As long as they abide by their VPN no-log policy and provide a good VPN service, that’s all I really care about. You should always browse the web as if you are being watched, especially if you are using a VPN, but I like a VPN provider that isn’t really in the picture. I don’t want to constantly think about the fact that I’m using a VPN and I just want it to work as intended.
Overall, this is a nothing burger for the most part.
Currently our email is being hosted on Gmail, this is correct.
We are working on a self-hosted version based on our STBOOT (Mullvad VPN | Privacy is a universal right) project.
It’s in the final phase and being tested internally and the goal is to
move over email to this platform this year if the testing phase is going
We strongly suggest using PGP regardless of what email server is being
used, as any other means is basically unencrypted and not considered safe.
I’d agree. At the end of the day, Mullvad is a business, and running their own hosted e-mail server was probably not at their highest priority. Truth be told, I can’t imagine many businesses would even consider owning their own e-mail server in this day and age, so the fact that Mullvad is migrating to their own server (if they follow through) is at least some level of commitment to privacy. I think they likely omitted this fact as it clearly isn’t optimal, and it’s not particularly great it wasn’t more publicly disclosed, but pick and choose battles I suppose.
Not trying to be super pro Mullvad, but if anyone’s threat model is to be penetrated by sending an encrypted support e-mail to Mullvad that is hosted on a Gmail server, I just think there are bigger fish to fry.
That social media post is so gaslighting I have a hard time taking it seriously, even though it is pointing out a simple fact. The reality is that most people are not using privacy-preserving email services, and are most likely communicating with Mullvad support using a Gmail address anyway. Yes, it’s not a good lookout for Mullvad, but as a customer I am personally satisfied with their reply.
This is silly, PG already has decently strict criteria on what can even be considered for recommendations when it comes to VPNs. PG would look ridiculous not recommending Mullvad over something like this.
What would be the point of audits as a criterion, if they can still be removed due to their email provider?
Many email providers provide an option to use a custom domain name. It helps with portability (switching services is easy because your email doesn’t change). This feature is also one that PG requires that recommended email providers have.
The original post is misleading at best. They assert that the government can identify you based on this. The author lies by saying customer service will ask for account number and then the gov can see your IP by logging in as you and hijacking Wireguard to see your IP or something like that. Mullvad support will not ask for your account number - except if you ask for a refund, in which case you will not use the service anymore. Furthermore, anyone with a high threat model will not e-mail their VPN provider because that puts them in a niche position, regardless of whether the mail is private or not.
That being said, I did ask them why they wouldn’t switch to something like Session and they say the mail workflow is more convenient. I overall wish mail was dumped for customer service, but it is still the most widely used communication. Every single country uses mail.
I also think they should have been more transparent about this, but it remains overall a low key concern.
That is indeed interesting, but as long as you don’t send them any emails there shouldn’t be a problem.
If you really have to send them an email, use an email alias, pay for it every month separately and replace your account from time to time.