexual penetration. On April 10, 2009, the trial judge sentenced Montgomery to 45 years in prison, with 37 years and 6 months suspended…
> On November 1, 2012, Coast voluntarily made a videotaped statement at the Hampton Police Department. After consulting with counsel and receiving Miranda warnings, Coast recounted how she had falsely testified that Montgomery had assaulted her.
> Coast explained that immediately before she accused Montgomery, her mother caught her looking at “sex stories” on the Internet. Out of fear of her mother, Coast said that she was looking at inappropriate material because she had been molested when she was ten years old. After she reluctantly named Montgomery as her attacker, the lie snowballed. Coast felt like she could not admit that the assault never happened
Generally speaking, "innocent until proven guilty" is a cornerstone in most legal systems. This has been the case, literally, for millennia, dating back to Roman times.
It is also one of the UN's human rights, and is enshrined in several countries' constitutions.
I disagree. The UN human rights items are regularly ignored and broken. In 2022. By multiple countries. And no one bats an eye except for the persecuted. There is no world police, no cosmic justice, just politics.
You could publish a dozen similar anecdotes every day for a decade. What's unusual about this one is that the girl was stupid enough to later admit she'd been lying.
> Generally speaking, "innocent until proven guilty" is a cornerstone in most legal systems. This has been the case, literally, for millennia, dating back to Roman times.
> It is also one of the UN's human rights, and is enshrined in several countries' constitutions.
> The Soviet Constitution included a series of civil and political rights. Among these were the rights to freedom of speech, freedom of the press, and freedom of assembly and the right to religious belief and worship. In addition, the Constitution provided for freedom of artistic work, protection of the family, inviolability of the person and home, and the right to privacy. In line with the Marxist-Leninist ideology of the government, the Constitution also granted social and economic rights not provided by constitutions in some capitalist countries. Among these were the rights to work, rest and leisure, health protection, care in old age and sickness, housing, education, and cultural benefits.
Of course, having the rights in the constitution didn't mean anyone was allowed to exercise those rights, and they most certainly weren't. "Innocent until proven guilty" is a set of words that people believe in saying, but it is not a set of beliefs that people are willing to put into practice. It has nothing to do with the legal system of any country in the world. For most crimes, proof of guilt cannot even theoretically exist. (As was true of Elizabeth Coast.)
This was covered fairly extensively in my first link:
> What’s doing the work in many of the convictions, I suspect, is that the very ubiquity of the risk makes factfinders realize that — if we were to constantly consider this generalized risk, in the absence of more specific information — a wide range of crimes couldn’t be effectively prosecuted. That’s especially true of child molestation and rape, but it’s also true of many sorts of felons’ possession of guns, robberies, and the like. It’s always possible, and not extremely unlikely, that a police officer was just trying to frame someone he already thought was a bad guy.
> But I think many people (again, deliberately or subconsciously) are unwilling to see acquittals in all such cases. A seemingly disinterested supposed victim’s testimony thus tends to be credited (unless the victim seems untrustworthy for other reasons, such as the victim’s own past criminal record). A police officer’s testimony tends to be credited, at least by many jurors. And this is so even though there is good reason for doubt, simply because whenever we are dealing with human testimony there is good reason for doubt.
> So... the “beyond a reasonable doubt” standard ends up being, in many cases, considerably less defendant-protective than one might think. Maybe that’s bad, or maybe it’s a necessary evil
>You could publish a dozen similar anecdotes every day for a decade. What's unusual about this one is that the girl was stupid enough to later admit she'd been lying.
So? Once again, they are anecdotes. I can similarly provide thousands of anecdotes showing presumption of innocence. It means nothing except that those cases happened.
Do you have any proof "it is not a set of beliefs that people are willing to put into practice" on a systematic scale?
>> You could publish a dozen similar anecdotes every day for a decade.
> So? Once again, they are anecdotes.
"Anecdote" doesn't just mean "something I'd prefer not to have to think about", you know. Being very common makes the event systematic.
> Do you have any proof "it is not a set of beliefs that people are willing to put into practice" on a systematic scale?
Yes, we've been talking about it for a while.
> I can similarly provide thousands of anecdotes showing presumption of innocence. It means nothing except that those cases happened.
That's... not how logic works. On the one hand, we have hundreds of thousands of cases of people being railroaded for crimes they didn't commit based on no solid evidence. On the other hand, we have tens of millions of cases of people being railroaded for crimes they did commit, also based on no solid evidence.
But let's assume that second group consists only of convictions where the defendant's guilt was somehow actually proved. That wouldn't mean the system operates on the principle that people are innocent until proven guilty -- that claim is already falsified by the existence of the first group. It would mean that proof of guilt is often provided even though it isn't required.
The thing is that when dealing with something on the scale of the justice system even a hundred examples don't mean it occurs more than a fraction of a percent of the time. When assessing anecdotes to try and determine event frequency you need to understand how the anecdotes were sampled.
The law and law enforcement are two different things. Law enforcement works roughly like this: they get an IP of a website, they go to an ISP, the ISP says it's this reseller, they go to the reseller, the reseller says it is this customer, they go to the customer, the customer says this IP posted the bad thing, they take the new IP and go to the ISP, the ISP hands over the original user's details, they go knock on the user's door.
It is basically a turd rolling down hill that nobody wants to touch and everyone wants to pass on to the next person. At each step YOU are responsible for the bad thing that happened until you give them a new person to look at.
If you think it works any differently, take a look at what happened to the "TheDonald" forum after January 6th. You can shout and scream about freedoms and rights all you want, but when your girlfriend has to explain to her boss why the FBI came around asking questions about you - you hand over the next guy down the line super quick.
> It is basically a turd rolling down hill that nobody wants to touch and everyone wants to pass on to the next person.
You’re just making assumptions without referring to the facts.
Mullvad is a Swedish company and falls under Swedish and EU jurisdiction.
ISPs in the EU are indeed required to keep track of which subscriber had which IP at what point in time. Some do this gladly and some try their absolute best to sabotage the process (like Bahnhof).
However, Mullvad is a VPN provider. They are not an ISP. If you claim that Mullvad is legally required to log IPs, then source that claim, because they clearly are not and if that claim is true that would mean they are breaking the law, which I doubt they would be willfully doing.
In your example, the buck stops with the VPN provider (which again, is not an ISP) because the info they provide is of no use.
In some cases, the buck even stops with the ISP without a VPN, because in many jurisdictions there are demands placed upon the seriousness of the alleged crime to allow personal data to be supplied to law enforcement.
40% of Mullvad's servers are located in the United States, which gives them a US nexus and makes them subject to US law. Sweden and the US have a bilateral extradition treaty, so the operators could be arrested and brought to the US to face charges.
US law has a concept of accessory-before-the-fact. Assisting in the concealment of a crime is in itself a crime. Unlike an accomplice, an accessory need not be aware of the specifics of the crime. This was a big stick wielded by US law enforcement against pre-paid phone operators in the early 2000s to compel cooperation.
> one can probably safely assume they do not log who bought which gift card. They are also under no obligation to do so, as far as I’m aware.
You bring up a very good point. Unlike an electronic payment system [0], I assume the amazon gift card is not linked to your account on Mullvad's servers, so probably Mullvad marks the account as paid, but doesn't log the Amazon card number
0. Even that should be safe. Mullvad made a recent decision to get rid of subscriptions. Now your account is never linked to your payment method, and we can assume that it's safe to use your personal credit/debit card. But I'd be careful: if someone is important, there is a possibility of someone tracking and logging their activities, credit card use, IPs before the Mullvad purchase and after they connect.
> Do you seriously believe that a judge or jury anywhere would sentence me for the crime brought forward, or that this would even hold water enough to be prosecuted in the first place?
In some jurisdictions, like Sweden (where Mullvad is based) there is such a thing as "help to commit a crime" that does get prosecuted
The crime you’re referring to, like many crimes, requires intent. You can’t charge someone giving a murderer a ride if that person had no idea they had committed a murder.
Unless you’re in an authoritarian regime where the courts simply follow the whims of the political leadership, selling SIM cards, gift cards for a VPN, knives or ski masks will hardly in separate cases by itself be considered obvious intent to assist criminal activity.
Strawman arguments are weird. Especially owning the corner store piece.
Never mind the fact that you're at trial where a judge and jury are looking at this. Never mind that the point the GP made was that if you have someone knocking on your door motivated to find something, they will find something.
I am assuming if you are a nefarious actor, the goal is to not have this kind of attention, ever. You do this in all of the traditional ways - insulate and delegate.
How is it in any way a straw man argument? I was giving an example of exactly what the comment said was “not a thing”: plausible deniability when buying the cards.
If you buy these cards and re-sell them, you have plausible deniability. If you buy them from a re-seller you have increased anonymity.
Obviously the goal for a nefarious actor (or anyone, probably) is to not end up in court. But it’s objectively true that the idea of Amazon gift cards does in some scenarios actually give you increased anonymity compared to other payment options, if nothing else because of the timing offset if you want to disregard re-sellers.
So you think that prosecution is going to go to court with just 1 piece of evidence and the entire case is going to hinge on the provenance of a Mullvad account?
We’re talking about hypotheticals. If you want to make up a new hypothetical where tying the suspect to the VPN account is irrelevant, what is even your point?
This goes beyond plausible deniability, unless I'm missing something.
Buying a Mullvad gift card makes you at most a Mullvad customer. The cards are presumably one SKU; neither Amazon nor Mullvad knows which one is sent to a given person.
I'm not sure what the connection might be to warrants here? Surely if a judge will sign on "hey this guy uses a VPN can we grab his laptop?", that judge would sign on any other flimsy excuse.
This is exactly right. Commenters here seem to think that the prosecution needs an airtight sequence of steps to prove guilt. Doesn't work like that. They will say things like "we detected that Mullvad VPN was used to cover the perpetrator's tracks. Two days before the incident, the defendant bought a Mullvad VPN subscription over Amazon". They will then move on to the next piece of evidence.
Legal cases are not code, they are often fuzzy and loose, and rely on human interpretation, with all its biases and emotions, to draw a conclusion.
Indeed, it’s a “reasonable doubt” requirement not “100% undeniable proof”.
If the cops confiscate your computer and Mullvad is installed, and your Amazon account has a purchase history of Mullvad gift cards, your claim of “I've never used it before. Those cards were for someone else and I never used the software” won’t get you very far.
I will always assume that any kind of plausible deniability is lost just by design of the law unless they really can't pin it on an individual. The computer misuse act of my country is vaguely defined for this reason, as I imagine the same laws are in the US.
For example, "It wasn't me. A friend used my Wi-Fi!" and similar arguments will not fly, as you can be seen as responsible as the bill payer. Those kinds of defenses could even be considered admissions of guilt.
It's concerning to see how many people suggest you claim your Wi-Fi was unprotected if accused of something. This will more likely be used against you if anything.
This. Honestly, these arguments for plausible "you can't technically prove it" deniability defenses are bizarre and comical. Prosecutions are based on circumstantial evidence all the time, these aren't going to fool anyone. They're the nerd version of Trump's rando cures for covid like bright light and bleach.
What can they technically prove in this case, though? That you bought a Mullvad card in the past? Big deal. Nobody knows who used which card, so they can't track it to you unless you are the only customer who has ever bought a card.
Even if you get into the account directly, you see the user using a code redeemed from a gift card. And then?
You can't associate the code with anything at all, even if you also hack into Mullvad's server. There is no way to tell where the code came from, even for Mullvad themselves, let alone others, as long as there is no serial number that is also displayed on the card without scratching it open.
If it's only one card, then you can say that. But if there is a pattern of Amazon account X buying these cards to be used for Mullvad account Y, then it's harder to deny. Is it possible to redeem Amazon gift cards without an Amazon account? I suppose another thing you can do is buy and swap cards with other people. Each card can be up to 12 months so you don't actually need to do this that many times.
there's no way to prove that the cards bought on amazon account X were used for Mullvad account Y. That would require knowing the codes on the cards that amazon sold you, which no-one would.
all that can be said with certainty is:
1. that these people bought mullvad cards on amazon.
2. these mullvad accounts were paid with cards
All you can say is that 2 is a subset of 1.
If mullvad sells the cards literally anywhere else, then you can't even say that with certainty.
> If mullvad sells the cards literally anywhere else, then you can't even say that with certainty.
Mullvad doesn’t even have to sell them anywhere else: anyone who bought one on Amazon could have re-sold it, individually or in bulk. That’s the clever part.
If you want to re-sell for the explicit purpose of having plausible deniability, obviously the best way to go about that would be to actually re-sell and keep your books straight (like any business is expected to).
The point is that you don’t have to do this, someone else can do it for another reason (namely profit) and the increased anonymity still applies compared to the other payment options.
You're missing the point that Mullvad still has your connecting IP address.
There have been countless cases demonstrating that "no-log" VPN providers definitely do log, and even if by some miracle Mullvad doesn't, they can be compelled to start doing so, as the Protonmail case demonstrates.
This does nothing to reduce the paper trail.
If you really really really trust Mullvad (and you shouldn't), just use Monero.
The on-ramp to "just use Monero" isn't that simple for over 99% of users I'm guessing. Also, if they have your IP address logged, does it even matter how you paid?
The pattern cannot prove anything: just because I buy cards every month doesn't prove I use them for Mullvad. If someone gets shot on my street and I have a gun and none of my neighbors do and they cannot match the ballistics, there is almost no case.
Kind of surprised this hasn't been mentioned yet, but it's pretty commonplace to buy gift cards with cryptocurrencies. So there's yet another layer of anonymity if you buy an Amazon gift card from a stranger/service then use it for a physical Mullvad activation code.
This seems like a silly extra step to add when you can just purchase Mullvad service directly with monero for a 10% discount.
It might even be more likely to deanonymize you since you're forced to interact with a physical thing. It's an extra step in the obfuscation chain that adds personal information (mailing address at least) that wouldn't be added otherwise.
I suppose if you were forced to use a non anonymous crypto like bitcoin that can be easily tracked, there might be some value to this extra step.
It's also kind of silly when you're not anonymous to Mullvad or to the data centers Mullvad pays to run its services out of. They have your IP address, and it's not that hard to go from an IP address to an ISP to an identity.
Don't get me wrong. I think Mullvad is a great VPN service. But if people think it's a bullet-proof solution to the problem of anonymity, they're fooling themselves.
Here's the threat model that justifies using a public VPN:
1. The VPN provider and its infrastructure are trusted.
2. Attackers (private or government) can access data the VPN stores some period of time after you use it, but not while you are using the VPN.
3. Given assumptions (1) and (2) are true, attackers should not be able to determine which websites you visited.
A VPN does nothing if you don't trust the VPN provider (since they can always be lying about keeping logs) or if the government can access the VPN's servers/data while you're using it. But it does protect against one of the most common ways a government/private party could gain access to your browsing history: the government/private party subpoenas the websites you visited or your ISP for all pages visited by a given IP.
In this case, providing an alternate way to pay protects against storing data that an attacker can use to connect your account to your identity.
They actually removed subscriptions just because of that: they were required to keep some info to process payments, but this was incompatible with their vision for privacy.
With single payments they don't need to keep it for so long.
Yeah I would say mailing in cash without a return address or using Monero are the best options. Shipping would be the most difficult to preserve privacy; even a P.O. box will at least indicate your locality. I'd definitely like to hear how the voucher cards work and if that leaves a trail on a Mullvad account.
Or any virtual mailbox, except Amazon lockers can only be used for Amazon packages (unless your place happens to have Amazon Hub). And I do admit postage stamps will add some bits of entropy in terms of datetime and country (couldn't find a list of countries Amazon lockers are located), though much less accurate than a monero or amazon transaction.
Use a reshipping services or just find a drop site you have mail access to and know that no one will be home when its likely to be delivered. In my carding days in the late 90s - early 00s, I would use houses being built that were not occupied yet or still under construction. Carded many Rolexes, Oakleys, and video games like Starcraft Brood War and The Sims this way lol.
The old trick is to find a house where the owner is on a long vacation or not around and mail it there. Of course you could lose your package, so adjust risk appropriately.
You can deliver the package to an Amazon-approved distribution center (I don't know what they call them; basically a shop where they hold your stuff until you come around and pick it up). If you want to anonymize it, you can deliver it to some other state's distribution center and drive there to pick it up. Even better is to give a stranger your phone to go and fetch it from the store, so that your face isn't visible in the CCTV cameras near the store, and while they come back to deliver it to you, you can fake a mugging and "steal" your own phone and the gift card while wearing a PPE kit or something, so that they don't know your dimensions.
Something is very rotten if we came to the point where one can not express speech freely in countries like UK. If that is the case VPNs are going to be a giant market.
>Other Brits who have been convicted under the same law as Kelly include a law student who was sentenced to community service for sending racist messages to a soccer player and a woman who posted songs about Holocaust denial on YouTube.
For more disturbing details of what is to come for UK, read this page:
While I generally believe it to be possible, I am very curious about how Mullvad is storing its payment records to avoid time-based correlations.
For gift cards it's more async, but given that payment processors keep records that can be correlated, if Mullvad isn't careful about timestamping, how it records crediting to accounts, or the like, it would be extremely easy to de-anonymize account relations IMO.
Yes, I definitely think that would be possible. Mullvad clearly lays out what information is stored and for how long depending on the payment method you use[1] and there are clearly trade-offs. If you want the most "anonymous" account possible it's going to take a few days while you wait for an envelope of cash to get to them. For other users it might not be a big deal to use a faster payment method. The important thing is disclosure so users can make their own assessments about their personal risks/rewards.
It's kinda funny that cash is mentioned because at least according to rules I see posted by the Japan post, you can't send over 100 Krone (~$15) via mail into Sweden from abroad.
I suppose if you're in the EU you might be able to get away with it but it is indeed tough.
The main thing that I think is missing in Mullvad's FAQ is about if they have backups of their data. If they do, then differential analysis is possible. Perhaps they only keep backups of past 14 days or something.
There are couple of risks involved using this service:
- adversary identifies that a Mullvad user is doing something, and activity started around X. They might be able to figure out what account number is associated to that.
- adversary identifies that Mullvad user X is doing something. Through payment records and differential analysis (along with other information from banks or the like) they could identify who user X is (modulo credit card theft and the like of course).
Given that Mullvad had accounts with payment processors and those processors have record keeping requirements, it feels like the second threat is very practically doable without very smart handling of backups. But it does seem like handling the first threat is done relatively well. The one risk is that someone starts doing something risky right as they sign up to the account.
Mullvad states 500k accounts. over 10 years that's 136 people/day. You're still looking at a pretty wide net if you can isolate payments from a certain time period.
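The time-based correlation and backup "differential analysis" raised in the last few comments can be made concrete. The following is an added example, not Mullvad's code or data model: a party holding both the payment processor's records (identity plus exact time) and the VPN's account-crediting records joins them on time, first with second-precision timestamps on the VPN side, then with the VPN side rounded down to the day. The processor records, VPN records and backup snapshots are constructed for the example; `max_delay` is an assumed upper bound on how long crediting takes after payment.

```python
"""
Hypothetical timestamp-correlation attack on VPN payment records, plus the
backup differential and the anonymity-set arithmetic discussed in the thread.
Added example with constructed data; not Mullvad's storage format.
"""
from datetime import datetime, timedelta

# Constructed: what a payment processor retains (identity + exact time).
PROCESSOR_RECORDS = [
    {"card": "alice", "paid_at": datetime(2022, 5, 10, 14, 3, 12)},
    {"card": "bob",   "paid_at": datetime(2022, 5, 10, 14, 3, 40)},
    {"card": "carol", "paid_at": datetime(2022, 5, 10, 16, 45, 2)},
]

# Constructed: what the VPN would retain if it stored the exact credit time.
VPN_RECORDS = [
    {"account": "1111", "credited_at": datetime(2022, 5, 10, 14, 3, 13)},
    {"account": "2222", "credited_at": datetime(2022, 5, 10, 14, 3, 41)},
    {"account": "3333", "credited_at": datetime(2022, 5, 10, 16, 45, 3)},
]


def floor_to(ts, granularity):
    """Round ts down to a multiple of granularity (e.g. to the start of the day)."""
    epoch = datetime(1970, 1, 1)
    secs = (ts - epoch).total_seconds()
    step = granularity.total_seconds()
    return epoch + timedelta(seconds=secs - secs % step)


def coarsen(vpn_records, granularity):
    """The VPN side if it only stored a rounded-down credit time."""
    return [{"account": r["account"], "credited_at": floor_to(r["credited_at"], granularity)}
            for r in vpn_records]


def link_accounts(processor_records, vpn_records, vpn_granularity, max_delay):
    """
    The attacker's join. A stored VPN time `start` means the real credit happened
    somewhere in [start, start + vpn_granularity); a payment at t is credited
    within [t, t + max_delay]. Every account whose interval overlaps the
    payment's interval is a candidate for that card holder.
    """
    candidates = {}
    for p in processor_records:
        t = p["paid_at"]
        hits = set()
        for r in vpn_records:
            start = r["credited_at"]
            if start <= t + max_delay and t <= start + vpn_granularity:
                hits.add(r["account"])
        candidates[p["card"]] = hits
    return candidates


def new_accounts_between(older_backup, newer_backup):
    """
    Differential analysis: accounts present only in the newer backup were created
    between the two snapshots, so retained backups date account creation even
    when no timestamp is stored at all.
    """
    return set(newer_backup) - set(older_backup)


def expected_anonymity_set(total_accounts, years, bucket_days):
    """Mean number of accounts credited per bucket, assuming a uniform signup rate."""
    return total_accounts / (years * 365) * bucket_days


def demo():
    """Run the join against exact and day-rounded VPN records."""
    precise = link_accounts(PROCESSOR_RECORDS, VPN_RECORDS,
                            timedelta(seconds=1), timedelta(seconds=5))
    daily = link_accounts(PROCESSOR_RECORDS, coarsen(VPN_RECORDS, timedelta(days=1)),
                          timedelta(days=1), timedelta(seconds=5))
    return {"precise": precise, "daily": daily}


if __name__ == "__main__":
    for mode, result in demo().items():
        for card, accounts in result.items():
            print(f"{mode:8} {card}: {sorted(accounts)}")
    # Constructed backups: 1111 existed at the first snapshot, 2222 and 3333 appear in the second.
    print("created between backups:", sorted(new_accounts_between({"1111"}, {"1111", "2222", "3333"})))
    print("accounts per day at 500k over 10 years:", round(expected_anonymity_set(500_000, 10, 1), 1))
```

With exact timestamps every card holder maps to exactly one account; with day granularity each maps to all accounts credited that day, which at the 500k-over-10-years rate is roughly 137 accounts. Note that rounding only helps if backups are rounded too (or not retained): two snapshots 14 days apart still bound creation to a 14-day bucket via `new_accounts_between`.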
I still have a little over a year left on my NordVPN subscription (bought 3 years for $80 awhile back), but as soon as that's over I'll be switching to Mullvad. I prefer their stance on privacy, and I like the private payment options.
NordVPN and all the other janky services in that space do a couple things adequately, you can pretend to be from another country and get some duck-and-cover on things like torrents, if your ISP doesn't like that kind of thing.
I'm in the same boat, basically. Would it be nice to have a VPN which takes actual security seriously? Sure, of course, but until the end of the year, what $VPN does do is paid for, and I don't care enough, in isolation, about what Mullvad offers vs what I'm getting for free.
Next time my wallet comes out is a different story.
What is the threat model where correlating the payment with the account number is the main threat? If you can relate the account number to Mullvad traffic, then isn't it far easier to monitor the traffic and see what IP is connecting through it (my local ISP IP)? And if you cannot, what harm is there in knowing someone uses Mullvad? I pay by bank card and I don't see the risk here.
Oftentimes, some take the extra step of utilizing services such as rdp.sh or any other "instantly" deployable VM in the cloud (these are services that take monero/cryptos btw), sort of like a bastion host. Once connected to that instance, they would then deploy their Mullvad that was bought via Amazon to add yet another layer of obfuscation.
Home ISP ---> (optional VPN to connect to rdp.sh deployed VM in the cloud) ----> Mullvad VPN on the bastion host
This is of course, not viable for the long term and very cumbersome to deal with if you're doing this on the daily. Unless you are under threat of a nation-state threat actor... you'll be fine.
If you're already doing this and buying an instance with monero, you're just buying Mullvad service with monero as well for the 10% discount they offer for it.
Doesn't that just make rdp.sh a single point of failure? It has access to both your real IP and the contents of your private communications (it even terminates the TLS connection on your side).
Theoretically, chaining 2-3 VPNs together Tor-style would be far better (assuming they all support similar payment methods as Mulivad), but I don't know of any VPN clients that support that.
I think the threat model is a three letter agency demanding a list of customers from Mullvad. Mullvad does their best to make sure no such list exists, but by having credit card info they are forced to know your identity.
I assume that all national security agencies monitor all traffic and can already see I only connect to Mullvad. And I'm sure they will have noticed I use it when going through the logs of several SaaS services and see that it is always a Mullvad IP that uses my account. No secret IMHO
Well yeah, but if it comes to a court case, someone will have to prove that the person that bought the card was also the one that used it. On top of evidence of actual crime, of course.
Yes, buy the Amazon gift card from a store with cameras, with an account set up with your burner SIM purchased from a place with cameras, and pick it up from an Amazon Locker blanketed with cameras. Use cash with fully-tracked serial numbers for all these purchases.
Sounds like a solid plan.
You guys don't seem to realize that tyranny won decades ago, and you're fighting a war that has long been lost.
Deep breath, no need to rain.
As for your point, in any challenge loss is assured by despairing and giving up. So no, winners haven't been declared yet.
Half the stories on HN about major cities involve their inability to prosecute crimes despite being provided evidence but now police are combing through grocery store CCTV feeds looking for people buying Amazon gift cards and Mullvad VPN vouchers? What kind of crime are they prosecuting that isn’t better investigated with a crowbar.
Do these VPN services actually work on consumer websites?
They conveniently list their providers here [1]. For an online shop we operate, we have blocked most of these ASNs because 99% of the traffic we saw from them was malicious.
To my knowledge there are three somewhat used rules that can have an impact on these types of services.
1. Only allow known/cleared bot traffic from any non-consumer ISP.
2. Block any ASN where bad traffic comes from especially if there is no good traffic.
3. Block any VPN services.
I don’t know if Mullvad have their own ASNs or if they are hosted at services with ASNs that are classified as consumer ISPs or not. It is probably a mix.
I know for instance that OVPN have servers at some shady non-consumer ISPs. So, it sometimes gets blocked. It is also, unfortunately, not uncommon that VPN connections are used for attacks. And if the VPN uses a smaller service provider, then that whole ISP may get blocked. If the VPN uses a shady service provider, the VPN may fall victim to other user activity from that ISP.
I have not worked with any site that blocks VPNs altogether. Tor is often blocked along with some countries. Some streaming services block VPNs though. Most sites do not, I think.
The way things are going right now is that these types of services will become more difficult to use on legal commercial sites over time.
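The three rules above, applied to a constructed request log, as an added example (not the commenter's code): the ASN table, its categories, the cleared-bot allowlist and the log lines are all assumptions made here for illustration, and the good/bad verdict per request is assumed to come from the site's own WAF or fraud scoring.

```python
"""Toy traffic policy for the three ASN rules discussed above.

Added example. The ASN table, categories, bot allowlist and log lines are
constructed; a real deployment would take ASN data from a GeoIP/ASN database.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed ASN table: (prefix, ASN, category); prefixes are RFC 5737
# documentation ranges and the ASNs are from the private range.
ASN_TABLE = [
    ("203.0.113.0/24", 64500, "consumer"),   # residential ISP
    ("198.51.100.0/24", 64501, "hosting"),   # cloud / hosting provider
    ("192.0.2.0/25", 64502, "vpn"),          # VPN exit range, only abuse seen
    ("192.0.2.128/25", 64503, "vpn"),        # VPN exit range, mixed traffic
]
KNOWN_BOTS = {"GoodSearchBot/1.0"}   # constructed allowlist of cleared crawlers
BLOCK_VPNS = False                   # rule 3 is a per-site choice; off by default

@dataclass
class Request:
    ip: str
    user_agent: str
    malicious: bool   # verdict supplied by the log (WAF / fraud scoring)

def lookup_asn(ip):
    addr = ip_address(ip)
    for prefix, asn, category in ASN_TABLE:
        if addr in ip_network(prefix):
            return asn, category
    return None, "unknown"

def asn_reputation(requests):
    """Per-ASN good/bad counts: the input that rule 2 needs."""
    stats = defaultdict(lambda: {"good": 0, "bad": 0})
    for r in requests:
        asn, _ = lookup_asn(r.ip)
        stats[asn]["bad" if r.malicious else "good"] += 1
    return stats

def decide(req, stats, block_vpns=BLOCK_VPNS):
    """Return 'allow', 'challenge' (captcha) or 'block' for one request."""
    asn, category = lookup_asn(req.ip)
    s = stats.get(asn, {"good": 0, "bad": 0})
    # Rule 2: an ASN that has sent bad traffic and never any good traffic is blocked.
    if s["bad"] > 0 and s["good"] == 0:
        return "block"
    # Rule 3 (optional): block every network classified as a VPN provider.
    if block_vpns and category == "vpn":
        return "block"
    # Rule 1: from non-consumer networks only cleared bots pass straight through;
    # other traffic from such networks gets a challenge rather than a hard block.
    if category != "consumer":
        return "allow" if req.user_agent in KNOWN_BOTS else "challenge"
    return "allow"

def parse_log(lines):
    """Parse constructed log lines of the form: <ip> "<user-agent>" <good|bad>."""
    requests = []
    for line in lines:
        ip, rest = line.split(" ", 1)
        ua, verdict = rest.rsplit(" ", 1)
        requests.append(Request(ip, ua.strip('"'), verdict == "bad"))
    return requests

def evaluate(lines, block_vpns=BLOCK_VPNS):
    """Apply the rules to a whole log and return [(ip, decision), ...]."""
    requests = parse_log(lines)
    stats = asn_reputation(requests)
    return [(r.ip, decide(r, stats, block_vpns)) for r in requests]

# Constructed sample log.
SAMPLE_LOG = [
    '203.0.113.7 "Mozilla/5.0 (X11; Linux x86_64)" good',
    '203.0.113.9 "Mozilla/5.0 (X11; Linux x86_64)" bad',
    '198.51.100.4 "GoodSearchBot/1.0" good',
    '198.51.100.5 "Mozilla/5.0 (Windows NT 10.0)" bad',
    '192.0.2.10 "Mozilla/5.0 (Windows NT 10.0)" bad',
    '192.0.2.200 "Mozilla/5.0 (Macintosh)" good',
]

if __name__ == "__main__":
    for ip, decision in evaluate(SAMPLE_LOG):
        print(f"{ip:<14} {decision}")
```

The mixed VPN range (64503) is only challenged under rule 2 but blocked once rule 3 is switched on, which is the difference between the "block bad ASNs" and "block all VPNs" policies the post describes.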
In the case of Mullvad, my experience is that something like 5% of websites get pissy about it, and I have to turn it off, or Tor, or whatever else to get around it.
95% of the time, sure. You will hit some companies that will ID it as VPN and refuse though. I just don't do business there and send them an email to update their security policy and I'll try again at some future date. I even have a template email that I keep just for that purpose.
If I received such an email I wouldn't do anything about it. 99.9% of the traffic we see from M247 is malicious and there is no chance that I would unblock this ASN on an online shop.
And that's fine! That's the beauty of the freedom of choice. I can take my business elsewhere and the company that banned the mullvad IP can have one less potential (but not really a) hacker to worry about.
I wonder how refund works. What if one buys the code, copies it and then ships the voucher back asking for refund? How do you invalidate the code without linking the code to the purchase?
I would imagine that Amazon either won't let you refund this (since it's basically a gift card), or if you try to refund it and return an opened package your refund will get denied.
No need to specifically invalidate the code inside to stop you from doing refund fraud.
It looks like a scratch-off code like on Netflix gift cards. Once you've scratched it off there won't be a refund available, would be my guess, just like any other gift card and many digital purchases.
As someone who handles a lot of gift cards, it's not hard at all to cover the code back up. They sell little peel and stick things online, or it's not hard to make your own. There are people that go around to stores, take unactivated gift cards, scratch off the sticker to get the code, and will then reapply another one and put it back in the store to be bought and activated by someone, meanwhile they are periodically checking whatever website you can see the balance on to see if it's been activated yet so they can use it or sell it out from under you.
So my guess would be Amazon doesn't take returns on giftcards in the first place.
Has anyone managed to get this setup at their router level? I am planning to go nomad, and I am trying to see if I can use USA VPN while I'm in Brazil. My employer doesn't allow working from non-US IPs.
I'd use "kill switch" software on your PC instead, which kills your access to the Internet if the VPN goes down. This way, if you accidentally disconnect from the VPN, your Internet also dies, and it's limited to your computer alone.
This is what I do - I can't use router-based VPN or piHole type stuff because people on my network work on ad-related products or use sites that don't play well with VPNs or DNS-block lists of advertisers, for example.
Of course, you can terminate the VPN software manually and the kill switch and access sites using no VPN if you want, which allows for mistakes, but pretty rare in my experience. Best is to simply have another machine that doesn't have VPN software on it and you use over the naked Internet.
I would not recommend doing that, you will need to be able to selectively turn it off or change it sometimes... VPN blocking is unfortunately becoming more common among popular services. I have to disable or at least switch servers quite often to access popular services.
Also if you are new to the game, make sure you use WireGuard, it leaves the large complex VPN protocols of old in the dust. It adds almost no latency to my connection, sometimes speeds things up.
You've probably heard about them a lot on HN but I'd recommend Mullvad, they are also big on WireGuard, lots of servers, lots of countries, well known for privacy focus... I don't even use their app, just download the WireGuard configs and use wg-quick to bring them up from the cli, been using them for a few years now I think.
I think a lot of people here are missing the point that you can buy these and give them to friends and family members that might otherwise never try a VPN. It’s a great usability and marketing move.
WTF? Because using a VPN is essentially trying to be shady? But the rampant data thieves aren't the shady ones? Would you want to protect mum from a peeping tom?
I just switched over from PIA to Mullvad like last month or so. Really surprised that Mullvad asked for literally no information from me - no username, password, email etc. I'm setting reminders on my calendar to remember to add more time to my account, but other than that, VPNs shouldn't have more info than that.
More on topic: Doesn't say on the page, but does the card ever expire?
Nice! To be honest my reaction to removing subscriptions was a bit 'ehh, I get it, I know I should be pleased, but subscriptions are actually really convenient'.
But this is pretty much fine. Maybe/hopefully (I'm not too lazy to check - 'GB' is 'upcoming') I can Amazon-subscribe and the only difference will be a bit of code-entering admin.
I also was a little annoyed with having to manually manage something that was on auto-pilot for me but I found a happy medium I think. I bought 2 years in advance and then I have reminders every year to add another year. That way I should always keep a 1 year buffer if something slips a little. It's not perfect but I don't think it will be that bad.
I considered that, I haven't really used it enough yet to commit for so long though. Put it on my mental 'backlog' as it were for now while I have the existing subscription (good until the card it's on expires iirc), and in the meantime this popped up.
I love Mullvad, but I fear that they will become a victim of their own success. The more prominent the service becomes, the bigger priority it will have for intelligence agencies, despots and ad companies to undermine/hack/subpoena it.
You shouldn't use a vpn to protect you from 3-letter agencies. Assume they already have the access they need regardless. You should be using this to protect you from private companies hoovering up your data, for that, a vpn is essential.
Your ip address is hidden. For the case of my ISP (which I trust as far as I can throw them), my traffic is end to end encrypted. This also applies if you're using someone else's internet connection and do not trust them not to snoop on you (such as your employer's BYOD wifi, or a starbucks wifi, etc)
Your IP address isn’t really a primary fingerprinting method for anybody these days. People and devices are overwhelmingly mobile, and many users will connect via the same IP.
Starbucks snooping is resolved by more ubiquitous technologies like HTTPS, DOH, and encrypted SNI.
This isn't true in my experience at least for ad tech. Finger printing has moved from a deterministic process, to probabilistic models and IP plays a meaningful role in that. I believe it is why Apple spent the time building Private Relay for instance.
You are being downvoted but this is exactly my fear. They're almost too good, they're now the obvious best choice for a public VPN service and therefore an obvious target for the TLAs.
Been using Mullvad for over 6 months now. Really like it.
I wish they offered a way to whitelist streaming apps on iPhone or at least make a widget to make it easy to turn VPN on and off.
>The design of the activation code removes the possibility for third parties to link a payment to a Mullvad account, for privacy.
Considering that a primary use-case for a VPN is as one of the tools to help shield your data from the rampant data thieves, of which Amazon is a particularly powerful adversary, I would need a much clearer explanation of how this is a privacy enhancer.
Mullvad having a business relationship with Amazon is inherently troubling.
I think the idea is that what you are getting from Amazon is a card with a code on it. Amazon doesn't know which code it's sending you, you just get one at random. Mullvad likewise doesn't know which code Amazon sold you. So you get your card, enter the code into Mullvad, and none of that information is trackable to you. Amazon would know you bought a Mullvad card but would have zero way to link you to a specific code. Mullvad might know the code was purchased from Amazon, but not who was the purchaser. Worst case scenario is that Amazon rats you out to the police/CIA/NSA/etc and now you are on a list of people that purchased Mullvad VPN services.
Mullvad has been selling these cards at various retailers, one of them Webhallen which is both an online and physical store in the Nordics. However, many/most people in the US get a large fraction of their purchases through Amazon. So to sell to people in the US they need some way of doing it. The important bit is that the actual account code is hidden behind one of those scratch panels. So Amazon does not know your Mullvad account.
Now an adversary with enough geographic information about who connected and access to all of Amazon's data could possibly correlate purchases with connections. 10 years ago I would have considered that infeasible, after Snowden I'm not so sure. If you live in a big city it is likely still no issue, but if you are in some small town with a population of 1000 things might still be traced back to you. Still it's likely significantly superior to pretty much any other method including using crypto. If you are a possible target of a state actor you hopefully are thinking about this already.
Heck, if you live in a city with a techie population, then buy a bunch of cards, throw them in a bucket, then sell them for a 1% markup, in cash, at any tech meetup you attend. Buy more cards periodically and toss them into the bucket for people to pull at random, so there's no plausible correlation between time of issuance and time of use. This also covers your own tracks as well, if you ever need a VPN.
At least Webhallen in Sweden sells them in physical stores around the country. Not sure about other places though.
Weirdly enough it's also cheaper to buy a 12m card there (500SEK instead of the usual 600SEK). Checked, and they're listed as a reseller on Mullvad's page so they must've gotten a good deal / are selling at a loss.
See, this article made the hairs on the back of my neck stand on end; I don't believe this is aimed at legitimate users of the service, but aimed at people who are told to go and buy one of these cards for someone else.
So if you're paranoid, would you fund your account through a card that was bought on Amazon by a family/friend? Instead of linking back to you, it links back to someone close to you, who probably has no privacy/security skills and bought it by asking their Echo Speaker.
There is this really great South Park episode where one of the characters has the 'ability' to distinguish between actual news content and advertisements disguised as news [1].
I feel like this is - sadly - more and more required as well when browsing HN as there seem to be more and more postings where an advertisement is disguised as 'hacker news'.
Can someone enlighten me how the availability of coupon codes for a VPN provider on Amazon is considered news?
It's not a coupon or a promotion. It's an alternative payment method so that Mullvad does not need to store any identifying information about its customers. See https://mullvad.net/en/blog/2022/6/20/were-removing-the-opti... for information about the situation they are mitigating.
I assume in this context it's because HN isn't just an aggregator but is instead also a community, a community in which Mullvad is rather popular (given previous discussion on the topic). So yes it's an advertisement but it's also relevant news to this community, personally speaking the "News" post here about Mullvad supporting Monero is what finally made me switch over to it, so the news and ad were relevant to me as a part of this community. (and it was relevant without them tracking my every movement, how is that possible??)
I think people here are also interested in the steps Mullvad takes to improve user payment privacy, as again every time "news" about new methods of payment or concealment of user payment history is always met with high praise and interest. (as far as I've seen anyway)
The original blog post is an advertisement, they are advertising a new payment method. Whether or not this specific post on HN linking to the advertisement is also "just an ad" is what's up for debate.
Because Mullvad has no info who bought this, so if they get any warrant or anything asking to track someone, they could say they can't technically do that.
But Amazon straight up gives camera access to Ring Doorbells to police without user consent or a court warrant. If you're paranoid and a Mullvad customer, you should probably treat Amazon as if it was a part of the US government.
Non sequitur. All the government could force Amazon to reveal is that you purchased that gift card. They can’t A) prove that you used it vs handing it out as a gift B) tie the purchase to a specific Mullvad account.
The government does get a limited number of potential users. Can this together with fingerprints, ping latency(?) etc. be used together with Amazon info to narrow down the VPN user (in theory) or is that impossible?
For example, if Mullvad only had 5 users in separate continents, could one measure the latency and cross-reference with an Amazon buy history to identify the VPN user?
Unless the card has a visible QR/bar code that is 1 to 1 with the hidden code. Then we are f*ed. Not mentioning this as a criticism, I like Mullvad, bought this card a couple of days ago and thought about that case when buying it.
Perhaps news to some, non-news to some. Why do we allow "product launches" on HN? Why let anything with a commercial motive ever appear on this forum? Because HN serves a very broad audience, and consequently allows information that might not pertain to everyone but still deemed valuable by some.
I sometimes find the things being advertised interesting. Not because I want to buy them but rather things being pushed and who pushes them can help stay abreast of what's happening in the world.
A specific example from a little while ago in my life--I saw an article advertisement for Microsoft's sovereign cloud offering. I thought this was interesting because I think the Internet is balkanizing over time and how megacorps try to play in that scenario interests me.
I still don't know that it qualifies as news, to your point, but Amazon involvement, however incidental, in Mullvad is a datapoint I'm glad to have.
The South Park episode discusses advertisements that are disguised as news to get clicks. That’s deceptive and bad.
This is a product announcement from a startup. HN is all about products and startups and this one in particular is popular here. Advertisements aren’t necessarily bad, and as far as ads go, this one is the best kind.
Fun fact: The original name of HN was actually “Startup News”.
HN is pretty explicitly about commerce and specifically tech related to commerce. It's one of the few places I frequent where self-promotion is encouraged.
This is part of what makes HN unique and great in terms of tech news sites.
I don't use a VPN, but am glad to know of product offerings like this. If this is an "ad" then bring it on, I say.
Mullvad VPN AB is owned by parent company Amagicom AB. The name Amagicom is derived from the Sumerian word ama-gi – the oldest word for “freedom” or, literally, “back to mother” in the context of slavery – and the abbreviation for communication. Amagicom stands for “free communication”.
The team
Mullvad VPN AB and its parent company Amagicom AB are 100% owned by founders Fredrik Strömberg and Daniel Berntsson who are actively involved in the company.
My impression of Fredrik and Daniel is that they are passionate about the technology - not making a startup exit. If they did an exit, which I don't think they will, it would probably be because they want to go back to a smaller company again. They would just start a new smaller VPN service after they got paid.
disclaimer: I'm a random dude on the internet that thinks he knows more than he does.
I think it is increasingly likely they will have to shut down (or at least move) the company to remain principled. Just in recent years Sweden haphazardly requested to join NATO (and is kowtowing to Turkey), SIM cards started requiring registration and it became illegal not to register where you live. And there is very little in terms of developments, politics or people to suggest that it will stop anytime soon.
I’m not sure what insinuation you’re trying to make by saying that Sweden’s request to join NATO is ”haphazard”, but I’m pretty certain I don’t like it.
SIM cards requiring registrations is a development in the direction towards less privacy, I’ll give you that.
Lastly, since when has it been optional to be folkbokförd in Sweden?
It was always required but not illegal. Which made it impractical but still an option not to do so. It wasn't uncommon for people living with their friend, partner or in a bad neighborhood to remain registered somewhere else. Now it is illegal and people actually get sentenced in court for living a month with their girlfriend without letting the government know. And it is already being selectively enforced against those the government doesn't like but can't prosecute for something else.
You might not like it but it is true. Finland had a plan to join NATO in case they felt they had to. And when that happened they had plenty of political and public debates and support. Sweden's plan was to cooperate with Finland. In the declaration of government from late last year it was declared that Sweden shouldn't join NATO. So when Finland wanted to join NATO Sweden no longer had a plan and therefore without convincing debate or support also requested to join NATO.
This is important because laws, policy and principles aren't worth much if you can quickly change them. Sweden has shown itself capable of changing fundamental things if it is sufficiently freaked out. And to do so without much resistance or recourse. As Sweden had no alternatives, and with many even stating so publicly, it also isn't in much of a position to resist demands from the US or other countries like long standing members would. It is likely that Sweden will become a "Nine Eyes" country like Denmark which has resulted in numerous incidents for them in recent years.
And these are not the only examples. It's everything from Swedish police using teargas for the first time in history with barely anyone noticing to not being able to publish scenic drone footage without approval.
You don't have to buy from anywhere, you can scribble your account number on some newspaper wrapped around cash, send it in, and they credit you. I'd be surprised if you couldn't get some credits for a batch of chocolate chip cookies or something, they accept so many forms of payment.
I have been (and still am) a long term supporter and subscriber of Mullvad services. I don't foresee that changing.
One concern though, is the blanket blockade of their IP addresses across multiple services; I'm not talking about the avalanche of captchas one must deal with, but for example: I wasn't even able to update a fresh install of Ubuntu via sudo apt-get update && sudo apt-get upgrade... it refused to connect to Mullvad IPs.
I've been running into this problem more and more, first it was Linux distro issues, then, my gaming client, and perhaps the worst, GitHub itself.
I'm not sure what the solution is here, since Mullvad provides unparalleled respect of privacy; but the IPs they use are almost always associated with the highest levels of fraud.
Perhaps, this is the price I am willing to pay for privacy done right. Props to Mullvad, for being the best in that regard.
This is arguably one of the big problems with the Internet today.
On the one hand, browser automation is extremely effective and nearly indistinguishable from human traffic, and bot traffic often eclipses that of human visitors, depending on what you're serving, consuming an enormous amount of resources.
On the other hand, using IP-reputation to decide who gets a captcha is one of the few methods that undeniably works. It's really unfair and I wish it didn't have to be that way, but at least for my websites, I can't serve traffic to human visitors if I don't discriminate against these IP blocks with captchas and whatever. I just don't have the hardware. The bot traffic I get is something like 50x that of sitting at #1 on the HN front page.
I've been thinking a bit about trying out something different here. What I have in mind would be an alternative method that the user can opt for instead of the captcha (if flagged). It would be for those privacy people on Tor or Mullvad or what have you and will not compromise on privacy but may be a bit more techy/involve some form of crypto (no investments or new coins etc tho).
So you'd still have the CAPTCHA of today but with an alternative.
Assuming it's something that would seem to be a usable and smoother solution for those people you are today locking out or providing a hassle for without a significant increase of malicious bots (maybe you'll even get less if it works all right and it means you can tune up the aggressiveness in the rest of the system), about how willing would you be to try something out?
(I'm aware of PrivacyPass but IME while I did have it work at times, most of the time it works extremely poorly to the point of being unusable on both Cloudflare and hCaptcha, while maintenance and support seem on the backburner)
Anecdotal point of data: M247 seems to run a lot of bad-faith traffic as well - while a service I run tries to keep block lists minimal even for frequently abused endpoints (eg credential stuffing) their ASNs are a mainstay in there.
> since Mullvad provides unparalleled respect of privacy
This is both their selling point and their main problem; privacy means criminal abuse. This is true for all kinds of anonymity, hiding your tracks, hiding your payments, etc; Tor, cryptocurrencies, encrypted chat, they all suffer reputation damage due to criminal abuse.
And there is no obvious solution that does not impede users' privacy, as far as I know.
Almost every site I've seen blocked on Mullvad seems to show a Cloudflare 'access denied' page. Since most sites using Cloudflare still work, I assume there's an option for site owners to block known VPN addresses.
Privacy. Privacy is Mullvad's whole central thesis. When you use a credit card to sign up, they're legally required to keep tabs on you. If you buy a gift card off Amazon and use that to pay for your VPN, Mullvad will have no idea who you are and can't give much information on you even when forced by a court.
A $1.3T behemoth that readily reports Ring data to the pigs and runs large-scale cloud contracts with the Feds totally won't run these cards through a UV-B or X-ray scanner to correlate and log the activation codes.
You're 100% safe with Amazon. Hell, they even have a smile in their logo. Who could possibly doubt that?
The code must be scratched free first, so I assume Amazon doesn't know the code, and thus can't link it to a specific account. And I assume Mullvad themselves are not linking the code to an account either, but just check validity and then charge up the account by the value.
There are probably indirect ways to force a linking, but they are probably also highly illegal. And people could also just exchange gift cards or use more indirect ways to buy the cards, to dilute those data further. So overall this is a rather useful solution, as long as more than a handful of people will buy them through Amazon.
> The code must be scratched free first, so I assume Amazon doesn't know the code
This is the part I’m not following. Unless Amazon takes specific steps to intentionally not track the code (and this doesn’t sound very Amazon-like), why would we assume Amazon doesn’t know the code?
The scratch off protection is to prevent shoppers from seeing the code in stores, and to provide assurance that the card hasn’t been used yet (“used” as in the number is now in someone’s possession).
Edit: I misinterpreted the nature of these cards and commented prematurely.
My understanding is that Amazon is not the one printing these cards. Unless they go out of their way to scratch the card off themselves and then cover it back up or create a knockoff, the pack of activation cards they receive are all effectively indistinguishable from Amazon's point of view. They could track which of the various indistinguishable cards was shipped where, but that doesn't help towards determining who was shipped any given code.
The above attack might be a possibility if you're already being actively tracked by the NSA, but at the very least this approach gets you some degree of forward privacy in case the NSA only starts hardcore snooping after the card was already delivered to your door. Whether or not it is a useful degree of privacy is out of my area of expertise.
On Mullvad's end, they also don't have to keep track of which gift card was used with which account, they just have to mark off that gift card as spent and credit the account, unlike payment methods where they have to retain billing-to-account linkage.
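A toy model of the flow this post and the earlier comments describe, added here as an example (it is not Mullvad's or Amazon's code): the retailer ships sealed cards and records only buyer and order, the issuer marks a voucher spent and credits an account without recording which account redeemed which code. Two switches model the two places the chain can be closed, the visible 1:1 serial worried about earlier in the thread and an issuer that does log redemptions; the code format, hashing, record layouts and names are assumptions.

```python
"""Toy model of the scratch-card voucher flow (added example, constructed names).

  card_has_serial     -> the retailer can read an identifier tied 1:1 to the code
  issuer_logs_account -> the issuer records which account redeemed which code
Only when both links exist can the two ledgers be joined buyer -> account.
"""
import hashlib
import secrets

def code_hash(code):
    # The issuer stores only a hash, so a database leak does not expose unused codes.
    return hashlib.sha256(code.encode()).hexdigest()

class Issuer:
    """Plays the VPN provider: holds vouchers and account balances, nothing else."""

    def __init__(self, logs_account=False):
        self.logs_account = logs_account
        self.vouchers = {}      # code_hash -> {"months", "spent", "serial"}
        self.accounts = {}      # account number -> months of credit
        self.redemptions = []   # only filled when logs_account=True (the bad design)

    def mint(self, months, with_serial):
        code = secrets.token_hex(8)                    # constructed 16-hex-digit code
        serial = secrets.token_hex(4) if with_serial else None
        self.vouchers[code_hash(code)] = {"months": months, "spent": False,
                                          "serial": serial}
        return {"code": code, "serial": serial}        # what is printed on the card

    def redeem(self, code, account):
        v = self.vouchers.get(code_hash(code))
        if v is None or v["spent"]:
            return False                               # unknown or already used
        v["spent"] = True                              # mark off the voucher ...
        self.accounts[account] = self.accounts.get(account, 0) + v["months"]  # ... credit
        if self.logs_account:                          # privacy-defeating variant only
            self.redemptions.append({"serial": v["serial"], "account": account})
        return True

class Retailer:
    """Plays the marketplace: ships sealed cards, records buyer plus any visible serial."""

    def __init__(self, cards):
        self.stock = list(cards)   # the code is under the scratch panel; never recorded
        self.orders = []

    def sell(self, buyer):
        card = self.stock.pop(secrets.randbelow(len(self.stock)))   # random pick
        self.orders.append({"buyer": buyer, "serial": card["serial"]})  # None if sealed
        return card

def correlate(retailer, issuer):
    """Adversary holding both ledgers: which (buyer, account) pairs can be proven?"""
    by_serial = {r["serial"]: r["account"] for r in issuer.redemptions if r["serial"]}
    return {(o["buyer"], by_serial[o["serial"]])
            for o in retailer.orders if o["serial"] in by_serial}

def simulate(card_has_serial, issuer_logs_account, buyers=("alice", "bob", "carol")):
    """Run purchases and redemptions under the chosen design; return provable links."""
    issuer = Issuer(logs_account=issuer_logs_account)
    retailer = Retailer(issuer.mint(12, card_has_serial) for _ in buyers)
    for i, buyer in enumerate(buyers):
        card = retailer.sell(buyer)
        account = f"{1000 + i:016d}"                   # constructed account numbers
        assert issuer.redeem(card["code"], account)    # first use credits the account
        assert not issuer.redeem(card["code"], account)  # second use is rejected
    return correlate(retailer, issuer)

if __name__ == "__main__":
    for serial, logged in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"serial={serial!s:5} issuer_logs={logged!s:5} ->",
              sorted(simulate(serial, logged)))
```

Breaking either link is enough: with sealed cards the issuer's redemption log is useless to the adversary, and with a visible serial the issuer's decision not to log redemptions still leaves the join empty.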
If you are like me who subscribes to Jim Browning’s channel you know this technology would eventually be misused by scammers. Does Mullvad have any plans to counter it?
The technology is the same as any other gift card (cash-like instrument identified by code that can be transferred over the internet or phone). Scammers also use regular bank transfers, wire transfers, cryptocurrencies, and payment services like Zelle and Venmo. Gift cards are convenient because they're cash-like, but they don't enable scams.
ATM, it doesn’t seem like Mullvad is selling these in stores. If a scammer wants a quick payout with less chance to get found out, they will get the gift cards from a physical store.
It’s a great compromise. It allows Mullvad to sell physical cards without becoming a logistics company, and anyone who doesn’t want cards (or doesn’t want to support Amazon) can use one of the numerous other options available, including paying with cash.
I know Mullvad already allows you to e.g. send cash in an envelope for total privacy, but that's kind of a pain, it'll take a long time to arrive, if the envelope is lost there's nothing you can do, etc.
But by physically printing covered-up codes on cards, this actually uses Amazon to create the privacy/anonymity, which kind of feels ironic given how Amazon generally tries to hoover up all the data. You can get your code with fast Prime delivery, a tracking number, pay for it with your credit card, get a free replacement if it's lost in the mail...
I love this.