According to Mullvad’s cookie policy:
__stripe_mid (expires after one year) – is implemented by Stripe to identify and track a specific user’s device during the payment process for security purposes and is created when you proceed to the Stripe payment page.
But my concern is the info that is logged by Mullvad so there is a link back to the user. That’s a problem for anonymity.
I understand everyone has a different threat model so
If you have a problem with stripe and the IP Linking. Just generate a fresh account via tor, associate that one with mail-in cash payment.
Even if you pay anonymously, it’s always going to be a matter of trust. You can’t prove that mullvad doesn’t log your traffic. You trust that they keep their word. I personally trust them because they don’t seem to have any overly good reasons to betray their reputation and trust.
- You are paying for privacy in the first place. They are expected legally to hold up their end of the deal (via providing VPN service)
- I believe any breach of privacy or maybe terms of service has potential legal repercussions for them so if I were mullvad, I wouldn’t want that. (Some GDPR shit I don’t understand)
Anyone could believe the a service like Proton mail or Mullvad is an NSA honeypot or whatever. I’m open to the idea that anything is possible, however, the probability of a three letter agency infiltrating major VPN providers just to build a surveillance network sounds absurdly unlikely to me.
Here’s the problem with your logic, there is absolutely no anonymity. Anybody can find out, including your ISP, that you are using a VPN. It is publicly available knowledge and there’s nothing you can do to stop that from happening. They can see your IP address connecting to Mullvad. They can’t see what kind of traffic you are doing, but they most definitely know you, as a customer, are using a VPN.
Pay with cash if you don’t like it. Using a credit card is the worst option for privacy.
Paying with a credit card can compromise your privacy, because Mullvad and their payment processor need to save your payment data for some time, and that is linked to your account ID.
You could buy vouchers on Amazon and let them sit for a while (at least a month) before redeeming them.
The voucher code itself is not saved, only an internal ID and the fact that it’s been used. Letting them sit after purchase prevents correlation of the time of purchase with the change of the account balance (which is stored of course).
Please can folks stop downvoting leigitmate privacy concerns. Mullvad themselves would probably appreciate this issues being flagged so they can address them where possible
I don’t think it’s a coincidence that someone flagged Mullvad using Gmail and then they switched to their own self hosted service, for example
XMR - Privacy Coin. Download cake wallet. Set up a BTC, ETH or LTC and XMR wallet inside cake. XMR is hard to obtain in alot of jurisdictions, so buy one of the other three cryptos and do an internal flip to XMR. Use a free VPN app to make the purchase, I’d recommend getting a proton mail account, I think they provide a limited version of their VPN (which also isn’t a bad service). You’d download Proton VPN from Play Store.
For extra anonymity get the official APK if your using Android direct from Proton.com website. Your basically side loading it without Google tracking the download. DM if you need any further assistance.
How does setting up an account with Tor help given you’ll be connecting to the same account via your IP day to day?
You’re assuming that Stripe is not involved if you pay with cash. I can’t quickly confirm that. Even if it wasn’t, there would still be a link back to me via the voucher code.
It isn’t a coincidence, it was them handling a PR situation before it became stupid and ridiculous. Anybody that took issue with them using Gmail has zero knowledge of security. Your use of a VPN is publicly accessible information.
How else do you propose connecting to a VPN service? Mullvad has laid out their logging policies and their audit results, either you trust them or you don’t. If you don’t trust that they’re immediately sending that information to /dev/null, don’t use them. Speculation is pointless.
Huh? It’s cash. Why would a merchant be involved? The only thing Mullvad knows about you in this situation is the IP address linked to the account number who just paid with cash.
lol did you actually read what I wrote?
“the IP address linked to the account number who just paid with cash.”
That seems like a problem. What am I missing?
You’re presumably concerned that the anonymity of getting an account through the Tor network will be rendered moot by the fact that you’re connecting to Mullvad using your true IP anyway, which is a valid concern to have.
However, my point is that if you want to use a VPN service, them having knowledge of your true IP address, even if it is for a fraction of a millisecond before the logs are sent to /dev/null and RAM is cleared, is inevitable. There is no way that I know of to prevent this. If we are to accept Mullvad’s claims as true (wether you do or not is entirely up to you and I’m not going to be drawn on a debate about that because it’s pointless), then this poses an extremely low risk and using Tor to sign up would still offer some form of anonymity, in that there would be no way for Mullvad to associate that account number with your true IP at the point of generation, and your ISP would not be aware that you’re accessing Mullvad’s website. Otherwise, it’s a question of who do you trust more, Mullvad or your ISP?
That’s how VPNs work. Regardless of how you pay Mullvad will always know your IP address.
Exactly. So what’s the point of using Tor in the first place. That’s a the question.
Maybe Tor/Tails is better.
Well as I said, it comes down to whether or not you trust Mullvad and/or your ISP. If you believe that they do what they say they do, it ensures that they have no meaningful knowledge of your true IP from all angles, wether it’s through account creation, payment or actually using the service. It also means that your ISP has no record of you visiting the Mullvad website to sign up, which I imagine is important if you live somewhere where VPNs are regulated or illegal to use for privacy purposes. If you don’t…well I don’t know why you would use a service you don’t trust.
Sure you can use Tor. But it’s incredibly slow. It’s virtually impossible to be 100% private online.