[sigmoid10]

In general, Nordic countries are known for their extensive privacy laws, which in theory would make it harder for law enforcement to gain access to your traffic (and with a court order it is very easy to decloak your VPN traffic). However, as all Nordic countries are part of the Schengen Area, they are bound by European laws - and their enforcement. When Europol started cracking down on VPN providers that didn't comply, NordVPN (and all others who wanted to remain in the European market) were forced to admit [1] that they do comply with law enforcement orders. Today, all VPNs that you can legally buy are worthless in the aspects they advertise to you. You neither get extra security through encryption when browsing the web (https is already good enough for public wifi) nor actual privacy from your own government. There is exactly one use case for public commercial VPNs these days: If you want to easily access the internet from a different location to bypass geoblocking. But many big services like Netflix have started to simply block or otherwise limit access from traffic that comes from big VPN provider IP ranges, so even that use-case is becoming more worthless every year.

[1] https://www.pcmag.com/news/nordvpn-actually-we-do-comply-wit...

[NoGravitas]

You are missing one valid use-case: avoiding three-strikes letters being sent to your ISP by the MPA. Unless you're part of a release group, the complaints from the MPA never rise to the level of actual legal action, so your VPN provider is free to bin them, whereas your actual ISP would almost certainly act on them.

[sigmoid10]

Yes of course, if you're engaged in low level criminal behaviour, then even these low levels of obfuscation will keep some pressure off your back. But since copyright law is somewhat of a grey area in the EU, you technically don't even need a VPN for that. You could run a VPS somewhere and get the same results much cheaper. But this kind of use case is not something VPN providers can advertise with anyways, so my point remains unchanged.

[DEADMINCE]

You can get a good VPN for $5/month. I don't think you can get a decent VPN with enough bandwidth to use as a tunnel for the same price.

And as for infringement being grey in the EU, not really it goes by country. Nothing grey about it in Denmark for example.

[sigmoid10]

You can literally get a VPS with gigabit connection for free these days.

[DEADMINCE]

Link?

[sigmoid10]

Try (to) google (as in GCP). AWS, Azure and pretty much everyone else also has some kind of free tier.

[jkaplowitz]

HTTPS is not enough for public WiFi. Domain names get leaked due to how the TLS negotiation works, and unencrypted HTTP sites or ones with weak crypto are still more common than they should be.

Plus, many public WiFi networks exist which block SSH or specific websites to keep security auditors happy while allowing VPN to make business people happy. I used such a public WiFi quite recently, which blocked not only SSH but Hacker News - I assume some bad site database misunderstands the name of this site.

As for hiding from governments, I’m not aware of any Western government that has so far gained the power to force its companies to affirmatively lie about whether they have shared logs with the government. So far, they can sometimes force silence, and can sometimes force a previously published canary notice not to be removed, but they haven’t yet had any right confirmed to uphold a compelled lie. So any Western provider that continues to publish suitably broadly worded canary notices on a verifiably still-updated basis (e.g. securely OpenPGP-signed together with a bit of new daily news headlines) is either telling the truth or is lying without being legally forced to do so.

[sigmoid10]

>I’m not aware of any Western government that has so far gained the power to force its companies to affirmatively lie about whether they have shared logs with the government

Do you see the problem with this statement?

[jkaplowitz]

Depends on what things you think are likely to be true in secret or judicially determined in the future without an intervening legislative change. My impression of the law in most Western countries is that the courts would overturn any requirement to compel a company to affirmatively lie to the public through explicit speech of some kind, even in the national security context. Orders compelling silence or non-removal of past statements are a very different constitutional and human rights balance than compelled false speech.

[sigmoid10]

>My impression of the law in most Western countries

Apparently you still didn't get it, so let me spell it out: Your entire point hinges on your own impression that your government won't abuse its power. An impression that will always be heavily influenced by PR and propaganda, no matter where you live - and one that seems eerily off considering the fact how often surveillance programs and attempts at destroying what privacy we have left make it to the surface. This kind of blind trust in your superiors is the straightest way to a 1984-esque dystopia.

[jkaplowitz]

You’re assuming a lot of inaccurate things about my beliefs. I do not have blind trust in my government or other Western governments. In, fact, I expect them to actively abuse their power in myriad ways, many of which try to destroy privacy. I didn’t say otherwise; indeed, if I were to assume that the government would never try to compel affirmative lies, I would have never needed to discuss how the courts would react to such an attempt.

I don’t think it will be productive to continue this subthread if doing so would be as focused on clarifying misunderstandings as this exchange was, so do not be surprised if this ends up as my last reply in this subthread.

[DEADMINCE]

Mullvad at least doesn't seem to log :shrug_emoji:

[froddd]

So, should they be requested to do so by a formally issued court order, they would comply and start logging a user’s activity, but do not do so by default.

