The VPN company Mullvad mouths off “privacy is a right”, but deep down they really don’t give a shit. They don’t even bother to host their own emails for critical technical support, and point their MX email record to Google. (See attached image)
This is a potential privacy risk because many times people will not bother to use PGP and the technical support will ask for their account number. And you’re assuming the people who need VPN technical support even know how to use PGP, and they likely aren’t hiding their IP address because they need support. Often people may use their real email, so they don’t miss the reply on burners, and that leaks their name. Now Google, and therefore the government, know your mullvad account number…
From here, the government can sign in to Mullvad’s site as you, and see the timestamp of first sign-in on each device with the wireguard public key. Although Mullvad masks it will bullshit names, the government can sign-out of the device so when you re-sign in thinking it’s a random technical error, they now know which is which. This enables at a minimum, the identification of your other devices. Maybe you signed in at another location? For example your cellphone.
When you’re out using WiFi anonymously at a public location, the government signs you out of Mullvad. So then when you sign back in, they identify the public location traffic as you. If this is not enough, now the government knows which account to demand a court order for. What are you going to request technical support? Sounds like more info gathering.
Even if none of this is relevant to you. The basic fact remains that Mullvad is using primarily Google to talk to customers, and the customers aren’t even aware of it because it’s a vanity domain. I don’t think people realize just how difficult it is to avoid Google. It’s not voluntary dude, these companies are forcing me out to the fringe of society, to not have everything I’m doing piped into a company I so vehemently hate.
Google is literally paid by the US government to manipulate search results through their Jigsaw division and Moonshot CVE. They aren’t just doing ads dude, it’s a for-profit propaganda machine.
Other privacy influencers always recommend Mullvad, and for the most part I do agree with this for the “average joe”. But let’s keep it real here, if you check the servers, they use many of the same 3rd party providers. Mullvad, IVPN, and TorGuard all use M247 for New York and Los Angeles. So if you connected to LA Mullvad, then switch to LA IVPN, thinking you’re getting a “new identity” you’re not. It’s NSA passive surveillance on the size of data packets going in and out of places like M247 that reveal you, and NOT Mullvad backstabbing you.
Does using Gmail mean Mullvad is compromised? No! You’re twisting my words…
What I’m saying is that very few people genuinely care about privacy, and when you realize just how involuntary Google is, only then can you actually take steps to free yourself.
Is the point of this to smear Mullvad? Sort of. I want to create negative consequences for all companies that force Big Tech on us. All of them think they can cut costs because the public doesn’t care.
Well, I’m here today to say that I care. And even if I stand alone. Even if I’m shadow banned by search engines off the face of the earth. I stand my ground.
But I got a feeling I’m not alone. So if you spread this message, maybe… just maybe, we can get Mullvad to change.
