[HN Gopher] We are removing the option to create new subscriptions ___________________________________________________________________ We are removing the option to create new subscriptions Author : mritzmann Score : 1009 points Date : 2022-06-20 13:27 UTC (9 hours ago) (HTM) web link (mullvad.net) (TXT) w3m dump (mullvad.net) | INTPenis wrote: | This is just like Mullvad to care about your privacy. | | But I think it's a bit overkill to completely remove the | subscription option. They could have accomplished the same | educating of end users with a simple recommendation or opt-out at | sign up. | | Still providing subscription for those users who find that most | convenient. | andrewmunsell wrote: | I've been using Mullvad ever since PIA was bought out. Never had | an issue with them (other than when I forget to top up and my VPN | connection dies :) ) with speed or reliability. I've always used | the top up functionality rather than a subscription, but it's | great to see how committed they are to reducing the attack | surface for the users that need the most privacy. | wyager wrote: | Earlier this year I was changing some firewall configs and my | torrent jail on my home server stopped working. I spent like an | hour debugging, only to realize that my 1-year mulvad | subscription had expired in the middle of messing with my | firewall. Oops! | | Mulvad is awesome and super fast. I reliably get in excess of | 300mbps while torrenting. | ascar wrote: | That's great news and they just got a huge boost in reputation | for me. Definitely the go to service if I need a good VPN again. | | Especially strong decision since this will certainly cost them a | lot of revenue and I don't think the boost in reputation will | counter that in the long run. | leaflets2 wrote: | I guess they'll notice after a month or a year | | What'll happen. I suppose there is a "middle" group of users | who want a VPN a bit but not super much, and long term now | might leave | | Anyway I like Mullvad's mindset | | Hi Mullvad, I hope you'll post a follow-up a year later :-) | | What if you, as part of the payment flow, included adding a | calendar reminder X months later | huslage wrote: | I, personally, care a large amount about convenience. I don't | want to think about bills at all. I've been a Mullvad subscriber | for years on a PayPal recurring payment. It works so well that I | don't even think about it. I just use it. | | Having to think about paying a bill every month is really a pain | to me. I get the privacy ideals, but the tradeoffs are not | ridiculous. I should be able to make a decision about how private | I want to be, not have Mullvad decide for me so that they can | feel better about themselves. | | I will probably move over to Mozilla VPN now, since they will | continue to rely on Mullvad for their infrastructure but allow me | to pay them in a convenient way. I guess compromises are in | order. | GekkePrutser wrote: | You don't have to pay every month. You can just pay them a lump | sum in advance. As far as I understand you can still do this | like before. | kbouck wrote: | > "Having to think about paying a bill every month" | | Others can correct me, but I believe each payment just adds a | month of time to your balance. So a number of months can be | added at once. | cmeacham98 wrote: | You can pre-pay an entire year at once as well. | flodcw wrote: | So just pay once for an entire year, if you use them often, or | the flat monthly rate, whenever you need. This doesn't sounds | too much of a hassle, especially considering the price. | dcow wrote: | Why are VPNs what people flock to when they think they want | privacy? Moreover they kinda break the internet so it's not a | scalable solution. It's cool to see a good one selling a privacy | message and doing it at level 11, but it seems kinda disingenuous | to me to tell users that they're more private because they use a | VPN. Private from your current ISP, sure, but not from Mullvad | (they're your new ISP, you're just moving the problem of who to | trust, not _acquiring privacy_ ) and especially not so much from | the service level tracking and collection of data which is | arguably the real problem short of being targeted by nation- | states. | | Also it seems all I need to do as an "attacker" is subpoena (or | whatever the Swedish equivalent is) Mullvad while your payment | record _is_ on file and I get the info I want. If Mullvad really | wanted to go hardcore why not only sell little top up cards cash- | only at kiosks? | | Now, choosing where you want your traffic to geographically | egress onto the public network does have marginal utility and | it's a perfectly sane feature for VPN providers to market and | consumers to pay for--VPNs aren't useless. It's just not | _privacy_. | | EDIT: add bit about how Mullvad is your new ISP to clarify the | point | GekkePrutser wrote: | It's just one of the many layers of good opsec of you care | about privacy. You shouldn't rely on this alone. | | And breaking the internet? I think centralisation by parties | like Amazon, Google, CloudFlare does that a lot more. | | And if you want you can even send them cash in an envelope. Or | monero or whatever. | dcow wrote: | I don't disagree that centralized services are also bad for | the internet, but that's not a rebuttal to my point (also, | what is a VPN service if not a "centralized ISP with | different egress options"). A VPN does not add a layer of | privacy. That's a misunderstanding of the concept and | unfortunately a popular one even among security folks and | even more-so among security marketing folks. A VPN allows you | to effectively choose a different ISP. You _are not private_ | from Mullvad. You just have their promise that they 're | better and more transparent than your alternatives and that | they won't sell your DNS queries and connection logs to | advertisers. It's not bad to align with an ISP that shares | your values, but it's not _privacy_ outright. | | > And if you want you can even send them cash in an envelope. | Or monero or whatever. | | So why not only allow payments in privacy perfect currency if | they're so concerned about privacy? | [deleted] | Yujf wrote: | > So why not only allow payments in privacy perfect | currency if they're so concerned about privacy? | | Because perfect is the enemy of good. Mulvad would lose | customers and that is not good for Mulvad, nor for the | customer. | dcow wrote: | Yet, here we are praising Mullvad for removing recurring | subscriptions which will certainly mean they lose some | predictable revenue and customers... | GekkePrutser wrote: | I agree that it's but a single tool in a complex mesh of | procedures to provide some privacy. | | But the reality is that it does work for a variety of | usecases. Try to torrent in Germany (of all places) and | you'll get blackmail letters from random lawyers. Do this | with a VPN and no problem. | | For this scenario it's the tool for the job. If you're an | insurgent trying to liberate Iran it's not. | | For general surfing privacy it doesn't add much value at | all because most of the identifying information is in the | session itself, not the IP. This is where the layered | approach comes in. | | But I definitely see a value in these services. | | And they do offer many anonymous payment options, but some | are heavily frowned upon in some regions (eg anonymous | crypto in India) and mailing bills is inconvenient and | risky. And I guess for some people it's worth the tradeoff. | dcow wrote: | Yeah I definitely _see value_ , don't get me wrong. I | think, slightly, that marketing privacy is the cheap shot | at best and kinda irresponsibly inaccurate at worst | because it glazes over so much of the actual problem. In | other words, if I start using Mullvad today I don't | incredibly become anonymous and private on the | internet... there's a lot more work to do to achieve that | posture. The way VPNs are touted though might lead you to | believe they keep you safe and private. | | Otherwise sounds like we mostly agree. | s__s wrote: | It's pretty simple. A VPN adds a layer of privacy between | you and the server you're accessing. You go from user A | with X home IP address originating from precise Y location, | to user A with generic shared IP originating from a vague | location likely nowhere near your real location. | | Beyond location, did you know there are services that can | sometimes accurately provide a users place of work based on | home IP? Their likely income level, and more. That becomes | impossible with a VPN. | | In short a VPN removes a key personal identifier that can | be used to ID you online. Your IP address. | dcow wrote: | But traditional ISPs reuse IP addresses too. You rarely | get a static IP from your ISP. Some even run carrier | grade NAT and you're literally sharing an IP with your | whole building or something. VPNs are not really | different in any regard. They do obfuscate location, I'll | give you that, and that's seems like the crux of the | issue with traditional ISPs: they are small and | distributed so people have created location maps. By | using a big centralized service you can obfuscate your | zip code. I'm all for people having that option, don't | get me wrong. Personally I'd rather see us pass strong | legislation that takes things a step further and | prohibits zip-code based profiling if that's considered | dangerous to society, or ya know solve the social problem | and create diverse zip codes in the first place so you | can't predict income based on it, rather than be fooled | into thinking that we can solve this problem by giving | everyone a VPN. It doesn't scale. | kadoban wrote: | > [...] it seems kinda disingenuous to me to tell users that | they're more private because they use a VPN. Private from your | ISP, sure [...] | | Bit of a contradiction there. It adds friction to at least some | attacks against your privacy. That's better privacy. | | Nothing will ever be perfect, and VPNs can easily be oversold | in terms of their benefits (especially since https became the | norm). But they have benefits in some common use-cases. | | > Also