We are removing the option to create new subscriptions (mullvad.net)
1470 points by mritzmann on June 20, 2022 | 440 comments


Wow.

Hadn't heard of Mullvad before reading this, figured I'd give it a try. That is hands down the BEST onboarding experience for an app (let alone a VPN) I've had in I don't know how long. Took me maybe 2 minutes to go from no account to a working VPN connection.

I love that everything is anonymous (down to the account credentials just being a randomly generated token).


I also like that they let you download the raw wireguard config files so that you can connect without having to use their client. You can just plop them onto your filesystem and use wg-quick to get going.

Since I'm also a ProtonMail user, I considered switching to them for VPN as well, but their Python client doesn't seem to work correctly on my Arch Linux install and it doesn't give me anything useful to debug it beyond "An unknown error has occured", so I couldn't be bothered to investigate beyond that.


I think you can also get the raw wireguard config files for ProtonVPN: https://protonvpn.com/support/wireguard-configurations/


i just set it up to try it out (on macOS): created a free config on the proton dashboard, downloaded it, stuck it in the wireguard client, and it worked (without downloading their vpn client app). make sure your firewall isn't blocking the traffic though (something that caught me at first).


I did not know that! Thanks a lot. I'll definitely give it another try.


Be aware, at least Nord clearly does something different with their client than with the OpenVPN files they provide ( https://news.ycombinator.com/item?id=21664692 ). When I dug into this, I found similar cases with other major VPN providers, but my notes are sufficiently out of date, they shouldn't be trusted anymore.

Sometimes the differences are subtle, sometimes they're rather complex like this case. Personally, sketchy stuff like this is why I've moved all of my VPN use to a personal cloud instance running WireGuard.


What cloud do you use? A lot of websites will flag any AWS or data center IP as a bot.


So, I do have two VPN servers running, one on my home connection, and one on AWS, for just the reason you state.

That said, I got back from a week long trip a few weeks ago. I kept my AWS tunnel up the entire trip. For the set of websites I visit for personal and work reasons, it was never an issue. I'm sure I could find some website that doesn't work, but for me, it's just not a problem.

It's also super useful, since I can whitelist my AWS instance's IP on services that demand such things, and never have to worry about where I am as I move from network to network. I've also reserved the Elastic IP so I can stop/terminate my server when I want without needing to whitelist the IP again when I spin it back up.


I use whatbox.ca as my global/universal VPN. So far I haven’t seen any issues. It works in places where most VPNs are banned or heavily throttled (like Saudi/Abu Dhabi/Qatar, my workplace, AT&T cellular data, etc)


Isn't whatbox.ca mainly aimed at hosting seedboxes? They are accordingly higher priced than a VPN. What's the rationale for using them as a VPN?


1) It’s the only VPN that worked in areas where they work hard to block most VPNs

2) it’s still not very expensive

3) it’s absurdly fast for a “VPN”! Like 400Mbit symmetric.

4) I also use it as a seedbox. Speaking of…does anyone have an invitation to a private tracker to replace what.cd because I miss that. Or a no/low compression movie tracker.


Thankfully I never encountered that as an issue with e.g. Amazon Workspaces.


> ( https://news.ycombinator.com/item?id=21664692 )

Is there any proof of this? It seems like the original author was wrong and deleted the article.


I have no idea how right the author was about how Nord got ahold of the residential IPs. I was able to recreate the technical results, and noted at the time that the OpenVPN connection to the same Nord endpoint behaved differently (and, indeed, Disney+ blocked it).

Of course, that was a while ago... long enough I assume my notes no longer reflect the current state of things. It'd be interesting to try and recreate it with the latest stuff, but all of my VPN provider accounts have lapsed by this point.


"The author deleted this Medium story."


Been using protonmail on arch for years, you have to set up the configs a tad more manually and do some editing (I forget now); definitely doable and protonmail lets you download the configs (which work out of the box depending what you use).


I've read some articles online, but I still haven't managed to understand the hype around wireguard. It's lighter than OpenVPN, but has more obscure primitives? Doesn't seem like a great trade off...


Wireguard is your plumbing layer. OpenVPN is an entire application stack. Wireguard is super simple because it's low level. If you wanted to compare something (as a user in terms of feature parity, etc.) to OpenVPN a more accurate comparison would probably be nebula or tailscale (private/mesh network management tools that are built atop wireguard). I'm a wireguard fan and it's true that its crypto is much simpler, smaller, and harder to fuck up than OpenVPN but that is really only something that matters to the security hats.


How is openvpn easy to fuck up? I just run sudo openvpn file, and that's it...

Also, I didn't really understand any of your explanation about layers. How is openvpn an application stack? Surely applications are the applications?


Wireguard is a water pipe, whereas OpenVPN is a water pipe connected to a water bottling factory connected to a bottled water shipping port.

> How is openvpn easy to fuck up? I just run sudo openvpn file, and that's it...

The configuration is what is easy to fuck up, not the command to run it


It is also much faster and allows p2p networks


What does "allow p2p networks" mean exactly?


It's not hub and spoke. Any existing network topology can be mirrored essentially 1:1 with wireguard. With hub and spoke VPNs the model constrains your deployment somewhat. Now I'm not saying key distribution with wireguard is easy, that's a different problem. But wireguard is literally like "let's take your existing network interface and give it modern fast impossible to fuck up encryption".


I have no idea what you just said.

Can you dumb it down maybe?


Traditionally you have a server and all clients connect to this server (Hub and spoke). Wireguard can connect clients like you would in your network. You can mesh clients if you like. The hard part is getting the keys to all peers in the network.


Mullvad has been tremendous and the ease of use is terrific. I use a VPN relatively infrequently, sometimes going months without turning it on, so the one-time payments have been wonderful. The app is simple to use, and it's so, so easy to reactivate for a month when I need it.

I can't speak to their privacy as my VPN usecase is usually just "I need an IP in another region," but to the best of my understanding they are one of if not the best in the business.


As an additional data point, I've been using Mullvad as a long-running VPN for a while now (hint: Linux ISOs) and it has been working like a charm.


You can also utilise port forwarding with mullvad (bound to specific key and location) to make distributing "Linux ISOs" faster.


You can also easily pay with better anonymity with the Strike app, https://strike.me, which abstracts bitcoin mainnet and lightning network payments behind USD, so you don't have to worry about actually holding bitcoin or managing tax implications. You just use bitcoin as a globally agnostic payment rail, masked with your local fiat, so the price volatility doesn't affect you.

Mullvad even gives you a 10% discount for bitcoin, bitcoin cash, and monero payments.

I am a bit disappointed that they haven't yet integrated bitcoin lightning network. That would be a huge improvement for reduced transaction fees given the low value of transactions they deal with, as well as instant confirmation rather than 6 block (~1 hour) confirmations. You could even theoretically stream nanopayments for each minute of use with lightning, rather than pay for a whole month.


"Global payments for the internet"

I was intrigued...

Then

"currently the Strike app is only available in the United States*, El Salvador, and Argentina"


It's the "World" Series of Internet payments.


I also dismiss a project when it's still nascent. /s

Also, "Global payments for the internet" is really referring to bitcoin, not strike.

Strike isn't doing the magic here. It's just one of many possible APIs that can be built on top of bitcoin and the bitcoin lightning network. If you integrate with Strike with your company, anyone else on the planet with any other kind of bitcoin wallet can pay you.


Okay, however I have yet to see any crypto project that even comes close to solving borderless money transfers, although a lot of them claim to.

This is unfortunate as that market is ripe for disruption


You can literally just mail them cash if you want absolute anonymity.


Even with that though you'd still have to worry about them identifying you by your IP address. Are there any other VPN providers which support anonymous payments? It occurs to me that you could get some pretty decent anonymity by stringing two or three independent VPNs together, Tor-style, while avoiding many of the performance issues associated with Tor.


Careful! I used BTC and the processing time was absurdly long.


From my comment...

> I am a bit disappointed that they haven't yet integrated bitcoin lightning network. That would be a huge improvement ... as well as instant confirmation rather than 6 block (~1 hour) confirmations.

This is a known problem with blockchains and why naive projects like bitcoin cash that try to just pump up the layer one transaction volume for everyday merchant payments are doomed solutions.

The bitcoin lightning network payment experience is instant and magical, and constantly getting better.


What does "absurdly long" mean here? They say it can take up to 30 min, I didn't time it but I reupped for 1 year twice and it was right at or under 30min both times.


It depends on current network conditions.

If the bitcoin network is currently congested, your transaction can potentially take hours before it's included in a block. Mullvad would wait at least until this point.


I just paid using Bitcoin Cash (BCH), low fees and simple to integrate ;)


The UX of BCH beats BTC and ETH by very far.


Cool story.

Doesn't scale.

Layer up.


Bitcoin Cash does currently scale up to Paypal's daily number of transactions while keeping transaction fees below $0.01. [0]

Scalability tests are underway [1] to detect bottlenecks for increasing the block size further, which should take it closer to Visa's transaction capacity.

The scalability roadmap aims for eventually supporting 50 daily transactions for each human on the planet, again keeping fees low, which is key for Bitcoin to be used as cash. Check out [2] if you want to read about the technical feasibility of this (even with today's hardware, it will be even easier in the future).

I understand the skepticism about the ability to scale Bitcoin after the Bitcoin Core team has been pushing for years for keeping block sizes low, but please let's consider facts rationally and maintain a civil discussion.

[0] https://news.bitcoin.com/bitcoin-cash-stress-test-goes-beyon...

[1] https://bitcoincashresearch.org/t/assessing-the-scaling-perf...

[2] https://blog.vermorel.com/journal/2017/12/17/terabyte-blocks...


> Bitcoin Cash does currently scale up to Paypal's daily number of transactions while keeping transaction fees below $0.01.

On this here website there was a talk a couple months ago that led me to believe that paying $150 worth of bitcoin costs ... $150 if you want it done at credit card speed. Have things changed?


