Mullvad Using Gmail

There’s full text on Nostr: SimplifiedPrivacy.com: Mullvad uses Gmail The VPN company Mullvad mouths...

Mullvad is using Gmail for their email. My points are:

  • Google has access to all Mullvad’s emails and their customers’ information.
  • Even if they’re encrypted, Google can harvest now, decrypt later.
    • Which also means they’re indirectly lying about no logs policy.
  • Even if someone never e-mails Mullvad, it’s ridiculous for a privacy company to be using Gmail; they can just self-host or use better e-mail services.

Would like to hear other opinions, and correct me if I am wrong.

6 Likes

Hmmm… I don’t know what the implications are for this, but they probably use Enterprise Gmail, which might have better privacy guarantees (I’m not sure, however, if this is the case)???

1 Like

It’s not great that they’re using gmail, but according to one of the users on primal they said they are working on their own email server. If this is true and not just hearsay, I’m willing to give them a pass on it given they don’t require an email address for registration to begin with and you can just use PGP with an email address specifically created for the Mullvad account, e.g. Cock.li (Tor: http://rurcblzhmdk22kttfkel2zduhyu3r6to7knyc7wiorzrx5gw4c3lftad.onion/) or Cyberfear (Tor: http://cyberfe3gvh7cvq2nhuqtaghjxebhcnqafnfvalwvq6mxrinep7m7xqd.onion/).

As long as they abide by their VPN no-log policy and provide a good VPN service, that’s all I really care about. You should always browse the web as if you are being watched, especially if you are using a VPN, but I like a VPN provider that isn’t really in the picture. I don’t want to constantly think about the fact that I’m using a VPN and I just want it to work as intended.

Overall, this is a nothing burger for the most part.

2 Likes

Mullvad’s customer support response:

Currently our email is being hosted on Gmail, this is correct. We are working on a self-hosted version based on our STBOOT (Mullvad VPN | Privacy is a universal right) project. It’s in the final phase and being tested internally and the goal is to move over email to this platform this year if the testing phase is going smoothly.

We strongly suggest using PGP regardless of what email server is being used, as any other means is basically unencrypted and not considered safe.

3 Likes

Another provider that wants to be taken seriously, but is caught lying.

3 Likes

I’d agree. At the end of the day, Mullvad is a business, and running their own hosted e-mail server was probably not at their highest priority. Truth be told, I can’t imagine many businesses would even consider owning their own e-mail server in this day and age, so the fact that Mullvad is migrating to their own server (if they follow through) is at least some level of commitment to privacy. I think they likely omitted this fact as it clearly isn’t optimal, and it’s not particularly great it wasn’t more publicly disclosed, but pick and choose battles I suppose.

Not trying to be super pro Mullvad, but if anyone’s threat model is to be penetrated by sending an encrypted support e-mail to Mullvad that is hosted on a Gmail server, I just think there are bigger fish to fry.

7 Likes

I think using enterprise Gmail isn’t necessarily a bad thing.

I don’t think they’ll be sending messages containing keys and personally identifying info?

I think it’s a responsible thing to do if you are not completely competent to do email yourself. I think it’s only fair because Mullvad never claimed they’re an email company.

2 Likes

This is an interesting point. We don’t really evaluate much outside the VPN product itself when evaluating VPN providers, but maybe we should look at and factor in things like this?

Using Google Workspace is obviously pretty questionable :thinking:

On the other hand, this isn’t something a customer would have to interact with.

5 Likes

That social media post is so gaslighting I have a hard time taking it seriously, even though it is pointing out a simple fact. The reality is that most people are not using privacy-preserving email services, and are most likely communicating with Mullvad support using a Gmail address anyway. Yes, it’s not a good lookout for Mullvad, but as a customer I am personally satisfied with their reply.

1 Like

This is silly, PG already has decently strict criteria on what can even be considered for recommendations when it comes to VPNs. PG would look ridiculous not recommending Mullvad over something like this.

What would be the point of audits as a criterion, if they can still be removed due to their email provider?

4 Likes

When I check Mullvad VPN - Free the internet I see support@mullvad.net

It seems the domain is registered in Google Workspace email, thus uses Gmail to operate.

Doesn’t look like it to me.

The domain can be purchased from any provider, anyone can register the domain in Google Workspace as a business email, which will be using Gmail to operate.

See: What is Google Workspace & Other FAQs | Google Workspace

2 Likes

Many email providers provide an option to use a custom domain name. It helps with portability (switching services is easy because your email doesn’t change). This feature is also one that PG requires that recommended email providers have.

The original post is misleading at best. They assert that the government can identify you based on this. The author lies by saying customer service will ask for the account number and then the gov can see your IP by logging in as you and hijacking WireGuard to see your IP or something like that. Mullvad support will not ask for the account number, except if you ask for a refund, in which case you will not use the service anymore. Furthermore, anyone with a high threat model will not e-mail their VPN provider because that puts them in a niche position, regardless of whether the mail is private or not.

That being said, I did ask them why they wouldn’t switch to something like Session and they say the mail workflow is more convenient. I overall wish mail was dumped for customer service, but it is still the most widely used communication. Every single country uses mail.

I also think they should have been more transparent about this, but it remains overall a low key concern.

1 Like

That is indeed interesting, but as long as you don’t send them any emails there shouldn’t be a problem.
If you really have to send them an email use an email alias, pay for it every month separately and replace your account from time to time.

1 Like

Google enterprise != free gmail

Is everyone here IT resistant?

Well I obviously agree with this. Proton uses Zendesk, I am not sure if that is any better than Google Workspace.

2 Likes

What do you mean by this?