it seems all I need to do as an "attacker" is subpoena | (or whatever the Swedish equivalent is) Mullvad while your | payment record is on file and I get the info I want. If Mullvad | really wanted to go hardcore why not only sell little top up | cards cash-only at kiosks? | | They accept cash and at least some other privacy preserving | payment methods already. | dcow wrote: | > They accept cash and at least some other privacy preserving | payment methods already. | | So why even allow "traditional" KYC-ridden payments at all? | | > Bit of a contradiction there. It adds friction to at least | some attacks against your privacy. That's better privacy. | | The nuance is that you're just moving the problem. You're | _not_ private from Mullvad. You 're just trading one ISP for | a different one. I could have phrased it better in my initial | comment so as not to suggest a contradiction. Think of it | this way, if Mullvad _was_ your ISP, would you still tell | someone to get a VPN? You have to trust someone not to snoop | on your DNS queries and connections. All adding a VPN does is | give you more freedom to choose who to trust, which is not | bad in its own right. It 's just not technically privacy | manifest. | kadoban wrote: | > The nuance is that you're just moving the problem. You're | not private from Mullvad. You're just trading one ISP for a | different one. | | Another way of saying that is that you've gained a choice. | Most people have essentially one option for an ISP, but | _many_ for VPNs. | | > So why even allow "traditional" KYC-ridden payments at | all? | | To allow user choice. Many probably don't really care about | that aspect and just want to bypass region-locks. | [deleted] | Barrin92 wrote: | >Private from your current ISP, sure, but not from Mullvad | | being private from your local ISP is what 99% of people care | about because they use VPNs to send copyright infringement | claims to /dev/null and watch netflix, not to smuggle nuclear | secrets to Iran. It's privacy in a practical sense that's | useful to people. If I go from an untrustworthy ISP to a | trustworthy one I've gained privacy, there's no need to be | overly academic about the term. | dcow wrote: | I'm not really trying to be pedantic for giggles.. perhaps I | just think it's sad that 99% of ISPs are considered your | privacy enemy and on top of that I don't consider VPNs a | scalable solution to the problem at large so I'm more | entertaining the "why is this the de facto solution" question | in the "does it scale to society" solution space. It starts | to look more like a social problem/solution than a technology | problem/solution. That's more what this is about. If everyone | used a VPN we'd really be in the same scenario we are today | because to support that infrastructure you'd need exit nodes | in every city and boom there goes your location advantage. | Thorentis wrote: | I don't consider my ISP my privacy enemy when it comes to | paying my mortgage, or filling out my taxes. I do consider | my ISP my enemy when it comes to downloading Linux ISOs, | because the IP addresses issued by my ISP can be tied back | to a geo location and are known to be the "last leg" | address that would be targeted for infringement purposes. | CodeBeater wrote: | I'm curious, how does VPNs break the internet? The only angle I | can immediately see is the shortage of IPV4s. | dcow wrote: | They break the practical solutions to content distribution | and delivery that we've deployed. If everyone used a VPN, | CDNs and caching would be rendered ineffective. Generally, | VPN consumers use more bandwidth than necessary to acquire | the same content which does impact the network. | anderspitman wrote: | One primary benefit I see vs trusting ISPs is there's lots of | competition in the VPN space. | jacooper wrote: | Even though I use protonmail, I still bought Mullvad due to their | Linux app which has actual per-App split tunneling. | seibelj wrote: | FYI they take monero, the most private cryptocurrency. | pxeger1 wrote: | That's a pretty sweeping statement to make with no evidence. | heartbeats wrote: | Monero has the largest anonymity set of any cryptocurrency, | so the statement is true. | syzygyhack wrote: | It's not just about the anonymity set, there are more | factors than that. That said, I concur with the conclusion. | cmcconomy wrote: | there is irrefutable evidence that they take monero | ezfe wrote: | And we both know that wasn't the point of issue here - "the | most private cryptocurrency" was | freiherr wrote: | Tor -> buy mullvad for xmr -> use it for clearnet ip after Tor | Best for privacy, best for abuse. Arent there any problems like | captchas everywhere because the ip was overused? Or CP | distribution lawsuits towards mullvad? | syntaxing wrote: | Serious question, what are people using their VPN for? I used PIA | before the buyout then shifted to Windscribe but I don't think I | will renew after this year. I rarely use it and if I want | soemthing safe (like using public wifi), I use tailscale instead. | AtNightWeCode wrote: | These services will likely not be around in 5 years if things | continue as they do today. I work with clients who ban any ASN | that hosts these kinds of services. Not sure what Mullvad can do | to not become a new Tor or North Korea. At many companies they | already are. | | I am not for it. Just the way the lands lie right now. | colinsane wrote: | are your clients consumer ISPs? or are they like edge CDNs | doing www stuff? the impact on these VPN services would be | tremendously different in each case. | CodesInChaos wrote: | If they don't keep the link between accounts and payments, | doesn't that mean they can't revoke an account when a chargeback | happens? | cmeacham98 wrote: | Sure, but they can ban your payment method, and they care about | privacy enough to eat this (probably small) cost. | | Also, they do actually keep a link for 40 days, but it seems | like some card card networks allow chargebacks past that. | bombcar wrote: | > In order to provide refunds and the ability to recover lost | accounts we need to store some record of a payment, at least | for a short time. As soon as we do not need the data to enable | refunding a payment we scrub the record of anything that can | link the payment or the account to any personally identifiable | information kept by the payment processor (this could be your | bank, for example). | | So they hold your info and link for however long the chargeback | period is (or the average one, probably 30-60 days is fine) and | then lose it. | | If you're more worried about privacy than convenience they | offer other payment methods: | | Which payment methods do you accept? We accept cash, Bitcoin, | Bitcoin Cash, Monero, bank wire, credit card, PayPal, Swish, | Giropay, Eps transfer, Bancontact, iDEAL, and Przelewy24. | | https://mullvad.net/en/pricing/ | | And you can pay for a decade in advance. | | (What is Pretzel24 I wonder?) | zulln wrote: | Selecting Pretzel24 as payment method redirects to | https://go.przelewy24.pl/ where in turn you choose between | different banks. I guess it is a Polish service for direct | bank payments? | jwilk wrote: | Wait, does it actually say "Pretzel" somewere, or did you | both misspell it? | | "przelewy" means "wire transfers" in Polish: | https://en.wiktionary.org/wiki/przelew Nothing to do with | pretzels. :) | bombcar wrote: | I misread it as Pretzel the first time and couldn't | resist, especially after clicking the page gave me a 'NOT | FOUND' error. I assumed it was some sort of payment | system. | dustractor wrote: | Heck of a convincing advertisement, even if it's not meant to be | one. | tr1ll10nb1ll wrote: | I tried Mulvad, I love their outlook on privacy. However, maybe | this is just my experience but the speed I was getting with | Mulvad was slow, for some reason. Much slower than my regular | ~200 mbps connection. Had to switch back to Nord (would not | recommend it, though) again. | jacooper wrote: | I use mullvad and haven't had this issue, but the try | ProtonVPN, which has many more servers with faster connections | too. | | Its almost the same in terms of privacy protections. | sph wrote: | I can max out my 330 Mb connection with them, and latency is | pretty good. I'm in Europe and I use a couple different | countries as exit. | hunter2_ wrote: | For customers who don't go to great length to protect their own | privacy when paying (i.e., all subscribers, I assume) Mullvad | should persuade them to replace their subscription with the "bill | pay" feature of most checking accounts -- maybe even offer | tutorials for common banks. I'm not an expert in the implications | of a subpoena and if banks get involved, but it seems like it | would at least be a way to keep the revenue stream nearly as | healthy (recurring automatically) while also meeting their goal | of not maintaining subscription data. | usr1106 wrote: | Banking is highly national. It does not even work very | uniformily in SEPA (Single European Payment Area). Of course | there are mandatory SEPA features that every bank in every | country must support. But there are other national features | which are used in some countries by practically all businesses | basically making everything incompatible again. | | And of course there are many countries completely outside of | SEPA. | hunter2_ wrote: | I'm in the US and I'm not familiar with banking elsewhere, | but the "bill pay" feature I'm talking about will try some | electronic system first, and if the recipient doesn't support | it, the bank simply mails a check. The recipient could be as | small/offline as any person at a residential address. I | assume writing a check and mailing it is a fairly typical | thing everywhere, and having the bank do this on a repeating | schedule doesn't seem like a huge hurdle, but I could be | wrong. | AnssiH wrote: | > I assume writing a check and mailing it is a fairly | typical thing everywhere | | It absolutely is not. The only time I've seen a check was a | gift from my grandfather in the 00s, and I don't think | paying bills by mailing checks was ever a thing here. | | Checks