Without any other information I must suppose you are talking about Bitcoin (BTC), which has limited scalability and therefore high transaction fees when there is high demand. Bitcoin Cash BCH has low fees, below $0.01 as I mentioned.

You can see a graph of historic average transaction fees at https://bitinfocharts.com/comparison/transactionfees-btc-bch...


Credit cards take days to complete the transaction. Much like BTC, there are near-instant checks to make sure the desired transaction _will eventually and most likely_ be valid.


But that's not the user experience.


I signed up to Mullvad - my first VPN - literally about 12 hours ago, purely because of how simple, yet comprehensively-explained, their 'onboarding' process was.

I also particularly like the flat no-fuss EUR5 a month fee.


I can wholeheartedly recommend them after using their service the past few months. They offer Linux configs with wireguard (a sore point with other VPN providers, who tend to either not support Linux at all or only offer openvpn), their Android App has worked flawlessly and it's just 5E/month.


Yes and they even make double hopping easy. Many other VPNs don't like this, presumably because they have to eat 3 times the traffic.


> Hadn't heard of Mullvad before reading this

Just the only vpn with any integrity left remaining, no biggie.


Your blanket statement isn't true. OVPN for instance has gone to court to protect its data: https://www.ovpn.com/en/blog/ovpn-wins-court-order

They are a very good alternative among others.


Been a customer since they went to court for TPB and I read about their legal fee insurance and the lot. Too bad both are Swedish (I'm Swedish).

But yeah, I'd say Mullvad and OVPN have proven themselves over the years, met a Mullvad employee in IRC discussing wireguard when it was still an earlybird, they're a good team.


Absolutely no way to know they are good and other is bad. The entire VPN industry is “trust us bro”. Which works until it doesn’t.



That’s very good. But what do I know about “Cure53” other than they are saying “Yea, trust them bro”.

Is Cure53 incorruptible? Would there be any blip in the world if they were not and Mull was really an NSA op?

I’m not saying I don’t trust Mull over say, Nord. I am saying the nature of the whole thing is non-falsifiable with our existing technologies. We can only determine who was lying by looking back after an incident, and most are kept secret.


So far their track record seems good enough. I mean if you have NSA on your threat model you'll have to take this into account... But most don't.


cure53 has an impeccable reputation and delivered some of the best security analysis there is.

Most of them are also public and on github.

https://github.com/cure53/Publications


audits are only valid for that one instant in time when it was performed. anything could have changed after the fact.


You could say the same about all auditing. A restaurant could have changed its food hygiene standards since it was audited. But a company with a history of periodic and successful audits is certainly a good trust marker for me.


Restaurants routinely can't uphold their standards and often get wildly different results on every inspection. But yes I do say the same about all audits.


That is the entire tech industry. No audits, no repercussions for screw ups.


Why do the other popular VPNs not have any integrity left?


A lot of them have been gobbled up by Kape or otherwise proven to keep logs/data when they claim they don't https://restoreprivacy.com/kape-technologies-owns-expressvpn...


Oh man I thought Private Internet Access was still one of the independent VPNs. I feel duped. :/


PIA before the Kape acquisition was owned by parent company London Trust Media. The owner is Andrew Lee, who was best buddies with Mark Karpeles responsible for the MtGox collapse and defrauding all the users of the exchange. Unfortunately the Japanese government let him out of jail and Andrew Lee decided to make his old friend the CTO of the company. Andrew Lee is also the guy behind the shady "sale" of the nonprofit Freenode that caused everyone to jump ship to LiberaChat.

I feel like it's probably more trustworthy under Kape than a CEO and CTO surrounded by a long history of lies, fraud, and general scumbag behavior.


Wait, Andrew Lee, despoiler of Freenode, also associated with the MtGox guy?! The weirder bits of the internet are apparently extremely incestuous.


Birds of a feather and all that.

https://www.privateinternetaccess.com/blog/why-i-hired-mt-go...

That's the same rasengan you'll occasionally see on HN.


PIA continues to prove in court over and over again that they do not keep traffic logs. The extreme fear mongering over Kape has never been backed up by any evidence other than "they used to do bad things under their previous management." As I always say in these threads, all the people who shill Mullvad over everything probably just use them for web-browsing or adjacent activities, and not anything that requires a specialty product like p2p or bypassing national firewalls.


>all the people who shill Mullvad over everything probably just use them for web-browsing or adjacent activities, and not anything that requires a specialty product like p2p or bypassing national firewalls.

On the contrary. Mullvad gives you more flexibility than PIA in that regard and doesn't limit you to whatever features are built into the client like PIA does. You can build tunnels to whatever endpoint in whichever country you want. You can associate multiple ports to your tunnel or separate tunnels for inbound connections. It's very convenient if you want a P2P tunnel where you can get a wireguard interface on the client and then configure your P2P application to only use that tunnel so that there's no chance of leaks (Up to you if you want to also configure the P2P service to use DNS over the VPN or just the system resolver if you don't care) and you don't have to tunnel everything over the same VPN. You can have multiple interfaces going to different applications if you wanted. You have the flexibility to configure your client in whatever way you want without having to deal with proprietary endpoints to request a temporary forwarded port for the connection like what PIA makes you use.

I used to use PIA before the owner hired con artist Mark Karpeles as the CTO and jumped ship when that happened. Even though I only picked Mullvad because it was recommended on HN and wasn't PIA, I much prefer it from a technical standpoint. If I knew how much better it was originally I never would have gone for the cheaper more popular option of PIA. People shilling Mullvad are probably doing so because it has many technical advantages over traditional VPNs used by more casual customers. Mullvad also supports bridge servers for shadowsocks. I've never had an opportunity to test it but I'd expect Mullvad to be more reliable in China than PIA.

PIA is cheap, and they don't seem to keep traffic logs. That's basically all they have going for them.


Where can I learn more about this p2p thing?


Anecdotally PIA performance seemed to drop around then, port forwarding was frequently broken and Wireguard wasn't making much progress (looks like maybe they've finally rolled it out now)

Maybe things were already bad before Kape but it was around the same time


They got bought sometime last year. I was a very happy customer until that announcement.


and then freenode had a hard fork! weird week.


That's two of us. I used NordVPN for years. Not any more.


Seems more like a reaction to inflation.


What about ovpn.com?


AirVPN seems to be quite good, and ethical.


I've been using AirVPN for many years now and it has always been reliable and fast for me. Recently they introduced Wireguard support.


Reliable and fast has nothing to do with integrity and anyone can build such a service.


How about ivpn or perfect privacy?


Perfect-Privacy still has integrity left.

Someone hacked into their Malmoe server a year ago or so, and found that they indeed run everything in RAM disks and aren't logging at all. Happened via the management interface. But please take this information with a grain of salt, as the write up for this exploitation has vanished from the internet (or I am just unable to find it). *

However, there are still articles about how they've been raided multiple times [1][2][3] in the past, and the police never found any logs.

[1] https://lists.torproject.org/pipermail/tor-talk/2010-August/...

[2] https://torrentfreak.com/police-seize-two-perfect-privacy-vp...

[3] https://www.ip-insider.de/hausdurchsuchung-bei-erfurter-vpn-...

* Also, I believe that this kind of pwnage could've happened to every VPN provider. Always use VPN chains with multiple locations and always keep in mind that your VPN could have been compromised. Don't just rely on a single hoster which just shifts the liability from your ISP to another single point of failure. But this is probably still better than LE just having to call comcast. :)

Edit: ovpn.to is probably worth taking a look too. I remember that the admin grows cannabis in his basement (still illegal in Germany) and provides all users with access to warez via Usenet NNTP. Do with that info what you want.


> Someone hacked into their Malmoe server a year ago or so, and found that they indeed run everything in RAM disks and aren't logging at all

Hypothetically, without breaking into the network control plane, the hacker could have completely missed the existence of port mirror to a second read-only system that does logging for lawful intercepts.


Protonvpn?


That's just mullvad with a different name


I believe that would be Firefox/Mozilla VPN


Yeah you're right, I'm sorry. I got those mixed up.


I've been a mullvad user for the past couple of years. I only occasionally use them for privacy on open wifi networks or whatever, but the experience so far has generally been excellent. I initially used the official Wireguard iOS app to connect, but their iOS native app is freaking excellent. WAY more reliable and user friendly than the others I've used— ExpressVPN and some other. It's been quite some time since I used the other ones, however, and they may have equally good branded clients by now.


Mullvad is behind the mozilla vpn. They're crazy good about privacy. You can mail them cash with account info and they'll set you up.


https://www.ivpn.net/ also generates a random userid and also accepts cash in the mail (only for large purchases unfortunately). I wasn't able to get mullvad's multihop to work on Android, but iVPN Pro does the trick. iVPN also has a nice server status page that helps you optimize for speed (low load server) or anonymity (high load server) as appropriate: https://www.ivpn.net/status/ They have a weird "anti-marketing" homepage which devotes almost equal space to explaining why you should not buy their product :-P

Perfect Privacy accepts a gift card (more convenient than mailed cash IMO) and has a nifty "neurorouting" feature which aims to be better than standard multihop (claims of speed, at least, I can attest to). They do ask for an email address, sadly, unlike iVPN/Mullvad. Also I just saw this and it looks a bit worrisome https://www.security.org/privacy-guide/perfect-privacy/

Both iVPN and PP let you block various trackers / MANGA corps at the network level.

I like Mullvad but it seems good to support a diversity of providers. Curious if anyone has any dirt on either of those two, or if they can make more recommendations.


> You can mail them cash with account info and they'll set you up

If I wanted to self-host a VPN, I would still need to pay for a cloud provider.

Is there an equivalent cash (snail mail) offering for hosting?


>I would still need to pay for a cloud provider.

both google and oracle offer small, perpetually free VM instances.


...in exchange for knowing who you are. (If they couldn't de-dup you via some kind of identity verification, they wouldn't be able to offer a free promo, as some asshole could then just come and generate a million free accounts and lash them together to run a botnet/crypto-mining-farm/etc on.)

