Back to the blog

News — 2018/10/17

Signals of trustworthy VPNs – a multilateral initiative

What makes a VPN provider trustworthy, and how do you know?

Users reasonably expect their VPN provider to be honest with them and that the VPN provider is, in turn, worthy of its users' trust. The user has to trust that any personal information is not misused, that their web browsing habits won’t be abused, and that their data is not unexpectedly handed to external parties.

In short, VPN providers are in a great position of power over their users. To that end, users deserve more honest behavior and transparency from their VPNs.

Working together with the Center for Democracy & Technology (CDT) – a non-profit organization working to strengthen online civil liberties and human rights – and a few other VPN providers, we have developed a list of questions that we believe a trustworthy VPN service should be able to answer truthfully and thoroughly. These questions address issues around VPNs’ corporate accountability and business models, privacy practices, and security protocols and protections.

A trustworthy provider is characterized by consistent actions that show transparency, honesty, and conscientiousness. The purpose of these questions is to increase trustworthy behavior in VPN providers and to help consumers recognize such behavior in order to make more informed decisions when choosing a provider.
 

Questions Trustworthy VPNs Should Be Able to Answer

Below you can read our answers. You can also find them and other providers' unedited answers on the CDT's website.
 

What is the public facing and full legal name of the VPN service and any parent or holding companies? Do these entities have ownership or economic stakes in in other VPN services, and if so, do they share user information? Where are they incorporated? Is there any other company or partner directly involved in operating the VPN service, and if so, what is its full legal name?

The public-facing name is Mullvad VPN.

The legal name of the company is Amagicom AB which is directly owned by the founders Fredrik Strömberg and Daniel Berntsson. Amagicom AB is incorporated in Sweden.

Neither Amagicom AB nor Fredrik Strömberg nor Daniel Berntsson has ownership or economic stakes in other VPN services.

No other companies are directly involved in operating Mullvad VPN.
 

Does the company, or other companies involved in the operation or ownership of the service, have any ownership in VPN review websites?

No.
 

What is the service’s business model (i.e. how does the VPN make money)? For example, is the sole source of the service’s revenue from consumer subscriptions?

All revenue comes from VPN customer subscriptions.
 

Does the service store any data or metadata generated during a VPN session (from connection to disconnection) after the session is terminated? If so what data?

No. For details, see our privacy policy.
 

Does your company store (or share with others) any user browsing and/or network activity data, including DNS lookups and records of domain names and websites visited?

No. For details, see our privacy policy.
 

Do you have a clear process for responding to legitimate requests for data from law enforcement and courts?

Yes, see our article “How we handle government requests for user data”.
 

What do you do to protect against unauthorized access to customer data flows over the VPN?

Secure systems are required for privacy, and since Mullvad’s beginning, security has always been deeply ingrained in our culture.

  • In our app we offer such security features as a kill switch, DNS leak protection, and IPv6 support, all of which we were either first or among the first.
  • We only utilize the two best VPN protocols, OpenVPN and WireGuard (we were an early adopter of the former and we pioneered the latter).
  • Because reliability is paramount, our app is built in Rust, a programming language made for building secure programs.
  • We use code signing for app and server code.
  • All of our sysadmins use the Qubes operating system, as does most of our team.
  • We also protect our laptops against tampering.
     

What other controls does the service use to protect user data?

We offer a number of features to protect our users’ privacy, including these industry firsts:

  • We accept payment with cash in the mail and Bitcoin.
  • In our account sign-up process, we ask for no personal information whatsoever, not even an email address.
  • Our VPN app is open source (find an independent audit report of it on our website).

We are also contributors to the privacy and security communities at large. When we discovered that OpenVPN was vulnerable to Heartbleed and later Shellshock, our warning to the community benefited many other VPN services who took action based on our advice.

In addition, we are the only VPN service to currently offer VPN tunnels with experimental post-quantum security.