by codethief 1619 days ago
I've been following Mullvad for a long time and my impression (from countless reviews and comments here on HN) has been quite positive. But here's what I don't understand: Why are the servers located in Sweden, a country that's known for online surveillance[0] like no other country in the EU? From the Wikipedia article[1]:

> The law permits the signals intelligence agency, National Defense Radio Establishment, to monitor the content of all cross-border cable-based Internet traffic to combat "external threats" such as terrorism and organized crime.

[0]: https://www.opendemocracy.net/en/can-europe-make-it/didier-b...

[1]: https://en.wikipedia.org/wiki/Internet_in_Sweden#Internet_ce...

4 comments

Thank you for asking.

> Why are the servers located in Sweden,

We have 762 servers spread across 38 countries. Less than 10% of our servers are located in Sweden [0].

> a country that's known for online surveillance

My cofounder and I started Mullvad as a protest against the growing mass surveillance of Sweden as well as other countries. Our intent was direct political action through entrepreneurship. Incorporating the company in Sweden was the obvious choice, since we are both Swedes. We felt that incorporating elsewhere would have been more risky, complicated, and costly.

Mullvad has excellent lawyers who continuously monitor the legal situation in Sweden. Right now there is no Swedish law that can compel Mullvad to start logging [1]. Should the situation change we have contingency plans.

[0]: https://mullvad.net/en/servers/

[1]: https://mullvad.net/en/help/swedish-legislation/

Thank you, this was the response I was looking for!

> Our intent was direct political action through entrepreneurship.

Again, I didn't mean to question your intent – as I said my impression of your company so far has been a very good one! :)

> We have 762 servers spread across 38 countries. Less than 10% of our servers are located in Sweden [0].

My apologies, it's been a few years since I last looked at your server locations (so I didn't remember) and I was probably getting the wrong impression from the fact that your post is only mentioning server locations in Sweden.

> Right now there is no Swedish law that can compel Mullvad to start logging [1].

But at the same time all cross-border traffic in and out of Sweden (so for anyone using Mullvad outside Sweden: virtually all traffic) is being monitored and (probably) logged, isn't it?

I highly doubt your VPN traffic will pass Sweden if you're outside Sweden and signing onto a Mullvad VPN server located outside of Sweden. The server list may be fetched from Sweden I guess? I haven't looked at the app's traffic to be honest, I have huge respect for the Mullvad team.

Sorry, I should have been more precise: For everyone outside Sweden using Mullvad's Swedish servers. My point was just that the fact that "[r]ight now there is no Swedish law that can compel Mullvad to start logging" does not mean that Swedish intelligence agencies cannot collect any data about you (= the Mullvad user using their Swedish servers).

Locating all their servers in IndependiPrivastan probably wouldn't stop intelligence agencies from collecting data. The NSA, for example, does not care even a tiny bit about the privacy of non-US citizens and sets up equipment around the world to gather and analyze internet traffic.

I agree. But the NSA's resources are also vastly bigger than those of the Swedish intelligence agencies.

I have so much respect for everyone at Mullvad. You are the only VPN provider I trust! I have been a user for years now, and it has always been 5 dollars a month, which is quite generous. It is so cheap that even the poor can afford privacy. You guys have put a ton of effort into making your service as privacy respecting as possible. Not only that, the tech is on the bleeding edge (WireGuard, socks5, etc.) built right in. As a cybersecurity researcher, I could not be happier with the product. I hope you stay true to your mission, thanks again!

Also, will Monero ever become a supported payment method?

How is this nonsense the top comment?

OP's been doing a poor job of "following Mullvad for a long time" and apparently has never used Mullvad or visited its website. Heck, it's on their Wikipedia page[1].

If they had, it would be immediately apparent that Mullvad has servers all over the world. They have for many years -- perhaps since its inception. It takes a bare minimum of effort to learn that.

1. https://en.wikipedia.org/wiki/Mullvad#Service

Your annoyance is understandable, and yet this question and direct response from a founder is a very informative interaction to have recorded in this thread. Much more informative than if GP had simply stated the results of their Wikipedia research.

Sometimes a mediocre question is the landing pad for a great answer. No need to begrudge the question.

While I agree the founder's response was informative, it does not justify the completely erroneous statement/accusation that prompted it.

That most certainly should be called out -- especially when it was, at the time, the top voted comment.

People make mistakes. Maybe if you were less combative your comments would get more upvotes.

I didn't feel like I was being combative, only pointing out OP was misinforming people. They didn't do even basic research, contrary to their statements. That negligence should be called out.

And I'm not here for upvotes. Who's being combative, again?

I have apologized for the factual incorrectness of my comment and explained how I had arrived at that conclusion / brain glitch: They are only mentioning Swedish servers in their blog post and for a second I had forgotten that, like any other big VPN provider, Mullvad of course has servers in many locations around the world.

What more do you want? Upvotes are not under my control and I also cannot edit my original comment anymore. No reason to get personal.

FWIW, I still think that it's important to raise awareness for the deficiencies of Swedish privacy law (irrespective of Mullvad and where their servers are located). I suspect that at least some of the upvotes were also given because people agreed with that.