I believe the GP's question is "is there any public-web hosting platform that I can use entirely anonymously; where they allow me to sign up using a VPN; and where I don't ever have to pass them anything / sign in through anything / link anything that could be linked back to my identity?"

And I believe the answer to that question is "no."

(Well, okay, if you're fine with a static website, you could pin your data using FileCoin, and then set a domain up as a DNSLink pointer to [an IPFS gateway for] the relevant IPFS URN. That's how https://docs.ipfs.io works. But that's not quite what "web hosting" means to most people.)


The moment a service allows anonymous signup it inevitably gets abused the shit out of itself for spam, botnet C&C, DoS attacks and worse.


This is why I don't see how services like Mullvad can stay afloat forever.


You still have to pay for bandwidth. Free tier provides only 1Gb egress.


nearlyfreespeech.net


NFSN allows you to host websites but last I checked they won't just give you a server for you to run whatever you like.


Mullvad accepts cash as well. In what way are they behind?



Misunderstanding. The Mozilla VPN is Mullvad (rebranded).


Ohhh, I see. I did not know that, thanks.


Mullvad is the service provider, Moz just resells their service


Behind in the "controlling or responsible for (an event or plan)" sense was meant, perhaps?


Crazy thing is, it was just as great already many years ago. And yet people fall for absolutely weird fake privacy vpn offers.


I wish their scratch cards were available in Australia. Sounds easier than shipping money halfway across the world. I would just pay by card, threat level is not high enough to worry about that but their scratch card is a great idea. Must not be a popular enough option though, even a google search doesn't give you much information on them.


Of all their features, I love that they have an Android TV app so I can watch F1TV on my couch. They're worth more than the 5 euros I give them per month.


Aren't OTT streaming services notorious for blocking VPN IP ranges? How is Mullvad getting around those? Surely, they don't buy / lease / steal residential IP addresses [0]?

[0] https://news.ycombinator.com/item?id=9614993


Probably Mullvad is still unknown to most. They're not the one doing the sponsorships on YouTube.


OH MY GOD. I've had to stop watching F1 in Australia because the only app that has licensing is like $27.50 a month and I don't love it that much.

This is a fantastic idea! Thanks mate!


Be aware: I share an account with someone in a country with F1TV.

If you register from abroad and use your credit card, they'll see you're from AU, block your account and you'll have to contact customer services for a refund.

Exclusivity deals are a cancer.


Best bet is to pay via App Store subscriptions instead of a credit card. It obscures the country so you are free to use a VPN without worrying about being banned.


I tried the Android TV App to watch HBO max though (in a different country vs the subscription's host country) and the HBO app did not even load (not even the splash screen). I had no such problems with some other VPN providers (although to be frank some other VPN providers fail in a different way).


Interestingly I tried to watch HBO Max (from a different country) using Mullvad but it failed me. While some other VPN providers succeeded. So it seems it's kind of a hit and miss what works.


> I love that everything is anonymous (down to the account credentials just being a randomly generated token).

How did you pay?


> convenience comes at a cost and we no longer think this is an acceptable trade-off.

In an age where dissertations about what color and position to use for buttons go pages long, that's a courageous position that follows a clear strategy. Kudos!


I think it's also good for Mullvad, they push people towards the 1y plan instead. No one is going to put their payment info in every single month.


They only have a monthly pricing option I believe

https://mullvad.net/en/pricing/


Pricing yes, but you can buy multiple months in advance. You don't get any advantage except convenience.


Nop, you choose how many months you wanna pay ahead for


With one-time payments, you'd send them 5 euros for one month, or 60 for a year, etc.


I've always loved that Mullvad wouldn't let you accidentally compromise your own security.

For example, the port-forwarding feature won't work if you have a recurring subscription.

This just extends that kind of thinking to the service in general.

Been a Mullvad customer for a long time now, and it's always been awesome.


> For example, the port-forwarding feature won't work if you have a recurring subscription.

Yep, I had to cancel my subscription recently to get port forwarding working. I've been a customer for a few years now and trusted that they were doing this because it made sense from a privacy standpoint.


What's the exact reasoning behind that? How does paying via PayPal impact the privacy of a forwarded port?

Is this something to do with state-level actors?


Presumably there are details linking together payments coming from Paypal and the account number. And obviously there is a link between account number and forwarded port. So following with that, you'd be able to make the connection between the account number and Paypal account, which is definitely not private nor even pretending to protect your privacy.


Maybe but doesn't all of that apply equally to just about any payment method other than sending them cash anonymously?


I think the idea is that money reaches the company, the company then increments how much time you have left on the account, then deletes records linking payment to the account

Like you show up and give me $5, tell me it’s for account XYZ, I go into my admin console and increment the remaining usage time, but don’t write that you were the one giving me $5

There’s a window of time where the link exists of course! But you can get rid of it.

(I hope that they are not storing things like an account start date or too many payment records… it could easily be deanonymized through time stamp correlation and the banks/stripe/PayPal have the data)


For a single payment, they can throw away all the metadata once the funds hit their bank account.

They _can't_ do that with recurring subscriptions, since they need something that links to your CC or PayPal details to re-bill it next month/year. They've chosen to not do that any more, possibly as performative privacy, also possibly as having real privacy concerns for their clients, and also also possibly so they can tell law enforcement and courts to stop bothering them when needed. (realistically, it'll be some combination of those three things, and possibly others I've not thought of, that triggered them into this)


but then as a bad actor, you could reverse the credit card charge, and then the company would not be able to tell which customer reversed the charge!


Monero is a (practically) untraceable [1] cryptocurrency. I figured that I didn't really need the VPN, but when the news came out that they added support for Monero earlier this year, I decided to support them by giving them another 4.5 EUR deposit in Monero.

1. https://www.getmonero.org/


As far as I am aware, Mullvad only holds on to the payment details for a few weeks and then deletes them so the idea is that you 'age' the account for that time period and then can Torrent Linux ISOs on the forwarded port to your heart's content with any payment information long since deleted. I don't currently use them but am considering switching to them for this reason.


I think in the case of a one-time payment there’s a record that you paid Mullvad, but there’s no link to an account number.


I normally don't use VPNs, so please correct me if I am wrong.

I think from a law enforcement/accountability standpoint, if an "actor" is accused of wrongdoing while using Mullvad's port forwarding service, Mullvad might have some evidence linking the "actor" to an actual identity, since they have the payment information. Depending on the laws of whatever territories, Mullvad may be compelled to leak that info to a judge. Without that information, then there's no information they can ever be forced to leak.


If you're familiar with the sizeable benefits of the subscription model for a business you'll recognize this is a big deal.


Are these benefits not eroding? Pressure on subscription models comes from both the public getting herd immunity against the underlying dark pattern and competitors chasing a diminishing supply of people to trick as world + dog has adopted the tactic.

In this particular case, with a privacy tailwind, it will be unsurprising if it ends up increasing their sales.


I think saying subscriptions are a dark pattern is going a bit far. In the case where you're offering an ongoing service that requires a cost to service, a subscription model is completely appropriate and in the best interest of both the subscriber and the issuer.

For sure there's some abuse of the model where you're selling something that should be a one-time item, but that's not the case here, and Mullvad is providing an ongoing service (and still billing by month / year / etc. for the service, just without automatic renewals).


I'd be willing to say that subscriptions are a dark pattern when they don't automatically stop if you stop using them.

A fundamental part of healthy business relationships is value for value. E.g., you give me money, I give you a sandwich, you take the sandwich, eat it, and are happy with it. If you keep paying me for sandwiches but I don't give them to you, that's not healthy. Ditto if I put them on the counter but you stop taking them.

Personally, I think there should be a law that all service/software subscriptions auto-suspend after 30 days of non-use. Because right now there's a big incentive for businesses to get you to sign up for things they think you're not going to use, and to keep on charging you even though they know you're not using it.


What you're asking for is a la carte access while still getting discounted subscription pricing, pushing all the risk onto the business. Consume as much as you want, but pay nothing when you don't. Sounds like a crap deal for the business.


And what businesses are hoping for are users that are paying without actually using their service. Produce nothing, but get paid every month. Sounds like a crap deal for the users.


> And what businesses are hoping for are users that are paying without actually using their service

All of them, from the local gym to Dropbox to Spotify. Subscription businesses can't make money if every consumer costs more to service than the revenue they generate. There's even an official accounting term for it, breakage.

> Produce nothing, but get paid every month

Failure to consume and get value from a subscription is your fault, not the business that fulfilled its obligation.


I am amazed that you can't see that approach as exploitative, and that your last line is victim blaming.

If a company can't exist without tricking people into paying for something they get no value out of, maybe it shouldn't exist.


> can't see that approach as exploitative

You're getting all-you-can-eat from the business for a fixed price in exchange for predictable revenue as opposed to pay-as-you-go. That you think that's exploitative just tells me you don't understand the business model. You want to have your cake and eat it, too.


Ah yes, the old "people who disagree with me must be ignorant" routine. Not a good sign, but I'll take one more swing at it.

An all-you-can-eat restaurant where customers don't eat anything and you still keep charging them until they notice months or years later is indeed exploitative.

For something like an apartment, there's reasonable justification for long-term contracts and continuing to charge people without regard to use, in that it's an expensive good that has exactly one user at a time and where it can take a while to find a new tenant.

But that entirely vanishes with most internet-based subscriptions. If I stop watching Netflix, they stop experiencing marginal costs for me. If I get excited about a NYT subscription but then stop reading, it's the same deal. Nobody went out and bought another server just because I signed up. I could cancel at any time and they'd have to let me go. If they keep charging me when I'm not getting any value, then it's not a mutually beneficial relationship; they're just exploiting me. And indeed, maybe they were exploiting me from the get-go if their intent was to just get my money in without regard for whether I was going to get anything out of it.

