Hmmm… I dont know what the implications are for this, but they probably use Enterprise Gmail which might have better privacy guarantees (I’m not sure however if this is the case)???
As long as they abide by their VPN no-log policy and provide a good VPN service, that’s all I really care about. You should always browse the web as if you are being watched, especially if you are using a VPN, but I like a VPN provider that isn’t really in the picture. I don’t want to constantly think about the fact that I’m using a VPN and I just want it to work as intended.
Overall, this is a nothing burger for the most part.
Currently our email is being hosted on Gmail this is correct.
We are working on a self-hosted version based on our STBOOT ( Mullvad VPN | Privacy is a universal right ) project.
It’s in the final phase and being tested internally and the goal is to
move over email to this platform this year if the testing phase is going
smoothly.
We strongly suggest using pgp regardless of what email server is being
used, as any other means is basically unencrypted and not considered safe.
I’d agree. At the end of the day, Mullvad is a business, and running their own hosted e-mail server was probably not at their highest priority. Truth be told, I can’t imagine many business would even consider owning their own e-mail server in this day in age, so the fact that Mullvad is migrating to their own server (if they follow through) is at least some level of commitment to privacy. I think they likely omitted this fact as it clearly isn’t optimal, and its not particularly great it wasn’t more publicly disclosed, but pick and choose battles I suppose.
Not trying to be super pro Mullvad, but if anyone’s threat model is to be penetrated by sending an encrypted support e-mail to Mullvad that is hosted on a Gmail server, I just think there are bigger fish to fry.
I think using enterprise gmail isnt necessarily a bad thing.
I dont think they’ll be sending messages containing keys and personally identifying info?
I think its a responsible thing to do if you are not completely competent to do email yourself. I think its only fair because Mullvad never claimed theyre an email company.
This is an interesting point. We don’t really evaluate much outside the VPN product itself when evaluating VPN providers, but maybe we should look at and factor in things like this?
Using Google Workspace is obviously pretty questionable
On the other hand, this isn’t something a customer would have to interact with.
That social media post is so gaslighting I have a hard time taking it seriously, even though it is pointing out a simple fact. The reality is that most people are not using privacy-preserving email services, and are most likely communicating with Mullvad support using a Gmail address anyway. Yes, it’s not a good lookout for Mullvad, but as a customer I am personally satisfied with their reply.
This is silly, PG already has decently strict criteria on what can even be considered for recommendations when it comes to VPNs. PG would look ridiculous not recommending Mullvad over something like this.
What would be the point of audits as a criteria, if they can still be removed due to their email provider?
The domain can be purchased from any provider, anyone can register the domain in Google Workspace as a business email, which will be using Gmail to operate.
Many email providers provide an option to use a custom domain name. It helps with portability (switching services is easy because your email doesn’t change). This feature is also one that PG requires that recommended email providers have.
The original post is misleading at best. They assert that the government can identify you based on this. The author lies by saying customer service will ask for account number and then the gov can see your IP by loging as you and hijacking Wireguard to see your ip or something like that . Mullvad support will not ask account number - except if you ask for a refund, in which case you will not use the service anymore. Furthermore anyone which a high threat model will not e-mail their VPN provider because that put them in a niche position, regardless of wheter the mail is private or not.
That being said, I did ask them why they wouldn’t swicth to something like Session and they say the mail workflow is more convenient. I overall which Mail was dumped for customers services, but it is still the most widely used communication. Every single country use mail.
I also think they should have been more transparent about this, but it remains overall a low key concern.
That is indeed interesting, but as long as you don’t send them any emails there shouldn’t be a problem.
If you really have to send them an email use an email alias, pay for it every month separately and replace your account from time to time.