also often become very difficult and expensive to | cash when going cross-border. E.g. most banks here | (Finland) refuse to cash foreign checks altogether. | brewdad wrote: | It is my understanding that checks are pretty much only | used regularly in the US at this point. Elsewhere, they are | reserved only for special cases outside the norm. | causality0 wrote: | Have Mullvad's privacy guarantees been tested by subpoena? | tacker2000 wrote: | They are based in Sweden, which could be an issue since they | are part of the 14-eyes alliance. | | https://www.cnet.com/tech/services-and-software/mullvad-revi... | INTPenis wrote: | Yeah I think that's why they're trying to minimize the amount | of data they have on store, because they know that a repeat | of the TPB raid can happen any time. | | If the Swedish courts find sufficient reason to do so, they | will go in without warning and seize what they feel like. | jacooper wrote: | Not a subporna, but a third party auditor. | mjmsmith wrote: | https://github.com/mullvad/mullvadvpn-app/tree/master/audits | znpy wrote: | This does not apply. They're european, a subpoena from the us | government wouldn't have any effect on them. | stjohnswarts wrote: | that's not true, the USA has agreements to exchange | information on citizens with the vast majority of European | countries. While a local yokel might have a rough time, the | federal government would only have to put in a request and | wait a while. The only cost is the effort to file for it. | bragr wrote: | Europe has courts, subpoenas, warrants, police, and all that | too so I don't see how that affects the question? The US as | mutual legal aid treaties with most European countries as | well. | wfhordie wrote: | If your threat model includes nation state intervention, a 5 | Euro VPN isn't going to help you. In fact, no VPN is going to | help you. The best you can get is probably Tor + Tails, but | even then you better be looking over your shoulder. | causality0 wrote: | That is true but not relevant to my question of whether | Mullvad's data retention policies have been tested in court. | One uses a commercial VPN to pirate HBO, not dodge the | alphabet boys. | spupe wrote: | That's not necessarily true. A lot of state surveillance | comes through having backdoor or legal access to lots of | services. Many VPNs have been tested in court on whether they | actually have information on you to disclose, and some even | have independent audits to verify that such information is | not even kept. | wfhordie wrote: | At best, you can hope to make surveilling you more | expensive or more inconvenient. But if Snowden taught us | anything, it's that whatever you needed to do to get | yourself tangled up in the 5/14 eyes trip-wire, you've | already done, long ago, and continue to do. | | VPNs don't mean shit. You're leaking data everywhere you | go. Browser fingerprinting, WiFi/BT signals, cell tower | signals, GPS. If you own a smart phone and a credit card | you're already fucked. | | Let's not confuse things for people by making them think if | they plop a 5 Euro VPN between them and their yahoo! email | account that this does anything at all to deter state level | actors. | | VPNs are good for a few things: | | (1) Evading state-sponsored censorship (which uses | technology minted in good old Silicon Valley) -- where the | state doesn't really care unless you're really bothering | them | | (2) Marginally disrupting the pan-opticon that is | surveillance capitalism by mixing the signals a bit, where | your ISP can't sell you out to data brokers. But even | then... DNS leaks, etc still happen and still fuck with the | plan. | | (3) Maybe not getting scooped up as badly in the state | dragnet, and maybe not being accused of something you | actually didn't have anything to do with. | | But brother, if you think you're gonna be the next Ross | Ulbrich with your Mullvad VPN, then you better be | memorizing your recipe for toilet wine because you're gonna | land in a fed pen. | spupe wrote: | Mate, I don't know if you realize this, but most people | here just want to hide due to minor privacy concerns, not | a plan to overthrow the government or some shit. Of | course if the FBI is after you, no, Mullvad won't protect | you. But in the more realistic scenario that Disney might | be after you, would Mullvad be a liability or not, that | is the question. | k8sToGo wrote: | or be in a state that is not an ally. | GekkePrutser wrote: | Really good initiative, they clearly care about privacy. Most | companies are going out of their way to introduce autorenewing | subscriptions. | | But here they make privacy more important than pleasing the | investors. Kudos. Glad I'm a customer. | mrshadowgoose wrote: | My paranoid interpretation of this is that they have already | been, or are expecting to be served with some kind of order | compelling them to silently hand over billing information. | | I will admit that I know absolutely nothing of the Swedish legal | system. | 1vuio0pswjnm7 wrote: | Another paranoid interpretation is that they may forsee going | out of business in the near term and fewer subscriptions means | fewer potential refunds. | shafyy wrote: | This is a great idea! In practice, how would you go about this | e.g. if you're using Stripe? After a few weeks, delete the | customer information in Stripe? | stjohnswarts wrote: | Mullvad deletes all transactions as soon as they are allowed by | law/contract with pay agent. That's 45 days for some things and | 60 for others I believe. They have more details on their site. | This assumes you trust them to shred that info though. They | also supposedly don't keep ip logs, but I assume their ISP | does, so I guess that's of limited value. | jaywalk wrote: | Why would it matter if their ISP keeps IP logs? Those logs | would not be able to link an IP address to anything of value. | stjohnswarts wrote: | sometime just having meta info is enough for 3LA orgs. They | would know the user is using mullvad services as the most | obvious which is enough to get you multiple year sentences | in some repressive countries. | Bilal_io wrote: | That's a very good question. I wonder why companies don't push | hard to disallow third-party services from storing their | customers' data. I had this issue as an employe. My employer | used a third-party service for onboarding. This service had a | breach and my data (including my SSN) was leaked. I've been | begging my employer (one reason I wish I lived in California) | to take action and have them remove my data, because another | breach is inevitable. They've finally sent a request to delete | all employees' data. Now I am waiting. | shafyy wrote: | If you accept payment, it's very hard not to relay _some_ | information to a third party, except if you build your own | payment provider service... But I 'd love to see Stripe make | more effort here and e.g. start allowing EU hosting for EU | customers and so on. | Bilal_io wrote: | I don't mind sending data to the service, but the moment | the information is no longer needed, we should have the | expectation that you delete the data. | londons_explore wrote: | Even if you delete it in Stripe, I very much doubt that stripe | or the credit card providers will be deleting the data. | | Someone will know that Mr Smith has a mulvad VPN subscription. | They just won't know his username on the service. | shafyy wrote: | Probably true. So, how does Mullvad handle this? | jeromegv wrote: | Handle what? Of course someone can go to Stripe and get | that info, but as OP just said, they won't be able to tie | it to a specific VPN account as that link is now broken. | | They also mentioned it's about less data, not about zero | data. The moment you use a credit card, of course it's | stored in a bunch of places. But this won't be stored with | them. | acallaghan wrote: | I suspect a temporary ID that links the two that lives for | just the time of the Payment Request and transmitted as | metadata? Once the payment is successful, it removes the ID | linking the payment to the account ID & severs the link - | just the account has the credit | ignoramous wrote: | I've done something similar to disassociate customer-ids | from their logs. | | See also: https://en.wikipedia.org/wiki/Tokenization_(dat | a_security) and https://en.wikipedia.org/wiki/Crypto- | shredding | pilgrimfff wrote: | I was so worried they were winding down or something. I really | love Mullvad and would hate to have to find a new VPN. | | This decision makes me like them even more. | generalizations wrote: | They took payment in BTC back when it was several orders of | magnitude less valuable. They can probably run the company | indefinitely off their crypto savings. | cmeacham98 wrote: | They almost certainly are converting the vast majority of | their crypto back to fiat money to pay their bills and | employees. | | Given the relative volatility I'd be surprised if they have | any meaningful long term holding of cryptocurrency. | Arubis wrote: | My only concern with Mullvad is that, as their profile and | reputation increase, they become a bigger target. That's mostly a | vote of confidence, though the concern is a real one. | INTPenis wrote: | But what is also great about Mullvad is that they're actively | working to make their remote and local security better. They're | involved in the stboot[1] project for example. | | 1. https://mullvad.net/en/blog/2022/1/12/diskless- | infrastructur... | kvathupo wrote: | Perhaps a Swede can chime in, but I'd imagine Sweden has a lax | regulatory approach, e.g. compare the fates of PRQ and | Megaupload. It's, admittedly inexplicably, concerning that | we've driven people to foreign companies (from American ones) | due to government surveillance. It begs the question: under | what conditions would a consumer be fine ceding privacy? | Transparency? Remuneration? | htgb wrote: | Not really. See the trial against the founders of The Pirate | Bay for example, and the controversies surrounding it. Also, | the FRA surveillance. Also, according to the ISP Bahnhof, the | police at least used to submit lots of data requests