People who take money without providing value are at best economic parasites, but quite a lot of them are just scammers, grifters, and frauds. Which is exactly why a law would be especially valuable here, so that their time and attention were devoted to some socially positive activity.


If you eat a buffet and only have one plate, you don't get to complain and ask for a refund.

> keep charging them until they notice months or years later is indeed exploitative.

When is it the customer's fault for not cancelling? You're working very hard to avoid responsibility for the business contract you entered into.

> they stop experiencing marginal costs for me.

Which are a small part of the overall cost structure. So what?

> Nobody went out and bought another server just because I signed up

Absolutely they do. The business is managing its finances under the assumption of subscribers and LTV, and making investments accordingly based on those assumptions and forecasts.

> they're just exploiting me

For charging you for something you signed up for but were too lazy to manage properly?

> just get my money in without regard for whether I was going to get anything out of it

There you go passing the buck again. It's your responsibility to use the thing you signed up for.

> People who take money without providing value are at best economic parasites

You mean the money you're giving them as part of consensual business agreement?


You are an excellent example of how people who are abusive have consistent worldviews that justify the abuse. You are placing 100% of the responsibility on the weaker party in the contract, and 0% on the people who designed the contract plus everything that leads up to and comes after the contract. At the same time you clearly understand the human cognitive limitations that make people susceptible to carefully-designed exploitations, you act as if the people who design the scams are not just innocent but justified in taking advantage because money.

And with that, I'm done. You are very dedicated to both exploitation and victim-blaming as justification. I'm not going to convince you otherwise, presumably because you made or make your living from that. "It's difficult to get a man to understand something when his salary depends on not understanding it," said Upton Sinclair, and I have better things to do with my time.


>People who take money without providing value are at best economic parasites, but quite a lot of them are just scammers, grifters, and frauds. Which is exactly why a law would be especially valuable here, so that their time and attention were devoted to some socially positive activity.

Does that also apply to your car/home/health insurance as well?

If you don't have an accident/get robbed/go to the doctor, are you being exploited by the insurance company?

Edit: BTW, I'm an old guy myself.


It of course does not apply, because you're getting risk-mitigation value every month. (If you don't think so, feel free to drop the insurance.)

That said, those are prime opportunities for parasitism and exploitation, because it's hard to measure risk reduction until actual harm comes along. That's why those sectors need heavy regulation.


And so how does that not apply to Netflix or The New York Times?

You said[0]:

"But that entirely vanishes with most internet-based subscriptions. If I stop watching Netflix, they stop experiencing marginal costs for me. If I get excited about a NYT subscription but then stop reading, it's the same deal. Nobody went out and bought another server just because I signed up. I could cancel at any time and they'd have to let me go. If they keep charging me when I'm not getting any value, then it's not a mutually beneficial relationship; they're just exploiting me. And indeed, maybe they were exploiting me from the get-go if their intent was to just get my money in without regard for whether I was going to get anything out of it."

A subscription with them provides access to the services they sell all the time as long as your subscription is current, in exactly the same way as insurance provides risk mitigation.

You appear to be arguing that it's the subscription model that's the problem and not those who use it in an exploitative manner.

I'm not a fan of subscription models myself, which can be used in exploitative ways, but the fault isn't in the model, but in those who implement/administer it.

N.B.: I do have insurance, but not Netflix or NYT subscriptions.

[0] https://news.ycombinator.com/item?id=31818397

Edit: Fixed formatting, typo.


Your theory is that Netflix isn't selling entertainment, they're selling boredom insurance? That somebody might have a sudden, unexpected, and catastrophic need for sitcom reruns that might cost them hundreds of thousands of dollars, so to mitigate that risk they pay Netflix just in case?

If you really can't tell those classes of product apart, I don't think I can help you.


>Your theory is that Netflix isn't selling entertainment, they're selling boredom insurance? That somebody might have a sudden, unexpected, and catastrophic need for sitcom reruns that might cost them hundreds of thousands of dollars, so to mitigate that risk they pay Netflix just in case?

Don't put words in my mouth. I never said anything even approaching that.

Netflix sells a service (a pretty useless one, in my view) -- video content -- for which they charge a monthly fee.

Insurance companies sell a service (more useful, in my view) -- covering (or at least reducing) the costs of bad stuff happening -- for which they charge a monthly fee.

One is (at least in my view) more useful than the other, but the business model is the same -- pay a monthly fee for some product/service.

As I said, it's not the model that's the problem, it's those who use it in an exploitative fashion.

Please do go ahead and set up another straw man you can knock down for your own satisfaction, but I won't participate further.

Have a great day!


The business models are not the same. Insurance is deeply different in an economic sense than selling videos. Willfully ignoring that distinction is ridiculous, and I tried to make the difference apparent in the comment you're quoting. If you're not getting it, that's fine, you are free to carry on not getting it.


While the business models are different (obviously), the payment model is the same.

I was inexact (business vs. payment model) in my previous comment. My apologies.

But my point still stands: Subscription payment models aren't inherently exploitative; rather they can be implemented/administered (or not) in an exploitative fashion.

Don't like Netflix/NYT and others' implementation of said payment model? I'm not surprised. I'm not very high on them either.

But just because you don't like the specific implementation, doesn't make them a different payment model. That payment model being: "pay a monthly fee, get whatever product/service you've paid (and continue to pay) for."

You appear to be claiming that because different companies sell different stuff, that the payment models are not the same.

Which is akin to arguing that automobiles with ICEs[0] serve a different purpose than automobiles with electric engines. They don't.

And likewise, subscription payment models are subscription payment models, regardless of the product/service being offered.

>If you're not getting it, that's fine, you are free to carry on not getting it.

And you're free to continue making wildly inaccurate statements. Have fun and a good day!

[0] https://en.wikipedia.org/wiki/Internal_combustion_engine


> If a company can't exist without tricking people into paying for something they get no value out of, maybe it shouldn't exist.

Sure, but this doesn't describe all subscription businesses, plenty of companies have healthy margins even with active users.

No one is saying there aren't subscription businesses that abuse subscription pricing to get recurring revenue from what should be one-time revenue, leave customers locked into something they're not getting value out of, etc. but that's not a truism of subscriptions (even the traditionally shady ones like gyms!)


Sure, and nowhere did I say I wanted to ban subscriptions, leases, and the like. I'm just saying that for online subscriptions, society should reduce the incentives to exploit people by requiring subscriptions to auto-suspend when they're not actually used.


"Failure to consume and get value from a subscription is your fault, not the business that fulfilled its obligation."

On some level yes. But recently banks here in Australia were busted for charging dead people.

https://www.afr.com/companies/financial-services/apra-punish...

Are you going to tell me the dead people are at fault for not taking advantage of services provided?

The point here is the relationship between (business) provider and consumer. It should be fair and balanced. No one is asking a business to provide services for nothing. But when the services aren't being used, the non-consumer shouldn't be charged either.

The only question remaining is - what is a fair way to go about this?

A reasonable time period of non-use before suspension of service seems ok. The business got money for nothing - but can't try to make that into a business plan.

Clearly businesses would rather have more "money for nothing" - so would everyone - but it isn't reasonable.


For sure!

I also think there are systemic reasons to stop it. If you're running, say, a good streaming service, imagine a competitor coming along that makes a lot of use of dark patterns to get people to sign up and keep paying even though the value is much lower than your service. Now you have a choice: try to compete against a better-funded competitor or go for the same dirty money yourself?

As a society, we want companies to devote their capital and brainpower to making things better for customers that can freely choose the best products. And that's what most company founders want too, so that markets are competitive in fair ways and they can focus on the products that got them excited enough to start a company. So I think it's in the interests of everybody except the parasitically inclined to just rule out exploitative business models.


For anybody who offers a month-to-month subscription, I'm not asking for anything other than them not taking money they're not earning. You have a point with, say, annual subscriptions. But for services where there's no cost to the vendor for an unused subscription, maybe that's ok, as there an annual subscription could much more easily be a dark pattern.

I also think pushing the risk of "the customer doesn't actually get anything out of it" onto the business is where the risk should be. Who better to understand and manage that risk than the people making the product and who have great masses of data on how it actually gets used?


Absolutely there's cost to the business even if you don't use the service. There's marketing, salary, healthcare, leases, and any other number of expenses. Gyms pay rent regardless of you showing up. Netflix still has to pay for content you don't watch.

The entire point of a subscription model is that a business can offer a steeply discounted price vs. pay-as-you-go in exchange for predictable, recurring revenue. That's the only way the model works.


> Gyms pay rent regardless of you showing up.

In my opinion, that's the industry (at least here in .au) that is the poster-child worst example of dark patterns in manipulative subscription charging.

They are infamous here for doing fucked up things in an attempt to make it as difficult as possible to cancel your subscription. I had one friend who moved overseas, discovered his gym was still billing him monthly even though he'd emailed to cancel explaining they didn't have any locations in his new country of residence, and they tried to claim the only way to cancel his subscription was in-person at the location he signed up at. He had to lawyer up when he cancelled the credit card (and told them he'd done so), and they threatened to send his account to a collection agency. (One single lawyer letter got him a refund of all charges since the date of his original email saying he was cancelling, so they _knew_ they were legally in the wrong and wouldn't have a leg to stand on if it ever got to court.)


That's a really good example of the sort of exploitative thinking I'm talking about. They clearly knew what they were doing. As do all the companies who let you sign up easily, but where cancellation requires filing a form "in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'" and then spending 30 minutes on the phone with an obtuse and obstreperous call center rep.

And it's all just such a waste for everybody. The first gym I joined was run by a very dedicated muscle-head who was at his gym a fair bit. You signed up for a fixed period, like a week or a month or a quarter. At the end of the period, you could renew if you wanted. And if you weren't coming to the gym often enough, he'd ask why you weren't coming. He believed in his product and wanted people to be successful at his gym.

But I'd guess part of the reason that doesn't dominate is that awful gym companies sucker people in, do everything they can to become credit card parasites, and then spend a lot of the extra money on marketing and on giving people good-looking deals that they know they won't use.


