
Mullvad VPN Maker Says Police Tried To Raid Its Offices But Couldn't Find Any User Data (theverge.com)

Mullvad, the Swedish company behind Mullvad VPN (virtual private network), says police walked away with nothing after attempting to seize computers from its office. From a report: According to an update on Mullvad's site, the authorities left and didn't take anything after it informed them that the company doesn't store customer data. "We argued they had no reason to expect to find what they were looking for and any seizures would therefore be illegal under Swedish law," Mullvad writes. "After demonstrating that this is indeed how our service works and them consulting the prosecutor they left without taking anything and without any customer information." [...] Mullvad says this is the first time in its 14 years of operating a VPN that police have issued a search warrant, and company CEO Jan Jonsson tells The Verge he doesn't "know exactly what they were looking for." Even if the authorities had seized its servers, Jonsson says that police wouldn't have found anything due to its strict policies against keeping data. The Verge reached out to Swedish authorities with a request for more information but didn't immediately hear back.


  • by Thud457 ( 234763 ) on Friday April 21, 2023 @01:48PM (#63467728) Homepage Journal
    Expect a law to fix that oversight in the next Swedish Parliament session.
    • Existing law may already cover it in some countries, although I'm not sure about Sweden.

      If someone commits a crime using your assets (be it a service, a vehicle etc) and the crime is traced to that asset and thus to you, then you are responsible to show who was using it at the time. If you're not able to prove someone else was using it, then it's assumed that you were and you are held liable for whatever the activity was.
      Think rental cars and traffic violations for example.

      • by RockDoctor ( 15477 ) on Friday April 21, 2023 @02:42PM (#63467900) Journal
        To extend your analogy, when you hire a car, the hire document has a start date/ time and an end date/time, and possibly your hire office has a CCTV image of you driving the vehicle off their premises, and back onto the drop-off point.

        But the hire company doesn't have a GPS log of where the vehicle went between those two times. It doesn't (generally) have a collection of waypoints of each collision as you bounced over a line of parked school kids. It may not even have a GPS log at all, if you put a strip of aluminised tape over the GPS radio receiver. (This may have been a violation of the rental agreement - RTFA before signing!)

        Ditto for a VPN. Your bean-counting department may have a record of a rental agreement. If it's "metered", it may also have a count of hours logged-in, or MB transferred. That count reset each month as the invoices are generated, and the logs reset when the invoice is paid. If you're on an unmetered connection, they don't even need to keep that - for billing purposes. Possibly the date/time of the first log-in/ log-out pair for the month, to demonstrate that you used their service during that month. What other need does the company have of keeping additional data?

        • by Bert64 ( 520050 )

          A normal non-hired vehicle doesn't usually log all activities either, it will be down to some other entity (a witness, a camera etc) to see the act and record the license plate of the vehicle committing the act.
          The same is true of a typical home user router, it will not log all traffic flowing through it because it lacks the capability to do so, logs will come from the other end when some nefarious activity occurs.
          Even if the end user device like a car or router did log, the logs couldn't be trusted as the

          • by RockDoctor ( 15477 ) on Friday April 21, 2023 @04:16PM (#63468136) Journal

            A normal non-hired vehicle doesn't usually log all activities either,

            Actually, I gather that more modern cars are starting to do that, and to object if you drive out of cellphone coverage. I wouldn't buy such a machine (not that I'm expecting to afford or want another car in any case), and I gather that a lot of Slashdot commentators are aware of the issue, even if they're not prepared to do anything about it.

            any logs could easily have been tampered with.

            Therefore, cryptographically signed and encrypted logs will be coming soon.

        • Ditto for a VPN. Your bean-counting department may have a record of a rental agreement. If it's "metered", it may also have a count of hours logged-in, or MB transferred. That count reset each month as the invoices are generated, and the logs reset when the invoice is paid. If you're on an unmetered connection, they don't even need to keep that - for billing purposes. Possibly the date/time of the first log-in/ log-out pair for the month, to demonstrate that you used their service during that month. What other need does the company have of keeping additional data?

          Mullvad allows you to purchase time via cards sold through Amazon. Mullvad has no idea what real person presented the card (user ids are simply strings of digits with no identifying features related to your actual identity). The only direct link to you is your source IP address, but they have no reason to maintain that for billing purposes.

          Whether or not an indirect association between the top-up card and you can be traced through Amazon would depend on whether Amazon kept any records of the serial number o

          • So, you buy the Amazon gift card from a hypermarket, using cash, at rush-hour, while wearing your (or your wife's) burkah, and apply it to the account using an internet cafe machine, still be-burkah'd. Petrol bombing the cafe that night may be a bit of overkill (there's a Dilbert/ Dogbert strip somewhere about doing a really hard reboot using a bazooka, a road tanker of petrol, and the parking lot of a nuclear power plant ... but I can't be bothered looking it up) which might attract undue attention.

            Standa

      • by VMaN ( 164134 ) on Friday April 21, 2023 @02:50PM (#63467936) Homepage

        > If someone commits a crime using your assets (be it a service, a vehicle etc) and the crime is traced to that asset and thus to you, then you are responsible to show who was using it at the time. If you're not able to prove someone else was using it, then it's assumed that you were and you are held liable for whatever the activity was.

        What you're doing here is trying to imagine how you think it SHOULD be according to your world view, and then passing that off as some sort of factual reporting of how things actually are. The same reasoning defect that gives us conspiracy theorists.

        Is the postal service responsible for anonymous packages that hurt someone physically, or hurts their feelings?

        • by Bert64 ( 520050 )

          If the postal service is used to deliver something like a bomb then they are indeed expected to provide as much information as they can about the origination of the package - ie where it was picked up from, how the shipment was paid for etc.
          They can prove that the package entered the postal system and thus the postal service is not directly to blame, in the same way that a vehicle rental agency can demonstrate that someone had rented a vehicle and thus the rental agency was not responsible for the vehicle r

          • by Xylantiel ( 177496 ) on Friday April 21, 2023 @04:13PM (#63468110)
            Records retention laws are a thing, and there are many things to which they do not apply. It is entirely possible that running the VPN service as mentioned in the article is not legal in many jurisdictions where records retention laws differ. The postal service example and the "use of property" examples don't seem very helpful because these types of laws are typically very specific to the type of business being conducted. I expect only an expert on applicable case law (not just written law) in the specific local jurisdiction in Sweden would be able to say whether the specific method of what they are doing is actually legal or not. It's also quite possible that the locality was chosen precisely because it has some sort of local loophole or a judge who regularly rules in a particular way.
          • by Tyr07 ( 8900565 ) on Friday April 21, 2023 @04:57PM (#63468280)

            If the postal service is used to deliver something like a bomb then they are indeed expected to provide as much information as they can about the origination of the package - ie where it was picked up from, how the shipment was paid for etc.

            Postal drop boxes do not verify the senders address, as long as postage is on it, it will get delivered to wherever. This is not a good example. If the postal service HAS the information, then yes, they have to comply, the same thing is true with a vpn provider, if they HAVE the information, they have to provide it. Retention laws don't cover this the way you think. If you pass traffic through a router, are ISPs required to track all connections, log all access and retain it for law enforcement? No it would provide undue burden to their operations to be able to work that way.

            Same thing applies to a VPN. I'm not arguing if they should or shouldn't, that can go join whatever groups are screaming at each other until their faces turn blue. I'm just telling you how it currently is.

          • by VMaN ( 164134 )

            Seems like you are just rephrasing my point. They should hand over information they had if served a warrant to do so - EXACTLY the same situation as with Mullvad.

            Your earlier reasoning claimed that if they could not identify the customer they would be liable.

        • by dgatwood ( 11270 ) on Friday April 21, 2023 @03:28PM (#63468002) Homepage Journal

          > If someone commits a crime using your assets (be it a service, a vehicle etc) and the crime is traced to that asset and thus to you, then you are responsible to show who was using it at the time. If you're not able to prove someone else was using it, then it's assumed that you were and you are held liable for whatever the activity was.

          What you're doing here is trying to imagine how you think it SHOULD be according to your world view, and then passing that off as some sort of factual reporting of how things actually are.

          If you haven't read about civil forfeiture, I suggest you do so. The GP is describing the law as it applies, at least in the United States. The terminology used is wrong, however. You are not held *responsible*. You are held *liable*. Subtle distinction. It is possible for someone to not be the proximate cause of something (the responsible party) and still be forced to take on at least civil liability.

          Is the postal service responsible for anonymous packages that hurt someone physically, or hurts their feelings?

          Nope. But the USPS is a government entity, and can do a lot of things that private companies legally can't, so this is a problematic analogy. Also, the USPS limits the maximum weight of any package sent anonymously precisely to prevent that sort of situation. If you want to send something large enough to realistically be a bomb these days, you'll have to do it by going into the post office and interacting with a person, providing ID, being on camera, etc.

          The same is true for private shipping companies. You're either paying with a credit card or showing ID or both. And you're on camera when you do so. And a lot of packages (and all packages that are going onboard any airplane) also get screened by X-ray or CT scanners.

          So they go out of their way to minimize their risk of being held liable for loss of life. If there were no risk of such liability, they probably wouldn't do all of that. Are they guaranteed to be held liable? No. But those precautions reduce their risk of that happening.

      • "Think rental cars and traffic violations for example."

        The rental agency KNOWS who is driving their cars, they know everything, even your credit card number.

        Ditto if you give your car to a friend.

        If the car is stolen and speeding, you won't get fined.

      • If someone uses road under your repair responsibility and some carmakers produced car to kill someone, who has to be punished, you or the carmaker? Or both? Or whoever constructed the road with ill intent, that somebody will be killed on it? Or the road minister, that has not banned public roads? Maybe let's not stretch who is responsible for something beyond reason just because we do not understand the world.
      • That is called reverse burden of proof and that is not allowed in Swedish criminal law.
    • GDPR. Look it up.
    • The laws that protect against these kinds of things have been a thing in Sweden since 1250, so they are not something that is politically easy to change.
  • The police often use organization's incompetence against them. Even if the VPN provider "says" they don't keep data, that doesn't mean they don't. They could either be lying about it or not have their systems configured properly.

    I'm not saying the raid was right or justified, but who here 100% trusts any service or provider to represent themselves perfectly and also execute flawlessly? Especially for a service you likely pay ~$20/month to use?

  • Surely they must keep track of who has an account somehow. I see that they do take money from their customers, since they sell access.
    • I should add that yes, I understand that it might not be useful, but if user 123456789 paid them for an account, they have to at least keep track of that.
      • Track what though? They have no logs of what any customer accessed. I'm pretty sure the authorities already know the customer they are looking for data on is a customer of this VPN service. They wanted info on where this user has visited. They don't care that they have an account, they already know that.

        • by Anonymous Coward

          What if the CEO just made up a fake raid simply to "prove" how well they look out for customers? There's no way to prove or disprove his assertion, and he gets free press, and maybe more customers.

          • by jpatters ( 883 )

            I mean, if I were the CIA and I were operating a VPN for the purpose of surveillance (and it would almost be intelligence malpractice if they were not) I would probably stage a raid like that to try instill confidence that there was no user information being collected. In that situation, they would probably only be exfiltrating the data of certain users anyway, so there wouldn't even have to be very many employees who know what was happening.

            • What data can they collect if they're using Perfect forward secrecy? This is a legitimate question. I'm not a knowledge expert but I thought Perfect forward means they never know the encryption.

              By default Mullvad uses the following settings: Control channel: an AES-256-GCM cipher with RSA-4096 handshake encryption and HMAC SHA-1 hash authentication. Perfect forward secrecy is provided by a DHE-4096 Diffie Hellman key exchange, which is re-keyed every 60 minutes. Data channel: an AES-256-GCM cipher.

              • The GP is talking about the scenario in which Mullvad is operated by CIA, in which case the encryption between you and Mullvad doesn't matter as Mullvad is the other end that can by design read everything. They could also tap all your traffic like they would tap your internet line, better as they could do it even if you use some random wifi (as long as you use the VPN too).

                What's more many people run their (quite nice) clients. If they're really nasty they could upgrade specific targets to some malware.

              • by CAIMLAS ( 41445 )

                They could very easily collect data on the other side of that tunnel. That's just the security between the user and the VPN endpoint, but tracking user IP as well as sites visited via the VPN is still fully possible.

            • Which free VPN is the CIA running? Since I'm not committing any crimes I might be interested in their service.
            • So let me get this straight, the CIA is operating a VPN service in a foreign country which means that they are conducting an illegal intelligence gathering operation but at the same time they have such good contact with the police authorities (who would otherwise arrest them as spies) that they can stage a search warrant raid? And they would perform the raid at the VPN company headquarters where no VPN servers are located?

              You are also ignoring just how Mullvad operates, I mean even a quick look at their web

          • The Verge reached out to Swedish authorities with a request for more information but didn't immediately hear back.

            This doesn't necessarily mean anything but the lack of a denial from Swedish authorities is interesting. Buuuuuuut... not sure I'd believe a denial if I heard it. hehe

          • The problem with your theory is that yes it is possible to prove his assertion, namely by asking the police if they had been there and guess what local Swedish news did? Yes they did ask just that and the police did confirm that they had been to the location in order to conduct a search warrant.
      • I should add that yes, I understand that it might not be useful, but if user 123456789 paid them for an account, they have to at least keep track of that.

        There is no reason to keep subscriber or payment information after the payment transaction is completed. All they need to remember is if the account is is good standing, not who paid for it. Companies that hold such data unnecessarily are why we have so many data breaches these days.

        • by Bert64 ( 520050 )

          If the only information associated with the account is an id number and a hashed password, you lose the account if you forget the password since there is no additional metadata that can be used to prove your ownership for purposes of resetting the password.
          Users may not be willing to accept this risk, especially if they paid up front for an extended time period (some of these providers offer 5 year subscriptions for instance).

          It's also possible to loosely correlate account creation time with payment records

          • Reasonably true, so most likely you have a UID (user ID, probably related to the sequence in which people signed up for the service), a log-on name ("1amgr8te-97", chosen by you ; "1amgr8te" who signs up 30 seconds later finds they have to be the 98th of that name); a log-on password (whatever you want), and a reference of some sort to the bank account that will pay for subsequent service periods (I-BAN number, whatever ; SWIFT is another. Paypal. Whatever.). So if you lose two pieces of the data, the knowl
            • and a reference of some sort to the bank account that will pay for subsequent service periods (I-BAN number, whatever ; SWIFT is another. Paypal. Whatever.).

              Auto renewal is obviously a big security hole if you don't want anyone to know you have a VPN account. That said, as long as your account with said VPN has no logged correlation to actual network activity it is probably secure enough for most people.

              • Auto renewal is obviously a big security hole

                Which is why I mentioned Paypal - whose authentication is, IIRC, limited to validating if you can read emails to the address you gave, and whether the account gives and accepts money when prodded from their end. Which doesn't mean that it's in a country or jurisdiction that the prosecuting authorities have any association with. Then as someone else mentioned, there are "pre-paid" cards of various sorts. You could probably set up something through various "in game

                • Auto renewal is obviously a big security hole

                  Which is why I mentioned Paypal - whose authentication is, IIRC, limited to validating if you can read emails to the address you gave, and whether the account gives and accepts money when prodded from their end. Which doesn't mean that it's in a country or jurisdiction that the prosecuting authorities have any association with. Then as someone else mentioned, there are "pre-paid" cards of various sorts. You could probably set up something through various "in game" purchasing systems too - I've never used such, so "probably" is as strong as I can go, regardless of jurisdiction.

                  Agree pre-paid cards are the best way to go if you want to leave something on file, though not everyone accepts them. Pre-paid cellphones are useful for similar reasons as well if you are concerned about such things.

            • by Shinobi ( 19308 )

              You can also buy prepaid account time cards like this for example. https://www.webhallen.com/se/p... [webhallen.com]

          • If the only information associated with the account is an id number and a hashed password, you lose the account if you forget the password since there is no additional metadata that can be used to prove your ownership for purposes of resetting the password.

            Having them store identifiable information about you in case you forget your password (or your expiry date) is a huge hole if you use your VPN for anything that may draw attention. I don't use Mullvad so don't know if they do this or not.

            since accounts have specific durations the creation time needs to be stored or at the very least can be calculated based on the expiry time.

            Expiry times should always be midnight. If that means subscribers get part of a day for free that should not be a big deal.

          • by Calibax ( 151875 )

            Mullvad doesn't use passwords, just a randomized account number. If you tell your closest 1,000 friends your account number they have unfettered access to the service so long as you keep paying. So far, Mullvad doesn't seem to have any issues with this arrangement.

            Mullvad accepts payment in some crypto currencies and even cash in various currencies. Of course, if (like me) you are only using the service to overcome geofencing you can also use more traditional payment methods such as a credit card or PayP

          • Re:What about users? (Score:5, Informative)

            by Cardcaptor_RLH85 ( 891550 ) on Saturday April 22, 2023 @12:01AM (#63468976) Homepage
            With Mullvad your username is your account number and the password is a lowercase m. It's pretty hard to lose. Also, they offer 1, 3, 6, and 12-month subs, which end at a random time up to a day after when it should be up to avoid the method you mention (my current one is about half a day extra). They don't even track what length sub you bought and don't discount for more length. I'd imagine that using payment processor metadata to track the purchase would be quite difficult.
      • "An account exists" is one thing. What that account does is another thing.
    • Re:What about users? (Score:4, Interesting)

      by dogsbreath ( 730413 ) on Friday April 21, 2023 @02:42PM (#63467902)

      Surely they must keep track of who has an account somehow. I see that they do take money from their customers, since they sell access.

      Mullvad can do that without being able to provide police with any useful identifying info.

      Undoubtedly the police are interested in correlating sessions to user ids to real people.

      Say Mullvad is both truthful and competent in their claim of not logging user data then ...

      - The company as a minimum will record payments to user ids but that does nothing to identify which real person did what online. Mullvad does not have to keep any payment provider info after the payment clears so connecting a userid to a real person via payments may not be possible. If the subscriber has used an anonymous payment method and has used a throw away email address then even if payment records exist, they may not be useful to id a real person.

      - When a user turns up a VPN session, its userid is validated against a subscription record and the session is allowed to be created without further need of the userid. There is no technical or billing requirement to log session-userid information.

      - The active session of necessity knows the user's source ip but this will only persist for the duration of the connection and of course there is no need to log the ip-session info. The real time session connection information will be available to a sysadmin in some form, although I suppose this could be obfuscated. This would not be useful for historical sessions.

      To find the real session userid, the police would have to either have a warrant to force the provider to give them access to active VPN information while the target is online or they would have to enlist NSA level sniffing of the provider's internet connections for command and control, and the vpn node.

      Again, even if they get a userid for a session that may not be sufficient to connect to a real person.
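The account and session model that dogsbreath describes above (and the randomized expiry that Cardcaptor_RLH85 mentions further up the thread) can be written out as a small working model. This is an added example, not Mullvad's code: the class and method names, the 16-digit account number format, the one-day expiry jitter, the 14-day receipt retention and the fake clock are all assumptions made for the illustration. The point it demonstrates is that, once the account-to-IP pairing lives only in RAM for the life of a connection, a request against stored data can truthfully return nothing beyond "this account exists and is paid up until roughly this date".

```python
"""Model of a no-logs VPN account and session store.

Added example illustrating the architecture described in the thread; it is not
Mullvad's code. Class and method names, the 16-digit account number format, the
one-day expiry jitter and the 14-day receipt retention are assumptions.
"""
import random
import secrets

DAY = 86_400


class NoLogsVpn:
    """Persist nothing beyond account_number -> expiry; everything else is ephemeral."""

    def __init__(self, clock):
        self.clock = clock          # injectable clock (seconds) so the flow is reproducible
        self.subscriptions = {}     # PERSISTED: account_number -> expiry timestamp
        self.receipts = []          # PERSISTED briefly: (cleared_at, account_number, processor_ref)
        self.active = {}            # EPHEMERAL (RAM only): session_id -> (account_number, source_ip)
        self._rng = random.SystemRandom()

    # --- account lifecycle -------------------------------------------------
    def create_account(self):
        """The account is a random number: no email, no password, no name."""
        account = f"{secrets.randbelow(10**16):016d}"
        self.subscriptions[account] = 0.0   # exists, but no paid time yet
        return account

    def add_time(self, account, days, processor_ref):
        """Extend expiry; keep only a short-lived receipt for refund/dispute handling."""
        now = self.clock()
        base = max(now, self.subscriptions[account])
        # Assumption: up to one day of random jitter so the expiry does not reveal
        # when the payment was made or which plan length was bought.
        self.subscriptions[account] = base + days * DAY + self._rng.uniform(0, DAY)
        self.receipts.append((now, account, processor_ref))

    def purge_receipts(self, max_age=14 * DAY):
        """Housekeeping job: drop receipts older than max_age (assumed 14 days)."""
        cutoff = self.clock() - max_age
        self.receipts = [r for r in self.receipts if r[0] >= cutoff]

    # --- session lifecycle -------------------------------------------------
    def connect(self, account, source_ip):
        """Validate the subscription, then hold the session only in RAM."""
        if self.subscriptions.get(account, 0.0) <= self.clock():
            return None
        session_id = secrets.token_hex(16)
        self.active[session_id] = (account, source_ip)   # never written to disk or a log
        return session_id

    def disconnect(self, session_id):
        """On teardown the account/IP pairing ceases to exist anywhere."""
        self.active.pop(session_id, None)

    # --- what a data request can get ----------------------------------------
    def records_for(self, account):
        """Everything the operator could truthfully hand over about an account."""
        return {
            "exists": account in self.subscriptions,
            "expiry": self.subscriptions.get(account),
            "receipts": [r for r in self.receipts if r[1] == account],
            "live_sessions": [ip for acct, ip in self.active.values() if acct == account],
            "past_sessions": [],   # nothing is ever recorded, so there is nothing to return
        }


def walk_through():
    """Constructed scenario: pay, use the service, then face a data request weeks later."""
    t = [1_700_000_000.0]                      # fake clock (constructed)
    vpn = NoLogsVpn(lambda: t[0])

    acct = vpn.create_account()
    vpn.add_time(acct, days=30, processor_ref="card-XXXX")   # processor reference (constructed)

    sid = vpn.connect(acct, "198.51.100.7")    # RFC 5737 documentation address
    during = vpn.records_for(acct)             # what a live tap under warrant could see
    vpn.disconnect(sid)

    t[0] += 20 * DAY                           # three weeks later...
    vpn.purge_receipts()
    after = vpn.records_for(acct)              # what a raid on the storage could see
    return acct, during, after


if __name__ == "__main__":
    _, during, after = walk_through()
    print("while connected:", during)
    print("after receipt purge:", after)
```

The `during` dict is the only moment at which account, source IP and session line up, and even that is in process memory; the `after` dict is what survives on disk. Real deployments still have to look at everything outside this store (web server access logs, payment processor data, crash dumps, swap) because any of those can reintroduce the pairing the store avoids.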

    • by Shinobi ( 19308 )

      You can buy prepaid Mullvad account time, like this: https://www.webhallen.com/se/p... [webhallen.com]

    • The article says that they don't keep account email addresses, each account is given a random ID. So if they don't retain anything after processing the payment, then they would literally have nothing. They don't have any way to initiate contact with any of their users and if a user loses their authentication information they just have to open a new account under a new random ID. Their billing processor probably has a lot of information that the police might be interested in, but they don't. There are se

    • Mullvad users have account numbers and are identified by such. They don't even keep the payment receipts beyond a couple of weeks. If Mullvad doesn't log usage by account number, then even if the cops have the users account number, there's still nothing for them to get.
  • by Dwedit ( 232252 ) on Friday April 21, 2023 @02:40PM (#63467890) Homepage

    Well if you want the VPN company to turn coat and betray the customers, you either need to threaten them or bribe them. Then the VPN company can either: Stay in operation doing nothing, Stay in operation while secretly betraying the customers, or shut down. Then the question becomes whether threats or bribery is more likely to lead to getting the data you want from VPN company.

  • How does the CEO not know what they were in search of? The warrant very specifically spells exactly that out. It would have very clearly stated exactly what type of data and for who, the police were after.

    • by andersh ( 229403 )

      You assume that a Swedish warrant has to say what they're looking for. I used Google to translate a relevant text:

      "Unlike a record of a seizure, the record of a house search will not include the decision to search the house itself, as these are drawn up on separate occasions.

      In addition to the content of the decision, it must also be stated who made the decision and the time of this. A decision on the house search is of course drawn up before the measure has been taken. When a house search is concluded, a r

    • Now this is not the US but even in the US I don't think that the search warrant would be more specific than the "this is for the servers that contain the customer logs" which this particular search warrant was for.
  • by kriston ( 7886 ) on Friday April 21, 2023 @03:45PM (#63468054) Homepage Journal

    Fun things to know and tell: Mozilla VPN is a branded whitebox Mullvad.

  • by PPH ( 736903 ) on Friday April 21, 2023 @03:46PM (#63468056)

    ... they are in Sweden. In the USA, the police would have taken all the office computers and servers. And then broken them on the pretext of searching them.

    • Re:They're lucky ... (Score:5, Informative)

      by awwshit ( 6214476 ) on Friday April 21, 2023 @04:20PM (#63468156)

      ^ This.

      In the US, it does not matter what you say when they show up with a warrant, they are going to take whatever they want. It goes like this:
      1. Announce yourself, but breakdown the door as you finish that sentence.
      2. Shoot the dog and anything else that moves.
      3. Throw warrant papers at someone being pushed to the floor and cuffed.
      4. Ransack the place, take what you want, break everything.
      5. Oops, wrong address, our bad, Qualified Immunity!

      Policing the US is completely broken.

      • I completely forgot...

        6. Despite showing up at the wrong house, we are keeping the cash we found under your mattress as we believe without evidence the cash came from illegal activities, Civil forfeiture!

      • by Toad-san ( 64810 )

        Or the Swedish police are way behind the times! I too was quite surprised that none of the usual American Police tactics occurred. They listened? They asked questions? They nodded and quietly left? Amazing, absolutely amazing.

  • by wagnerer ( 53943 ) on Friday April 21, 2023 @05:39PM (#63468388)

    I once built a computer system that needed to be easily sanitized after processing sensitive data. Nearly all the systems had no hard drive. Just a TFTP boot that downloaded the image from a single master node and ran the system off a RAM disk. The master node even had the drive mounted read only while in operation and we had a few of them so even if they took the drive we'd be back online in the time a reboot took. Once power dropped all data was lost. We debated even using a read-only DVD as the boot disk so there was no non-volatile storage in the entire system. Nothing to take and we were absolutely confident pulling the plug would sanitize the system.
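The confidence wagnerer describes ("pulling the plug would sanitize the system") is only justified if nothing non-volatile is mounted and no swap is active. The audit below is an added example, not the poster's own tooling: it classifies each line of a /proc/mounts listing and each entry of /proc/swaps and reports anything that would survive a power loss. The two listings it runs over are constructed, and the filesystem-type tables are this example's own assumptions about what counts as RAM-only.

```python
"""Audit a Linux mount table for storage that would survive a power loss.

Added example, not the poster's code. Parses /proc/mounts and /proc/swaps text;
the sample listings below are constructed and the type tables are assumptions.
"""
import re

# Filesystems that live only in RAM or are kernel pseudo-filesystems.
VOLATILE_FSTYPES = {
    "tmpfs", "ramfs", "rootfs", "devtmpfs", "proc", "sysfs", "devpts", "cgroup",
    "cgroup2", "securityfs", "debugfs", "mqueue", "hugetlbfs", "bpf", "configfs", "tracefs",
}
# Read-only media/images are acceptable for booting but are never written to.
READONLY_MEDIA_FSTYPES = {"iso9660", "squashfs", "udf"}
# Remote filesystems persist data on another host, which a seizure can reach.
NETWORK_FSTYPES = {"nfs", "nfs4", "cifs", "smb3", "fuse.sshfs", "9p"}
RAM_BLOCK_DEVICE = re.compile(r"/dev/z?ram\d+")   # /dev/ram0, /dev/zram0: RAM-backed block devices


def classify_mount(line):
    """Return (mountpoint, verdict) for one /proc/mounts line.

    Upper-case verdicts (NETWORK, BLOCK-RW, BLOCK-RO) are findings; 'unknown'
    needs manual review; 'volatile' and 'readonly-media' are fine.
    """
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"malformed mounts line: {line!r}")
    source, mountpoint, fstype, opts = fields[:4]
    ro = "ro" in opts.split(",")
    if fstype in VOLATILE_FSTYPES or RAM_BLOCK_DEVICE.fullmatch(source):
        return mountpoint, "volatile"
    if fstype in NETWORK_FSTYPES:
        return mountpoint, "NETWORK"
    if fstype in READONLY_MEDIA_FSTYPES and ro:
        return mountpoint, "readonly-media"
    if source.startswith("/dev/"):   # disk, partition, LVM, dm-crypt or loop device
        return mountpoint, "BLOCK-RO" if ro else "BLOCK-RW"
    # overlay and anything else: volatility depends on what backs it, so flag for review
    return mountpoint, "unknown"


def active_swaps(proc_swaps_text):
    """Swap devices from /proc/swaps; swap writes RAM contents to disk."""
    lines = proc_swaps_text.strip().splitlines()[1:]   # first line is the column header
    return [ln.split()[0] for ln in lines if ln.strip()]


def audit(proc_mounts_text, proc_swaps_text):
    """Return a list of (path, verdict) findings; an empty list means nothing persists."""
    findings = []
    for line in proc_mounts_text.strip().splitlines():
        mountpoint, verdict = classify_mount(line)
        if verdict.isupper() or verdict == "unknown":
            findings.append((mountpoint, verdict))
    for device in active_swaps(proc_swaps_text):
        findings.append((device, "SWAP"))
    return findings


# Constructed sample: TFTP/RAM-disk node with a read-only boot DVD and no swap.
DISKLESS_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=4096k,mode=755 0 0
tmpfs / tmpfs rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/sr0 /boot iso9660 ro,relatime 0 0
"""
DISKLESS_SWAPS = "Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n"

# Constructed sample: same box after someone "helpfully" added local logging, NFS and swap.
LEAKY_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs / tmpfs rw,relatime 0 0
/dev/nvme0n1p2 /var/log ext4 rw,relatime 0 0
nas:/export/scratch /mnt/scratch nfs4 rw,relatime,vers=4.2 0 0
"""
LEAKY_SWAPS = (
    "Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n"
    "/dev/nvme0n1p3                          partition\t8388604\t0\t-2\n"
)

if __name__ == "__main__":
    print("diskless node:", audit(DISKLESS_MOUNTS, DISKLESS_SWAPS))
    print("leaky node:   ", audit(LEAKY_MOUNTS, LEAKY_SWAPS))
```

On a live host call `audit(open("/proc/mounts").read(), open("/proc/swaps").read())`. A `BLOCK-RO` verdict is still reported because a read-only mount can be remounted read-write at any time, and the check only covers mounted filesystems: unmounted disks (`lsblk`), hibernation images and firmware-level storage need a separate look.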