without | a court order and for non-serious crimes. | | AIUI, Bahnhof and other VPN providers stay in the clear by | avoiding storage of data in the first place. They can be | compelled to hand over any data they have, but not to log any | additional data. (ISPs etc are forced to log more data IIRC.) | | At least there's nothing like the Australian laws for forcing | and gagging developers. | nichch wrote: | Could you elaborate on the Australian laws? | xipho wrote: | Is it me (likely), or are a huge range of comments here exactly | what you'd expect from a company anticipating blow-back based on | their changes? I mean it could really be that good, but this | feels a little _too_ clean. I.e. are there shill posters here? I | suppose someone could look at all the users who posted, get their | karma, and created on dates, and build some estimation | calculation. Probably could be greatly improved by adding factor | such as wether the user has posted recently in other threads, | whether potential shills are responding to parent shills, etc. | Arms race ... | sixhobbits wrote: | "Please don't post insinuations about astroturfing, shilling, | bots, brigading, foreign agents and the like. It degrades | discussion and is usually mistaken. If you're worried about | abuse, email hn@ycombinator.com and we'll look at the data." | xipho wrote: | A completely rational guideline. My mistake, apologies. | arein3 wrote: | If I'll ever use a VPN I will check out mullvad, this kind of | attitude is almost non existent now | dijonman2 wrote: | I think Firefox resells a custom Mullvad product, which I would | probably use. I just don't have a need for security at this | layer. | einpoklum wrote: | So, I don't quite get it. They supposedly accept one-time | payments, but their pricing page only shows recurring periodic | payments. What gives? | jacooper wrote: | There is no automatic recurring payment, its 5EUR per month, | you can pay it in one go for a specific period, or monthly | manually. | gspr wrote: | I love those guys. I really wanna start using them, but there's | one missing feature for me: currently, I can mail them a few | hundred euros, and get a number of years of service. That's | great. But currently you only get one _block_ of service. I 'd | very much like to be able to _pause_ my credit. | | Now, I totally understand that letting people pause with super | fine temporal resolution would crush their business model. I'm | not asking for that. But I would like to buy say 30 months of | service, flick a switch draining say one month of my credit (and | having the service for a month), then pausing again. | wdb wrote: | I can't renew my plan. As I forgot my account number :( | jacooper wrote: | Its listed in the app. | fady wrote: | Been a mullvad user for more than 4 years and love it. Thanks | guys and keep up the good work. | LtdJorge wrote: | When I tried it, they didn't have an iPad app, but it was fine | because they give you the configuration and I plugged it into the | OpenVPN app. | maxxam wrote: | They have an iPad app now. Makes it easier to switch server but | aside of that, no major advantage over WireGuard app. I use | WireGuard app since it can auto connect on wifi or cellular. | toma_caliente wrote: | Wonder how this affects MozillaVPN subscriptions. | rlv-dan wrote: | Would it be possible to store subscription data without actually | linking it to the account that is affected? Sort of like a one | way encryption. | londons_explore wrote: | When the subscription was cancelled, you would have no way to | know which account to disable. | | Perhaps a better model is the client stores the necessary data, | and presents it when trying to connect? | bombcar wrote: | You'd have to have some form of connection, but it might be | possible to design it in such a way that it could be plausibly | denied. Holomorphic? | | All the ways I come up with (giving out keys) have the problem | of how do you renew the key, and how do you cancel it, without | knowing which is which. | heartbeats wrote: | Couldn't you give them short-lasting keys, that they can use | to sign session keys? | | e.g. | | 1. Connect to Mullvad over Tor, authenticate with real-world | user ID | | 2. Use this to sign a blinded token | | 3. Use this to connect to Mullvad anonymously after some | delay | | The first run would be kind of dodgy, but after that you | could get new session keys on a fixed schedule and switch | them out at a random interval. | | If they see that user A authenticates and 10 minutes later, | key A comes online, that can be traced, but if you then wait | a week, authorize key B, and then wait a few more days to | start using it, you should be good. | | In practice, this has way too many issues to work in | practice. It still requires you to trust them not to e.g. log | IPs and correlate it that way, so it's all just snake oil. | jaywalk wrote: | It seems like you're trying to solve a totally different | problem that doesn't exist. If you have a subscription, | that means Mullvad _must_ store information that ties your | account to the subscription payment processor. That is the | information they don 't want to store anymore, because they | want their users to be anonymous. Their system is already | setup so that users can't be correlated with VPN activity. | dredmorbius wrote: | At that point the question becomes one of search space and what | real-world data that information ties to. | | If Eve can determine the basis for which an account is | identified, and there is a small number of subscriptions,[1] | then the namespace may be exhaustively searched. | | Mind that _even if the resulting hash space is large_ , if the | _key_ space is small, the search is tractable. Just look for a | resulting valid hash. | | Even if a payment is required, if $0.01 is accepted, the cost | for testing 1 million keys is $10,000. For a sufficiently high- | value target, potentially reasonable. More so if you can create | your own money. | | ________________________________ | | Notes: | | 1. For computers, any value < 10 billion is arguably small, and | quite possibly somewhat larger than that. The present human | population is < 10 billion. The Mulvad subscription list is all | but certainly <<<10 billion, where '<<<' -> "very much smaller | than". | 2OEH8eoCRo0 wrote: | Mullvad is awesome from top to bottom. From strict adherence to | their values to the apps that they make and the service that they | provide. I've been an extremely happy customer for years. Keep up | the good work! | smoovb wrote: | I tried Mullvad for a year and loved the approach and onboarding. | Sadly the connectivity issues and mobile app don't measure up to | what I was used to with NordVPN. | | Not sure why a savvy someone would use a subscription with a VPN, | so not sure what the news is here. | toss1 wrote: | Awesome - someone in real life treating user-identifying data as | the toxic brew that it is!! | | Refreshing and definitely a good reason to switch. | seanw444 wrote: | Been using Mullvad for a year, give or take, and I'm very happy. | Zero care to find another VPN provider. Simple, fast, and | anonymous sign-up. The apps function perfectly. Never experienced | a bug in the Android or Linux apps. And the Wireguard profiles | work perfectly. Connections are fast and not throttled (IME). And | the UI of the website and apps is minimal and to-the-point. | | I hope Mullvad keeps on its current course. It's one of the most | respectable companies right now, with a respectable product, and | its one of the few I care to pay for on a consistent basis. | stjohnswarts wrote: | The only issue I have is on my phone. Whenever I leave my home | wifi, it gets slow as hell and I have to do a reconnect to get | to a new server. Usually the reconnect speeds things up a LOT. | kombucha13 wrote: | Very interesting. Mullvad seems to be the most extreme and | reputable VPN service out there when it comes to privacy. At | least it seems that way. | criddell wrote: | A VPN will hide you from your ISP, but that's about it, isn't | it? Does a VPN really provide that much real privacy? | kombucha13 wrote: | I mean a properly configured VPN can do a lot more Then hide | you from your ISP | dymk wrote: | Like what? Now you're just using their ISP. | advisedwang wrote: | Most allow you to chose where the VPN exit is located, so | you can have traffic originating in another country. | dcow wrote: | This is a nice feature and paying for it is a perfectly | sane thing to do if you need the utility. It's not | exactly _privacy_ , though. | 5e92cb50239222b wrote: | Some of us have really crappy ISPs (that also happen to | be monopolists) that do things like HTTPS MITM (when they | try to force you to install their root CA certificate and | HTTPS simply doesn't work unless you do it), block DNS | requests unless you use their DNS servers, or store all | your traffic (this is being done in Russia, but it's | close enough). I very much prefer to cover the precise | details of my communications from my ISP and 'outsource' | that stuff to Europe. | oaiey wrote: | I hope you go for a spying incompetent country in Europe | :). Especially one which is not partnered with the US .. | like the UK and others. | yjftsjthsd-h wrote: | It also stops sites you visit from seeing your real IP. | stjohnswarts wrote: | Sure but with fingerprinting that's only a minor nuisance | to most advertisers and sites who are tracking you. | oaiey wrote: | But the cast majority of users will not care about | fingerprinting by surveillance industry but about | illegally Dow loading stuff. And there, VPNs are quite | comfy. | pridkett wrote: | The newest version of Firefox goes a long way to prevent | this with Total Cookie Protection[0]. You're basically | left with fingerprinting as all cookies are site specific | - even third party cookies. Combine that with with a DNS | that does cname uncloaking like NextDNS and noscript and | you're about as good as you can get without extreme | measures. | | [0]: | https://blog.mozilla.org/en/products/firefox/firefox- | rolls-o... | Pakdef wrote: | ezfe wrote: | Well, yes and no. For most people, they're