Sorry, I thought you'd understand I was talking about marginal cost. Yes, I understand that software companies have non-marginal expenses. And yes, gyms pay rent, but I clearly said I was talking about "service/software subscriptions".

I also disagree that's the point of subscription models. If I'm on a month-to-month subscription, there's no legal guarantee the revenue is predictable more than 30 days out. That would be just as true if auto-suspend were required for non-use.


> I understand that software companies have non-marginal expenses.

For most subscription businesses and SaaS companies, non-marginal costs are most of the costs. The pennies Netflix saves if you don't stream during the month are a pittance compared to other SG&A expenses like headcount and content production.

> I also disagree that's the point of subscription models.

What do you think the point is? Why would JetBrains move to a subscription model? Why does Spotify stream music and not sell tracks and albums? A subscription model is a fundamentally different business than one offering standard transactional sales.


Yeah, I'd say the term dark pattern only applies when services make it unnecessarily difficult to cancel your subscription. cough cough...NY Times


To me, a dark pattern is when the service doesn't announce in advance when the subscription is going to renew.


These emails always annoy me. To each their own I guess.


I don't think so. Us privacy and control freaks abhor subscriptions, the mainstream just shrugs and pays what they're told to pay. I can even see them adopting rental models for a lot of stuff we purchase outright now (the "you will own nothing and you will be happy" great reset promoted by the world economic forum). I think this is pretty exploitative but I'm pretty sure I am in a minority. Obviously big business loves this because they have to do almost nothing and still get guaranteed income.

But to me their arguments sound too much like blackmail "With this model there is incentive for us to make longer-lasting products which is good for the environment". Well, sure but if you actually cared about the environment instead of money you'd be doing that right now. Why do we have to pay them more for less in order for them to do this?

To me this really sounds like a "pay us what we want or we'll mess up this environment of yours even more" extortion scheme.

The older generation is more against it but they tend to not trust tech very much anyway. They're not the ones buying a new phone every year, they use it for many years and even get it fixed when it breaks.


> mainstream just shrugs and pays what they're told to pay.

But Mullvad isn't targeting mainstream!

It's mainstream compatible, as in not too hard to use, but that's it.

Also mainstream only cares about VPNs because they believe it does magical things, like somehow better protecting all your privacy even if you are logged into Facebook or somehow making account hijacking or banking scams less likely :/

That's why they will go anyway with VPN providers which do a lot of advertisement to make them subconsciously feel like it's doing all these magical things (even if they never explicitly claim it). Like NordVPN (you probably know what I mean if you use e.g. Twitch in the EU ;=) ).

So no point in competing for these users without doing things like an ad-powered free plan, free testing month, and tons of dark-ish patterns.

Instead Mullvad has I think a good idea about what works with their customers.

I think it still will cost them money (who hasn't forgotten to cancel an abo) but also might save them money (not having to handle anything in support related to subscriptions going wrong). And maybe with things like people pre-paying for a year, but stop using it after a few months it will also not cost them anything. Really hard to say. I mean it was also guaranteed to end up on HN, so free advertisement to exactly the right audience. That's worth some money, too.


> But Mullvad isn't targeting mainstream!

I agree, this is precisely why they're doing this. Putting their customers' privacy over their investors' wallets. This is a big ballsy move IMO. They're buying a lot of goodwill here. And taking a risk.

> Also mainstream only cares about VPNs because they believe it does magical things, like somehow better protecting all your privacy even if you are logged into Facebook or somehow making account hijacking or banking scams less likely :/

Also totally agreed lol. I often get questions from friends about VPNs. Always have to explain that privacy really doesn't work if you willingly give up your data :)

And no I don't use Twitch so not sure what you mean there, sounds like an interesting story.

> So no point in competing for these users without doing things like an ad-powered free plan, free testing month, and tons of dark-ish patterns. Instead Mullvad has I think a good idea about what works with their customers.

Exactly. They're not doing a tunnelbear.

> I think it still will cost them money (who hasn't forgotten to cancel an abo) but also might save them money (not having to handle anything in support related to subscriptions going wrong). And maybe with things like people pre-paying for a year, but stop using it after a few months it will also not cost them anything. Really hard to say. I mean it was also guaranteed to end up on HN, so free advertisement to exactly the right audience. That's worth some money, too.

I agree it's ballsy, this makes me respect the gesture even more. It's not the 'done thing' in this day and age. But they're still doing it and for the right reason.


> you will own nothing and you will be happy

Too easy and lazy to blame this on some grand conspiracy. Reality is much more complicated, and cuts to the heart of human behavior.


Conspiracy no. But I don't like where the world is headed. Investors are demanding ever more markup on products and services. Nobody is happy with a 10% markup anymore in electronics. There seems to be a constant flow of money to the ultra-rich away from the poorer people, and this is something that has been constantly going on for the last decades. Because the squeeze is finally starting to hit the mainstream of the richer countries. Even the US is starting to see instability from this.

I think part of this is the free market which only really works on "MORE". More turnover, more customers, more products YoY. If you make a loss or invest in something for the common good a company isn't just frowned upon, they are putting themselves at liability of due diligence lawsuits. Most of the societal and environmental problems we are seeing stem from this, in my opinion. We need to fix the system before it's too late, not pamper to it.

I don't think there is a dark "SPECTRE" style gathering going on at Davos, no. I'm not a conspiracy theorist. However I do see there is zero incentive to improving the status quo if it doesn't make some rich people much richer yet again. This is why I see the WEF as a 'bad' entity, for promoting such things which are clearly undesirable. It's a very one-sided image.

For me as a tinkerer and maker the idea of renting my stuff and not being allowed to improve or repair it, is absolutely unthinkable and something that must be fought tooth and nail.


Subscriptions aren't (in general terms) a dark pattern.


Disagree. If I have a per-month subscription that does not have a termination notice period, I could terminate it any time, next month effective.

If I have to pre-pay for the service, while I can still pay on a per-month basis, that is usually such an inconvenience that I would rather pay per-year or longer.

Considering privacy issues, I assume that a pre-paid account could not be cancelled and refunded earlier, so I am implicitly forced into a year-long contract with pay ahead.


Absolutely not. People are wary of signing up for new subscriptions, because cancellation is not clearly protected in most jurisdictions, and people are aware that they can forget to cancel.

People don't forget to renew their World of Warcraft membership because their game stops working if they do. If you use a VPN, you likely use it every day, and there will be no lost revenue.


They still use a subscription model, it's just a non-recurring one.


Part of the advantage of the recurring subscription model is having predictable revenue every month due to it being recurring. And many businesses count on that "gym membership" effect, where people who don't use a service also don't take the time to cancel it for a while.


that's me and my audible subscription. i should cancel it, but before that i have to use the credits.


Holy cow, that’s evil.

https://help.audible.com/s/article/do-i-keep-my-credits-if-i...

Do I keep my credits if I cancel my Audible Premium Plus membership? No. If you end your Audible Premium Plus membership, your credits will be lost with your other membership benefits.


Incredibly evil. That's why I used up all my credits and then cancelled my account. I briefly flirted with "gift subscriptions" because I was still wanting new audio books a lot, but that has its own problems. So I gave up on them.


It’s exceptionally evil! I had the same issue and couldn’t understand why I was losing credits I thought I had “bought”.

This and other privacy-related issues (see my comment history) is why I won’t consciously use Amazon again.


I wind up pausing my subscription when I get too many credits. It’s not a full cancellation, but I don’t have to pay.


IIRC problem is the option of pausing subscriptions is well hidden & revealed only when you have fully made up your mind to cancel & drop all your credits. most folks would not do that instead maybe defer the decision another month in the hope they'll 'catch up'. then they'll forget about it for a few more months.

Dark patterns all over.


That's why I raced to buy up a bunch of books with my points and then cancelled immediately (you can keep the books). It's one dark pattern after another, good riddance.


This is why I hate Audible and have never been tempted by their many attempts at entangling me in with their endless 'trials'. By comparison, Downpour.com had an easy on/off function for the monthly fees and the credits remain active for up to a year, with a prior warning, for one to use even after canceling the monthly subscription. Edit: also like the fact that the audio books are drm-free/downloadable and I am not beholden to their app to listen to them.


If you sign up on iOS in app, you get to keep your credits after cancelling. One of the things Apple does right imo in regards to consumer protection.


Hint: OpenAudible backup before you terminate.


Hmm, that might be illegal in Washington State


Just contact customer support and ask if you can get a refund. I've done this a few times when I was just accumulating points with nothing I wanted to buy, and it's always been quick and easy.


I've been using Mullvad ever since PIA was bought out. Never had an issue with them (other than when I forget to top up and my VPN connection dies :) ) with speed or reliability. I've always used the top up functionality rather than a subscription, but it's great to see how committed they are to reducing the attack surface for the users that need the most privacy.


Earlier this year I was changing some firewall configs and my torrent jail on my home server stopped working. I spent like an hour debugging, only to realize that my 1-year Mullvad subscription had expired in the middle of messing with my firewall. Oops!

Mullvad is awesome and super fast. I reliably get in excess of 300mbps while torrenting.


Been using Mullvad for a year, give or take, and I'm very happy. Zero care to find another VPN provider. Simple, fast, and anonymous sign-up. The apps function perfectly. Never experienced a bug in the Android or Linux apps. And the Wireguard profiles work perfectly. Connections are fast and not throttled (IME). And the UI of the website and apps is minimal and to-the-point.

I hope Mullvad keeps on its current course. It's one of the most respectable companies right now, with a respectable product, and it's one of the few I care to pay for on a consistent basis.


The only issue I have is on my phone. Whenever I leave my home wifi, it gets slow as hell and I have to do a reconnect to get to a new server. Usually the reconnect speeds things up a LOT.


My only concern with Mullvad is that, as their profile and reputation increase, they become a bigger target. That’s mostly a vote of confidence, though the concern is a real one.


