Mullvad Leta account requirement changed

Mullvad Leta appears to have been updated to only require that the search come from a Mullvad VPN IP address instead of requiring that a valid account number be entered. As it was made on the basis that searches could be tied to individual Mullvad accounts, does this change affect the current Mullvad Leta anti-recommendation? Or is correlation still a concern simply due to the fact that Mullvad controls both services?

5 Likes

Probably yes.

Probably. I mean, I guess so.

1 Like

Pinging @jonah since he had the most to say on this topic previously (in this thread).

1 Like

Hm, that is a neat update (i.e. definitely what they should’ve done in the first place). It’s technically still the same problem as before though, with the same entity controlling your entry into the network and having access to your search queries simultaneously.

I don’t think Mullvad is correlating this information (like they weren’t before either), but there’s also no technical barriers in place to stop them either :thinking:

2 Likes

Neat change. I was not comfortable putting my account number every time I want to do a quick search.

I don’t know if this was previously mentioned but you can use Mullvad through Tailscale AND use Leta now. This eliminates one of the downsides of using Mullvad through Tailscale.

3 Likes

I don’t think Mullvad is correlating this information (like they weren’t before either), but there’s also no technical barriers in place to stop them either

I don’t understand the issue. How is there a technical barrier to Mullvad knowing what I search when I use its VPN, browser, but not its search engine?

If I search “hello” through Mullvad browser via Duckduckgo, then Mullvad knows I accessed the URL: hello at DuckDuckGo

If I use Mullvad Leta instead, then Mullvad has an additional, more direct, way of associating my search queries with my account.

But this doesn’t matter, because it still knows what I search, regardless. Right?

Because of how HTTPS works, all Mullvad can see is that you accessed DuckDuckGo (so everything after the .com is hidden, same with any internet service provider in fact). Using their browser shouldn’t add any trust to this extent, as it is open-source and you can verify the fact that it’s not sending your history to Mullvad. With a search through Leta, all Mullvad on the VPN side would be able to see is that you accessed Leta at a certain time, but the concern is that Mullvad could (if they chose to log this, which they almost certainly don’t) see that someone made a specific search on Leta at that exact same time, connecting the two events. For this to be an issue with DuckDuckGo, the two companies would need to collude, which is even less likely.

Thank you, I did not know about HTTPS. Now I’m almost wondering if VPN is overkill…

1 Like

ISPs, governments, and network administrators can still use information from your traffic based on just the site URL

True. Mullvad subscription = Renewed.

1 Like