over-rated. You | don't even need a VPN to securely pay your credit card bill | on public Wi-Fi. | | However, there are two cases where they are useful: - IP | address hiding (something like iCloud Private Relay for | iOS/Mac users does this at the browser level, VPN brings it | to the entire system) - Legal protections - Location | simulation | | If you want to hide your IP address, this could be to stay | more anonymous and less trackable, any system that relays | your connection is fine. | | If you want to break the law, you'll need something that has | safeguards in place against that. Most VPNs do the most they | can within the legal limits here. | | If you want to simulate your location, you'll need a VPN with | servers in those locations. | | --- | | So really, it just depends on what "real privacy" means to | you. | 5e92cb50239222b wrote: | You forgot the most important use case, unless you're | talking about Europeans and USians only. I use a VPN simply | because half the internet doesn't work without it (some guy | in a suit decided what you can and cannot read, and there's | nothing you can do about it). | | Free tiers provided by various "cloud" services work fine | for this one (Oracle is the most generous among them). | ezfe wrote: | "If you want to simulate your location, you'll need a VPN | with servers in those locations." | | While I did omit that justification, it is still just | simulating location. | Anunayj wrote: | and let me access sites blocked by my country/ISP! | stjohnswarts wrote: | Hiding your activity from your ISP is a Huge Deal in the USA. | Can't speak to other countries though. | Linda703 wrote: | mbg117 wrote: | I use this style of writing often, in conjunction with markdown | documents. | | Also, I find that using bullet points helps to visualize the | sentences better, especially when used hierarchically. | peddamat wrote: | You might be interested in logseq, a bullet-oriented MD editor: | https://logseq.com/ | 333c wrote: | Did you mean to post in | https://news.ycombinator.com/item?id=31808093 ? | pridkett wrote: | Thankfully, they still support my favorite way to pay: dropping | an envelope filled with various cash currencies and your account | number on a slip of paper in a mailbox at a random airport. | _fat_santa wrote: | Highly commendable position. Mullvad is leaving a ton of money on | the table by doing this, but in the sea of shady VPN providers, | having a provider do something proactive like this makes me want | to switch. | potency wrote: | Who are you using now? | iKlsR wrote: | Been using PIA for the past few years. Tried Proton but this | looks really good and having the entire thread sending +1s is | major. Will def give it a try. | nzgrover wrote: | re PIA, have you seen this? | https://restoreprivacy.com/kape-technologies-owns- | expressvpn... | WithinReason wrote: | What's wrong with Proton? | spacephysics wrote: | The few times where removing 'features' (re: privacy holes) is | good news | cersa8 wrote: | I like this a lot even though my primary reason is unexpected | subscription renewal. I started a membership site and tried to | use every single thing I would want as a customer. One of the | things was a reminder that my yearly membership was about to | expire, and by doing nothing this would indeed happen. No | automatic renewal (but keeping the account in an inactive state). | Confident customers can renew for 3 years with a discount, but | nothing will automatically renew. Turns out, customers love this | attitude and happily renew when it's time. | tailspin2019 wrote: | This is a nice approach. Have you considered giving customers | the option to turn on automatic renewal? | | There are certain specific things that I would want always to | auto renew (like domain names, hosting related stuff etc) | | If I ever get round to building a subscription SaaS I might | consider "off by default" auto-renewal and leave it to | customers to turn it on if want it... though this does add a | bit of complexity I guess. | cersa8 wrote: | Have considered and have been told many times this is costing | me revenue (which I think might be true). But I've never had | a customer ask for it. Which is an important signal for me to | consider a feature. Online payments are very easy for my | target audience (mostly Dutch retail customers) with iDEAL so | the benefits of automatic renewal is low. | shanecleveland wrote: | I use Stripe to manage payments for a subscription site with | both monthly and annual options. I have renewal reminders | turned off, because it seems like overkill for a monthly | renewal - no option to only have it on for yearly plans. I | worried about issues with yearly renewals, so I set up my own | service to send a renewal reminder for yearly subscribers. I | would rather have more customers not renew on friendly terms | than deal with surprise charges. And I figure it may prompt | some to check and update payment methods or spur them back into | actively using the service more. | zdkl wrote: | In some circles that'll count against you if you try to sell | the product/company. Investors are interested in recurring | revenue and will value it very differently than your loose- | relation clients. Not saying it's a thing you should always do, | but worth keeping in mind. | kalleboo wrote: | Right, if your product is your company, this is the wrong | attitude. But if you product is your product, then it's | fantastic. | Trias11 wrote: | Kudos! | rglover wrote: | Wow. | | Hadn't heard of Mullvad before reading this, figured I'd give it | a try. That is hands down the BEST onboarding experience for an | app (let alone a VPN) I've had in I don't know how long. Took me | maybe 2 minutes to go from no account to a working VPN | connection. | | I love that everything is anonymous (down to the account | credentials just being a randomly generated token). | detritus wrote: | I signed up to Mullvad - my first VPN - literally about 12 | hours ago, purely because of how simple, yet comprehensively- | explained, their 'onboarding' process was. | | I also particularly like the flat no-fuss EUR5 a month fee. | sdfhdhjdw3 wrote: | > Hadn't heard of Mullvad before reading this | | Just the only vpn with any integrity left remaining, no biggie. | UberFly wrote: | Your blanket statement isn't true. OVPN for instance has gone | to court to protect its data: | https://www.ovpn.com/en/blog/ovpn-wins-court-order | | They are a very good alternative among others. | knorker wrote: | What about ovpn.com? | SV_BubbleTime wrote: | Absolutely no way to know they are good and other is bad. The | entire VPN industry is "trust us bro". Which works until it | doesn't. | whatever1 wrote: | That is the entire tech industry. No audits, no | repercussions for screw ups. | slavak wrote: | Would a 3rd party audit work? | | https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy- | leak... | hihihihi1234 wrote: | Why do the other popular VPNs not have any integrity left? | nijave wrote: | A lot of them have been gobbled up by Kape or otherwise | proven to keep logs/data when they claim they don't | https://restoreprivacy.com/kape-technologies-owns- | expressvpn... | blakewatson wrote: | Oh man I thought Private Internet Access was still one of | the independent VPNs. I feel duped. :/ | Icathian wrote: | They got bought sometime last year. I was a very happy | customer until that announcement. | hprotagonist wrote: | and then freenode had a hard fork! weird week. | cyanydeez wrote: | Seems more like a reaction to inflation. | mechanical_bear wrote: | Protonvpn? | [deleted] | f1refly wrote: | That's just mullvad with a different name | Tmpod wrote: | I believe that would be Firefox/Mozilla VPN | sph wrote: | Of all their features, I love that they have an Android TV app | so I can watch F1TV on my couch. They're worth more than the 5 | euros I give them per month. | ignoramous wrote: | Aren't OTT streaming services notorious for blocking VPN IP | ranges? How is Mullvad getting around those? Surely, they | don't buy / lease / steal residential IP addresses [0]? | | [0] https://news.ycombinator.com/item?id=9614993 | simias wrote: | I also like that they let you download the raw wireguard config | files so that you can connect without having to use their | client. You can just plop them onto your filesystem and use wg- | quick to get going. | | Since I'm also a ProtonMail user and I considered switching to | them for VPN as well but their python client doesn't seem to | work correctly on my Arch Linux install and it doesn't give me | anything useful to debug it beyond "An unknown error has | occured" so I couldn't be bothered to investigate beyond that. | lukvol wrote: | I think you can also get the raw wireguard config files for | ProtonVPN: https://protonvpn.com/support/wireguard- | configurations/ | simias wrote: | I did not know that! Thanks a lot. I'll definitely give it | another try. | clairity wrote: | i just set it up to try it out (on macOS): created a free | config on the proton dashboard, downloaded it, stuck it in | the wireguard client, and it worked (without downloading | their vpn client app). make sure your firewall isn't | blocking the traffic though (something that caught me at | first). | citilife wrote: | Been using protonmail on arch for years, you have to setup | the configs a tad more manually and do some editing (I forget | now); definitely doable and protonmail lets you download the | configs (which work out of the box depending what you use). | banana_giraffe wrote: | Be aware, at least Nord clearly does something different with | their client than with the OpenVPN files they provide ( | https://news.ycombinator.com/item?id=21664692 ). When I dug | into this, I found similar cases with other major VPN | providers, but my notes are sufficiently out of date, they | shouldn't be trusted anymore. | | Sometimes the differences are subtle, sometimes they're | rather complex like this case. Personally, sketchy stuff like | this is why I've moved all of my VPN use to a personal cloud | instance running WireGuard. | rafale wrote: | What cloud do you use? A lot of websites will