But what is also great about Mullvad is that they're actively working to make their remote and local security better. They're involved in the stboot[1] project for example.

1. https://mullvad.net/en/blog/2022/1/12/diskless-infrastructur...


Perhaps a Swede can chime in, but I'd imagine Sweden has a lax regulatory approach, e.g. compare the fates of PRQ and Megaupload. It's, admittedly inexplicably, concerning that we've driven people to foreign companies (from American ones) due to government surveillance. It begs the question: under what conditions would a consumer be fine ceding privacy? Transparency? Remuneration?


Not really. See the trial against the founders of The Pirate Bay for example, and the controversies surrounding it. Also, the FRA surveillance. Also, according to the ISP Bahnhof, the police at least used to submit lots of data requests without a court order and for non-serious crimes.

AIUI, Bahnhof and other VPN providers stay in the clear by avoiding storage of data in the first place. They can be compelled to hand over any data they have, but not to log any additional data. (ISPs etc are forced to log more data IIRC.)

At least there's nothing like the Australian laws for forcing and gagging developers.


> At least there's nothing like the Australian laws for forcing and gagging developers.

Actually I'm not so sure that's true. I'm pretty sure similar gag orders have been mentioned in episodes of P1's Gräns. Might want to double check that...


Could you elaborate on the Australian laws?


There are two major pieces of legislation [1][2] that have been enacted in the last few years that have eliminated any expectation of privacy and security in Australia.

The AABill introduced warrants that can be handed down without judicial oversight that compel the recipient (individual or institution) to grant (or, critically, develop the means to grant) read access to any system to the government; while simultaneously acting as a gag order preventing disclosure of the warrant's existence. Violating this gag order would incur jail time.

The IDBill introduced warrants that allow the government to "disrupt data by modifying, adding, copying or deleting data in order to frustrate the commission of serious offences online" and further allows them to impersonate the online profiles of a person deemed significant to a criminal investigation.

Both of these bills were rushed through parliament with minimal opportunity for public comment. Where public comment (from the legal, tech, and human rights arenas) was made, it was universally negative. We have just ousted the government that drove these bills, but the new government (supposedly considerably more left leaning) supported both these bills with minimal opposition and has made no public plans to repeal or amend this legislation.

A previous Prime Minister once said (not in regards to these particular laws): “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”

[1] Assistance and Access Bill (2018): https://www.aph.gov.au/Parliamentary_Business/Bills_Legislat...

[2] Identify and Disrupt Bill (2021): https://www.aph.gov.au/Parliamentary_Business/Bills_Legislat...


As an Australian, I may or may not be able to discuss said laws.

This should or should not tell you enough...


Ass. Access Act.


Why are VPNs what people flock to when they think they want privacy? Moreover they kinda break the internet so it's not a scalable solution. It's cool to see a good one selling a privacy message and doing it at level 11, but it seems kinda disingenuous to me to tell users that they're more private because they use a VPN. Private from your current ISP, sure, but not from Mullvad (they're your new ISP, you're just moving the problem of who to trust, not acquiring privacy) and especially not so much from the service level tracking and collection of data which is arguably the real problem short of being targeted by nation-states.

Also it seems all I need to do as an "attacker" is subpoena (or whatever the Swedish equivalent is) Mullvad while your payment record is on file and I get the info I want. If Mullvad really wanted to go hardcore why not only sell little top up cards cash-only at kiosks?

Now, choosing where you want your traffic to geographically egress onto the public network does have marginal utility and it's a perfectly sane feature for VPN providers to market and consumers to pay for--VPNs aren't useless. It's just not privacy.

EDIT: add bit about how Mullvad is your new ISP to clarify the point


>Private from your current ISP, sure, but not from Mullvad

being private from your local ISP is what 99% of people care about because they use VPNs to send copyright infringement claims to /dev/null and watch netflix, not to smuggle nuclear secrets to Iran. It's privacy in a practical sense that's useful to people. If I go from an untrustworthy ISP to a trustworthy one I've gained privacy, there's no need to be overly academic about the term.


I'm not really trying to be pedantic for giggles.. perhaps I just think it's sad that 99% of ISPs are considered your privacy enemy and on top of that I don't consider VPNs a scalable solution to the problem at large so I'm more entertaining the "why is this the de facto solution" question in the "does it scale to society" solution space. It starts to look more like a social problem/solution than a technology problem/solution. That's more what this is about. If everyone used a VPN we'd really be in the same scenario we are today because to support that infrastructure you'd need exit nodes in every city and boom there goes your location advantage.


I don't consider my ISP my privacy enemy when it comes to paying my mortgage, or filling out my taxes. I do consider my ISP my enemy when it comes to downloading Linux ISOs, because the IP addresses issued by my ISP can be tied back to a geo location and are known to be the "last leg" address that would be targeted for infringement purposes.


Why is an ISP concerned about Linux ISOs? Or is this a code word for warez?


Code word for torrents. Linux ISOs are probably the most common large file legitimate use of torrents and so it's become a code word for pirated content.


It's just one of the many layers of good opsec if you care about privacy. You shouldn't rely on this alone.

And breaking the internet? I think centralisation by parties like Amazon, Google, CloudFlare does that a lot more.

And if you want you can even send them cash in an envelope. Or monero or whatever.


I don't disagree that centralized services are also bad for the internet, but that's not a rebuttal to my point (also, what is a VPN service if not a "centralized ISP with different egress options"). A VPN does not add a layer of privacy. That's a misunderstanding of the concept and unfortunately a popular one even among security folks and even more-so among security marketing folks. A VPN allows you to effectively choose a different ISP. You are not private from Mullvad. You just have their promise that they're better and more transparent than your alternatives and that they won't sell your DNS queries and connection logs to advertisers. It's not bad to align with an ISP that shares your values, but it's not privacy outright.

> And if you want you can even send them cash in an envelope. Or monero or whatever.

So why not only allow payments in privacy perfect currency if they're so concerned about privacy?


I agree that it's but a single tool in a complex mesh of procedures to provide some privacy.

But the reality is that it does work for a variety of use cases. Try to torrent in Germany (of all places) and you'll get blackmail letters from random lawyers. Do this with a VPN and no problem.

For this scenario it's the tool for the job. If you're an insurgent trying to liberate Iran it's not.

For general surfing privacy it doesn't add much value at all because most of the identifying information is in the session itself, not the IP. This is where the layered approach comes in.

But I definitely see a value in these services.

And they do offer many anonymous payment options, but some are heavily frowned upon in some regions (eg anonymous crypto in India) and mailing bills is inconvenient and risky. And I guess for some people it's worth the tradeoff.


Yeah I definitely see value, don't get me wrong. I think, slightly, that marketing privacy is the cheap shot at best and kinda irresponsibly inaccurate at worst because it glazes over so much of the actual problem. In other words, if I start using Mullvad today I don't incredibly become anonymous and private on the internet... there's a lot more work to do to achieve that posture. The way VPNs are touted though might lead you to believe they keep you safe and private.

Otherwise sounds like we mostly agree.


Almost all VPN providers do such confusing advertisement, but Mullvad doesn't.


It’s pretty simple. A VPN adds a layer of privacy between you and the server you’re accessing. You go from user A with X home IP address originating from precise Y location, to user A with generic shared IP originating from a vague location likely nowhere near your real location.

Beyond location, did you know there are services that can sometimes accurately provide a user's place of work based on home IP? Their likely income level, and more. That becomes impossible with a VPN.

In short a VPN removes a key personal identifier that can be used to ID you online. Your IP address.


But traditional ISPs reuse IP addresses too. You rarely get a static IP from your ISP. Some even run carrier grade NAT and you're literally sharing an IP with your whole building or something. VPNs are not really different in any regard. They do obfuscate location, I'll give you that, and that seems like the crux of the issue with traditional ISPs: they are small and distributed so people have created location maps. By using a big centralized service you can obfuscate your zip code. I'm all for people having that option, don't get me wrong. Personally I'd rather see us pass strong legislation that takes things a step further and prohibits zip-code based profiling if that's considered dangerous to society, or ya know solve the social problem and create diverse zip codes in the first place so you can't predict income based on it, rather than be fooled into thinking that we can solve this problem by giving everyone a VPN. It doesn't scale.


Most residential ISPs reassign the same IP to the same account for months at a time. It's not technically static but is certainly used as a "mostly static" piece of data by profiling technologies.


I've been assigned the same Comcast IP for years now. I believe the IP allocation is linked to the modem's MAC address.


> So why not only allow payments in privacy perfect currency if they're so concerned about privacy?

Because perfect is the enemy of good. Mullvad would lose customers and that is not good for Mullvad, nor for the customer.


Yet, here we are praising Mullvad for removing recurring subscriptions which will certainly mean they lose some predictable revenue and customers...


> [...] it seems kinda disingenuous to me to tell users that they're more private because they use a VPN. Private from your ISP, sure [...]

Bit of a contradiction there. It adds friction to at least some attacks against your privacy. That's better privacy.

Nothing will ever be perfect, and VPNs can easily be oversold in terms of their benefits (especially since https became the norm). But they have benefits in some common use-cases.

> Also it seems all I need to do as an "attacker" is subpoena (or whatever the Swedish equivalent is) Mullvad while your payment record is on file and I get the info I want. If Mullvad really wanted to go hardcore why not only sell little top up cards cash-only at kiosks?

They accept cash and at least some other privacy preserving payment methods already.


> They accept cash and at least some other privacy preserving payment methods already.

So why even allow "traditional" KYC-ridden payments at all?

> Bit of a contradiction there. It adds friction to at least some attacks against your privacy. That's better privacy.

The nuance is that you're just moving the problem. You're not private from Mullvad. You're just trading one ISP for a different one. I could have phrased it better in my initial comment so as not to suggest a contradiction. Think of it this way, if Mullvad was your ISP, would you still tell someone to get a VPN? You have to trust someone not to snoop on your DNS queries and connections. All adding a VPN does is give you more freedom to choose who to trust, which is not bad in its own right. It's just not technically privacy manifest.