Calling them worthless at providing secure browsing seems far-fetched; calling them a scam is fully disingenuous.

[jhugo]

What, specifically, is the “secure browsing” that they offer and how does it improve on HTTP over modern TLS?

Funnelling your traffic through another entity doesn’t magically increase security.

[ang_cire]

*Tunneling* it through one hides the nature of that traffic from intermediary systems that it traverses from you up to that VPN exit point.

There is a lot of metadata in packets that can be viewed by any interim hop, like your ISP, workplace IT security, ARP-cache-poisoned coffeeshop router, etc.

[DEADMINCE]

> ARP-cache-poisoned coffeeshop router, etc.

Eh, that's not really a thing anymore.

[ang_cire]

Not for Starbucks, who does fancy per-user VLANs, but for your local spot that's using an AP-router-combo they bought at Best buy, it sure is.

[froddd]

Being able to cover/scramble your actual or virtual location can provide security in some contexts

[Shared404]

It also would prevent your ISP or local attackers from seeing the domains you are reaching out to, which is still visible over https.

It's all tradeoffs.

[stavros]

Even Mullvad?

[sigmoid10]

You can answer the question yourself for any provider using this simple test: Can you legally buy access to it from inside the EU? If yes, they will suffer from the same problem as all other providers.

[stavros]

What are these problems, exactly?

[sigmoid10]

As I said above, a simple court order can destroy any attempt at privacy. All (serious) VPN providers claim they don't store logs. But that does not mean that a court can't force them to do so. When combined with a gag order you can have someone collecting all your traffic without you even realizing it. And that's just the VPN provider, which usually doesn't own any datacenters. The datacenter providers can also receive the orders to either monitor traffic or even install hardware to do so. If you want any hope of privacy, you steer clear of all big commercial "privacy" providers, because they are very high on every government agency's list. And you just need one component in the entire chain to be compromised.

[DEADMINCE]

> All (serious) VPN providers claim they don't store logs. But that does not mean that a court can't force them to do so. When combined with a gag order you can have someone collecting all your traffic without you even realizing it. And that's just the VPN provider, which usually doesn't own any datacenters. The datacenter providers can also receive the orders to either monitor traffic or even install hardware to do so. If

None of this really matters unless you are doing something illegal enough that the government is interested in you and convinced a judge to get warrants.

That isn't 99% of people. 99% of people just want to try and stop being traced and their data being harvested with an easy solution that mostly works for that purpose.

[sigmoid10]

>None of this really matters unless you are doing something illegal enough that the government is interested in you

The issue here is that how "illegal" something is depends heavily on where you live. In some places speaking against the government can get you killed [1]. In others, hosting movies can get your house raided by police helicopters [2].

[1] https://www.unesco.org/en/safety-journalists/observatory

[2] https://www.youtube.com/watch?v=KmIPVrkN1hA

[Suppafly]

>When combined with a gag order you can have someone collecting all your traffic without you even realizing it.

Are such gag orders common in the EU? I know they are fairly common in the US, but don't know enough about EU laws to know if that's an actual concern there or not.

[lillecarl]

You're spreading FUD, the Swedish government can't do shit to Mullvad but take their servers offline. Possibly if it was a matter of national security, at which point our recommendations are useless either way.

[sigmoid10]

False. Like all member states, the Swedish government has officialy ceded jurisdiction and enforcement of certain laws to the EU. Only VPN providers who do not comply with such international court orders get shut down. Look at what happened to vpnlab: The police literally write on their seized domain that they have forcefully attained access to everything, because the provider would not give it away freely: https://vpnlab.net/

Consequently, you can assume that all other VPN providers who are still doing business in Europe are freely giving away their data to government agencies.

[actionfromafar]

Mullvad complies, but they go out of their way to keep very little information. If you don't have the information in the first place, you can't surrender it.

[sigmoid10]

Beware that despite all marketing statements, VPN providers can easily be forced to store logs using court orders, even if they don't do it by default.

[actionfromafar]

That still has value, it's much harder to do drag-net style surveillance if you need court orders to collect new information and can't scoop up old information.

[alexey-salmin]

> VPN providers can easily be forced to store logs using court orders

It's not grave if the provider is allowed to notify the user that logs are being collected from now on.

Is there a country where gag orders are unconstitutional or something of that sort?

[carbotaniuman]

You can always shut down rather than do so - it's happened in the US.

[sigmoid10]

This also happened with providers in Europe. So you can safely assume that any VPN provider who is still doing business in Europe is compromised in some way or another by the government.

[yaris]

"Compromised" is a wrong word to use, unless you consider any obedience to the law "compromise". VPN providers who are still doing business in EU (not Europe) do obey court orders - that would be more correct wording. Any non-compliance is a one-time occurence: either you decide to cease operations or you are forced to cease operations by LEA, as in vpnlab.net example.