flag any AWS | or data center IP as a bot. | banana_giraffe wrote: | So, I do have two VPN servers running, one on my home | connection, and one on AWS, for just the reason you | state. | | That said, I got back from a week long trip a few weeks | ago. I kept my AWS tunnel up the entire trip. For the set | of websites I visit for personal and work reasons, it was | never an issue. I'm sure I could find some website that | doesn't work, but for me, it's just not a problem. | | It's also super useful, since I can whitelist my AWS | instance's IP on services that demand such things, and | never have to worry about where I am as I move from | network to network. I've also reserved the Elastic IP so | I can stop/terminate my server when I want without | needing to whitelist the IP again when I spin it back up | runnerup wrote: | I use whatbox.ca as my global/universal VPN. So far I | haven't seen any issues. It works in places where most | VPNs are banned or heavily throttled (like Saudi/Abu | Dhabi/Qatar, my workplace, AT&T cellular data, etc) | Pakdef wrote: | herbst wrote: | Crazy thing is, it was just as great already many years ago. | And yet people fall for absolutely weird fake privacy vpn | offers. | DrewADesign wrote: | I've been a mullvad user for the past couple of years. I only | occasionally use them for privacy on open wifi networks or | whatever, but the experience so far has generally been | excellent. I initially used the official Wireguard iOS app to | connect, but their iOS native app is freaking excellent. WAY | more reliable and user friendly than the others I've used-- | ExpressVPN and some other. It's been quite some time since I | used the other ones, however, and they may have equally good | branded clients by now. | misterdee wrote: | I can wholeheartedly recommend them after using their service | the past few months. They offer Linux configs with wireguard (a | sore point with other VPN providers, who tend to either not | support Linux at all or only offer openvpn), their Android App | has worked flawless and it's just 5E/month. | GekkePrutser wrote: | Yes and they even make double hopping easy. Many other VPNs | don't like this, presumably because they have to eat 3 times | the traffic. | HEHENE wrote: | Mullvad has been tremendous and the ease of use is terrific. I | use a VPN relatively infrequently, sometimes going months | without turning it on, so the one-time payments have been | wonderful. The app is simple to use, and it's so, so easy to | reactivate for a month when I need it. | | I can't speak to their privacy as my VPN usecase is usually | just "I need an IP in another region," but to the best of my | understanding they are one of if not the best in the business. | Cyph0n wrote: | As an additional data point, I've been using Mullvad as a | long-running VPN for a while now (hint: Linux ISOs) and it | has been working like a charm. | anonporridge wrote: | You can also easily pay with better anonymity with the Strike | app, https://strike.me, which abstracts bitcoin mainnet and | lightning network payments behind USD, so you don't have to | worry about actually holding bitcoin or managing tax | implications. You just use bitcoin as a globally agnostic | payment rail, masked with your local fiat, so the price | volatility doesn't affect you. | | Mullvad even gives you a 10% discount for bitcoin, bitcoin | cash, and monero payments. | | I am a bit disappointed that they haven't yet integrated | bitcoin lightning network. That would be a huge improvement for | reduced transaction fees given the low value of transactions | they deal with, as well as instant confirmation rather than 6 | block (~1 hour) confirmations. You could even theoretically | stream nanopayments for each minute of use with lightning, | rather than pay for a whole month. | mderazon wrote: | "Global payments for the internet" | | I was intrigued... | | Then | | "currently the Strike app is only available in the United | States*, El Salvador, and Argentina" | alexchamberlain wrote: | It's the "World" Series of Internet payments. | malfist wrote: | Mullvard is behind the mozilla vpn. They're crazy good about | privacy. You can mail them cash with account info and they'll | set you up. | kadoban wrote: | Mullvad accepts cash as well. In what way are they behind? | 7ewis wrote: | As in they power Mozilla's VPN: | | https://mullvad.net/en/blog/2019/12/3/mullvad- | partnerships-p... | kzrdude wrote: | Mullvad is the service provider, Moz just resells their | service | JonyEpsilon wrote: | Behind in the "controlling or responsible for (an event or | plan)" sense was meant, perhaps? | palata wrote: | Misunderstanding. The Mozilla VPN is Mullvad (rebranded). | kadoban wrote: | Ohhh, I see. I did not know that, thanks. | encryptluks2 wrote: | Great benefit. I also recommend to find a reputable masked card | service provider if you plan to use a credit/debit card. Autopay | is just another way for banks and providers to circumvent | overdraft protection legislation and hopefully new legislation | will remove any "perks" that providers offer for autopay | services. | capableweb wrote: | No need, just send them cash in an envelope, which works just | as well. | | I wish more services supported this, but I understand it adds a | lot of hassle for them as well. | TomGullen wrote: | How do they handle VAT via cash in an envelope? Do you need | to provide a billing address? | hedora wrote: | Why would you need to provide a billing address?!? It's | cash, and they don't generate bills anymore. | tzs wrote: | In the EU VAT for online products and services is based | on the buyer's location not the seller's location. They | need to know something about where the buying is to | determine the VAT rate and where to send the collected | VAT. | | I don't know what the rules are for sellers that are | inside the EU, but if they are at all like the rules for | sellers outside the EU selling to buyers in the EU they | are required to collect two pieces of evidence that | support their determination of which country's VAT to | collect. | | Where I work we use the country the person claims they | are in from the country drop down on our cart and what | country MaxMind says their IP address is from. This works | most of the time. If those don't match we look up the | first 6 digits of their credit card to see what bank | issued it and see what country that bank is in, and if | that matches either their selected country or the IP | country we go with that. If the bank is in a third | country, we look at their email address and if that is at | a service that is mostly just serving one of the three | countries we go with that. | | How would a company that accepts cash and keeps very | minimal customer information deal with this? | cmeacham98 wrote: | Mullvad's advertised pricing already includes VAT is my | understanding. | wasmitnetzen wrote: | They still have to pay different VAT rates to the buyer's | country, even if that is transparent to the customer. | nunez wrote: | Blur (dnt.abine.com) and Privacy provide fantastic masked card | services. | zahma wrote: | Is there such a thing as a truly private "masked card service?" | I'm genuinely curious because I use virtual cards supplied by | my online bank, but I'm sure they retain records for each | virtual card I use. Are there services that do not record this | information? | encryptluks2 wrote: | Good question. I doubt any of them are truly private but I | think it at least adds a layer of privacy and security from | the service provider, but as with most things it probably | won't protect you from a court order. | zahma wrote: | The only real masked card I can think of would be a gift | card paid for in cash. Tedious as it is, that seems like | the only way to use a debit card privately, and I think | some of those are rejected by online pay platforms. | danachow wrote: | > Is there such a thing as a truly private "masked card | service?" | | No - there's no way to support all the anti fraud mechanisms | of the major credit card networks without a thorough paper | trail. Masked card services help prevent unwanted charges and | inconvenience for the customer - they may give a fleeting | layer of privacy between the consumer and the merchant but | nothing more than that. | azalemeth wrote: | I would love to know if there are any of these in the EU - US | friends of mine have mentioned privacy.com but I am unaware of | a similar service in the UK. | pacifika wrote: | which is it, EU or UK? | Dracophoenix wrote: | Privacy.com abides by KYC. So it's not very private. | sascha_sl wrote: | Mullvad already did this for anyone who wanted port forwards, | because those people are more likely to be the target of legal | demands. | | They seem to never actually associate the account number with any | payments except at the moment the account gains time. This keeps | them from having to respond to any legal demands with useful | data. | | I wonder if the iOS subscriptions are affected. Technically they | could just not associate your payment with your account number. | Then the app can submit the transaction ID and your account | number that was stored locally to the service to extend your | time. | colesantiago wrote: | I wish more SaaS companies (especially VPN ones) did this, this | is a giant win for in the area of privacy. Go Mullvad! | nicce wrote: | The opposite is sadly still happening in everywhere else and no | change for that is probably coming in the foreseeable future. | With subscriptions, you guarantee the revenue. And making it | very difficult to unsubscribe, such as some unnamed companies, | even a little bit more money is collected. | mig39 wrote: | I've always loved that Mullvad wouldn't let you accidentally | compromise your own security. | | For example, the port-forwarding feature won't work if you have a | recurring subscription. | | This just extends that kind of thinking to the service in | general. | | Been a Mullvad customer for a long time now, and it's always been | awesome. | contravariant wrote: | What's the exact reasoning behind that? How does paying via | paypall impact the privacy of a