> The nuance is that you're just moving the problem. You're not private from Mullvad. You're just trading one ISP for a different one.

Another way of saying that is that you've gained a choice. Most people have essentially one option for an ISP, but _many_ for VPNs.

> So why even allow "traditional" KYC-ridden payments at all?

To allow user choice. Many probably don't really care about that aspect and just want to bypass region-locks.


I'm curious, how do VPNs break the internet? The only angle I can immediately see is the shortage of IPV4s.


They break the practical solutions to content distribution and delivery that we've deployed. If everyone used a VPN, CDNs and caching would be rendered ineffective. Generally, VPN consumers use more bandwidth than necessary to acquire the same content which does impact the network.


Same bandwidth over my local connection, mildly more across backbone connections, not a big deal in total.

I feel like if the bandwidth used by content distribution really mattered, we'd see a lot more effort being put into multicasting. Even a basic stateless "multiple destination IPs" version could save so much bandwidth.


Don't use a VPN to promote CDN usage to save the global network some bandwidth?

Just turn off javascript and/or images.


It disables the efficiency of distributed CDNs, but doesn't break the internet. There were no CDNs on the early internet.


And CDNs can and probably will build a profile of you and sell it to the highest bidder.


I think that you're right in that by using Mullvad you're transferring the trust from your current ISP to them. It's also important to mention that you can pay Mullvad with cash, sent in an envelope, so that your (real) identity is never known to them.


My ISP accepts cash payments in an envelope with an account number written on it. They probably require an address during signup so they can service the physical lines but just pointing out that paying in cash is not exclusive to Mullvad.


One primary benefit I see vs trusting ISPs is there's lots of competition in the VPN space.


What do you flock to when you want privacy?


Browser and system configuration. Turn off tracking cookies, advertiser IDs, block tracking links/assets. I use a municipal ISP that doesn't sell my info. Stuff like that. But really I know that I'm not private from the services I access so I try to gravitate towards services that I trust with my personal information. My goal is not to make sure nothing ever lands in my advertising profile. It's to make sure that whatever my profile is looks so unlike my interests that it becomes a useless waste of money to build it.


My paranoid interpretation of this is that they have already been, or are expecting to be served with some kind of order compelling them to silently hand over billing information.

I will admit that I know absolutely nothing of the Swedish legal system.


I wonder if a lower cost service like VPNs could reasonably create an “endowed” account: basically pay enough up front that when invested, the returns on the up front cost are about the same as the monthly cost. If you’d need to make €60/yr, you could probably achieve this with a one-time €1,500 payment. Does it make sense for anyone to pay that much up front? Maybe not. But for people that REALLY want to see the business model succeed and/or are way too wealthy considering their mental laziness, adding an option to pay a totally absurd amount once and then forget about it might be useful, even if that payment is way higher than any normal person would pay.


I like this a lot even though my primary reason is unexpected subscription renewal. I started a membership site and tried to use every single thing I would want as a customer. One of the things was a reminder that my yearly membership was about to expire, and by doing nothing this would indeed happen. No automatic renewal (but keeping the account in an inactive state). Confident customers can renew for 3 years with a discount, but nothing will automatically renew. Turns out, customers love this attitude and happily renew when it's time.


This is a nice approach. Have you considered giving customers the option to turn on automatic renewal?

There are certain specific things that I would want always to auto renew (like domain names, hosting related stuff etc)

If I ever get round to building a subscription SaaS I might consider “off by default” auto-renewal and leave it to customers to turn it on if want it… though this does add a bit of complexity I guess.


Have considered and have been told many times this is costing me revenue (which I think might be true). But I've never had a customer ask for it. Which is an important signal for me to consider a feature. Online payments are very easy for my target audience (mostly Dutch retail customers) with iDEAL so the benefit of automatic renewal is low.


In some circles that'll count against you if you try to sell the product/company. Investors are interested in recurring revenue and will value it very differently than your loose-relation clients. Not saying it's a thing you should always do, but worth keeping in mind.


Right, if your product is your company, this is the wrong attitude. But if your product is your product, then it's fantastic.


I use Stripe to manage payments for a subscription site with both monthly and annual options. I have renewal reminders turned off, because it seems like overkill for a monthly renewal – no option to only have it on for yearly plans. I worried about issues with yearly renewals, so I set up my own service to send a renewal reminder for yearly subscribers. I would rather have more customers not renew on friendly terms than deal with surprise charges. And I figure it may prompt some to check and update payment methods or spur them back into actively using the service more.


Very interesting. Mullvad seems to be the most extreme and reputable VPN service out there when it comes to privacy. At least it seems that way.


A VPN will hide you from your ISP, but that's about it, isn't it? Does a VPN really provide that much real privacy?


It also stops sites you visit from seeing your real IP.


Sure but with fingerprinting that's only a minor nuisance to most advertisers and sites who are tracking you.


The newest version of Firefox goes a long way to prevent this with Total Cookie Protection[0]. You’re basically left with fingerprinting as all cookies are site specific - even third party cookies. Combine that with a DNS that does cname uncloaking like NextDNS and noscript and you’re about as good as you can get without extreme measures.

[0]: https://blog.mozilla.org/en/products/firefox/firefox-rolls-o...


But the vast majority of users will not care about fingerprinting by the surveillance industry but about illegally downloading stuff. And there, VPNs are quite comfy.


I use Tor for that... it's a bit like a free VPN


"That's about it" corresponds to large swathes of the Internet for some of us living in parts of the world with arbitrarily censored and restricted Internet access.


Hiding your activity from your ISP is a Huge Deal in the USA. Can't speak to other countries though.


We've had numerous cases of ISPs spying on the domains that you are using and throttling your network usage according to that activity at least in the United States, so a VPN goes a long way towards ameliorating this particular issue.


I mean a properly configured VPN can do a lot more than hide you from your ISP.


Like what? Now you’re just using their ISP.


Some of us have really crappy ISPs (that also happen to be monopolists) that do things like HTTPS MITM (when they try to force you to install their root CA certificate and HTTPS simply doesn't work unless you do it), block DNS requests unless you use their DNS servers, or store all your traffic (this is being done in Russia, but it's close enough). I very much prefer to cover the precise details of my communications from my ISP and 'outsource' that stuff to Europe.


I hope you go for a spying incompetent country in Europe :). Especially one which is not partnered with the US .. like the UK and others.


Most allow you to choose where the VPN exit is located, so you can have traffic originating in another country.


This is a nice feature and paying for it is a perfectly sane thing to do if you need the utility. It's not exactly privacy, though.


and let me access sites blocked by my country/ISP!


Well, yes and no. For most people, they're over-rated. You don't even need a VPN to securely pay your credit card bill on public Wi-Fi.

However, there are two cases where they are useful:

- IP address hiding (something like iCloud Private Relay for iOS/Mac users does this at the browser level, VPN brings it to the entire system)
- Legal protections
- Location simulation

If you want to hide your IP address, this could be to stay more anonymous and less trackable, any system that relays your connection is fine.

If you want to break the law, you'll need something that has safeguards in place against that. Most VPNs do the most they can within the legal limits here.

If you want to simulate your location, you'll need a VPN with servers in those locations.

---

So really, it just depends on what "real privacy" means to you.


You forgot the most important use case, unless you're talking about Europeans and USians only. I use a VPN simply because half the internet doesn't work without it (some guy in a suit decided what you can and cannot read, and there's nothing you can do about it).

Free tiers provided by various "cloud" services work fine for this one (Oracle is the most generous among them).


"If you want to simulate your location, you'll need a VPN with servers in those locations."

While I did omit that justification, it is still just simulating location.


> unless you're talking about Europeans and USians only

Nah. As Europeans we're getting more and more censorship. Just think that most Russian news outlets have been blocked, youtube channels and so on. Plus until recently I couldn't read a good chunk of US news due to them refusing to adapt to GDPR.


Thankfully, they still support my favorite way to pay: dropping an envelope filled with various cash currencies and your account number on a slip of paper in a mailbox at a random airport.


Really good initiative, they clearly care about privacy. Most companies are going out of their way to introduce autorenewing subscriptions.

But here they make privacy more important than pleasing the investors. Kudos. Glad I'm a customer.


For customers who don't go to great length to protect their own privacy when paying (i.e., all subscribers, I assume) Mullvad should persuade them to replace their subscription with the "bill pay" feature of most checking accounts -- maybe even offer tutorials for common banks. I'm not an expert in the implications of a subpoena and if banks get involved, but it seems like it would at least be a way to keep the revenue stream nearly as healthy (recurring automatically) while also meeting their goal of not maintaining subscription data.


Banking is highly national. It does not even work very uniformly in SEPA (Single European Payment Area). Of course there are mandatory SEPA features that every bank in every country must support. But there are other national features which are used in some countries by practically all businesses basically making everything incompatible again.

And of course there are many countries completely outside of SEPA.


I'm in the US and I'm not familiar with banking elsewhere, but the "bill pay" feature I'm talking about will try some electronic system first, and if the recipient doesn't support it, the bank simply mails a check. The recipient could be as small/offline as any person at a residential address. I assume writing a check and mailing it is a fairly typical thing everywhere, and having the bank do this on a repeating schedule doesn't seem like a huge hurdle, but I could be wrong.


> I assume writing a check and mailing it is a fairly typical thing everywhere

It absolutely is not. The only time I've seen a check was a gift from my grandfather in the 00s, and I don't think paying bills by mailing checks was ever a thing here.

Checks also often become very difficult and expensive to cash when going cross-border. E.g. most banks here (Finland) refuse to cash foreign checks altogether.


So if you wanted to give money to another individual (not a company which offers card payments) and you didn't want to use the internet, is cash the only option?


You call your bank, or go into a branch, and transfer it to their bank account.


