[HN Gopher] We are removing the option to create new subscriptions
___________________________________________________________________
We are removing the option to create new subscriptions
Author : mritzmann
Score : 1009 points
Date : 2022-06-20 13:27 UTC (9 hours ago)
(HTM) web link (mullvad.net)
(TXT) w3m dump (mullvad.net)
| INTPenis wrote:
| This is just like Mullvad to care about your privacy.
|
| But I think it's a bit overkill to completely remove the
| subscription option. They could have accomplished the same
| educating of end users with a simple recommendation or opt-out at
| sign up.
|
| Still providing subscription for those users who find that most
| convenient.
| andrewmunsell wrote:
| I've been using Mullvad ever since PIA was bought out. Never had
| an issue with them (other than when I forget to top up and my VPN
| connection dies :) ) with speed or reliability. I've always used
| the top up functionality rather than a subscription, but it's
| great to see how committed they are to reducing the attack
| surface for the users that need the most privacy.
| wyager wrote:
| Earlier this year I was changing some firewall configs and my
| torrent jail on my home server stopped working. I spent like an
| hour debugging, only to realize that my 1-year Mullvad
| subscription had expired in the middle of messing with my
| firewall. Oops!
|
| Mullvad is awesome and super fast. I reliably get in excess of
| 300mbps while torrenting.
| ascar wrote:
| That's great news and they just got a huge boost in reputation
| for me. Definitely the go to service if I need a good VPN again.
|
| Especially strong decision since this will certainly cost them a
| lot of revenue and I don't think the boost in reputation will
| counter that in the long run.
| leaflets2 wrote:
| I guess they'll notice after a month or a year
|
| What'll happen. I suppose there is a "middle" group of users
| who want a VPN a bit but not super much, and long term now
| might leave
|
| Anyway I like Mullvad's mindset
|
| Hi Mullvad, I hope you'll post a follow-up a year later :-)
|
| What if you, as part of the payment flow, included adding a
| calendar reminder X months later
| huslage wrote:
| I, personally, care a large amount about convenience. I don't
| want to think about bills at all. I've been a Mullvad subscriber
| for years on a PayPal recurring payment. It works so well that I
| don't even think about it. I just use it.
|
| Having to think about paying a bill every month is really a pain
| to me. I get the privacy ideals, but the tradeoffs are not
| ridiculous. I should be able to make a decision about how private
| I want to be, not have Mullvad decide for me so that they can
| feel better about themselves.
|
| I will probably move over to Mozilla VPN now, since they will
| continue to rely on Mullvad for their infrastructure but allow me
| to pay them in a convenient way. I guess compromises are in
| order.
| GekkePrutser wrote:
| You don't have to pay every month. You can just pay them a lump
| sum in advance. As far as I understand you can still do this
| like before.
| kbouck wrote:
| > "Having to think about paying a bill every month"
|
| Others can correct me, but I believe each payment just adds a
| month of time to your balance. So a number of months can be
| added at once.
| cmeacham98 wrote:
| You can pre-pay an entire year at once as well.
| flodcw wrote:
| So just pay once for an entire year, if you use them often, or
| the flat monthly rate, whenever you need. This doesn't sound
| too much of a hassle, especially considering the price.
| dcow wrote:
| Why are VPNs what people flock to when they think they want
| privacy? Moreover they kinda break the internet so it's not a
| scalable solution. It's cool to see a good one selling a privacy
| message and doing it at level 11, but it seems kinda disingenuous
| to me to tell users that they're more private because they use a
| VPN. Private from your current ISP, sure, but not from Mullvad
| (they're your new ISP, you're just moving the problem of who to
| trust, not _acquiring privacy_) and especially not so much from
| the service level tracking and collection of data which is
| arguably the real problem short of being targeted by nation-
| states.
|
| Also it seems all I need to do as an "attacker" is subpoena (or
| whatever the Swedish equivalent is) Mullvad while your payment
| record _is_ on file and I get the info I want. If Mullvad really
| wanted to go hardcore why not only sell little top up cards cash-
| only at kiosks?
|
| Now, choosing where you want your traffic to geographically
| egress onto the public network does have marginal utility and
| it's a perfectly sane feature for VPN providers to market and
| consumers to pay for--VPNs aren't useless. It's just not
| _privacy_.
|
| EDIT: add bit about how Mullvad is your new ISP to clarify the
| point
| GekkePrutser wrote:
| It's just one of the many layers of good opsec if you care
| about privacy. You shouldn't rely on this alone.
|
| And breaking the internet? I think centralisation by parties
| like Amazon, Google, CloudFlare does that a lot more.
|
| And if you want you can even send them cash in an envelope. Or
| monero or whatever.
| dcow wrote:
| I don't disagree that centralized services are also bad for
| the internet, but that's not a rebuttal to my point (also,
| what is a VPN service if not a "centralized ISP with
| different egress options"). A VPN does not add a layer of
| privacy. That's a misunderstanding of the concept and
| unfortunately a popular one even among security folks and
| even more-so among security marketing folks. A VPN allows you
| to effectively choose a different ISP. You _are not private_
| from Mullvad. You just have their promise that they're
| better and more transparent than your alternatives and that
| they won't sell your DNS queries and connection logs to
| advertisers. It's not bad to align with an ISP that shares
| your values, but it's not _privacy_ outright.
|
| > And if you want you can even send them cash in an envelope.
| Or monero or whatever.
|
| So why not only allow payments in privacy perfect currency if
| they're so concerned about privacy?
| [deleted]
| Yujf wrote:
| > So why not only allow payments in privacy perfect
| currency if they're so concerned about privacy?
|
| Because perfect is the enemy of good. Mullvad would lose
| customers and that is not good for Mullvad, nor for the
| customer.
| dcow wrote:
| Yet, here we are praising Mullvad for removing recurring
| subscriptions which will certainly mean they lose some
| predictable revenue and customers...
| GekkePrutser wrote:
| I agree that it's but a single tool in a complex mesh of
| procedures to provide some privacy.
|
| But the reality is that it does work for a variety of
| usecases. Try to torrent in Germany (of all places) and
| you'll get blackmail letters from random lawyers. Do this
| with a VPN and no problem.
|
| For this scenario it's the tool for the job. If you're an
| insurgent trying to liberate Iran it's not.
|
| For general surfing privacy it doesn't add much value at
| all because most of the identifying information is in the
| session itself, not the IP. This is where the layered
| approach comes in.
|
| But I definitely see a value in these services.
|
| And they do offer many anonymous payment options, but some
| are heavily frowned upon in some regions (eg anonymous
| crypto in India) and mailing bills is inconvenient and
| risky. And I guess for some people it's worth the tradeoff.
| dcow wrote:
| Yeah I definitely _see value_, don't get me wrong. I
| think, slightly, that marketing privacy is the cheap shot
| at best and kinda irresponsibly inaccurate at worst
| because it glazes over so much of the actual problem. In
| other words, if I start using Mullvad today I don't
| incredibly become anonymous and private on the
| internet... there's a lot more work to do to achieve that
| posture. The way VPNs are touted though might lead you to
| believe they keep you safe and private.
|
| Otherwise sounds like we mostly agree.
| s__s wrote:
| It's pretty simple. A VPN adds a layer of privacy between
| you and the server you're accessing. You go from user A
| with X home IP address originating from precise Y location,
| to user A with generic shared IP originating from a vague
| location likely nowhere near your real location.
|
| Beyond location, did you know there are services that can
| sometimes accurately provide a user's place of work based on
| home IP? Their likely income level, and more. That becomes
| impossible with a VPN.
|
| In short a VPN removes a key personal identifier that can
| be used to ID you online. Your IP address.
| dcow wrote:
| But traditional ISPs reuse IP addresses too. You rarely
| get a static IP from your ISP. Some even run carrier
| grade NAT and you're literally sharing an IP with your
| whole building or something. VPNs are not really
| different in any regard. They do obfuscate location, I'll
| give you that, and that seems like the crux of the
| issue with traditional ISPs: they are small and
| distributed so people have created location maps. By
| using a big centralized service you can obfuscate your
| zip code. I'm all for people having that option, don't
| get me wrong. Personally I'd rather see us pass strong
| legislation that takes things a step further and
| prohibits zip-code based profiling if that's considered
| dangerous to society, or ya know solve the social problem
| and create diverse zip codes in the first place so you
| can't predict income based on it, rather than be fooled
| into thinking that we can solve this problem by giving
| everyone a VPN. It doesn't scale.
| kadoban wrote:
| > [...] it seems kinda disingenuous to me to tell users that
| they're more private because they use a VPN. Private from your
| ISP, sure [...]
|
| Bit of a contradiction there. It adds friction to at least some
| attacks against your privacy. That's better privacy.
|
| Nothing will ever be perfect, and VPNs can easily be oversold
| in terms of their benefits (especially since https became the
| norm). But they have benefits in some common use-cases.
|
| > Also it seems all I need to do as an "attacker" is subpoena
| (or whatever the Swedish equivalent is) Mullvad while your
| payment record is on file and I get the info I want. If Mullvad
| really wanted to go hardcore why not only sell little top up
| cards cash-only at kiosks?
|
| They accept cash and at least some other privacy preserving
| payment methods already.
| dcow wrote:
| > They accept cash and at least some other privacy preserving
| payment methods already.
|
| So why even allow "traditional" KYC-ridden payments at all?
|
| > Bit of a contradiction there. It adds friction to at least
| some attacks against your privacy. That's better privacy.
|
| The nuance is that you're just moving the problem. You're
| _not_ private from Mullvad. You're just trading one ISP for
| a different one. I could have phrased it better in my initial
| comment so as not to suggest a contradiction. Think of it
| this way, if Mullvad _was_ your ISP, would you still tell
| someone to get a VPN? You have to trust someone not to snoop
| on your DNS queries and connections. All adding a VPN does is
| give you more freedom to choose who to trust, which is not
| bad in its own right. It's just not technically privacy
| manifest.
| kadoban wrote:
| > The nuance is that you're just moving the problem. You're
| not private from Mullvad. You're just trading one ISP for a
| different one.
|
| Another way of saying that is that you've gained a choice.
| Most people have essentially one option for an ISP, but
| _many_ for VPNs.
|
| > So why even allow "traditional" KYC-ridden payments at
| all?
|
| To allow user choice. Many probably don't really care about
| that aspect and just want to bypass region-locks.
| [deleted]
| Barrin92 wrote:
| >Private from your current ISP, sure, but not from Mullvad
|
| being private from your local ISP is what 99% of people care
| about because they use VPNs to send copyright infringement
| claims to /dev/null and watch netflix, not to smuggle nuclear
| secrets to Iran. It's privacy in a practical sense that's
| useful to people. If I go from an untrustworthy ISP to a
| trustworthy one I've gained privacy, there's no need to be
| overly academic about the term.
| dcow wrote:
| I'm not really trying to be pedantic for giggles.. perhaps I
| just think it's sad that 99% of ISPs are considered your
| privacy enemy and on top of that I don't consider VPNs a
| scalable solution to the problem at large so I'm more
| entertaining the "why is this the de facto solution" question
| in the "does it scale to society" solution space. It starts
| to look more like a social problem/solution than a technology
| problem/solution. That's more what this is about. If everyone
| used a VPN we'd really be in the same scenario we are today
| because to support that infrastructure you'd need exit nodes
| in every city and boom there goes your location advantage.
| Thorentis wrote:
| I don't consider my ISP my privacy enemy when it comes to
| paying my mortgage, or filling out my taxes. I do consider
| my ISP my enemy when it comes to downloading Linux ISOs,
| because the IP addresses issued by my ISP can be tied back
| to a geo location and are known to be the "last leg"
| address that would be targeted for infringement purposes.
| CodeBeater wrote:
| I'm curious, how do VPNs break the internet? The only angle I
| can immediately see is the shortage of IPV4s.
| dcow wrote:
| They break the practical solutions to content distribution
| and delivery that we've deployed. If everyone used a VPN,
| CDNs and caching would be rendered ineffective. Generally,
| VPN consumers use more bandwidth than necessary to acquire
| the same content which does impact the network.
| anderspitman wrote:
| One primary benefit I see vs trusting ISPs is there's lots of
| competition in the VPN space.
| jacooper wrote:
| Even though I use protonmail, I still bought Mullvad due to their
| Linux app which has actual per-App split tunneling.
| seibelj wrote:
| FYI they take monero, the most private cryptocurrency.
| pxeger1 wrote:
| That's a pretty sweeping statement to make with no evidence.
| heartbeats wrote:
| Monero has the largest anonymity set of any cryptocurrency,
| so the statement is true.
| syzygyhack wrote:
| It's not just about the anonymity set, there are more
| factors than that. That said, I concur with the conclusion.
| cmcconomy wrote:
| there is irrefutable evidence that they take monero
| ezfe wrote:
| And we both know that wasn't the point of issue here - "the
| most private cryptocurrency" was
| freiherr wrote:
| Tor -> buy mullvad for xmr -> use it for clearnet ip after Tor
| Best for privacy, best for abuse. Aren't there any problems like
| captchas everywhere because the ip was overused? Or CP
| distribution lawsuits towards mullvad?
| syntaxing wrote:
| Serious question, what are people using their VPN for? I used PIA
| before the buyout then shifted to Windscribe but I don't think I
| will renew after this year. I rarely use it and if I want
| something safe (like using public wifi), I use tailscale instead.
| AtNightWeCode wrote:
| These services will likely not be around in 5 years if things
| continue as they do today. I work with clients who ban any ASN
| that hosts these kinds of services. Not sure what Mullvad can do
| to not become a new Tor or North Korea. At many companies they
| already are.
|
| I am not for it. Just the way the lands lie right now.
| colinsane wrote:
| are your clients consumer ISPs? or are they like edge CDNs
| doing www stuff? the impact on these VPN services would be
| tremendously different in each case.
| CodesInChaos wrote:
| If they don't keep the link between accounts and payments,
| doesn't that mean they can't revoke an account when a chargeback
| happens?
| cmeacham98 wrote:
| Sure, but they can ban your payment method, and they care about
| privacy enough to eat this (probably small) cost.
|
| Also, they do actually keep a link for 40 days, but it seems
| like some card networks allow chargebacks past that.
| bombcar wrote:
| > In order to provide refunds and the ability to recover lost
| accounts we need to store some record of a payment, at least
| for a short time. As soon as we do not need the data to enable
| refunding a payment we scrub the record of anything that can
| link the payment or the account to any personally identifiable
| information kept by the payment processor (this could be your
| bank, for example).
|
| So they hold your info and link for however long the chargeback
| period is (or the average one, probably 30-60 days is fine) and
| then lose it.
|
| If you're more worried about privacy than convenience they
| offer other payment methods:
|
| Which payment methods do you accept? We accept cash, Bitcoin,
| Bitcoin Cash, Monero, bank wire, credit card, PayPal, Swish,
| Giropay, Eps transfer, Bancontact, iDEAL, and Przelewy24.
|
| https://mullvad.net/en/pricing/
|
| And you can pay for a decade in advance.
|
| (What is Pretzel24 I wonder?)
| zulln wrote:
| Selecting Pretzel24 as payment method redirects to
| https://go.przelewy24.pl/ where in turn you choose between
| different banks. I guess it is a Polish service for direct
| bank payments?
| jwilk wrote:
| Wait, does it actually say "Pretzel" somewhere, or did you
| both misspell it?
|
| "przelewy" means "wire transfers" in Polish:
| https://en.wiktionary.org/wiki/przelew Nothing to do with
| pretzels. :)
| bombcar wrote:
| I misread it as Pretzel the first time and couldn't
| resist, especially after clicking the page gave me a 'NOT
| FOUND' error. I assumed it was some sort of payment
| system.
| dustractor wrote:
| Heck of a convincing advertisement, even if it's not meant to be
| one.
| tr1ll10nb1ll wrote:
| I tried Mullvad, I love their outlook on privacy. However, maybe
| this is just my experience but the speed I was getting with
| Mullvad was slow, for some reason. Much slower than my regular
| ~200 mbps connection. Had to switch back to Nord (would not
| recommend it, though) again.
| jacooper wrote:
| I use Mullvad and haven't had this issue, but then try
| ProtonVPN, which has many more servers with faster connections
| too.
|
| It's almost the same in terms of privacy protections.
| sph wrote:
| I can max out my 330 Mb connection with them, and latency is
| pretty good. I'm in Europe and I use a couple different
| countries as exit.
| hunter2_ wrote:
| For customers who don't go to great length to protect their own
| privacy when paying (i.e., all subscribers, I assume) Mullvad
| should persuade them to replace their subscription with the "bill
| pay" feature of most checking accounts -- maybe even offer
| tutorials for common banks. I'm not an expert in the implications
| of a subpoena and if banks get involved, but it seems like it
| would at least be a way to keep the revenue stream nearly as
| healthy (recurring automatically) while also meeting their goal
| of not maintaining subscription data.
| usr1106 wrote:
| Banking is highly national. It does not even work very
| uniformly in SEPA (Single European Payment Area). Of course
| there are mandatory SEPA features that every bank in every
| country must support. But there are other national features
| which are used in some countries by practically all businesses
| basically making everything incompatible again.
|
| And of course there are many countries completely outside of
| SEPA.
| hunter2_ wrote:
| I'm in the US and I'm not familiar with banking elsewhere,
| but the "bill pay" feature I'm talking about will try some
| electronic system first, and if the recipient doesn't support
| it, the bank simply mails a check. The recipient could be as
| small/offline as any person at a residential address. I
| assume writing a check and mailing it is a fairly typical
| thing everywhere, and having the bank do this on a repeating
| schedule doesn't seem like a huge hurdle, but I could be
| wrong.
| AnssiH wrote:
| > I assume writing a check and mailing it is a fairly
| typical thing everywhere
|
| It absolutely is not. The only time I've seen a check was a
| gift from my grandfather in the 00s, and I don't think
| paying bills by mailing checks was ever a thing here.
|
| Checks also often become very difficult and expensive to
| cash when going cross-border. E.g. most banks here
| (Finland) refuse to cash foreign checks altogether.
| brewdad wrote:
| It is my understanding that checks are pretty much only
| used regularly in the US at this point. Elsewhere, they are
| reserved only for special cases outside the norm.
| causality0 wrote:
| Have Mullvad's privacy guarantees been tested by subpoena?
| tacker2000 wrote:
| They are based in Sweden, which could be an issue since they
| are part of the 14-eyes alliance.
|
| https://www.cnet.com/tech/services-and-software/mullvad-revi...
| INTPenis wrote:
| Yeah I think that's why they're trying to minimize the amount
| of data they have on store, because they know that a repeat
| of the TPB raid can happen any time.
|
| If the Swedish courts find sufficient reason to do so, they
| will go in without warning and seize what they feel like.
| jacooper wrote:
| Not a subpoena, but a third party auditor.
| mjmsmith wrote:
| https://github.com/mullvad/mullvadvpn-app/tree/master/audits
| znpy wrote:
| This does not apply. They're european, a subpoena from the us
| government wouldn't have any effect on them.
| stjohnswarts wrote:
| that's not true, the USA has agreements to exchange
| information on citizens with the vast majority of European
| countries. While a local yokel might have a rough time, the
| federal government would only have to put in a request and
| wait a while. The only cost is the effort to file for it.
| bragr wrote:
| Europe has courts, subpoenas, warrants, police, and all that
| too so I don't see how that affects the question? The US has
| mutual legal aid treaties with most European countries as
| well.
| wfhordie wrote:
| If your threat model includes nation state intervention, a 5
| Euro VPN isn't going to help you. In fact, no VPN is going to
| help you. The best you can get is probably Tor + Tails, but
| even then you better be looking over your shoulder.
| causality0 wrote:
| That is true but not relevant to my question of whether
| Mullvad's data retention policies have been tested in court.
| One uses a commercial VPN to pirate HBO, not dodge the
| alphabet boys.
| spupe wrote:
| That's not necessarily true. A lot of state surveillance
| comes through having backdoor or legal access to lots of
| services. Many VPNs have been tested in court on whether they
| actually have information on you to disclose, and some even
| have independent audits to verify that such information is
| not even kept.
| wfhordie wrote:
| At best, you can hope to make surveilling you more
| expensive or more inconvenient. But if Snowden taught us
| anything, it's that whatever you needed to do to get
| yourself tangled up in the 5/14 eyes trip-wire, you've
| already done, long ago, and continue to do.
|
| VPNs don't mean shit. You're leaking data everywhere you
| go. Browser fingerprinting, WiFi/BT signals, cell tower
| signals, GPS. If you own a smart phone and a credit card
| you're already fucked.
|
| Let's not confuse things for people by making them think if
| they plop a 5 Euro VPN between them and their yahoo! email
| account that this does anything at all to deter state level
| actors.
|
| VPNs are good for a few things:
|
| (1) Evading state-sponsored censorship (which uses
| technology minted in good old Silicon Valley) -- where the
| state doesn't really care unless you're really bothering
| them
|
| (2) Marginally disrupting the pan-opticon that is
| surveillance capitalism by mixing the signals a bit, where
| your ISP can't sell you out to data brokers. But even
| then... DNS leaks, etc still happen and still fuck with the
| plan.
|
| (3) Maybe not getting scooped up as badly in the state
| dragnet, and maybe not being accused of something you
| actually didn't have anything to do with.
|
| But brother, if you think you're gonna be the next Ross
| Ulbricht with your Mullvad VPN, then you better be
| memorizing your recipe for toilet wine because you're gonna
| land in a fed pen.
| spupe wrote:
| Mate, I don't know if you realize this, but most people
| here just want to hide due to minor privacy concerns, not
| a plan to overthrow the government or some shit. Of
| course if the FBI is after you, no, Mullvad won't protect
| you. But in the more realistic scenario that Disney might
| be after you, would Mullvad be a liability or not, that
| is the question.
| k8sToGo wrote:
| or be in a state that is not an ally.
| GekkePrutser wrote:
| Really good initiative, they clearly care about privacy. Most
| companies are going out of their way to introduce autorenewing
| subscriptions.
|
| But here they make privacy more important than pleasing the
| investors. Kudos. Glad I'm a customer.
| mrshadowgoose wrote:
| My paranoid interpretation of this is that they have already
| been, or are expecting to be served with some kind of order
| compelling them to silently hand over billing information.
|
| I will admit that I know absolutely nothing of the Swedish legal
| system.
| 1vuio0pswjnm7 wrote:
| Another paranoid interpretation is that they may foresee going
| out of business in the near term and fewer subscriptions means
| fewer potential refunds.
| shafyy wrote:
| This is a great idea! In practice, how would you go about this
| e.g. if you're using Stripe? After a few weeks, delete the
| customer information in Stripe?
| stjohnswarts wrote:
| Mullvad deletes all transactions as soon as they are allowed by
| law/contract with pay agent. That's 45 days for some things and
| 60 for others I believe. They have more details on their site.
| This assumes you trust them to shred that info though. They
| also supposedly don't keep ip logs, but I assume their ISP
| does, so I guess that's of limited value.
| jaywalk wrote:
| Why would it matter if their ISP keeps IP logs? Those logs
| would not be able to link an IP address to anything of value.
| stjohnswarts wrote:
| Sometimes just having meta info is enough for 3LA orgs. They
| would know the user is using mullvad services as the most
| obvious which is enough to get you multiple year sentences
| in some repressive countries.
| Bilal_io wrote:
| That's a very good question. I wonder why companies don't push
| hard to disallow third-party services from storing their
| customers' data. I had this issue as an employee. My employer
| used a third-party service for onboarding. This service had a
| breach and my data (including my SSN) was leaked. I've been
| begging my employer (one reason I wish I lived in California)
| to take action and have them remove my data, because another
| breach is inevitable. They've finally sent a request to delete
| all employees' data. Now I am waiting.
| shafyy wrote:
| If you accept payment, it's very hard not to relay _some_
| information to a third party, except if you build your own
| payment provider service... But I'd love to see Stripe make
| more effort here and e.g. start allowing EU hosting for EU
| customers and so on.
| Bilal_io wrote:
| I don't mind sending data to the service, but the moment
| the information is no longer needed, we should have the
| expectation that you delete the data.
| londons_explore wrote:
| Even if you delete it in Stripe, I very much doubt that stripe
| or the credit card providers will be deleting the data.
|
| Someone will know that Mr Smith has a Mullvad VPN subscription.
| They just won't know his username on the service.
| shafyy wrote:
| Probably true. So, how does Mullvad handle this?
| jeromegv wrote:
| Handle what? Of course someone can go to Stripe and get
| that info, but as OP just said, they won't be able to tie
| it to a specific VPN account as that link is now broken.
|
| They also mentioned it's about less data, not about zero
| data. The moment you use a credit card, of course it's
| stored in a bunch of places. But this won't be stored with
| them.
| acallaghan wrote:
| I suspect a temporary ID that links the two that lives for
| just the time of the Payment Request and transmitted as
| metadata? Once the payment is successful, it removes the ID
| linking the payment to the account ID & severs the link -
| just the account has the credit
| ignoramous wrote:
| I've done something similar to disassociate customer-ids
| from their logs.
|
| See also:
| https://en.wikipedia.org/wiki/Tokenization_(data_security) and
| https://en.wikipedia.org/wiki/Crypto-shredding
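
Added example (not part of any comment in this thread, and not Mullvad's actual implementation): a sketch of the temporary-ID and crypto-shredding idea from the two comments above, in which the payment processor only ever sees a random token and the token-to-account link becomes unrecoverable once its key is destroyed. The class and function names, the sample account number and the 40-day window are assumptions; a per-record one-time pad stands in for the authenticated cipher a real system would use.

```python
"""Constructed sketch: ephemeral payment<->account link with crypto-shredding."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

RETENTION_SECONDS = 40 * 24 * 3600  # assumed refund window, not a documented value


@dataclass
class LinkRecord:
    ciphertext: bytes   # account number XORed with a per-record random pad
    created_at: float   # seconds since an arbitrary epoch


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


class PaymentLinker:
    """Hypothetical service-side store; the processor never sees the account."""

    def __init__(self) -> None:
        self.credit: Dict[str, int] = {}        # account -> months of service
        self.links: Dict[str, LinkRecord] = {}  # token -> record (may survive in backups)
        self.keys: Dict[str, bytes] = {}        # token -> pad; the only way to undo a link

    def start_payment(self, account: str, now: float) -> str:
        """Create the random token that is sent to the processor as metadata."""
        token = secrets.token_urlsafe(16)
        plaintext = account.encode()
        pad = secrets.token_bytes(len(plaintext))  # used once, same length as plaintext
        self.links[token] = LinkRecord(_xor(plaintext, pad), now)
        self.keys[token] = pad
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Map a token back to an account; fails once the key has been shredded."""
        record, pad = self.links.get(token), self.keys.get(token)
        if record is None or pad is None:
            return None
        return _xor(record.ciphertext, pad).decode()

    def settle(self, token: str, months: int) -> bool:
        """Processor reports success for a token: add time to the account."""
        account = self.resolve(token)
        if account is None:
            return False
        self.credit[account] = self.credit.get(account, 0) + months
        return True

    def refund(self, token: str, months: int) -> bool:
        """Refund or chargeback: only possible while the link still exists."""
        account = self.resolve(token)
        if account is None:
            return False
        self.credit[account] = max(0, self.credit.get(account, 0) - months)
        return True

    def shred_expired(self, now: float) -> int:
        """Destroy keys older than the window; ciphertext may stay behind."""
        expired = [t for t, r in self.links.items()
                   if t in self.keys and now - r.created_at >= RETENTION_SECONDS]
        for token in expired:
            del self.keys[token]
        return len(expired)


def demo() -> dict:
    day = 24 * 3600
    linker = PaymentLinker()
    account = "1234567890123456"                    # constructed sample value
    token = linker.start_payment(account, now=0.0)
    settled = linker.settle(token, months=12)
    linked_before = linker.resolve(token)
    shredded_day_39 = linker.shred_expired(now=39 * day)
    shredded_day_41 = linker.shred_expired(now=41 * day)
    return {
        "settled": settled,
        "linked_before": linked_before,
        "shredded_day_39": shredded_day_39,
        "shredded_day_41": shredded_day_41,
        "linked_after": linker.resolve(token),
        "late_refund": linker.refund(token, months=12),
        "credit": linker.credit[account],
        "ciphertext_still_stored": token in linker.links,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

After the key is shredded the account keeps its credit, but a late chargeback can no longer be mapped to an account, which is the trade-off raised earlier in the thread.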
| pilgrimfff wrote:
| I was so worried they were winding down or something. I really
| love Mullvad and would hate to have to find a new VPN.
|
| This decision makes me like them even more.
| generalizations wrote:
| They took payment in BTC back when it was several orders of
| magnitude less valuable. They can probably run the company
| indefinitely off their crypto savings.
| cmeacham98 wrote:
| They almost certainly are converting the vast majority of
| their crypto back to fiat money to pay their bills and
| employees.
|
| Given the relative volatility I'd be surprised if they have
| any meaningful long term holding of cryptocurrency.
| Arubis wrote:
| My only concern with Mullvad is that, as their profile and
| reputation increase, they become a bigger target. That's mostly a
| vote of confidence, though the concern is a real one.
| INTPenis wrote:
| But what is also great about Mullvad is that they're actively
| working to make their remote and local security better. They're
| involved in the stboot[1] project for example.
|
| 1. https://mullvad.net/en/blog/2022/1/12/diskless-
| infrastructur...
| kvathupo wrote:
| Perhaps a Swede can chime in, but I'd imagine Sweden has a lax
| regulatory approach, e.g. compare the fates of PRQ and
| Megaupload. It's, admittedly inexplicably, concerning that
| we've driven people to foreign companies (from American ones)
| due to government surveillance. It begs the question: under
| what conditions would a consumer be fine ceding privacy?
| Transparency? Remuneration?
| htgb wrote:
| Not really. See the trial against the founders of The Pirate
| Bay for example, and the controversies surrounding it. Also,
| the FRA surveillance. Also, according to the ISP Bahnhof, the
| police at least used to submit lots of data requests without
| a court order and for non-serious crimes.
|
| AIUI, Bahnhof and other VPN providers stay in the clear by
| avoiding storage of data in the first place. They can be
| compelled to hand over any data they have, but not to log any
| additional data. (ISPs etc are forced to log more data IIRC.)
|
| At least there's nothing like the Australian laws for forcing
| and gagging developers.
| nichch wrote:
| Could you elaborate on the Australian laws?
| xipho wrote:
| Is it me (likely), or are a huge range of comments here exactly
| what you'd expect from a company anticipating blow-back based on
| their changes? I mean it could really be that good, but this
| feels a little _too_ clean. I.e. are there shill posters here? I
| suppose someone could look at all the users who posted, get their
| karma, and created on dates, and build some estimation
| calculation. Probably could be greatly improved by adding factors
| such as whether the user has posted recently in other threads,
| whether potential shills are responding to parent shills, etc.
| Arms race ...
| sixhobbits wrote:
| "Please don't post insinuations about astroturfing, shilling,
| bots, brigading, foreign agents and the like. It degrades
| discussion and is usually mistaken. If you're worried about
| abuse, email hn@ycombinator.com and we'll look at the data."
| xipho wrote:
| A completely rational guideline. My mistake, apologies.
| arein3 wrote:
| If I ever use a VPN I will check out Mullvad; this kind of
| attitude is almost nonexistent now
| dijonman2 wrote:
| I think Firefox resells a custom Mullvad product, which I would
| probably use. I just don't have a need for security at this
| layer.
| einpoklum wrote:
| So, I don't quite get it. They supposedly accept one-time
| payments, but their pricing page only shows recurring periodic
| payments. What gives?
| jacooper wrote:
| There is no automatic recurring payment, it's 5EUR per month,
| you can pay it in one go for a specific period, or monthly
| manually.
| gspr wrote:
| I love those guys. I really wanna start using them, but there's
| one missing feature for me: currently, I can mail them a few
| hundred euros, and get a number of years of service. That's
| great. But currently you only get one _block_ of service. I'd
| very much like to be able to _pause_ my credit.
|
| Now, I totally understand that letting people pause with super
| fine temporal resolution would crush their business model. I'm
| not asking for that. But I would like to buy say 30 months of
| service, flick a switch draining say one month of my credit (and
| having the service for a month), then pausing again.
| wdb wrote:
| I can't renew my plan. As I forgot my account number :(
| jacooper wrote:
| It's listed in the app.
| fady wrote:
| Been a mullvad user for more than 4 years and love it. Thanks
| guys and keep up the good work.
| LtdJorge wrote:
| When I tried it, they didn't have an iPad app, but it was fine
| because they give you the configuration and I plugged it into the
| OpenVPN app.
| maxxam wrote:
| They have an iPad app now. Makes it easier to switch server but
| aside from that, no major advantage over WireGuard app. I use
| WireGuard app since it can auto connect on wifi or cellular.
| toma_caliente wrote:
| Wonder how this affects MozillaVPN subscriptions.
| rlv-dan wrote:
| Would it be possible to store subscription data without actually
| linking it to the account that is affected? Sort of like a one
| way encryption.
| londons_explore wrote:
| When the subscription was cancelled, you would have no way to
| know which account to disable.
|
| Perhaps a better model is the client stores the necessary data,
| and presents it when trying to connect?
| bombcar wrote:
| You'd have to have some form of connection, but it might be
| possible to design it in such a way that it could be plausibly
| denied. Holomorphic?
|
| All the ways I come up with (giving out keys) have the problem
| of how do you renew the key, and how do you cancel it, without
| knowing which is which.
| heartbeats wrote:
| Couldn't you give them short-lasting keys, that they can use
| to sign session keys?
|
| e.g.
|
| 1. Connect to Mullvad over Tor, authenticate with real-world
| user ID
|
| 2. Use this to sign a blinded token
|
| 3. Use this to connect to Mullvad anonymously after some
| delay
|
| The first run would be kind of dodgy, but after that you
| could get new session keys on a fixed schedule and switch
| them out at a random interval.
|
| If they see that user A authenticates and 10 minutes later,
| key A comes online, that can be traced, but if you then wait
| a week, authorize key B, and then wait a few more days to
| start using it, you should be good.
|
| In practice, this has way too many issues to work in
| practice. It still requires you to trust them not to e.g. log
| IPs and correlate it that way, so it's all just snake oil.
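The blinded-token steps in the comment above can be made concrete with a textbook RSA blind signature. This is an added example, not code from the thread or from Mullvad; the key (two Mersenne primes), the `Issuer`/`Client` names and the user ID are constructed for illustration, and unpadded RSA this small is not suitable for real use.

```python
"""Toy RSA blind-signature token flow (added illustration, not Mullvad's protocol)."""
import hashlib
import math
import secrets

# Constructed demo key: two Mersenne primes. Far too small and too structured for real use.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent


def h(token: bytes) -> int:
    """Map a token into Z_N (stand-in for a full-domain hash on this toy modulus)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


class Issuer:
    """Sees the paying identity at issuance and only a bare token at redemption."""

    def __init__(self):
        self.issuance_log = []  # (user_id, blinded value) pairs the issuer observes
        self.spent = set()      # redeemed tokens, to reject double spending

    def sign_blinded(self, user_id: str, blinded: int) -> int:
        # Step 2 of the comment: sign without learning the token inside.
        self.issuance_log.append((user_id, blinded))
        return pow(blinded, D, N)

    def redeem(self, token: bytes, sig: int) -> bool:
        # Step 3: accept any unspent token carrying a valid signature.
        if token in self.spent or pow(sig, E, N) != h(token):
            return False
        self.spent.add(token)
        return True


class Client:
    def __init__(self):
        self.token = secrets.token_bytes(16)
        while True:  # blinding factor must be invertible mod N
            self.r = secrets.randbelow(N - 2) + 2
            if math.gcd(self.r, N) == 1:
                break

    def blind(self) -> int:
        # h(token) * r^e hides the token from the issuer.
        return (h(self.token) * pow(self.r, E, N)) % N

    def unblind(self, blind_sig: int) -> int:
        # (h * r^e)^d = h^d * r, so dividing by r leaves a plain signature on h.
        return (blind_sig * pow(self.r, -1, N)) % N


def run_demo():
    issuer = Issuer()
    alice = Client()
    blind_sig = issuer.sign_blinded("alice@example.invalid", alice.blind())
    sig = alice.unblind(blind_sig)
    first = issuer.redeem(alice.token, sig)
    replay = issuer.redeem(alice.token, sig)
    # Linkage check: did the issuer see the redeemed values at issuance time?
    seen = {blinded for _, blinded in issuer.issuance_log}
    linkable = h(alice.token) in seen or sig in seen
    return first, replay, linkable


if __name__ == "__main__":
    print(run_demo())
```

The issuer's log holds only the blinded value, so the redeemed token cannot be matched to the paying identity by value; timing and source IP remain linkable, which is the caveat the comment itself raises.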
| jaywalk wrote:
| It seems like you're trying to solve a totally different
| problem that doesn't exist. If you have a subscription,
| that means Mullvad _must_ store information that ties your
| account to the subscription payment processor. That is the
| information they don't want to store anymore, because they
| want their users to be anonymous. Their system is already
| set up so that users can't be correlated with VPN activity.
| dredmorbius wrote:
| At that point the question becomes one of search space and what
| real-world data that information ties to.
|
| If Eve can determine the basis for which an account is
| identified, and there is a small number of subscriptions,[1]
| then the namespace may be exhaustively searched.
|
| Mind that _even if the resulting hash space is large_, if the
| _key_ space is small, the search is tractable. Just look for a
| resulting valid hash.
|
| Even if a payment is required, if $0.01 is accepted, the cost
| for testing 1 million keys is $10,000. For a sufficiently high-
| value target, potentially reasonable. More so if you can create
| your own money.
|
| ________________________________
|
| Notes:
|
| 1. For computers, any value < 10 billion is arguably small, and
| quite possibly somewhat larger than that. The present human
| population is < 10 billion. The Mullvad subscription list is all
| but certainly <<<10 billion, where '<<<' -> "very much smaller
| than".
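The small-key-space point above, applied to the earlier "one way encryption" idea, as an added example (not from the thread; the 5-digit account format, sample accounts and function names are constructed). It assumes the stored pseudonym is a SHA-256 of the account number, then repeats the check with a server-side HMAC key.

```python
"""Why hashing a low-entropy account identifier does not unlink it (added illustration)."""
import hashlib
import hmac
import secrets

DIGITS = 5  # constructed: 5-digit account numbers, i.e. a key space of 100,000


def pseudonym(account: str) -> str:
    """'One-way' pseudonym: plain SHA-256 of the account number."""
    return hashlib.sha256(account.encode()).hexdigest()


def keyed_pseudonym(account: str, key: bytes) -> str:
    """Pseudonym that also depends on a secret held by the operator."""
    return hmac.new(key, account.encode(), hashlib.sha256).hexdigest()


def enumerate_keyspace(stored, hash_fn, digits=DIGITS):
    """Recompute the pseudonym of every possible account and match the stored ones.

    The digest is 256 bits wide, but the loop only ever runs 10**digits times:
    the cost is set by the key space, not by the hash space.
    """
    wanted = set(stored)
    found = {}
    for i in range(10**digits):
        account = f"{i:0{digits}d}"
        digest = hash_fn(account)
        if digest in wanted:
            found[digest] = account
            if len(found) == len(wanted):
                break
    return found


def run_demo():
    accounts = ["00042", "31337", "90210"]  # constructed sample accounts

    # Case 1: unkeyed hash. Anyone holding the table can reverse it.
    plain_table = [pseudonym(a) for a in accounts]
    recovered_plain = enumerate_keyspace(plain_table, pseudonym)

    # Case 2: keyed hash. Someone with the table but not the key learns nothing...
    server_key = secrets.token_bytes(32)
    keyed_table = [keyed_pseudonym(a, server_key) for a in accounts]
    wrong_key = secrets.token_bytes(32)
    outsider = enumerate_keyspace(
        keyed_table, lambda a: keyed_pseudonym(a, wrong_key)
    )

    # ...but whoever holds (or can be compelled to hand over) the key reverses it
    # exactly as in case 1, so the link to the account is still stored.
    key_holder = enumerate_keyspace(
        keyed_table, lambda a: keyed_pseudonym(a, server_key)
    )
    return accounts, recovered_plain, outsider, key_holder


if __name__ == "__main__":
    accounts, plain, outsider, key_holder = run_demo()
    print("unkeyed hash reversed:", sorted(plain.values()))
    print("keyed hash, no key   :", sorted(outsider.values()))
    print("keyed hash, with key :", sorted(key_holder.values()))
```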
| 2OEH8eoCRo0 wrote:
| Mullvad is awesome from top to bottom. From strict adherence to
| their values to the apps that they make and the service that they
| provide. I've been an extremely happy customer for years. Keep up
| the good work!
| smoovb wrote:
| I tried Mullvad for a year and loved the approach and onboarding.
| Sadly the connectivity issues and mobile app don't measure up to
| what I was used to with NordVPN.
|
| Not sure why a savvy someone would use a subscription with a VPN,
| so not sure what the news is here.
| toss1 wrote:
| Awesome - someone in real life treating user-identifying data as
| the toxic brew that it is!!
|
| Refreshing and definitely a good reason to switch.
| seanw444 wrote:
| Been using Mullvad for a year, give or take, and I'm very happy.
| Zero care to find another VPN provider. Simple, fast, and
| anonymous sign-up. The apps function perfectly. Never experienced
| a bug in the Android or Linux apps. And the Wireguard profiles
| work perfectly. Connections are fast and not throttled (IME). And
| the UI of the website and apps is minimal and to-the-point.
|
| I hope Mullvad keeps on its current course. It's one of the most
| respectable companies right now, with a respectable product, and
| its one of the few I care to pay for on a consistent basis.
| stjohnswarts wrote:
| The only issue I have is on my phone. Whenever I leave my home
| wifi, it gets slow as hell and I have to do a reconnect to get
| to a new server. Usually the reconnect speeds things up a LOT.
| kombucha13 wrote:
| Very interesting. Mullvad seems to be the most extreme and
| reputable VPN service out there when it comes to privacy. At
| least it seems that way.
| criddell wrote:
| A VPN will hide you from your ISP, but that's about it, isn't
| it? Does a VPN really provide that much real privacy?
| kombucha13 wrote:
| I mean a properly configured VPN can do a lot more than hide
| you from your ISP
| dymk wrote:
| Like what? Now you're just using their ISP.
| advisedwang wrote:
| Most allow you to choose where the VPN exit is located, so
| you can have traffic originating in another country.
| dcow wrote:
| This is a nice feature and paying for it is a perfectly
| sane thing to do if you need the utility. It's not
| exactly _privacy_, though.
| 5e92cb50239222b wrote:
| Some of us have really crappy ISPs (that also happen to
| be monopolists) that do things like HTTPS MITM (when they
| try to force you to install their root CA certificate and
| HTTPS simply doesn't work unless you do it), block DNS
| requests unless you use their DNS servers, or store all
| your traffic (this is being done in Russia, but it's
| close enough). I very much prefer to cover the precise
| details of my communications from my ISP and 'outsource'
| that stuff to Europe.
| oaiey wrote:
| I hope you go for a spying incompetent country in Europe
| :). Especially one which is not partnered with the US ..
| like the UK and others.
| yjftsjthsd-h wrote:
| It also stops sites you visit from seeing your real IP.
| stjohnswarts wrote:
| Sure but with fingerprinting that's only a minor nuisance
| to most advertisers and sites who are tracking you.
| oaiey wrote:
| But the vast majority of users will not care about
| fingerprinting by surveillance industry but about
| illegally downloading stuff. And there, VPNs are quite
| comfy.
| pridkett wrote:
| The newest version of Firefox goes a long way to prevent
| this with Total Cookie Protection[0]. You're basically
| left with fingerprinting as all cookies are site specific
| - even third party cookies. Combine that with a DNS
| that does cname uncloaking like NextDNS and noscript and
| you're about as good as you can get without extreme
| measures.
|
| [0]:
| https://blog.mozilla.org/en/products/firefox/firefox-
| rolls-o...
| Pakdef wrote:
| ezfe wrote:
| Well, yes and no. For most people, they're over-rated. You
| don't even need a VPN to securely pay your credit card bill
| on public Wi-Fi.
|
| However, there are two cases where they are useful:
|
| - IP address hiding (something like iCloud Private Relay for
| iOS/Mac users does this at the browser level, VPN brings it
| to the entire system)
| - Legal protections
| - Location simulation
|
| If you want to hide your IP address, this could be to stay
| more anonymous and less trackable, any system that relays
| your connection is fine.
|
| If you want to break the law, you'll need something that has
| safeguards in place against that. Most VPNs do the most they
| can within the legal limits here.
|
| If you want to simulate your location, you'll need a VPN with
| servers in those locations.
|
| ---
|
| So really, it just depends on what "real privacy" means to
| you.
| 5e92cb50239222b wrote:
| You forgot the most important use case, unless you're
| talking about Europeans and USians only. I use a VPN simply
| because half the internet doesn't work without it (some guy
| in a suit decided what you can and cannot read, and there's
| nothing you can do about it).
|
| Free tiers provided by various "cloud" services work fine
| for this one (Oracle is the most generous among them).
| ezfe wrote:
| "If you want to simulate your location, you'll need a VPN
| with servers in those locations."
|
| While I did omit that justification, it is still just
| simulating location.
| Anunayj wrote:
| and let me access sites blocked by my country/ISP!
| stjohnswarts wrote:
| Hiding your activity from your ISP is a Huge Deal in the USA.
| Can't speak to other countries though.
| Linda703 wrote:
| mbg117 wrote:
| I use this style of writing often, in conjunction with markdown
| documents.
|
| Also, I find that using bullet points helps to visualize the
| sentences better, especially when used hierarchically.
| peddamat wrote:
| You might be interested in logseq, a bullet-oriented MD editor:
| https://logseq.com/
| 333c wrote:
| Did you mean to post in
| https://news.ycombinator.com/item?id=31808093 ?
| pridkett wrote:
| Thankfully, they still support my favorite way to pay: dropping
| an envelope filled with various cash currencies and your account
| number on a slip of paper in a mailbox at a random airport.
| _fat_santa wrote:
| Highly commendable position. Mullvad is leaving a ton of money on
| the table by doing this, but in the sea of shady VPN providers,
| having a provider do something proactive like this makes me want
| to switch.
| potency wrote:
| Who are you using now?
| iKlsR wrote:
| Been using PIA for the past few years. Tried Proton but this
| looks really good and having the entire thread sending +1s is
| major. Will def give it a try.
| nzgrover wrote:
| re PIA, have you seen this?
| https://restoreprivacy.com/kape-technologies-owns-
| expressvpn...
| WithinReason wrote:
| What's wrong with Proton?
| spacephysics wrote:
| The few times where removing 'features' (re: privacy holes) is
| good news
| cersa8 wrote:
| I like this a lot even though my primary reason is unexpected
| subscription renewal. I started a membership site and tried to
| use every single thing I would want as a customer. One of the
| things was a reminder that my yearly membership was about to
| expire, and by doing nothing this would indeed happen. No
| automatic renewal (but keeping the account in an inactive state).
| Confident customers can renew for 3 years with a discount, but
| nothing will automatically renew. Turns out, customers love this
| attitude and happily renew when it's time.
| tailspin2019 wrote:
| This is a nice approach. Have you considered giving customers
| the option to turn on automatic renewal?
|
| There are certain specific things that I would want always to
| auto renew (like domain names, hosting related stuff etc)
|
| If I ever get round to building a subscription SaaS I might
| consider "off by default" auto-renewal and leave it to
| customers to turn it on if want it... though this does add a
| bit of complexity I guess.
| cersa8 wrote:
| Have considered and have been told many times this is costing
| me revenue (which I think might be true). But I've never had
| a customer ask for it. Which is an important signal for me to
| consider a feature. Online payments are very easy for my
| target audience (mostly Dutch retail customers) with iDEAL so
| the benefits of automatic renewal are low.
| shanecleveland wrote:
| I use Stripe to manage payments for a subscription site with
| both monthly and annual options. I have renewal reminders
| turned off, because it seems like overkill for a monthly
| renewal - no option to only have it on for yearly plans. I
| worried about issues with yearly renewals, so I set up my own
| service to send a renewal reminder for yearly subscribers. I
| would rather have more customers not renew on friendly terms
| than deal with surprise charges. And I figure it may prompt
| some to check and update payment methods or spur them back into
| actively using the service more.
| zdkl wrote:
| In some circles that'll count against you if you try to sell
| the product/company. Investors are interested in recurring
| revenue and will value it very differently than your loose-
| relation clients. Not saying it's a thing you should always do,
| but worth keeping in mind.
| kalleboo wrote:
| Right, if your product is your company, this is the wrong
| attitude. But if your product is your product, then it's
| fantastic.
| Trias11 wrote:
| Kudos!
| rglover wrote:
| Wow.
|
| Hadn't heard of Mullvad before reading this, figured I'd give it
| a try. That is hands down the BEST onboarding experience for an
| app (let alone a VPN) I've had in I don't know how long. Took me
| maybe 2 minutes to go from no account to a working VPN
| connection.
|
| I love that everything is anonymous (down to the account
| credentials just being a randomly generated token).
| detritus wrote:
| I signed up to Mullvad - my first VPN - literally about 12
| hours ago, purely because of how simple, yet comprehensively-
| explained, their 'onboarding' process was.
|
| I also particularly like the flat no-fuss EUR5 a month fee.
| sdfhdhjdw3 wrote:
| > Hadn't heard of Mullvad before reading this
|
| Just the only vpn with any integrity left remaining, no biggie.
| UberFly wrote:
| Your blanket statement isn't true. OVPN for instance has gone
| to court to protect its data:
| https://www.ovpn.com/en/blog/ovpn-wins-court-order
|
| They are a very good alternative among others.
| knorker wrote:
| What about ovpn.com?
| SV_BubbleTime wrote:
| Absolutely no way to know they are good and other is bad. The
| entire VPN industry is "trust us bro". Which works until it
| doesn't.
| whatever1 wrote:
| That is the entire tech industry. No audits, no
| repercussions for screw ups.
| slavak wrote:
| Would a 3rd party audit work?
|
| https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-
| leak...
| hihihihi1234 wrote:
| Why do the other popular VPNs not have any integrity left?
| nijave wrote:
| A lot of them have been gobbled up by Kape or otherwise
| proven to keep logs/data when they claim they don't
| https://restoreprivacy.com/kape-technologies-owns-
| expressvpn...
| blakewatson wrote:
| Oh man I thought Private Internet Access was still one of
| the independent VPNs. I feel duped. :/
| Icathian wrote:
| They got bought sometime last year. I was a very happy
| customer until that announcement.
| hprotagonist wrote:
| and then freenode had a hard fork! weird week.
| cyanydeez wrote:
| Seems more like a reaction to inflation.
| mechanical_bear wrote:
| Protonvpn?
| [deleted]
| f1refly wrote:
| That's just mullvad with a different name
| Tmpod wrote:
| I believe that would be Firefox/Mozilla VPN
| sph wrote:
| Of all their features, I love that they have an Android TV app
| so I can watch F1TV on my couch. They're worth more than the 5
| euros I give them per month.
| ignoramous wrote:
| Aren't OTT streaming services notorious for blocking VPN IP
| ranges? How is Mullvad getting around those? Surely, they
| don't buy / lease / steal residential IP addresses [0]?
|
| [0] https://news.ycombinator.com/item?id=9614993
| simias wrote:
| I also like that they let you download the raw wireguard config
| files so that you can connect without having to use their
| client. You can just plop them onto your filesystem and use wg-
| quick to get going.
|
| Since I'm also a ProtonMail user and I considered switching to
| them for VPN as well but their python client doesn't seem to
| work correctly on my Arch Linux install and it doesn't give me
| anything useful to debug it beyond "An unknown error has
| occured" so I couldn't be bothered to investigate beyond that.
| lukvol wrote:
| I think you can also get the raw wireguard config files for
| ProtonVPN: https://protonvpn.com/support/wireguard-
| configurations/
| simias wrote:
| I did not know that! Thanks a lot. I'll definitely give it
| another try.
| clairity wrote:
| i just set it up to try it out (on macOS): created a free
| config on the proton dashboard, downloaded it, stuck it in
| the wireguard client, and it worked (without downloading
| their vpn client app). make sure your firewall isn't
| blocking the traffic though (something that caught me at
| first).
| citilife wrote:
| Been using protonmail on arch for years, you have to set up
| the configs a tad more manually and do some editing (I forget
| now); definitely doable and protonmail lets you download the
| configs (which work out of the box depending what you use).
| banana_giraffe wrote:
| Be aware, at least Nord clearly does something different with
| their client than with the OpenVPN files they provide (
| https://news.ycombinator.com/item?id=21664692 ). When I dug
| into this, I found similar cases with other major VPN
| providers, but my notes are sufficiently out of date, they
| shouldn't be trusted anymore.
|
| Sometimes the differences are subtle, sometimes they're
| rather complex like this case. Personally, sketchy stuff like
| this is why I've moved all of my VPN use to a personal cloud
| instance running WireGuard.
| rafale wrote:
| What cloud do you use? A lot of websites will flag any AWS
| or data center IP as a bot.
| banana_giraffe wrote:
| So, I do have two VPN servers running, one on my home
| connection, and one on AWS, for just the reason you
| state.
|
| That said, I got back from a week long trip a few weeks
| ago. I kept my AWS tunnel up the entire trip. For the set
| of websites I visit for personal and work reasons, it was
| never an issue. I'm sure I could find some website that
| doesn't work, but for me, it's just not a problem.
|
| It's also super useful, since I can whitelist my AWS
| instance's IP on services that demand such things, and
| never have to worry about where I am as I move from
| network to network. I've also reserved the Elastic IP so
| I can stop/terminate my server when I want without
| needing to whitelist the IP again when I spin it back up
| runnerup wrote:
| I use whatbox.ca as my global/universal VPN. So far I
| haven't seen any issues. It works in places where most
| VPNs are banned or heavily throttled (like Saudi/Abu
| Dhabi/Qatar, my workplace, AT&T cellular data, etc)
| Pakdef wrote:
| herbst wrote:
| Crazy thing is, it was just as great already many years ago.
| And yet people fall for absolutely weird fake privacy vpn
| offers.
| DrewADesign wrote:
| I've been a mullvad user for the past couple of years. I only
| occasionally use them for privacy on open wifi networks or
| whatever, but the experience so far has generally been
| excellent. I initially used the official Wireguard iOS app to
| connect, but their iOS native app is freaking excellent. WAY
| more reliable and user friendly than the others I've used--
| ExpressVPN and some other. It's been quite some time since I
| used the other ones, however, and they may have equally good
| branded clients by now.
| misterdee wrote:
| I can wholeheartedly recommend them after using their service
| the past few months. They offer Linux configs with wireguard (a
| sore point with other VPN providers, who tend to either not
| support Linux at all or only offer openvpn), their Android App
| has worked flawlessly and it's just 5E/month.
| GekkePrutser wrote:
| Yes and they even make double hopping easy. Many other VPNs
| don't like this, presumably because they have to eat 3 times
| the traffic.
| HEHENE wrote:
| Mullvad has been tremendous and the ease of use is terrific. I
| use a VPN relatively infrequently, sometimes going months
| without turning it on, so the one-time payments have been
| wonderful. The app is simple to use, and it's so, so easy to
| reactivate for a month when I need it.
|
| I can't speak to their privacy as my VPN usecase is usually
| just "I need an IP in another region," but to the best of my
| understanding they are one of if not the best in the business.
| Cyph0n wrote:
| As an additional data point, I've been using Mullvad as a
| long-running VPN for a while now (hint: Linux ISOs) and it
| has been working like a charm.
| anonporridge wrote:
| You can also easily pay with better anonymity with the Strike
| app, https://strike.me, which abstracts bitcoin mainnet and
| lightning network payments behind USD, so you don't have to
| worry about actually holding bitcoin or managing tax
| implications. You just use bitcoin as a globally agnostic
| payment rail, masked with your local fiat, so the price
| volatility doesn't affect you.
|
| Mullvad even gives you a 10% discount for bitcoin, bitcoin
| cash, and monero payments.
|
| I am a bit disappointed that they haven't yet integrated
| bitcoin lightning network. That would be a huge improvement for
| reduced transaction fees given the low value of transactions
| they deal with, as well as instant confirmation rather than 6
| block (~1 hour) confirmations. You could even theoretically
| stream nanopayments for each minute of use with lightning,
| rather than pay for a whole month.
| mderazon wrote:
| "Global payments for the internet"
|
| I was intrigued...
|
| Then
|
| "currently the Strike app is only available in the United
| States*, El Salvador, and Argentina"
| alexchamberlain wrote:
| It's the "World" Series of Internet payments.
| malfist wrote:
| Mullvad is behind the mozilla vpn. They're crazy good about
| privacy. You can mail them cash with account info and they'll
| set you up.
| kadoban wrote:
| Mullvad accepts cash as well. In what way are they behind?
| 7ewis wrote:
| As in they power Mozilla's VPN:
|
| https://mullvad.net/en/blog/2019/12/3/mullvad-
| partnerships-p...
| kzrdude wrote:
| Mullvad is the service provider, Moz just resells their
| service
| JonyEpsilon wrote:
| Behind in the "controlling or responsible for (an event or
| plan)" sense was meant, perhaps?
| palata wrote:
| Misunderstanding. The Mozilla VPN is Mullvad (rebranded).
| kadoban wrote:
| Ohhh, I see. I did not know that, thanks.
| encryptluks2 wrote:
| Great benefit. I also recommend to find a reputable masked card
| service provider if you plan to use a credit/debit card. Autopay
| is just another way for banks and providers to circumvent
| overdraft protection legislation and hopefully new legislation
| will remove any "perks" that providers offer for autopay
| services.
| capableweb wrote:
| No need, just send them cash in an envelope, which works just
| as well.
|
| I wish more services supported this, but I understand it adds a
| lot of hassle for them as well.
| TomGullen wrote:
| How do they handle VAT via cash in an envelope? Do you need
| to provide a billing address?
| hedora wrote:
| Why would you need to provide a billing address?!? It's
| cash, and they don't generate bills anymore.
| tzs wrote:
| In the EU VAT for online products and services is based
| on the buyer's location not the seller's location. They
| need to know something about where the buying is to
| determine the VAT rate and where to send the collected
| VAT.
|
| I don't know what the rules are for sellers that are
| inside the EU, but if they are at all like the rules for
| sellers outside the EU selling to buyers in the EU they
| are required to collect two pieces of evidence that
| support their determination of which country's VAT to
| collect.
|
| Where I work we use the country the person claims they
| are in from the country drop down on our cart and what
| country MaxMind says their IP address is from. This works
| most of the time. If those don't match we look up the
| first 6 digits of their credit card to see what bank
| issued it and see what country that bank is in, and if
| that matches either their selected country or the IP
| country we go with that. If the bank is in a third
| country, we look at their email address and if that is at
| a service that is mostly just serving one of the three
| countries we go with that.
|
| How would a company that accepts cash and keeps very
| minimal customer information deal with this?
| cmeacham98 wrote:
| Mullvad's advertised pricing already includes VAT is my
| understanding.
| wasmitnetzen wrote:
| They still have to pay different VAT rates to the buyer's
| country, even if that is transparent to the customer.
| nunez wrote:
| Blur (dnt.abine.com) and Privacy provide fantastic masked card
| services.
| zahma wrote:
| Is there such a thing as a truly private "masked card service?"
| I'm genuinely curious because I use virtual cards supplied by
| my online bank, but I'm sure they retain records for each
| virtual card I use. Are there services that do not record this
| information?
| encryptluks2 wrote:
| Good question. I doubt any of them are truly private but I
| think it at least adds a layer of privacy and security from
| the service provider, but as with most things it probably
| won't protect you from a court order.
| zahma wrote:
| The only real masked card I can think of would be a gift
| card paid for in cash. Tedious as it is, that seems like
| the only way to use a debit card privately, and I think
| some of those are rejected by online pay platforms.
| danachow wrote:
| > Is there such a thing as a truly private "masked card
| service?"
|
| No - there's no way to support all the anti fraud mechanisms
| of the major credit card networks without a thorough paper
| trail. Masked card services help prevent unwanted charges and
| inconvenience for the customer - they may give a fleeting
| layer of privacy between the consumer and the merchant but
| nothing more than that.
| azalemeth wrote:
| I would love to know if there are any of these in the EU - US
| friends of mine have mentioned privacy.com but I am unaware of
| a similar service in the UK.
| pacifika wrote:
| which is it, EU or UK?
| Dracophoenix wrote:
| Privacy.com abides by KYC. So it's not very private.
| sascha_sl wrote:
| Mullvad already did this for anyone who wanted port forwards,
| because those people are more likely to be the target of legal
| demands.
|
| They seem to never actually associate the account number with any
| payments except at the moment the account gains time. This keeps
| them from having to respond to any legal demands with useful
| data.
|
| I wonder if the iOS subscriptions are affected. Technically they
| could just not associate your payment with your account number.
| Then the app can submit the transaction ID and your account
| number that was stored locally to the service to extend your
| time.
| colesantiago wrote:
| I wish more SaaS companies (especially VPN ones) did this, this
| is a giant win in the area of privacy. Go Mullvad!
| nicce wrote:
| The opposite is sadly still happening everywhere else and no
| change for that is probably coming in the foreseeable future.
| With subscriptions, you guarantee the revenue. And making it
| very difficult to unsubscribe, such as some unnamed companies,
| even a little bit more money is collected.
| mig39 wrote:
| I've always loved that Mullvad wouldn't let you accidentally
| compromise your own security.
|
| For example, the port-forwarding feature won't work if you have a
| recurring subscription.
|
| This just extends that kind of thinking to the service in
| general.
|
| Been a Mullvad customer for a long time now, and it's always been
| awesome.
| contravariant wrote:
| What's the exact reasoning behind that? How does paying via
| PayPal impact the privacy of a forwarded port?
|
| Is this something to do with state-level actors?
| capableweb wrote:
| Presumably there are details linking together payments coming
| from Paypal and the account number. And obviously there is a
| link between account number and forwarded port. So following
| with that, you'd be able to make the connection between the
| account number and Paypal account, which is definitely not
| private nor even pretending to protect your privacy.
| Cyph0n wrote:
| > For example, the port-forwarding feature won't work if you
| have a recurring subscription.
|
| Yep, I had to cancel my subscription recently to get port
| forwarding working. I've been a customer for a few years now
| and trusted that they were doing this because it made sense
| from a privacy standpoint.
| yieldcrv wrote:
| Do they take crypto?
|
| I've funded some virgin addresses from Tornado Cash notes,
| running from my own local node
|
| That's sufficient and definitely less cumbersome than Monero.
| johnbatch wrote:
| Yes. [0]
|
| "Which payment methods do you accept? We accept cash, Bitcoin,
| Bitcoin Cash, Monero, bank wire, credit card, PayPal, Swish,
| Giropay, Eps transfer, Bancontact, iDEAL, and Przelewy24."
|
| also Cash
|
| "Can I really pay with cash? You bet, and please! Stay
| anonymous all the way. Just put your cash and payment token
| (randomly generated on our website) in an envelope and send it
| to us. We accept the following currencies: EUR, USD, GBP, SEK,
| DKK, NOK, CHF, CAD, AUD, NZD."
|
| [0] https://mullvad.net/en/pricing/
| yieldcrv wrote:
| Ohh ok so no Ethereum or EVM assets
|
| With virgin addresses I can get bitcoin and monero (or
| anything incl cash) anonymously from the tornado cash notes
| via the bridges, or via exchanges and staying below KYC
| limits
|
| But Tornado Cash notes decrypt only to EVMs where Tornado
| Cash is deployed. It would be more convenient for Ether and
| some ERC20 tokens to also be used directly, instead of
| bridges or exchanges.
|
| Are you all beholden to a specific payment processor or
| implementation? People pay the most to use Ethereum for over
| half a decade now, which is best projection we have for
| activity and potential interest in merchants that aren't
| crypto native services.
| irusensei wrote:
| I buy mullvad vouchers from this website paying with Bitcoin
| through the lightning network:
| https://vpn.sovereign.engineering/
| 5e92cb50239222b wrote:
| Man, checking this one takes like 10 seconds. Not only do they
| take "crypto", they also have a 10% discount if you pay with
| it.
| yieldcrv wrote:
| I actually did take 10 seconds, scrolled down and saw the
| pricing page, decided not to click that because so many
| services only show the janky crypto payment option during a
| janky checkout process so decided not to bother and just ask
| here in the remaining 2 seconds. It worked.
| nunez wrote:
| yes, with a discount even
| hairofadog wrote:
| Anyone have thoughts about the privacy and security aspects of
| TunnelBear? I've been using them for a few years, wondering if I
| should switch to Mullvad.
| jacooper wrote:
| The top proper privacy focused VPNs are in no specific order:
|
| - ProtonVPN
| - Mullvad
| - IVPN
|
| More details here on why: https://www.privacyguides.org/vpn
|
| I personally picked Mullvad even though I use Proton Mail
| because they have a fully featured Linux app, unlike Proton's
| which is very very basic and they support IPv6.
| potency wrote:
| That's amazing. When so many companies go in the opposite
| direction, it's incredibly refreshing to see a company make
| strides toward reducing their customer's identifiable data
| footprint.
| corytheboyd wrote:
| Mullvad is badass, tried it out for a month and it was glorious,
| so I just recently pre-paid a full year.
| oaiey wrote:
| Clickbait .. but a rightful one :)
| skeeter2020 wrote:
| If you're familiar with the sizeable benefits of the subscription
| model for a business you'll recognize this is a big deal.
| ouid wrote:
| absolutely not. people are wary of signing up for new
| subscriptions, because cancellation is not clearly protected in
| most jurisdictions, and people are aware that they can forget
| to cancel.
|
| People don't forget to renew their world of warcraft membership
| because their game stops working if they do. if you use a VPN,
| you likely use it every day, and there will be no lost revenue.
| meltedcapacitor wrote:
| Are these benefits not eroding? Pressure on subscription models
| comes from both the public getting herd immunity against the
| underlying dark pattern and competitors chasing a diminishing
| supply of people to trick as world + dog has adopted the
| tactic.
|
| In this particular case, with a privacy tailwind, it will be
| unsurprising if it ends up increasing their sales.
| GekkePrutser wrote:
| I don't think so. Us privacy and control freaks abhor
| subscriptions, the mainstream just shrugs and pays what
| they're told to pay. I can even see them adopting rental
| models for a lot of stuff we purchase outright now (the "you
| will own nothing and you will be happy" great reset promoted
| by the world economic forum). I think this is pretty
| exploitative but I'm pretty sure I am in a minority.
| Obviously big business loves this because they have to do
| almost nothing and still get guaranteed income.
|
| But to me their arguments sound too much like blackmail "With
| this model there is incentive for us to make longer-lasting
| products which is good for the environment". Well, sure but
| if you actually _cared_ about the environment instead of
| money you'd be doing that right now. Why do we have to pay
| them more for less in order for them to do this?
|
| To me this really sounds like a "pay us what we want or we'll
| mess up this environment of yours even more" extortion
| scheme.
|
| The older generation is more against it but they tend to not
| trust tech very much anyway. They're not the ones buying a
| new phone every year, they use it for many years and even get
| it fixed when it breaks.
| dathinab wrote:
| > mainstream just shrugs and pays what they're told to pay.
|
| But mullvad isn't targeting mainstream!
|
| It's mainstream compatible, as-in not too hard to use, but
| that's it.
|
| Also mainstream only cares about VPNs because they believe
| it does magical things, like somehow better protecting
| all your privacy even if you are logged into Facebook or
| somehow making account hijacking or banking scams less
| likely :/
|
| That's why they will go anyway with VPN providers which do
| a lot of ad advertisement to make them subconsciously feel
| like it's doing all these magical things (even if they never
| explicitly claim it). Like NordVPN (you probably know what
| I mean if you use e.g. twitch in the EU ;=) ).
|
| So no point in competing for these users without doing
| things like an ad powered free plan, free testing month, and
| tons of dark-ish patterns.
|
| Instead mullvad has I think a good idea about what works
| with their customers.
|
| I think it still will cost them money (who hasn't forgotten
| to cancel an abo) but also might save them money (not
| having to handle anything in support related to
| subscriptions going wrong). And maybe with things like
| people pre-paying for a year, but stop using it after a few
| months it will also not cost them anything. Really hard to
| say. I mean it was also guaranteed to end up on HN, so free
| advertisement to exactly the right audience. That's worth
| some money, too.
| GekkePrutser wrote:
| > But mullvad isn't targeting mainstream!
|
| I agree, this is precisely why they're doing this.
| Putting their customers' privacy over their investors'
| wallets. This is a big ballsy move IMO. They're buying a
| lot of goodwill here. And taking a risk.
|
| > Also mainstream only cares about VPNs because they
| believe it does magical things, like somehow better
| protecting all your privacy even if you are logged into
| Facebook or somehow making account hijacking or banking
| scams less likely :/
|
| Also totally agreed lol. I often get questions from
| friends about VPNs. Always have to explain that privacy
| really doesn't work if you _willingly_ give up your data
| :)
|
| And no I don't use Twitch so not sure what you mean
| there, sounds like an interesting story.
|
| > So no point in competing for these users without doing
| things like an ad powered free plan, free testing month,
| and tons of dark-ish patterns. Instead mullvad has I
| think a good idea about what works with their customers.
|
| Exactly. They're not doing a tunnelbear.
|
| > I think it still will cost them money (who hasn't
| forgotten to cancel an abo) but also might save them
| money (not having to handle anything in support related
| to subscriptions going wrong). And maybe with things like
| people pre-paying for a year, but stop using it after a
| few months it will also not cost them anything. Really
| hard to say. I mean it was also guaranteed to end up on
| HN, so free advertisement to exactly the right audience.
| That's worth some money, too.
|
| I agree it's ballsy, this makes me respect the gesture
| even more. It's not the 'done thing' in this day and age.
| But they're still doing it and for the right reason.
| mechanical_bear wrote:
| > you will own nothing and you will be happy
|
| Too easy and lazy to blame this on some grand conspiracy.
| Reality is much more complicated, and cuts to the heart of
| human behavior.
| GekkePrutser wrote:
| Conspiracy no. But I don't like where the world is
| headed. Investors are demanding ever more markup on
| products and services. Nobody is happy with a 10% markup
| anymore in electronics. There seems to be a constant flow
| of money to the ultra-rich away from the poorer people,
| and this is something that has been constantly going on
| for the last decades. Because the squeeze is finally
| starting to hit the mainstream of the richer countries.
| Even the US is starting to see instability from this.
|
| I think part of this is the free market which only really
| works on "MORE". More turnover, more customers, more
| products YoY. If you make a loss or invest in something
| for the common good a company isn't just frowned upon,
| they are putting themselves at liability of due diligence
| lawsuits. Most of the societal and environmental problems
| we are seeing stem from this, in my opinion. We need to
| fix the system before it's too late, not pamper to it.
|
| I don't think there is a dark "SPECTRE" style gathering
| going on at Davos, no. I'm not a conspiracy theorist.
| However I do see there is zero incentive to improving the
| status quo if it doesn't make some rich people much
| richer yet again. This is why I see the WEF as a 'bad'
| entity, for promoting such things which are clearly
| undesirable. It's a very one-sided image.
|
| For me as a tinkerer and maker the idea of renting my
| stuff and not being allowed to improve or repair it, is
| absolutely unthinkable and something that must be fought
| tooth and nail.
| ryanbrunner wrote:
| I think saying subscriptions are a dark pattern is going a
| bit far. In the case where you're offering an ongoing service
| that requires a cost to service, a subscription model is
| completely appropriate and in the best interest of both the
| subscriber and the issuer.
|
| For sure there's some abuse of the model where you're selling
| something that should be a one-time item, but that's not the
| case here, and Mullvad is providing an ongoing service (and
| still billing by month / year / etc. for the service, just
| without automatic renewals).
| 3wolf wrote:
| Yeah, I'd say the term dark pattern only applies when
| services make it unnecessarily difficult to cancel your
| subscription. _cough cough_...NY Times
| wpietri wrote:
| I'd be willing to say that subscriptions are a dark pattern
| when they don't automatically stop if you stop using them.
|
| A fundamental part of healthy business relationships is
| value for value. E.g., you give me money, I give you a
| sandwich, you take the sandwich, eat it, and are happy with
| it. If you keep paying me for sandwiches but I don't give
| them to you, that's not healthy. Ditto if I put them on the
| counter but you stop taking them.
|
| Personally, I think there should be a law that all
| service/software subscriptions auto-suspend after 30 days
| of non-use. Because right now there's a big incentive for
| businesses to get you to sign up for things they think
| you're not going to use, and to keep on charging you even
| though they know you're not using it.
| tomnipotent wrote:
| What you're asking for is a la carte access while still
| getting discounted subscription pricing, pushing all the
| risk onto the business. Consume as much as you want, but
| pay nothing when you don't. Sounds like a crap deal for
| the business.
| lolc wrote:
| To me, a dark pattern is when the service doesn't announce
| in advance when the subscription is going to renew.
| bcrosby95 wrote:
| These emails always annoy me. To each their own I guess.
| yreg wrote:
| They still use a subscription model it's just a non-recurring
| one.
| karaterobot wrote:
| Part of the advantage of the recurring subscription model is
| having predictable revenue every month due to it being
| recurring. And many businesses count on that "gym membership"
| effect, where people who don't use a service also don't take
| the time to cancel it for a while.
| disiplus wrote:
| that's me and my audible subscription. I should cancel it,
| but before that I have to use the credits.
| krallja wrote:
| Holy cow, that's evil.
|
| https://help.audible.com/s/article/do-i-keep-my-credits-if-i...
|
| Do I keep my credits if I cancel my Audible Premium Plus
| membership? No. If you end your Audible Premium Plus
| membership, your credits will be lost with your other
| membership benefits.
| shever73 wrote:
| It's exceptionally evil! I had the same issue and
| couldn't understand why I was losing credits I thought I
| had "bought".
|
| This and other privacy-related issues (see my comment
| history) is why I won't consciously use Amazon again.
| yurishimo wrote:
| If you sign up on iOS in app, you get to keep your
| credits after cancelling. One of the things Apple does
| right imo in regards to consumer protection.
| dfinninger wrote:
| I wind up pausing my subscription when I get too many
| credits. It's not a full cancellation, but I don't have
| to pay.
| DesiLurker wrote:
| IIRC problem is the option of pausing subscriptions is
| well hidden & revealed only when you have fully made up
| your mind to cancel & drop all your credits. most folks
| would not do that instead maybe defer the decision
| another month in the hope they'll 'catch up'. then
| they'll forget about it for a few more months.
|
| Dark patterns all over.
| matrix12 wrote:
| Hint: OpenAudible backup before you terminate.
| wccrawford wrote:
| Incredibly evil. That's why I used up all my credits and
| then cancelled my account. I briefly flirted with "gift
| subscriptions" because I was still wanting new audio
| books a lot, but that has its own problems. So I gave up
| on them.
| buildbot wrote:
| Hmm, that might be illegal in Washington State
| DesiLurker wrote:
| that's why I raced to buy up a bunch of books with my
| points and then cancelled immediately (you can keep the
| books). it's one dark pattern after another, good
| riddance.
| [deleted]
| mkroman wrote:
| Just contact customer support and ask if you can get a
| refund. I've done this a few times when I was just
| accumulating points with nothing I wanted to buy, and
| it's always been quick and easy.
| roldie wrote:
| Another happy Mullvad customer. Been using them for a couple
| years now, and couldn't be happier with the ease, speed, and
| privacy.
| ouid wrote:
| This is PR and the comments are astroturfed to absolute hell. VPN
| is the most heavily advertised business I am aware of. There are
| a lot of reasons to mistrust this behavior.
|
| 1) it doesn't cost mullvad very much to not autorenew
| subscriptions. People don't forget to renew their subscriptions to
| a service that breaks your connection to youtube when you forget
| to pay. It's closer to the world of warcraft model.
|
| 2) Customers are now rightfully wary of renewing subscriptions.
| Given horror stories of how difficult it is to cancel your
| subscription to a service, I suspect that you lose upwards of 50%
| of potential customers if you only offer subscription models.
|
| 3) No VPN has any incentive at all to "protect your privacy". It
| is perfectly legal for them to lie to you about not keeping logs
| and then turn them over to state actors, provided they are
| operating out of the right state. In fact, state actors would
| encourage such a thing. Perhaps some of these VPNs do something
| to protect your privacy, but it is not because they are
| incentivized to.
| colonwqbang wrote:
| In which state is it legal to lie about the service you are
| delivering? I.e. in your marketing say that you will deliver
| something and then instead deliver something less valuable.
| ouid wrote:
| It's possible you don't know what state means. But the US has
| plenty of mass warrants that require companies to keep logs
| even in the presence of promises that they don't. In fact,
| they are obligated not to reveal that they are now keeping
| logs. Warrants supersede contract.
| colonwqbang wrote:
| Even in the US I think you can't advertise a service that
| you are not legally allowed to provide. Does the first
| warrant make you immune to fraud allegations?
|
| I'm not an expert and am ready to accept that I may be
| wrong. If you know any sources on the matter, it would be
| interesting to read.
| exyi wrote:
| Mullvad is based in Sweden, they seem to be privacy
| friendlier in general (even allowing sites like sci-hub on
| their TLD)
| sixhobbits wrote:
| "Please don't post insinuations about astroturfing, shilling,
| bots, brigading, foreign agents and the like. It degrades
| discussion and is usually mistaken. If you're worried about
| abuse, email hn@ycombinator.com and we'll look at the data."
| ouid wrote:
| I flagged the post, but VPNs are not "unlikely" sources of
| astroturfing. I do not particularly trust the startup
| incubator that launched many of these VPNs to take a
| particularly critical view of astroturfing, so I have chosen
| to ignore this forum rule
| throwaway287391 wrote:
| > it doesn't cost mullvad very much to not autorenew
| subscriptions. People don't forget to renew their subscriptions
| to a service that breaks your connection to youtube when you
| forget to pay. It's closer to the world of warcraft model.
|
| I might be in a tiny minority of users (genuinely not sure) but
| I only enable my VPN when I want to get around IP geolocation
| (e.g. to stream something only available in another country)
| and otherwise turn it off when I'm done to minimize latency. I
| sometimes go a week or two without using it so I could easily
| not notice at least for days if my subscription didn't
| autorenew.
| k8sToGo wrote:
| You forgot the last conspiracy reason which I always read in
| comments like this:
|
| 4) It is probably state funded and run by the CIA.
| ouid wrote:
| this is a weird double standard. The only reason to use a vpn
| is because of fears of the CIA or whatever in the first
| place.
| charles_f wrote:
| > convenience comes at a cost and we no longer think this is an
| acceptable trade-off.
|
| In an age where dissertations about what color and position to
| use for buttons go pages long, that's a courageous position that
| follows a clear strategy. Kudos!
| onelovetwo wrote:
| I think it's also good for Mullvad, they push people towards the
| 1y plan instead. No one is going to put their payment info in
| every single month.
| charles_f wrote:
| They only have a monthly pricing option I believe
|
| https://mullvad.net/en/pricing/
| prophesi wrote:
| With one-time payments, you'd send them 5 euros for one
| month, or 60 for a year, etc.
| skrebbel wrote:
| Nop, you choose how many months you wanna pay ahead for
| tgsovlerkhgsel wrote:
| Pricing yes, but you can buy multiple months in advance.
| You don't get any advantage except convenience.
___________________________________________________________________
(page generated 2022-06-20 23:00 UTC)