forwarded port? | | Is this something to do with state-level actors? | capableweb wrote: | Presumably there are details linking together payments coming | from Paypal and the account number. And obviously there is a | link between account number and forwarded port. So following | with that, you'd be able to make the connection between the | account number and Paypal account, which is definitely not | private nor even pretending to protect your privacy. | Cyph0n wrote: | > For example, the port-forwarding feature won't work if you | have a recurring subscription. | | Yep, I had to cancel my subscription recently to get port | forwarding working. I've been a customer for a few years now | and trusted that they were doing this because it made sense | from a privacy standpoint. | yieldcrv wrote: | Do they take crypto? | | I've funded some virgin addresses from Tornado Cash notes, | running from my own local node | | Thats sufficient and definitely less cumbersome than Monero. | johnbatch wrote: | Yes. [0] | | " Which payment methods do you accept? We accept cash, Bitcoin, | Bitcoin Cash, Monero, bank wire, credit card, PayPal, Swish, | Giropay, Eps transfer, Bancontact, iDEAL, and Przelewy24. " | | also Cash | | "Can I really pay with cash? You bet, and please! Stay | anonymous all the way. Just put your cash and payment token | (randomly generated on our website) in an envelope and send it | to us. We accept the following currencies: EUR, USD, GBP, SEK, | DKK, NOK, CHF, CAD, AUD, NZD. " | | [0] https://mullvad.net/en/pricing/ | yieldcrv wrote: | Ohh ok so no Ethereum or EVM assets | | With virgin addresses I can get bitcoin and monero (or | anything incl cash) anonymously from the tornado cash notes | via the bridges, or via exchanges and staying below KYC | limits | | But Tornado Cash notes decrypt only to EVMs where Tornado | Cash is deployed. It would be more convenient for Ether and | some ERC20 tokens to also be used directly, instead of | bridges or exchanges. | | Are you all beholden to a specific payment processor or | implementation? People pay the most to use Ethereum for over | half a decade now, which is best projection we have for | activity and potential interest in merchants that aren't | crypto native services. | irusensei wrote: | I buy mullvad vouchers from this website paying with Bitcoin | through the lightning network: | https://vpn.sovereign.engineering/ | 5e92cb50239222b wrote: | Man, checking this one takes like 10 seconds. Not only they do | take "crypto", they also have a 10% discount if you pay with | it. | yieldcrv wrote: | I actually did take 10 seconds, scrolled down and saw the | pricing page, decided not to click that because so many | services only show the janky crypto payment option during a | janky checkout process so decided not to bother and just ask | here in the remaining 2 seconds. It worked. | nunez wrote: | yes, with a discount even | hairofadog wrote: | Anyone have thoughts about the privacy and security aspects of | TunnelBear? I've been using them for a few years, wondering if I | should switch to Mullvad. | jacooper wrote: | The top porper privacy focused VPNs are in no specific order: | | - ProtonVPN - Mullvad - IVPN | | More details here on why: https://www.privacyguides.org/vpn | | I personally picked Mullvad even though i use Proton Mail | because they have a fully featured Linux app, unlike Proton's | which is very very basic and they support IPv6. | potency wrote: | That's amazing. When so many companies go in the opposite | direction, it's incredibly refreshing to see a company make | strides toward reducing their customer's identifiable data | footprint. | corytheboyd wrote: | Mullvad is badass, tried it out for a month and it was glorious, | so I just recently pre-paid a full year. | oaiey wrote: | Clickbait .. but a rightfull one :) | skeeter2020 wrote: | If you're familiar with the sizeable benefits of the subscription | model for a business you'll recognize this is a big deal. | ouid wrote: | absolutely not. people are wary of signing up for new | subscriptions, because cancellation is not clearly protected in | most jurisdictions, and people are aware that they can forget | to cancel. | | People dont forget to renew their world of warcraft membership | because their game stops working if they do. if you use a VPN, | you likely use it every day, and there will be no lost revenue. | meltedcapacitor wrote: | Are these benefits not eroding? Pressure on subscription models | comes from both the public getting herd immunity against the | underlying dark pattern and competitors chasing a diminishing | supply of people to trick as world + dog has adopted the | tactic. | | In this particular case, with a privacy tailwind, it will be | unsurprising if it ends up increasing their sales. | GekkePrutser wrote: | I don't think so. Us privacy and control freaks abhor | subscriptions, the mainstream just shrugs and pays what | they're told to pay. I can even see them adopting rental | models for a lot of stuff we purchase outright now (the "you | will own nothing and you will be happy" great reset promoted | by the world economic forum). I think this is pretty | exploitative but I'm pretty sure I am in a minority. | Obviously big business loves this because they have to do | almost nothing and still get guaranteed income. | | But to me their arguments sound too much like blackmail "With | this model there is incentive for us to make longer-lasting | products which is good for the environment". Well, sure but | if you actually _cared_ about the environment instead of | money you 'd be doing that right now. Why do we have to pay | them more for less in order for them to do this? | | To me this really sounds like a "pay us what we want or we'll | mess up this environment of yours even more" extortion | scheme. | | The older generation is more against it but they tend to not | trust tech very much anyway. They're not the ones buying a | new phone every year, they use it for many years and even get | it fixed when it breaks. | dathinab wrote: | > mainstream just shrugs and pays what they're told to pay. | | But mullvad isn't targeting mainstream! | | It's mainstream compatible, as-in not too hard to use, but | that's it. | | Also mainstream only cares about VPNs because they believe | it does magically things, like somehow better protecting | all your privacy even if you are logged into Facebook or | somehow making account hijacking or banking scams less | likely :/ | | That's why they will go anyway with VPN providers which do | a lot of ad advertisement to make them subconscious feel | like it's doing all this magical things (even if they never | explicitly claim it). Like NordVPN (you probably know what | I mean if you use e.g. twitch in the EU ;=) ). | | So no point in competing for this users without doing | things like a ad powered free plan, free testing month, and | tons of dark-ish patterns. | | Instead mullvad has I think a good idea about what works | with their customers. | | I think it still will cost them money (who hasn't forgotten | to cancel and abo) but also might save them money (not | having to handle anything in support related to | subscriptions going wrong). And maybe with things like | people pre-paying for a year, but stop using it after a few | month it will also not cost them anything. Really hard to | say. I mean it was also guaranteed to end up on HN, so free | advertisement to exactly the right audience. That's worth | some money, too. | GekkePrutser wrote: | > But mullvad isn't targeting mainstream! | | I agree, this is precisely why they're doing this. | Putting their customers' privacy over their investors' | wallets. This is a big ballsy move IMO. They're buying a | lot of goodwill here. And taking a risk. | | > Also mainstream only cares about VPNs because they | believe it does magically things, like somehow better | protecting all your privacy even if you are logged into | Facebook or somehow making account hijacking or banking | scams less likely :/ | | Also totally agreed lol. I often get questions from | friends about VPNs. Always have to explain that privacy | really doesn't work if you _willingly_ give up your data | :) | | And no I don't use Twitch so not sure what you mean | there, sounds like an interesting story. | | > So no point in competing for this users without doing | things like a ad powered free plan, free testing month, | and tons of dark-ish patterns. Instead mullvad has I | think a good idea about what works with their customers. | | Exactly. They're not doing a tunnelbear. | | > I think it still will cost them money (who hasn't | forgotten to cancel and abo) but also might save them | money (not having to handle anything in support related | to subscriptions going wrong). And maybe with things like | people pre-paying for a year, but stop using it after a | few month it will also not cost them anything. Really | hard to say. I mean it was also guaranteed to end up on | HN, so free advertisement to exactly the right audience. | That's worth some money, too. | | I agree it's ballsy, this makes me respect the gesture | even more. It's not the 'done thing' in this day and age. | But they're still doing it and for the right reason. | mechanical_bear wrote: | > you will own nothing and you will be happy | | Too easy and lazy to blame this on some grand conspiracy. | Reality is much more complicated, and cuts to heart of | human behavior. | GekkePrutser wrote: | Conspiracy no. But I don't like where the world is | headed. Investors are demanding ever more markup on | products and services. Nobody is happy with a 10% markup | anymore in electronics. There seems to be a constant flow | of money to the ultra-rich away from the poorer people, | and this is something that has been constantly going on | for the last decades. Because the squeeze is finally | starting to hit the mainstream of the richer countries. | Even the US is starting to see instability from this. | | I think part of this is the free market which only really | works on "MORE". More turnover, more customers, more | products YoY. If you make a loss or invest in something | for the