A general rule for life is that companies making a big deal about military grade encryption or about how they are affiliated with Nordic countries are scams.
In general, Nordic countries are known for their extensive privacy laws, which in theory would make it harder for law enforcement to gain access to your traffic (and with a court order it is very easy to decloak your VPN traffic). However, as all Nordic countries are part of the Schengen Area, they are bound by European laws - and their enforcement. When Europol started cracking down on VPN providers that didn't comply, NordVPN (and all others who wanted to remain in the European market) were forced to admit [1] that they do comply with law enforcement orders. Today, all VPNs that you can legally buy are worthless in the aspects they advertise to you. You neither get extra security through encryption when browsing the web (https is already good enough for public wifi) nor actual privacy from your own government. There is exactly one use case for public commercial VPNs these days: If you want to easily access the internet from a different location to bypass geoblocking. But many big services like Netflix have started to simply block or otherwise limit access from traffic that comes from big VPN provider IP ranges, so even that use-case is becoming more worthless every year.
You are missing one valid use-case: avoiding three-strikes letters being sent to your ISP by the MPA. Unless you're part of a release group, the complaints from the MPA never rise to the level of actual legal action, so your VPN provider is free to bin them, whereas your actual ISP would almost certainly act on them.
Yes of course, if you're engaged in low-level criminal behaviour, then even these low levels of obfuscation will keep some pressure off your back. But since copyright law is somewhat of a grey area in the EU, you technically don't even need a VPN for that. You could run a VPS somewhere and get the same results much cheaper. But this kind of use case is not something VPN providers can advertise anyway, so my point remains unchanged.
HTTPS is not enough for public WiFi. Domain names get leaked due to how the TLS negotiation works, and unencrypted HTTP sites or ones with weak crypto are still more common than they should be.
Plus, many public WiFi networks exist which block SSH or specific websites to keep security auditors happy while allowing VPNs to make business people happy. I used such a public WiFi quite recently, which blocked not only SSH but Hacker News - I assume some bad site database misunderstands the name of this site.
As for hiding from governments, I’m not aware of any Western government that has so far gained the power to force its companies to affirmatively lie about whether they have shared logs with the government. So far, they can sometimes force silence, and can sometimes force a previously published canary notice not to be removed, but they haven’t yet had any right confirmed to uphold a compelled lie. So any Western provider that continues to publish suitably broadly worded canary notices on a verifiably still-updated basis (e.g. securely OpenPGP-signed together with a bit of new daily news headlines) is either telling the truth or is lying without being legally forced to do so.
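The SNI leak mentioned above, as an added example that is not part of the original thread: a Go program (mine, not the commenter's and not any VPN vendor's code) that parses a TLS ClientHello record the way an on-path observer would and pulls out the server_name extension. BuildClientHello constructs the sample ClientHello inline, so nothing here is captured from a real network, and all function and type names are my own. Caveat: Encrypted Client Hello, where both browser and server support it, removes this particular leak, but the destination IP and the DNS lookup stay visible unless they are tunnelled as well.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var errMalformed = errors.New("truncated or malformed ClientHello")

// cursor is a sticky-error byte reader: once a read runs past the end, every
// later read returns zero/nil and the bad flag stays set, so callers check once.
type cursor struct {
	b   []byte
	bad bool
}

func (c *cursor) take(n int) []byte {
	if c.bad || n < 0 || len(c.b) < n {
		c.bad = true
		return nil
	}
	out := c.b[:n]
	c.b = c.b[n:]
	return out
}

func (c *cursor) u8() int {
	b := c.take(1)
	if c.bad {
		return 0
	}
	return int(b[0])
}

func (c *cursor) u16() int {
	b := c.take(2)
	if c.bad {
		return 0
	}
	return int(binary.BigEndian.Uint16(b))
}

func (c *cursor) u24() int {
	b := c.take(3)
	if c.bad {
		return 0
	}
	return int(b[0])<<16 | int(b[1])<<8 | int(b[2])
}

// ExtractSNI returns the host_name from the server_name extension of a TLS
// ClientHello record: plaintext that any hop between you and the server reads.
func ExtractSNI(rec []byte) (string, error) {
	r := &cursor{b: rec}
	if r.u8() != 0x16 { // record content type 22 = handshake
		return "", errors.New("not a TLS handshake record")
	}
	r.take(2) // record-layer legacy version
	hs := &cursor{b: r.take(r.u16())}
	if r.bad {
		return "", errMalformed
	}
	if hs.u8() != 0x01 { // handshake type 1 = ClientHello
		return "", errors.New("not a ClientHello")
	}
	ch := &cursor{b: hs.take(hs.u24())}
	ch.take(34)         // legacy_version(2) + random(32)
	ch.take(ch.u8())    // session_id
	ch.take(ch.u16())   // cipher_suites
	ch.take(ch.u8())    // compression_methods
	exts := &cursor{b: ch.take(ch.u16())}
	for !exts.bad && len(exts.b) > 0 {
		typ := exts.u16()
		body := exts.take(exts.u16())
		if typ == 0 && !exts.bad { // extension type 0 = server_name
			return parseServerName(body)
		}
	}
	if hs.bad || ch.bad || exts.bad {
		return "", errMalformed
	}
	return "", errors.New("no server_name extension (absent, or hidden by ECH)")
}

func parseServerName(ext []byte) (string, error) {
	e := &cursor{b: ext}
	list := &cursor{b: e.take(e.u16())} // ServerNameList
	for !list.bad && len(list.b) > 0 {
		nameType := list.u8()
		name := list.take(list.u16())
		if nameType == 0 && !list.bad { // name_type 0 = host_name
			return string(name), nil
		}
	}
	if e.bad || list.bad {
		return "", errMalformed
	}
	return "", errors.New("server_name extension without a host_name entry")
}

// BuildClientHello constructs a minimal ClientHello record for host. It is a
// constructed sample for the demo, not a capture from a real client.
func BuildClientHello(host string) []byte {
	name := []byte(host)
	entry := append([]byte{0x00, byte(len(name) >> 8), byte(len(name))}, name...)
	list := append([]byte{byte(len(entry) >> 8), byte(len(entry))}, entry...)
	sni := append([]byte{0x00, 0x00, byte(len(list) >> 8), byte(len(list))}, list...)
	exts := append([]byte{0x00, 0x17, 0x00, 0x00}, sni...) // an empty extension first, then SNI
	body := append([]byte{0x03, 0x03}, make([]byte, 32)...) // version + zeroed random
	body = append(body, 0x00)                                // empty session_id
	body = append(body, 0x00, 0x02, 0x13, 0x01)              // one cipher suite
	body = append(body, 0x01, 0x00)                          // null compression only
	body = append(body, byte(len(exts)>>8), byte(len(exts)))
	body = append(body, exts...)
	hs := append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append([]byte{0x16, 0x03, 0x01, byte(len(hs) >> 8), byte(len(hs))}, hs...)
}

func main() {
	fmt.Println(ExtractSNI(BuildClientHello("news.ycombinator.com")))
}
```

Point the same parser at the first packet of a real capture and the hostname comes out just as readily; that is the whole reason a captive portal or a filtering AP can block a site by name without ever touching the encrypted payload.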
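The canary scheme described in the post above, as an added example that is not part of the original thread: a Go verifier for a daily-signed canary, written by me rather than taken from any provider. It uses Ed25519 from Go's standard library in place of the OpenPGP signature the comment mentions; the Canary struct, the RequiredPhrases list and ExampleStatement are my own constructions. Code can check three things: that the signature verifies under the provider's pinned key, that the signed date is recent, and that the statement has not been quietly narrowed. Whether the embedded headlines match the real news of that day remains a human check, which is why they are carried inside the signed text.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Canary is what the provider republishes every day: the assertion itself,
// the publication date and a few of that day's headlines as a freshness proof.
type Canary struct {
	Date      string   // YYYY-MM-DD
	Headlines []string // constructed sample text in the demo; real news in practice
	Statement string
	Sig       []byte // Ed25519 signature over Canonical()
}

// Canonical is the exact byte string that gets signed, so every field is covered.
func (c Canary) Canonical() []byte {
	return []byte("date: " + c.Date + "\nheadlines: " + strings.Join(c.Headlines, " | ") +
		"\nstatement: " + c.Statement + "\n")
}

// RequiredPhrases is the wording a suitably broad canary must keep. A new,
// validly signed canary that drops one of them is itself the signal.
var RequiredPhrases = []string{
	"have not received any",
	"have not been compelled",
	"have not handed over",
}

// ExampleStatement is a constructed sample of a broadly worded assertion.
const ExampleStatement = "As of the date above we have not received any order, warrant or request " +
	"from any authority, have not been compelled to log or retain traffic, and have not handed over " +
	"any user data."

// NewKeyPair generates the provider's signing key; the public half is what users pin.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func Sign(c Canary, priv ed25519.PrivateKey) Canary {
	c.Sig = ed25519.Sign(priv, c.Canonical())
	return c
}

// Day parses a YYYY-MM-DD date (UTC); used to fix "now" deterministically.
func Day(s string) time.Time {
	t, err := time.Parse("2006-01-02", s)
	if err != nil {
		panic(err)
	}
	return t
}

// Verify checks a fetched canary against the pinned key and treats silence
// (a stale date) or narrowed wording as a failure, not just a bad signature.
func Verify(c Canary, pub ed25519.PublicKey, now time.Time, maxAgeDays int) error {
	if !ed25519.Verify(pub, c.Canonical(), c.Sig) {
		return errors.New("signature invalid: canary altered, or signed with a key other than the pinned one")
	}
	published, err := time.Parse("2006-01-02", c.Date)
	if err != nil {
		return fmt.Errorf("bad date %q: %w", c.Date, err)
	}
	if published.After(now.Add(24 * time.Hour)) {
		return errors.New("canary dated in the future")
	}
	if age := now.Sub(published); age > time.Duration(maxAgeDays)*24*time.Hour {
		return fmt.Errorf("canary stale: last signed %s, %d days ago (provider silent, or an old copy re-served)",
			c.Date, int(age.Hours()/24))
	}
	if len(c.Headlines) == 0 {
		return errors.New("no headlines: freshness cannot be judged")
	}
	for _, phrase := range RequiredPhrases {
		if !strings.Contains(strings.ToLower(c.Statement), phrase) {
			return fmt.Errorf("statement narrowed: missing %q", phrase)
		}
	}
	return nil
}

func main() {
	pub, priv := NewKeyPair()
	today := Sign(Canary{Date: "2024-06-02", Headlines: []string{"constructed headline A", "constructed headline B"},
		Statement: ExampleStatement}, priv)
	fmt.Println("fresh:", Verify(today, pub, Day("2024-06-02"), 3))
	fmt.Println("same copy a week later:", Verify(today, pub, Day("2024-06-09"), 3))
}
```

A stale date is the interesting failure: it is what a provider compelled to silence, or an old canary re-served under a non-removal order, looks like to the verifier, and no amount of valid signature rescues it.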
>I’m not aware of any Western government that has so far gained the power to force its companies to affirmatively lie about whether they have shared logs with the government
Depends on what things you think are likely to be true in secret or judicially determined in the future without an intervening legislative change. My impression of the law in most Western countries is that the courts would overturn any requirement to compel a company to affirmatively lie to the public through explicit speech of some kind, even in the national security context. Orders compelling silence or non-removal of past statements are a very different constitutional and human rights balance than compelled false speech.
>My impression of the law in most Western countries
Apparently you still didn't get it, so let me spell it out: Your entire point hinges on your own impression that your government won't abuse its power. An impression that will always be heavily influenced by PR and propaganda, no matter where you live - and one that seems eerily off considering how often surveillance programs and attempts at destroying what privacy we have left make it to the surface. This kind of blind trust in your superiors is the straightest way to a 1984-esque dystopia.
So, should they be requested to do so by a formally issued court order, they would comply and start logging a user’s activity, but do not do so by default.
Calling them worthless at providing secure browsing seems far-fetched; calling them a scam is fully disingenuous.
*Tunneling* it through one hides the nature of that traffic from intermediary systems that it traverses from you up to that VPN exit point.
There is a lot of metadata in packets that can be viewed by any interim hop, like your ISP, workplace IT security, ARP-cache-poisoned coffeeshop router, etc.
You can answer the question yourself for any provider using this simple test: Can you legally buy access to it from inside the EU? If yes, they will suffer from the same problem as all other providers.
As I said above, a simple court order can destroy any attempt at privacy. All (serious) VPN providers claim they don't store logs. But that does not mean that a court can't force them to do so. When combined with a gag order you can have someone collecting all your traffic without you even realizing it. And that's just the VPN provider, which usually doesn't own any datacenters. The datacenter providers can also receive the orders to either monitor traffic or even install hardware to do so. If you want any hope of privacy, you steer clear of all big commercial "privacy" providers, because they are very high on every government agency's list. And you just need one component in the entire chain to be compromised.
Mullvad complies, but they go out of their way to keep very little information. If you don't have the information in the first place, you can't surrender it.
Beware that despite all marketing statements, VPN providers can easily be forced to store logs using court orders, even if they don't do it by default.
That still has value, it's much harder to do drag-net style surveillance if you need court orders to collect new information and can't scoop up old information.
My mistake, I did know they were one of the two. I should have double checked. In general I know the difference between the two just forgot which Migadu was based on.