Because it's a Swedish company? The location of the servers is kinda irrelevant in that regard. They'd have to provide government access if there is a lawsuit that demands it. If there isn't one then your critique is entirely pointless.

> Because it's a Swedish company?

I'm not sure what point you're trying to make. If online privacy is as important to them as they say, they could have easily registered their company (or a subsidiary) in a different EU member state.

> They'd have to provide government access if there is a lawsuit that demands it.

IANAL but I am not entirely sure this is true in the EU. Either way, my question was "Why are the servers located in Sweden?" Whether or not this is due to the company owning the servers being in Sweden is irrelevant.

I think you’re overthinking this. The people who run the company are based in Sweden. So they registered the company in Sweden, because that’s where they are. Then they hosted the servers in Sweden, because that’s where they are and where the company is registered.

Registering the company somewhere else wouldn’t do them any good when they’re living in Sweden, because the legal system isn’t fooled by sleight of hand like that. Likewise, hosting the servers elsewhere from where they’re based. Both would expand the number of entities with the ability to compel them to disclose data, because as long as the company owners live in Sweden, Sweden has that ability.

Unless you’re asking why they didn’t move to another country to start their company, which is surely a larger ask than the “easily” you suggest.

You are allowed to start companies in other countries, and thereby avoid local laws, without moving, i.e. changing your country of residence.

If you believe any different, please say why so. Just "wouldn’t do them any good" is pretty meaningless.

I assumed it was pretty clear why it wouldn’t do them any good:

All of their executives and their staff are in Sweden. It doesn’t matter if the company is registered on Mars, the Swedish government can come knock on their doors, because Swedish laws apply to people in Sweden.

The most mundane way to demonstrate this is to imagine they don’t register a company at all. If a bunch of Swedish people get together and start doing business w/o registering a company, it’s clear that Swedish law applies to them. Why would filing some paperwork with a foreign entity grant them immunity from the laws in the country they live and work from?

A server in Sweden cannot easily be raided by the Swedish, is the first reason.

The second reason is "Swedish laws apply to people in Sweden" seems to make assumptions about what the government can force people to do, or specifically, punish people for not doing. In many cases, authorities just threaten/raid the data-centers so never have to bother to take that route.

Lastly, I'm not sure this is true: "Swedish laws apply to people in Sweden" - I'm not sure this applies to Swedes working for foreign corps, there are a whole load of laws that apply to local corps only. In fact, there are laws that apply to Swedish corps even when their staff reside abroad - unless "government can come knock on their doors" is a reference to physical coercion.

> It doesn’t matter if the company is registered on Mars, the Swedish government can come knock on their doors, because Swedish laws apply to people in Sweden.

But it does matter. In most EU countries limited-liability companies (like the Swedish Aktiebolag) are legal entities that are completely separate from their owners and employees. Your idea of Swedish authorities "knocking" on people's doors (who own a company registered abroad) and "convincing" them to hand over customer data appears to be more along the lines of https://xkcd.com/538/ but in this case (in the particular case of a country like Sweden that has a well-respected legal system) it doesn't seem to be grounded in reality.

For instance, Swedish law likely compels companies to hand over customer data under certain circumstances. But if you're "just" the owner of that (limited-liability) company, the company's customers are not your customers, so authorities cannot compel you to give them access to those customers' data (because you are a separate legal entity).

Your theory is an American could start a company that violates US laws so long as they form the entity somewhere else?

Depends what you mean. US law takes into account the existence of foreign nations already; some explicitly end at the borders, others not so.

It also depends on which country, and to what extent agreements exist between those countries wrt policing their own territories. Those that don't have such agreements, are often also limited in what extent they can do business in the US.

GP didn't say anything like that. They were talking about

> avoid[ing] local laws

(i.e. legally) which is a whole different matter.

Completely false.

> Registering the company somewhere else wouldn’t do them any good when they’re living in Sweden, because the legal system isn’t fooled by sleight of hand like that

This isn’t true at all, at least as long as we assume that you’re dealing with the courts and not some secret police.

Really? How easy is it to create a company in another EU country?

In the US, it is mostly painless to create a company in another state. Fill out some forms online and pay a few hundred. If you don’t have a presence there, you have to pay for a registered agent in the state. That’s about $100/yr. You may also need a mailing address, but you can get a post office box that will accept and scan your mail for another hundred bucks a year. State and local taxes.

What about the EU?

To my knowledge here in Germany registering a company is pretty much the same whether you're from Germany or from a different EU country. You don't need to live in Germany or anything.

Of course you still need to know your way around local taxes, legal obligations (of the shareholder, of the company) etc. etc. but that's the case anywhere in the world.

In the EU you will find very different laws and tax systems depending on the country. Quite large differences in regards to culture as well.

One example: If you're a cross-border worker you'll likely have to file multiple tax declarations (one for each country), which can be quite complicated if you don't speak the local language (and even if you do).

> If you're a cross-border worker you'll likely have to file multiple tax declarations (one for each country)

Yes, if you have sources of income in multiple countries, you might have to. But if you're (only) working on the other side of the border and this is your only source of income, agreements on double taxation and tax harmonization between the EU member states should actually prevent that. Heck, I even worked in the US once, declared my taxes there and didn't have to do my taxes back home in the EU anymore.

You don't have to use the servers in Sweden if you don't want to.