common good a company isn't just frowned upon, | they are putting themselves at liability of due diligence | lawsuits. Most of the societal and environmental problems | we are seeing stem from this, in my opinion. We need to | fix the system before it's too late, not pamper to it. | | I don't think there is a dark "SPECTRE" style gathering | going on at Davos, no. I'm not a conspiracy theorist. | However I do see there is zero incentive to improving the | status quo if it doesn't make some rich people much | richer yet again. This is why I see the WEF as a 'bad' | entity, for promoting such things which are clearly | undesirable. It's a very one-sided image. | | For me as a tinkerer and maker the idea of renting my | stuff and not being allowed to improve or repair it, is | absolutely unthinkable and something that must be fought | tooth and nail. | ryanbrunner wrote: | I think saying subscriptions are a dark pattern is going a | bit far. In the case where you're offering an ongoing service | that requires a cost to service, a subscription model is | completely appropriate and in the best interest of both the | subscriber and the issuer. | | For sure there's some abuse of the model where you're selling | something that should be a one-time item, but that's not the | case here, and Mullvad is providing an ongoing service (and | still billing by month / year / etc. for the service, just | without automatic renewals). | 3wolf wrote: | Yeah, I'd say the term dark pattern only applies when | services make it unnecessarily difficult to cancel your | subscription. _cough cough_...NY Times | wpietri wrote: | I'd be willing to say that subscriptions are a dark pattern | when they don't automatically stop if you stop using them. | | A fundamental part of healthy business relationships is | value for value. E.g., you give me money, I give you a | sandwich, you take the sandwich, eat it, and are happy with | it. If you keep paying me for sandwiches but I don't give | them to you, that's not healthy. Ditto if I put them on the | counter but you stop taking them. | | Personally, I think there should be a law that all | service/software subscriptions auto-suspend after 30 days | of non-use. Because right now there's a big incentive for | businesses to get you to sign up for things they think | you're not going to use, and to keep on charging you even | though they know you're not using it. | tomnipotent wrote: | What you're asking for is a la carte access while still | getting discounted subscription pricing, pushing all the | risk onto the business. Consume as much as you want, but | pay nothing when you don't. Sounds like a crap deal for | the business. | lolc wrote: | To me, a dark pattern is when the service doesn't announce | in advance when the subscription is going to renew. | bcrosby95 wrote: | These emails always annoy me. To each their own I guess. | yreg wrote: | They still use a subscription model it's just a non-recurring | one. | karaterobot wrote: | Part of the advantage of the recurring subscription model is | having predictable revenue every month due to it being | recurring. And many businesses count on that "gym membership" | effect, where people who don't use a service also don't take | the time to cancel it for a while. | disiplus wrote: | that's me and my audible subscription. i should cancel it, | but before that i have to use the credits. | krallja wrote: | Holy cow, that's evil. | | https://help.audible.com/s/article/do-i-keep-my-credits- | if-i... | | Do I keep my credits if I cancel my Audible Premium Plus | membership? No. If you end your Audible Premium Plus | membership, your credits will be lost with your other | membership benefits. | shever73 wrote: | It's exceptionally evil! I had the same issue and | couldn't understand why I was losing credits I thought I | had "bought". | | This and other privacy-related issues (see my comment | history) is why I won't consciously use Amazon again. | yurishimo wrote: | If you sign up on iOS in app, you get to keep your | credits after cancelling. One of the things Apple does | right imo in regards to consumer protection. | dfinninger wrote: | I wind up pausing my subscription when I get too many | credits. It's not a full cancellation, but I don't have | to pay. | DesiLurker wrote: | IIRC problem is the option of pausing subscriptions is | well hidden & revealed only when you have fully made up | your mind to cancel & drop all your credits. most folks | would not do that instead maybe defer the decision | another month in the hope they'll 'catch up'. then | they'll forget about it for a few more months. | | Dark patterns all over. | matrix12 wrote: | Hint: OpenAudible backup before you terminate. | wccrawford wrote: | Incredibly evil. That's why I used up all my credits and | then cancelled my account. I briefly flirted with "gift | subscriptions" because I was still wanting new audio | books a lot, but that has its own problems. So I gave up | on them. | buildbot wrote: | Hmm, that might be illegal in Washington State | DesiLurker wrote: | thats why I raced to buy up a bunch of books with my | points and then cancelled immediately (you can keep the | books). its one dark pattern after another, good | riddance. | [deleted] | mkroman wrote: | Just contact customer support and ask if you can get a | refund. I've done this a few times when I was just | accumulating points with nothing I wanted to buy, and | it's always been quick and easy. | roldie wrote: | Another happy Mullvad customer. Been using them for a couple | years now, and couldn't be happier with the ease, speed, and | privacy. | ouid wrote: | This is PR and the comments are astroturfed to absolute hell. VPN | is the most heavily advertised business I am aware of. There are | a lot of reasons to mistrust this behavior. | | 1) it doesn't cost mullvad very much to not autorenew | subscriptions. People dont forget to renew their subscriptions to | a service that breaks your connection to youtube when you forget | to pay. It's closer to the world of warcraft model. | | 2) Customers are now rightfully wary of renewing subscriptions. | Given horror stories of how difficult it is to cancel your | subscription to a service, I suspect that you lose upwards of 50% | of potential customers if you only offer subscription models. | | 3) No VPN has any incentive at all to "protect your privacy". It | is perfectly legal for them to lie to you about not keeping logs | and then turn them over to state actors, provided they are | operating out of the right state. In fact, state actors would | encourage such a thing. Perhaps some of these VPNs do something | to protect your privacy, but it is not because they are | incentivized to. | colonwqbang wrote: | In which state is it legal to lie about the service you are | delivering? I.e. in your marketing say that you will deliver | something and then instead deliver something less valuable. | ouid wrote: | Its possible you dont know what state means. But the US has | plenty of mass warrants that require companies to keep logs | even in the presence of promises that they dont. In fact, | they are obligated not to reveal that they are now keeping | logs. Warrants supercede contract. | colonwqbang wrote: | Even in the US I think you can't advertise a service that | you are not legally allowed to provide. Does the first | warrant make you immune to fraud allegations? | | I'm not an expert and am ready to accept that I may be | wrong. If you know any sources on the matter, it would be | interesting to read. | exyi wrote: | Mullvad is based in Sweden, they seem to be privacy | friendlier in general (even allowing sites like sci-hub on | their TLD) | sixhobbits wrote: | "Please don't post insinuations about astroturfing, shilling, | bots, brigading, foreign agents and the like. It degrades | discussion and is usually mistaken. If you're worried about | abuse, email hn@ycombinator.com and we'll look at the data. " | ouid wrote: | i flagged the post, but VPNs are not "unlikely" sources of | astroturfing. I do not particularly trust the startup | incubator that launched many of these VPNs to take a | particularly critical view of astroturfing, so i have chosen | to ignore this forum rule | throwaway287391 wrote: | > it doesn't cost mullvad very much to not autorenew | subscriptions. People dont forget to renew their subscriptions | to a service that breaks your connection to youtube when you | forget to pay. It's closer to the world of warcraft model. | | I might be in a tiny minority of users (genuinely not sure) but | I only enable my VPN when I want to get around IP geolocation | (e.g. to stream something only available in another country) | and otherwise turn it off when I'm done to minimize latency. I | sometimes go a week or two without using it so I could easily | not notice at least for days if my subscription didn't | autorenew. | k8sToGo wrote: | You forgot the last conspiracy reason which I always read in | comments like this: | | 4) It is probably state funded and run by the CIA. | ouid wrote: | this is a weird double standard. The only reason to use a vpn | is because of fears of the CIA or whatever in the first | place. | charles_f wrote: | > convenience comes at a cost and we no longer think this is an | acceptable trade-off. | | In an age where dissertations about what color and position to | use for buttons go pages long, that's a courageous position that | follows a clear strategy. Kudos! | onelovetwo wrote: | I think its also good for Mullvad, they push people towards the | 1y plan instead. No one is going to put their payment info in | every single month. | charles_f wrote: | They only have a monthly pricing option I believe | | https://mullvad.net/en/pricing/ | prophesi wrote: | With one-time payments, you'd send them 5 euros for one | month, or 60 for a year, etc. | skrebbel wrote: | Nop, you choose how many months you wanna pay ahead for | tgsovlerkhgsel wrote: | Pricing yes, but you can buy multiple months in advance. | You don't get any advantage except convenience. ___________________________________________________________________ (page generated 2022-06-20 23:00 UTC)