A $1.3T behemoth that readily reports Ring data to the pigs and runs large-scale cloud contracts with the Feds totally won't run these cards through a UV-B or X-ray scanner to correlate and log the activation codes.
You're 100% safe with Amazon. Hell, they even have a smile in their logo. Who could possibly doubt that?
The code must be scratched free first, so I assume Amazon doesn't know the code, and thus can't link it to a specific account. And I assume Mullvad themselves are not linking the code to an account either, but just checks validity and then charges up the account by the value.
There are probably indirect ways to force a linking, but they are probably also highly illegal. And people could also just exchange gift-cards or use more indirect ways to buy the cards, to dilute those data further. So overall this is a rather useful solution, as long as more than a handful people will buy them through amazon.
> The code must be scratched free first, so I assume Amazon doesn't know the code
This is the part I’m not following. Unless Amazon takes specific steps to intentionally not track the code (and this doesn’t sound very Amazon-like) , why would we assume Amazon doesn’t know the code?
The scratch off protection is to prevent shoppers from seeing the code in stores, and to provide assurance that the card hasn’t been used yet (“used” as in the number is now in someone’s possession).
Edit: I misinterpreted the nature of these cards and commented prematurely.
My understanding is that Amazon is not the one printing these cards. Unless they go out of their way to scratch the card off themselves and then cover it back up or create a knockoff, the pack of activation cards they receive are all effectively indistinguishable from Amazon's point of view. They could track which of the various indistinguishable cards was shipped where, but that doesn't help towards determining who was shipped any given code.
The above attack might be a possibility if you're already being actively tracked by the NSA, but at the very least this approach gets you some degree of forward privacy in case the NSA only starts hardcore snooping after the card was already delivered to your door. Whether or not it is a useful degree of privacy is out of my area of expertise.
On Mullvad's end, they also don't have to keep track of which gift card was used with which account, they just have to mark off that gift card as spent and credit the account, unlike payment methods where they have to retain billing-to-account linkage.