Mullvad VPN Maker Says Police Tried To Raid Its Offices But Couldn't Find Any User Data (theverge.com)
Mullvad, the Swedish company behind Mullvad VPN (virtual private network), says police walked away with nothing after attempting to seize computers from its office. From a report: According to an update on Mullvad's site, the authorities left and didn't take anything after it informed them that the company doesn't store customer data. "We argued they had no reason to expect to find what they were looking for and any seizures would therefore be illegal under Swedish law," Mullvad writes. "After demonstrating that this is indeed how our service works and them consulting the prosecutor they left without taking anything and without any customer information." [...] Mullvad says this is the first time in its 14 years of operating a VPN that police have issued a search warrant, and company CEO Jan Jonsson tells The Verge he doesn't "know exactly what they were looking for." Even if the authorities had seized its servers, Jonsson says that police wouldn't have found anything due to its strict policies against keeping data. The Verge reached out to Swedish authorities with a request for more information but didn't immediately hear back.
well now, we can't have that, can we? (Score:3)
Re:well now, we can't have that, can we? (Score:4)
Existing law may already cover it in some countries, although I'm not sure about Sweden.
If someone commits a crime using your assets (be it a service, a vehicle etc) and the crime is traced to that asset and thus to you, then you are responsible to show who was using it at the time. If you're not able to prove someone else was using it, then it's assumed that you were and you are held liable for whatever the activity was.
Think rental cars and traffic violations for example.
Re:well now, we can't have that, can we? (Score:4, Interesting)
But the hire company doesn't have a GPS log of where the vehicle went between those two times. It doesn't (generally) have a collection of waypoints of each collision as you bounced over a line of parked school kids. It may not even have a GPS log at all, if you put a strip of aluminised tape over the GPS radio receiver. (This may have been a violation of the rental agreement - RTFA before signing!)
Ditto for a VPN. Your bean-counting department may have a record of a rental agreement. If it's "metered", it may also have a count of hours logged-in, or MB transferred. That count re-set each month as the invoices are generated, and the logs re-set when the invoice is paid. If you're on an unmetered connection, they don't even need to keep that - for billing purposes. Possibly the date/time of the first log-in/ log-out pair for the month, to demonstrate that you used their service during that month. What other need does the company have of keeping additional data?
Re: (Score:3)
A normal non-hired vehicle doesn't usually log all activities either, it will be down to some other entity (a witness, a camera etc) to see the act and record the license plate of the vehicle committing the act.
The same is true of a typical home user router, it will not log all traffic flowing through it because it lacks the capability to do so, logs will come from the other end when some nefarious activity occurs.
Even if the end user device like a car or router did log, the logs couldn't be trusted as the
Re:well now, we can't have that, can we? (Score:4, Interesting)
Actually, I gather that more modern cars are starting to do that, and to object if you drive out of cellphone coverage. I wouldn't buy such a machine (not that I'm expecting to afford or want another car in any case), and I gather that a lot of Slashdot commentators are aware of the issue, even if they're not prepared to do anything about it.
Therefore, cryptographically signed and encrypted logs will be coming soon.
Re: (Score:2)
Ditto for a VPN. Your bean-counting department may have a record of a rental agreement. If it's "metered", it may also have a count of hours logged-in, or MB transferred. That count re-set each month as the invoices are generated, and the logs re-set when the invoice is paid. If you're on an unmetered connection, they don't even need to keep that - for billing purposes. Possibly the date/time of the first log-in/ log-out pair for the month, to demonstrate that you used their service during that month. What other need does the company have of keeping additional data?
Mullvad allows you to purchase time via cards sold through Amazon. Mullvad has no idea what real person presented the card (user ids are simply strings of digits with no identifying features related to your actual identity). The only direct link to you is your source IP address, but they have no reason to maintain that for billing purposes.
Whether or not an indirect association between the top-up card and you can be traced through Amazon would depend on whether Amazon kept any records of the serial number o
Re: (Score:2)
Standa
Re:well now, we can't have that, can we? (Score:5, Insightful)
> If someone commits a crime using your assets (be it a service, a vehicle etc) and the crime is traced to that asset and thus to you, then you are responsible to show who was using it at the time. If you're not able to prove someone else was using it, then it's assumed that you were and you are held liable for whatever the activity was.
What you're doing here is trying to imagine how you think it SHOULD be according to your world view, and then passing that off as some sort of factual reporting of how things actually are. The same reasoning defect that gives us conspiracy theorists.
Is the postal service responsible for anonymous packages that hurt someone physically, or hurts their feelings?
Re: (Score:3)
If the postal service is used to deliver something like a bomb then they are indeed expected to provide as much information as they can about the origination of the package - ie where it was picked up from, how the shipment was paid for etc.
They can prove that the package entered the postal system and thus the postal service is not directly to blame, in the same way that a vehicle rental agency can demonstrate that someone had rented a vehicle and thus the rental agency was not responsible for the vehicle r
Re:well now, we can't have that, can we? (Score:4)
Re:well now, we can't have that, can we? (Score:5, Informative)
If the postal service is used to deliver something like a bomb then they are indeed expected to provide as much information as they can about the origination of the package - ie where it was picked up from, how the shipment was paid for etc.
Postal drop boxes do not verify the sender's address, as long as postage is on it, it will get delivered to wherever. This is not a good example. If the postal service HAS the information, then yes, they have to comply, the same thing is true with a vpn provider, if they HAVE the information, they have to provide it. Retention laws don't cover this the way you think. If you pass traffic through a router, are ISPs required to track all connections, log all access and retain it for law enforcement? No it would provide undue burden to their operations to be able to work that way.
Same thing applies to a VPN. I'm not arguing if they should or shouldn't, that can go join whatever groups are screaming at each other until their faces turn blue. I'm just telling you how it currently is.
Re: (Score:2)
Seems like you are just rephrasing my point. They should hand over information they had if served a warrant to do so - EXACTLY the same situation as with Mullvad.
Your earlier reasoning claimed that if they could not identify the customer they would be liable.
Re:well now, we can't have that, can we? (Score:4, Informative)
> If someone commits a crime using your assets (be it a service, a vehicle etc) and the crime is traced to that asset and thus to you, then you are responsible to show who was using it at the time. If you're not able to prove someone else was using it, then it's assumed that you were and you are held liable for whatever the activity was.
What you're doing here is trying to imagine how you think it SHOULD be according to your world view, and then passing that off as some sort of factual reporting of how things actually are.
If you haven't read about civil forfeiture, I suggest you do so. The GP is describing the law as it applies, at least in the United States. The terminology used is wrong, however. You are not held *responsible*. You are held *liable*. Subtle distinction. It is possible for someone to not be the proximate cause of something (the responsible party) and still be forced to take on at least civil liability.
Is the postal service responsible for anonymous packages that hurt someone physically, or hurts their feelings?
Nope. But the USPS is a government entity, and can do a lot of things that private companies legally can't, so this is a problematic analogy. Also, the USPS limits the maximum weight of any package sent anonymously precisely to prevent that sort of situation. If you want to send something large enough to realistically be a bomb these days, you'll have to do it by going into the post office and interacting with a person, providing ID, being on camera, etc.
The same is true for private shipping companies. You're either paying with a credit card or showing ID or both. And you're on camera when you do so. And a lot of packages (and all packages that are going onboard any airplane) also get screened by X-ray or CT scanners.
So they go out of their way to minimize their risk of being held liable for loss of life. If there were no risk of such liability, they probably wouldn't do all of that. Are they guaranteed to be held liable? No. But those precautions reduce their risk of that happening.
Re: (Score:2)
Re: (Score:2)
"Think rental cars and traffic violations for example."
The rental agency KNOWS who is driving their cars, they know everything, even your credit card number.
Ditto if you give your car to a friend.
If the car is stolen and speeding, you won't get fined.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Incompetence goes a long way for law enforcement (Score:3)
The police often use organization's incompetence against them. Even if the VPN provider "says" they don't keep data, that doesn't mean they don't. They could either be lying about it or not have their systems configured properly.
I'm not saying the raid was right or justified, but who here 100% trusts any service or provider to represent themselves perfectly and also execute flawlessly? Especially for a service you likely pay ~$20/month to use?
Re: (Score:2)
"For example if using one of Mullvad's servers in AU it could easily be spied on with a warrant for that server due to local laws which Mullvad can't circumvent."
Yes, they'll find that the connection comes from Sweden.
Re: (Score:1)
Typical VPN user I see. That's not how VPN works. You're directly connected to the specific server and it acts as a gateway for your traffic. Whoever has control of the server can see everything your IP address is connecting to. So:
You ---> AU VPN Server ---> Your outbound traffic
In fact they don't even need access to the server. It's possible to do traffic correlation just by having access to the input and output traffic of the server (even encrypted).
It is possible to chain multiple VPN paths but I
Re: (Score:2)
Re: (Score:2)
"But they're still all servers subject to warrant."
And still have no data saved.
Re: (Score:2)
What about users? (Score:2)
Re: (Score:2)
Re: (Score:2)
Track what though? They have no logs of what any customer accessed. I'm pretty sure the authorities already know the customer they are looking for data on is a customer of this VPN service. They wanted info on where this user has visited. They don't care that they have an account, they already know that.
Who says this even happened? (Score:2, Interesting)
What if the CEO just made up a fake raid simply to "prove" how well they look out for customers? There's no way to prove or disprove his assertion, and he gets free press, and maybe more customers.
Re: (Score:3)
I mean, if I were the CIA and I were operating a VPN for the purpose of surveillance (and it would almost be intelligence malpractice if they were not) I would probably stage a raid like that to try instill confidence that there was no user information being collected. In that situation, they would probably only be exfiltrating the data of certain users anyway, so there wouldn't even have to be very many employees who know what was happening.
Re: (Score:3)
What data can they collect if they're using Perfect forward secrecy? This is a legitimate question. I'm not a knowledge expert but I thought Perfect forward means they never know the encryption.
By default Mullvad uses the following settings: Control channel: an AES-256-GCM cipher with RSA-4096 handshake encryption and HMAC SHA-1 hash authentication. Perfect forward secrecy is provided by a DHE-4096 Diffie Hellman key exchange, which is re-keyed every 60 minutes. Data channel: an AES-256-GCM cipher.
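The comment above lists an ephemeral Diffie-Hellman exchange that is re-keyed every 60 minutes as the source of forward secrecy. The following is an added illustration, not Mullvad's or OpenVPN's code, of why that matters: each re-key epoch derives its session key from exponents that exist only for the duration of the handshake, while a key-transport design (also constructed here for contrast) leaves every recorded session recoverable once the long-term key leaks. The group is a constructed toy (the 127-bit Mersenne prime with generator 2, not DHE-4096) and a shared HMAC key stands in for the RSA-4096 handshake signature.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: the Mersenne prime 2**127 - 1 with generator 2.
# Far too small for real use; the comment above refers to DHE-4096.
P = (1 << 127) - 1
G = 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def sign_value(long_term_key: bytes, value: int) -> bytes:
    """Stand-in for the RSA-4096 handshake signature: an HMAC over the server's
    ephemeral public value under a long-term key the client already trusts."""
    return hmac.new(long_term_key, value.to_bytes(16, "big"), hashlib.sha256).digest()


def dhe_epoch(long_term_key: bytes):
    """One re-key epoch. Both sides pick fresh ephemeral exponents, the server
    authenticates its public value, and both derive the same session key.
    The exponents a and b exist only inside this call; the returned transcript
    is everything an observer on the wire would have recorded."""
    a = secrets.randbelow(P - 2) + 2          # client ephemeral secret
    b = secrets.randbelow(P - 2) + 2          # server ephemeral secret
    A, B = pow(G, a, P), pow(G, b, P)
    tag = sign_value(long_term_key, B)
    # Client-side check; a real handshake verifies an RSA signature with the
    # server's public key instead of recomputing an HMAC.
    if not hmac.compare_digest(tag, sign_value(long_term_key, B)):
        raise ValueError("server authentication failed")
    shared = pow(B, a, P)
    if shared != pow(A, b, P):
        raise RuntimeError("key agreement mismatch")
    session_key = hashlib.sha256(b"dhe-session|" + shared.to_bytes(16, "big")).digest()
    return session_key, {"A": A, "B": B, "tag": tag}


def transport_epoch(long_term_key: bytes):
    """Contrast without forward secrecy: the session key is wrapped under a
    keystream derived from the long-term key, so the wrapped value on the wire
    is all a later holder of that key needs."""
    session_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    keystream = hashlib.sha256(long_term_key + nonce).digest()
    return session_key, {"nonce": nonce, "wrapped": _xor(session_key, keystream)}


def recover_transport_key(long_term_key: bytes, transcript: dict) -> bytes:
    """What a recorded transport transcript yields once the long-term key leaks."""
    keystream = hashlib.sha256(long_term_key + transcript["nonce"]).digest()
    return _xor(transcript["wrapped"], keystream)


def run_dhe_session(epochs: int, long_term_key: bytes = b"\x01" * 32):
    """Simulate `epochs` re-key intervals (60 minutes each in the comment above)
    and return one session key per interval; each is independent of the others
    and of the long-term key."""
    return [dhe_epoch(long_term_key)[0] for _ in range(epochs)]


if __name__ == "__main__":
    keys = run_dhe_session(3)
    print("distinct DHE epoch keys:", len(set(keys)))
    k, t = transport_epoch(b"\x01" * 32)
    print("transport key recovered from transcript:", recover_transport_key(b"\x01" * 32, t) == k)
```

The DHE transcript contains only the two public values and the authentication tag; the transport transcript, by contrast, is fully unwrapped by `recover_transport_key` once the long-term key is known, which is the failure mode the hourly re-keyed DHE-4096 exchange is there to avoid.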
Re: (Score:2)
The GP is talking about the scenario in which Mullvad is operated by the CIA, in which case the encryption between you and Mullvad doesn't matter as Mullvad is the other end that can by design read everything. They could also tap all your traffic like they would tap your internet line, better as they could do it even if you use some random wifi (as long as you use the VPN too).
What's more many people run their (quite nice) clients. If they're really nasty they could upgrade specific targets to some malware.
Re: (Score:1)
They could very easily collect data on the other side of that tunnel. That's just the security between the user and the VPN endpoint, but tracking user IP as well as sites visited via the VPN is still fully possible.
Re: (Score:2)
Re: (Score:2)
So let me get this straight, the CIA is operating a VPN service in a foreign country which means that they are conducting an illegal intelligence gathering operation but at the same time they have such good contact with the police authorities (who would otherwise arrest them as spies) that they can stage a search warrant raid? And they would perform the raid at the VPN company headquarters where no VPN servers are located?
You are also ignoring just how Mullvad operates, I mean even a quick look at their web
Re: (Score:2)
Re: (Score:2)
The Verge reached out to Swedish authorities with a request for more information but didn't immediately hear back.
This doesn't necessarily mean anything but the lack of a denial from Swedish authorities is interesting. Buuuuuuut... not sure I'd believe a denial if I heard it. hehe
Re: (Score:2)
Local Swedish news (the Swedish equivalent to BBC) has just had the police confirm that they had been to Mullvad: https://www.svt.se/nyheter/lok... [www.svt.se]
Google translate of the important part:
The police confirm via their press service that they have been on site at the company but cannot give any details at the moment.
Re: (Score:2)
I appreciate the update, thanks man.
Re: (Score:3)
Re: (Score:3)
I should add that yes, I understand that it might not be useful, but if user 123456789 paid them for an account, they have to at least keep track of that.
There is no reason to keep subscriber or payment information after the payment transaction is completed. All they need to remember is if the account is in good standing, not who paid for it. Companies that hold such data unnecessarily are why we have so many data breaches these days.
Re: (Score:3)
If the only information associated with the account is an id number and a hashed password, you lose the account if you forget the password since there is no additional metadata that can be used to prove your ownership for purposes of resetting the password.
Users may not be willing to accept this risk, especially if they paid up front for an extended time period (some of these providers offer 5 year subscriptions for instance).
It's also possible to loosely correlate account creation time with payment records
Re: (Score:3)
Re: (Score:2)
and a reference of some sort to the bank account that will pay for subsequent service periods (IBAN number, whatever; SWIFT is another. Paypal. Whatever.).
Auto renewal is obviously a big security hole if you don't want anyone to know you have a VPN account. That said, as long as your account with said VPN has no logged correlation to actual network activity it is probably secure enough for most people.
Re: (Score:2)
Which is why I mentioned Paypal - whose authentication is, IIRC, limited to validating if you can read emails to the address you gave, and whether the account gives and accepts money when prodded from their end. Which doesn't mean that it's in a country or jurisdiction that the prosecuting authorities have any association with. Then as someone else mentioned, there are "pre-paid" cards of various sorts. You could probably set up something through various "in game
Re: (Score:2)
Which is why I mentioned Paypal - whose authentication is, IIRC, limited to validating if you can read emails to the address you gave, and whether the account gives and accepts money when prodded from their end. Which doesn't mean that it's in a country or jurisdiction that the prosecuting authorities have any association with. Then as someone else mentioned, there are "pre-paid" cards of various sorts. You could probably set up something through various "in game" purchasing systems too - I've never used such, so "probably" is as strong as I can go, regardless of jurisdiction.
Agree pre-paid cards are the best way to go if you want to leave something on file, though not everyone accepts them. Pre-paid cellphones are useful for similar reasons as well if you are concerned about such things.
Re: (Score:2)
You can also buy prepaid account time cards like this for example. https://www.webhallen.com/se/p... [webhallen.com]
Re: (Score:2)
If the only information associated with the account is an id number and a hashed password, you lose the account if you forget the password since there is no additional metadata that can be used to prove your ownership for purposes of resetting the password.
Having them store identifiable information about you in case you forget your password (or your expiry date) is a huge hole if you use your VPN for anything that may draw attention. I don't use Mullvad so don't know if they do this or not.
Since accounts have specific durations the creation time needs to be stored or at the very least can be calculated based on the expiry time.
Expiry times should always be midnight. If that means subscribers get part of a day for free that should not be a big deal.
Re: (Score:3)
Mullvad doesn't use passwords, just a randomized account number. If you tell your closest 1,000 friends your account number they have unfettered access to the service so long as you keep paying. So far, Mullvad doesn't seem to have any issues with this arrangement.
Mullvad accepts payment in some crypto currencies and even cash in various currencies. Of course, if (like me) you are only using the service to overcome geofencing you can also use more traditional payment methods such as a credit card or PayP
Re:What about users? (Score:5, Informative)
Re: (Score:2)
Re:What about users? (Score:4, Interesting)
Surely they must keep track of who has an account somehow. I see that they do take money from their customers, since they sell access.
Mullvad can do that without being able to provide police with any useful identifying info.
Undoubtedly the police are interested in correlating sessions to user ids to real people.
Say Mullvad is both truthful and competent in their claim of not logging user data then ...
- The company as a minimum will record payments to user ids but that does nothing to identify which real person did what online. Mullvad does not have to keep any payment provider info after the payment clears so connecting a userid to a real person via payments may not be possible. If the subscriber has used an anonymous payment method and has used a throw away email address then even if payment records exist, they may not be useful to id a real person.
- When a user turns up a VPN session, its userid is validated against a subscription record and the session is allowed to be created without further need of the userid. There is no technical or billing requirement to log session-userid information.
- The active session of necessity knows the user's source ip but this will only persist for the duration of the connection and of course there is no need to log the ip-session info. The real time session connection information will be available to a sysadmin in some form, although I suppose this could be obfuscated. This would not be useful for historical sessions.
To find the real session userid, the police would have to either have a warrant to force the provider to give them access to active VPN information while the target is online or they would have to enlist NSA level sniffing of the provider's internet connections for command and control, and the vpn node.
Again, even if they get a userid for a session that may not be sufficient to connect to a real person.
Re:What about users? (Score:5, Informative)
Mullvad uses random numbers for user accounts. You make a one off payment to a number, that's it. They don't store payment data so you have to do it manually every time. Cash and bitcoin accepted, as well as credit cards.
Their servers don't have fixed disks. They network boot and everything is in RAM.
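The two comments above (the three-point breakdown of payments, session validation and source IP, and the shorter summary of random account numbers with no stored payment data) describe a data model rather than code. The following is an added sketch of that model, written for this thread and not Mullvad's own code: the provider retains only a random account number and a midnight-aligned expiry date, payer details are used to settle the payment and then dropped, and session authorization checks the account without writing the account number or source IP anywhere. `_processor_settle` is a constructed stand-in for the external payment processor; the "Alice" payer record and the 198.51.100.7 source address are constructed sample inputs. It also folds in the earlier suggestion that expiry times be kept at midnight, so the stored dates carry no time-of-day that could be correlated with a payment.

```python
import datetime as dt
import secrets

ACCOUNT_DIGITS = 16


def _midnight(t: dt.datetime) -> dt.datetime:
    """Truncate to UTC midnight so stored expiries carry no time-of-day."""
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


def _processor_settle(payer_details: dict) -> bool:
    """Constructed stand-in for the external payment processor: settles when a
    card (or other instrument) is present. Whatever it sees stays on the
    processor's side; this store never copies it."""
    return bool(payer_details.get("card") or payer_details.get("voucher"))


class AccountStore:
    def __init__(self):
        self._expiry = {}      # account number -> expiry (UTC midnight)
        self.session_log = []  # (hour, ok) pairs only; no account, no IP

    def create_account(self, now: dt.datetime) -> str:
        """Random numeric account id with no link to an identity. A fresh account
        expires at today's midnight, i.e. it is not usable until paid."""
        number = "".join(secrets.choice("0123456789") for _ in range(ACCOUNT_DIGITS))
        self._expiry[number] = _midnight(now)
        return number

    def apply_payment(self, number: str, months: int, now: dt.datetime, payer_details: dict) -> bool:
        """Credit time to an account. Extends from the current expiry if still
        active, otherwise from today's midnight; 30-day months keep the toy simple."""
        if number not in self._expiry:
            raise KeyError("unknown account")
        if not _processor_settle(payer_details):
            return False
        base = max(self._expiry[number], _midnight(now))
        self._expiry[number] = base + dt.timedelta(days=30 * months)
        return True  # payer_details goes out of scope here; nothing about the payer is kept

    def authorize_session(self, number: str, source_ip: str, now: dt.datetime) -> bool:
        """Validate the account for a new VPN session. The source IP is needed
        to route the session while it lives, but is deliberately not recorded."""
        ok = number in self._expiry and self._expiry[number] > now
        hour = now.replace(minute=0, second=0, microsecond=0)
        self.session_log.append((hour, ok))  # aggregate only: no number, no IP
        return ok

    def retained_state(self) -> dict:
        """Everything that would be on disk if the store were seized."""
        return {"accounts": dict(self._expiry), "session_log": list(self.session_log)}


def run_demo():
    """Walk one account through creation, a failed pre-payment login, payment
    with constructed payer details, and a successful login; return what remains."""
    store = AccountStore()
    t0 = dt.datetime.fromisoformat("2023-04-20T15:30:00+00:00")
    acct = store.create_account(t0)
    before = store.authorize_session(acct, "198.51.100.7", t0)   # constructed IP
    paid = store.apply_payment(acct, 1, t0, {"name": "Alice Example", "card": "4111 (constructed)"})
    after = store.authorize_session(acct, "198.51.100.7", t0)
    state = store.retained_state()
    return {"account": acct, "before": before, "paid": paid, "after": after,
            "expiry": state["accounts"][acct].isoformat(), "dump": repr(state)}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The point of `retained_state` is the check a defender would actually run: after the payment clears and a session has been authorized, the dump contains the account number, a date, and an hourly counter, and nothing that names the payer or the client address.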
Re: (Score:2)
That is the way it should be.
Good info. Thanks!
Re: (Score:2)
You can buy prepaid Mullvad account time, like this: https://www.webhallen.com/se/p... [webhallen.com]
Re: (Score:2)
The article says that they don't keep account email addresses, each account is given a random ID. So if they don't retain anything after processing the payment, then they would literally have nothing. They don't have any way to initiate contact with any of their users and if a user loses their authentication information they just have to open a new account under a new random ID. Their billing processor probably has a lot of information that the police might be interested in, but they don't. There are se
Re: (Score:2)
Bribery (Score:3)
Well if you want the VPN company to turn coat and betray the customers, you either need to threaten them or bribe them. Then the VPN company can either: Stay in operation doing nothing, Stay in operation while secretly betraying the customers, or shut down. Then the question becomes whether threats or bribery is more likely to lead to getting the data you want from VPN company.
Not Buying It (Score:2)
How does the CEO not know what they were in search of? The warrant very specifically spells exactly that out. It would have very clearly stated exactly what type of data and for who, the police were after.
Re: (Score:3)
You assume that a Swedish warrant has to say what they're looking for. I used Google to translate a relevant text:
"Unlike a record of a seizure, the record of a house search will not include the decision to search the house itself, as these are drawn up on separate occasions.
In addition to the content of the decision, it must also be stated who made the decision and the time of this. A decision on the house search is of course drawn up before the measure has been taken. When a house search is concluded, a r
Re: (Score:2)
Mozilla VPN is a branded Mullvad (Score:3)
Fun things to know and tell: Mozilla VPN is a branded whitebox Mullvad.
They're lucky ... (Score:3)
Re:They're lucky ... (Score:5, Informative)
^ This.
In the US, it does not matter what you say when they show up with a warrant, they are going to take whatever they want. It goes like this:
1. Announce yourself, but break down the door as you finish that sentence.
2. Shoot the dog and anything else that moves.
3. Throw warrant papers at someone being pushed to the floor and cuffed.
4. Ransack the place, take what you want, break everything.
5. Oops, wrong address, our bad, Qualified Immunity!
Policing the US is completely broken.
Re: (Score:3)
I completely forgot...
6. Despite showing up at the wrong house, we are keeping the cash we found under your mattress as we believe without evidence the cash came from illegal activities, Civil forfeiture!
Re: (Score:3)
Or the Swedish police are way behind the times! I too was quite surprised that none of the usual American Police tactics occurred. They listened? They asked questions? They nodded and quietly left? Amazing, absolutely amazing.
Brainless Servers (Score:3)
I once built a computer system that needed to be easily sanitized after processing sensitive data. Nearly all the systems had no hard drive. Just a TFTP boot that downloaded the image from a single master node and ran the system off a RAM disk. The master node even had the drive mounted read only while in operation and we had a few of them so even if they took the drive we'd be back online in the time a reboot took. Once power dropped all data was lost. We debated even using a read-only DVD as the boot disk so there was no non-volatile storage in the entire system. Nothing to take and we were absolutely confident pulling the plug would sanitize the system.
Re: (Score:2)