When you choose to use a VPN service, you switch your trust from your internet service provider to your VPN provider. The big difference between internet service providers and VPN providers is that – unlike the internet service providers – VPN providers aren’t obliged by law (in Sweden and many other countries) to register and log your traffic. That’s why VPN services are able to handle the traffic with your privacy in focus. The problem is that they don’t all do that. So it’s important to think carefully about your choice when it’s time to pick a VPN service – at least if you want a VPN provider that cares about privacy, and if you want to reduce data collection.
Over the years, there has been one news article after another about how VPN companies have leaked their customers’ data despite claiming that they didn’t log their customers’ traffic. There have even been cases where it’s emerged that VPN companies have logged and mapped their customers’ traffic and sold it on to third parties. And when Consumer Reports carried out a major survey, they discovered that 12 out of 16 VPN services presented their services and technology in a misleading way and exaggerated how well their service protected their customers. You can read the whole report here.
In other words, when it’s time to choose a VPN service you’d do well to start by reading the type of independent reports we mentioned above. That’s a good start. Another way to take the temperature of your potential future VPN service is to look at the other companies they surround themselves with. For example, how serious, relevant, and knowledgeable are the companies that carry out independent audits of their VPN service? There is a big difference between an audit carried out by a security company from the tech world and one carried out by ordinary auditors – just one small example taken from reality. The same is true of partners. Do they collaborate with other organizations or companies that have a history of being credible and transparent?
Ultimately, it’s about putting the VPN providers to the test by looking for answers to the difficult questions. A good source is the survey carried out by the Center For Democracy & Technology in 2018, together with VPN companies that were willing to answer the questions. It’s a few years old now, but the questions are still just as relevant for checking your choice of VPN service. If you’d like to see the entire document, you can find it here. Now, let’s take a closer look at the questions and how Mullvad answered each one.
Number 1: Who owns the VPN service? Is there a parent company that earns money from data collection?
Why is this important when it comes to choosing a VPN service? Short answer: this is a classic auditing technique. If you follow the money you get answers that might not otherwise come to the surface. Since it’s important to be able to rely on your VPN provider, you might want to know if they’re part of a bigger company group where data collection is one of the major revenue sources. Or if they have owners who have previously been involved in mass surveillance and data collection in one way or another.
Question from the Center For Democracy & Technology: What is the public facing and full legal name of the VPN service and any parent or holding companies?
The public-facing name is Mullvad VPN.
The legal name of the company is Mullvad VPN AB.
Parent company is Amagicom AB, which is directly owned by the founders Fredrik Strömberg and Daniel Berntsson. Both Mullvad VPN AB and Amagicom AB are incorporated in Sweden.
Neither Mullvad VPN, Amagicom AB, Fredrik Strömberg, nor Daniel Berntsson has ownership or economic stakes in other VPN services.
No other companies are directly involved in operating Mullvad VPN.
Number 2: Does the company own any sites that review VPN services?
It’s a scandal that this question needs to be asked. However, the fact is that the entire VPN review market is swamped by affiliate marketing and bought influencers. Not to mention the fact that VPN companies often own sites that review VPN services, or “only” buy good placement on an external site. Here you can read more about how the media contacted Mullvad to sell us “a place in the top 5”.
Question from the Center For Democracy & Technology: Does the company, or other companies involved in the operation or ownership of the service, have any ownership in VPN review websites?
Mullvad’s answer: No.
Number 3: What’s the business model behind the VPN service? Why you should watch out for “free VPN”.
Not all VPN companies make money by selling their actual VPN service. Clear evidence of this is all the “free” VPN services that exist. How do they make money? A wild guess is that they make money in exactly the same way that many tech giants make money today: selling your personal data, selling your internet behavior. It’s always a good idea to follow the money. This also applies to VPN companies that charge for their service. Does their income clearly exceed the money they receive from their customers?
Question from the Center For Democracy & Technology: What is the service’s business model (i.e., how does the VPN make money)?
Mullvad’s answer: All revenue comes from paying VPN customers.
Number 4: Does the VPN service log your traffic? Here you have to look closely at the details, and not just rely on the headlines.
Now we come to a burning question. According to law, your internet supplier must register and save your traffic. Your VPN supplier doesn’t have to. This is the basic premise behind VPN services. Therefore many VPN companies state clearly that they are a “no logging” service, but the problem is that many VPN services have been caught lying about this. So what can you do? Well, for example, you can look at whether they are specific when they state what it is they don’t log. Are they evasive with their answer? Are they unable to be specific? This can be a warning sign. And a really big red flag is if they start to talk about collecting “anonymous data”. It is, as you can read here, impossible to keep big data anonymous.
Question from the Center For Democracy & Technology: Does the service store any data or metadata generated during a VPN session (from connection to disconnection) after the session is terminated?
We log nothing whatsoever that can be connected to a numbered account’s activity:
- No logging of traffic
- No logging of DNS requests
- No logging of connections, including when one is made, when it disconnects, for how long, or any kind of timestamp
- No logging of IP addresses
- No logging of user bandwidth
Number 5: Does the VPN service save data in any other way?
When it comes to data collection, you have to be zealous. This isn’t the place to learn more about DNS, but you can read more about scenarios where your traffic can leak outside your VPN tunnel and Mullvad’s efforts to make sure that doesn’t happen.
Question from the Center For Democracy & Technology: Does your company store (or share with others) any user browsing and/or network activity data, including DNS lookups and records of domain names and websites visited?
Number 6: How does your VPN service handle inquiries from governments?
Where in the world your VPN service is based has an effect on how secure it is for you as a customer. Here you can read more about why Sweden is a good place for Mullvad from a legal point of view. This question is partly about the laws in the country where the VPN service is located and the government’s ability to put pressure on the company, but it also involves how the VPN company handles data and the processes in place in case they get a visit from the police, for example.
In Mullvad’s case, in 2023 we had a real-life test of our process: here you can read more about how the National Operations Department (NOA) of the Swedish Police visited the Mullvad office with a search warrant, and how they left empty-handed (because we don’t save any data).
Question from the Center For Democracy & Technology: Do you have a clear process for responding to legitimate requests for data from law enforcement and courts?
Mullvad’s answer: Yes, see our article “How we handle government requests for user data”.
Number 7: How does your VPN make sure no unauthorized person can read your traffic?
When you choose a VPN service, it isn’t only about trust, but also competence. We’re getting into technical stuff here, but it’s important to check this out too. The question is what your VPN service does to keep your traffic and your data secure and private.
Question from the Center For Democracy & Technology: What do you do to protect against unauthorized access to customer data flows over the VPN?
Mullvad’s answer: Secure systems are required for privacy, and since Mullvad’s beginning, security has always been deeply ingrained in our culture.
- We only utilize the two best VPN protocols, OpenVPN and WireGuard (we were an early adopter of the former and we pioneered the latter).
- In our app we offer such security features as a kill switch, DNS leak protection, and IPv6 support, all of which we were either first or among the first to introduce.
- Because reliability is paramount, our app is built in Rust, a programming language made for building secure programs.
- We use code signing for app and server code.
- The code is reviewed by several people in our team before it goes into production.
- We require everyone who has access to production servers or customer correspondence to run the Qubes operating system.
- We work with segmentation of access (to the servers, for example).
- We also protect our workstations against tampering.
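Both Number 5 (traffic leaking outside the tunnel) and the DNS leak protection bullet above come down to one question on the client side: does every DNS resolver the host uses actually get routed through the tunnel interface? The script below is an added example, not Mullvad’s code; it runs a longest-prefix-match over a constructed routing table and flags resolvers that would leave through the physical interface instead. The interface name wg0-mullvad, the address ranges and the resolver addresses are all constructed sample values.

```python
"""Flag DNS resolvers that would be queried outside the VPN tunnel.

Added example (not Mullvad's code). It reproduces the host's route lookup
so you can see which interface a query to each resolver would leave on.
"""
import ipaddress

# Constructed sample routing table: (destination CIDR, outgoing interface).
# Interface names and ranges are illustrative, not taken from any real host.
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "wg0-mullvad"),      # default route goes through the tunnel
    ("10.64.0.0/10", "wg0-mullvad"),   # tunnel-internal range (constructed)
    ("192.168.1.0/24", "eth0"),        # local LAN stays on the physical NIC
    ("203.0.113.5/32", "eth0"),        # pinned route to the tunnel endpoint
]


def route_interface(routes, dst):
    """Return the interface a packet to dst leaves on (longest-prefix match).

    Returns None when no route covers dst, which a caller should treat as
    a misconfiguration rather than as "safe".
    """
    ip = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def find_dns_leaks(routes, resolvers, tunnel_iface):
    """Return every resolver whose route does not go via tunnel_iface.

    A resolver reached over the LAN (typically the home router) means DNS
    queries bypass the tunnel even though all other traffic is protected.
    """
    return [r for r in resolvers if route_interface(routes, r) != tunnel_iface]


if __name__ == "__main__":
    # Constructed resolver list: one inside the tunnel, one on the LAN.
    resolvers = ["10.64.0.1", "192.168.1.1"]
    leaks = find_dns_leaks(SAMPLE_ROUTES, resolvers, "wg0-mullvad")
    print("leaking resolvers:", leaks)  # expected: ['192.168.1.1']
```

On a real machine you would replace SAMPLE_ROUTES with the output of your platform’s route table and the resolver list with what the system resolver is actually configured to use.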
Number 8: Does your VPN supplier do their utmost to keep your data private?
If you choose your VPN provider from a privacy perspective it all comes down to this: do they do their utmost to keep your data private? Is their primary purpose to reduce data collection? For example, when we removed the subscription option for our customers, it was with privacy in mind. It wasn’t the most comfortable decision to take, but it was the right one. And our process for new customers works as it does for the same reason. We don’t ask for any personal information. No username, no password, no email address. Nothing. The only thing you do is to generate an account number – that’s all you need to start your Mullvad account.
Question from the Center For Democracy & Technology: What other controls does the service use to protect user data?
We offer a number of features to protect our users’ privacy, including these industry firsts:
- We accept payment with cash in the mail and cryptocurrencies (Bitcoin, Bitcoin Cash and Monero).
- In our account sign-up process, we ask for no personal information whatsoever, not even an email address.
- Our VPN app is open source (find an independent audit report of it on our website).