You fill in a bank transfer form and mail it to your bank (if you don't carry it in person to a branch office). The money gets transferred from the account of the receiver to the account of the recipient within a day. That's a standardized service every bank has to offer in the SEPA area and the price must be same regardless where the recipient's account is. No difference whether business or individual on either end. You need to know the recipient's account number (IBAN). Of course banks prefer that customers use the internet to initiate such transfer, but other methods exist (often at a higher price).


Frankly, this sounds like a long-winded way of saying "you write a check," with a technical difference being that the transaction is a push from the sender rather than a pull from the recipient. If this form has an option for recurring on a (e.g.) monthly basis, then it's what Mullvad could suggest subscribers switch to, if both parties have a SEPA presence.


Yes, monthly SEPA payments (with a static amount and static reference/message) are a commonly used service at least in Finland, for e.g. paying rent between private individuals, and it works as-is with Mullvad wire transfers.


It is my understanding that checks are pretty much only used regularly in the US at this point. Elsewhere, they are reserved only for special cases outside the norm.


If I'll ever use a VPN I will check out Mullvad, this kind of attitude is almost nonexistent now


Mullvad is awesome from top to bottom. From strict adherence to their values to the apps that they make and the service that they provide. I've been an extremely happy customer for years. Keep up the good work!


Note that a major issue with Mullvad is the long standing open issue which prevents iCloud syncing on macOS [1]

I've noticed this is not really a Mullvad specific issue, as the same thing happens when I apply their "killswitch" config (= pfctl firewall rules under the hood) while using other VPN services, like ProtonVPN.

Apple seems to be blocking some of the proxy IPs or some iCloud service process is misbehaving somehow.

[1] https://github.com/mullvad/mullvadvpn-app/issues/2401


That's amazing. When so many companies go in the opposite direction, it's incredibly refreshing to see a company make strides toward reducing their customers' identifiable data footprint.


Tip:

This portable secure travel router supports Mullvad (and Azire-VPN) out of the box:

https://www.amazon.com/GL-iNet-GL-MT1300-Wireless-Pocket-Siz...

Just input your Mullvad account number and it will upload all WireGuard configurations for all Mullvad servers worldwide automatically.

Perfect to use to connect to any unsecure Wi-Fi and drive all traffic via VPN in hotels, airports, coffee shops, etc...


I'd pay a lot of money for an Ethernet device that sits between the jack and the router that would make a tunnel for me. Is that what this is for WiFi??


No need to pay good money, just replace your router with something more configurable with OpenWRT / OPNSense / Mikrotik and set it up so that all routing goes through the VPN


It sits between your router and your endpoints (computers, laptops).

It can connect directly via ethernet cable or broadcast its own WiFi SSIDs to which you can connect.

You configure it to always connect to VPN of your choice using OpenVPN or WireGuard protocols.

Then you may connect to this device's SSID and your traffic will always be routed via VPN connection. This is way better, more secure and more reliable than "VPN software" or "VPN apps" solutions.

Not sure if I answered your question?


Good news, you need less than $250. Just buy a Protectli appliance, install OPNSense on it with the wireguard plugin. Setup Mullvad config and route all traffic through the tunnel. That's it!

I've been running a similar setup for a couple years now. It's been great.


Or spend less than $80 on GL.iNet GL-MT1300 travel router

or $90 on GL.iNet GL-AX1800 Wifi-6 router with Mullvad support preconfigured.

Nothing to install, tweak or have hassles with.


Or around 50$ for a cheap mikrotik box, though it will struggle with full gigabit routing.


This leads me to wonder...

Is there an easy way for regular consumers to set up recurring payments in a "push" configuration (i.e. from my bank to someone else's) rather than "pull" configuration (i.e. most subscriptions where the service charges a credit card on an interval)?

I split a T-Mobile multi-line plan with a few friends where I'm the payer, and I remember looking into this a while back to help them pay their share on time and without hassle, but coming up empty.

Feels like it would be useful for paying for something like Mullvad too, but I feel like there are benefits to that model that reaches beyond the individual use cases I mentioned.

It'd allow me to manage money going out of my account from 1 centralized location, making money flow more predictable and less chaotic than the status quo where a random amount of money is pulled out of my account from various credit cards every month, and I have to log into each account separately to figure out how much.


Your bank/financial institution should be able to do this at least from a bank account to a bank account. I have "pull" payments for organisations I'm ok with and "push" for others. The only issue I have is the "push" amounts are fixed and must be renewed every two years. (Edit: I don't think this will work with the VPN though as it needs a domestic account to push to, otherwise fees are high)


Wonder how this affects MozillaVPN subscriptions.


Great benefit. I also recommend finding a reputable masked card service provider if you plan to use a credit/debit card. Autopay is just another way for banks and providers to circumvent overdraft protection legislation and hopefully new legislation will remove any "perks" that providers offer for autopay services.


Is there such a thing as a truly private “masked card service?” I’m genuinely curious because I use virtual cards supplied by my online bank, but I’m sure they retain records for each virtual card I use. Are there services that do not record this information?


> Is there such a thing as a truly private “masked card service?”

No - there’s no way to support all the anti fraud mechanisms of the major credit card networks without a thorough paper trail. Masked card services help prevent unwanted charges and inconvenience for the customer - they may give a fleeting layer of privacy between the consumer and the merchant but nothing more than that.


Good question. I doubt any of them are truly private but I think it at least adds a layer of privacy and security from the service provider, but as with most things it probably won't protect you from a court order.


The only real masked card I can think of would be a gift card paid for in cash. Tedious as it is, that seems like the only way to use a debit card privately, and I think some of those are rejected by online pay platforms.


No need, just send them cash in an envelope, which works just as well.

I wish more services supported this, but I understand it adds a lot of hassle for them as well.


How do they handle VAT via cash in an envelope? Do you need to provide a billing address?


Why would you need to provide a billing address?!? It's cash, and they don't generate bills anymore.


In the EU VAT for online products and services is based on the buyer's location not the seller's location. They need to know something about where the buyer is to determine the VAT rate and where to send the collected VAT.

I don't know what the rules are for sellers that are inside the EU, but if they are at all like the rules for sellers outside the EU selling to buyers in the EU they are required to collect two pieces of evidence that support their determination of which country's VAT to collect.

Where I work we use the country the person claims they are in from the country drop down on our cart and what country MaxMind says their IP address is from. This works most of the time. If those don't match we look up the first 6 digits of their credit card to see what bank issued it and see what country that bank is in, and if that matches either their selected country or the IP country we go with that. If the bank is in a third country, we look at their email address and if that is at a service that is mostly just serving one of the three countries we go with that.

How would a company that accepts cash and keeps very minimal customer information deal with this?


Mullvad's advertised pricing already includes VAT is my understanding.


They still have to pay different VAT rates to the buyer's country, even if that is transparent to the customer.


I would love to know if there are any of these in the EU – US friends of mine have mentioned privacy.com but I am unaware of a similar service in the UK.


Privacy.com abides by KYC. So it's not very private.


which is it, EU or UK?


Blur (dnt.abine.com) and Privacy provide fantastic masked card services.


These services will likely not be around in 5 years if things continue as they do today. I work with clients who ban any ASN that hosts these kinds of services. Not sure what Mullvad can do to not become a new Tor or North Korea. At many companies they already are.

I am not for it. Just the way the lands lie right now.


are your clients consumer ISPs? or are they like edge CDNs doing www stuff? the impact on these VPN services would be tremendously different in each case.


Consumer services. Not uncommon for companies to sign enterprise deals that include subsidiaries. Then sec provision firewall rules across many different sites even for just a single customer.


Have Mullvad's privacy guarantees been tested by subpoena?


If your threat model includes nation state intervention, a 5 Euro VPN isn't going to help you. In fact, no VPN is going to help you. The best you can get is probably Tor + Tails, but even then you better be looking over your shoulder.


That's not necessarily true. A lot of state surveillance comes through having backdoor or legal access to lots of services. Many VPNs have been tested in court on whether they actually have information on you to disclose, and some even have independent audits to verify that such information is not even kept.


At best, you can hope to make surveilling you more expensive or more inconvenient. But if Snowden taught us anything, it's that whatever you needed to do to get yourself tangled up in the 5/14 eyes trip-wire, you've already done, long ago, and continue to do.

VPNs don't mean shit. You're leaking data everywhere you go. Browser fingerprinting, WiFi/BT signals, cell tower signals, GPS. If you own a smart phone and a credit card you're already fucked.

Let's not confuse things for people by making them think if they plop a 5 Euro VPN between them and their yahoo! email account that this does anything at all to deter state level actors.

VPNs are good for a few things:

(1) Evading state-sponsored censorship (which uses technology minted in good old Silicon Valley) -- where the state doesn't really care unless you're really bothering them

(2) Marginally disrupting the pan-opticon that is surveillance capitalism by mixing the signals a bit, where your ISP can't sell you out to data brokers. But even then... DNS leaks, etc still happen and still fuck with the plan.

(3) Maybe not getting scooped up as badly in the state dragnet, and maybe not being accused of something you actually didn't have anything to do with.

But brother, if you think you're gonna be the next Ross Ulbricht with your Mullvad VPN, then you better be memorizing your recipe for toilet wine because you're gonna land in a fed pen.


Mate, I don't know if you realize this, but most people here just want to hide due to minor privacy concerns, not a plan to overthrow the government or some shit. Of course if the FBI is after you, no, Mullvad won't protect you. But in the more realistic scenario that Disney might be after you, would Mullvad be a liability or not, that is the question.


There's a big difference between getting caught up in a 5-eyes dragnet vs some local police investigation vs a copyright subpoena.

A VPN headquartered offshore that will only respond to local subpoenas with local legal representation is pretty good protection against the second two.


There's a difference for now, anyhow


That is true but not relevant to my question of whether Mullvad's data retention policies have been tested in court. One uses a commercial VPN to pirate HBO, not dodge the alphabet boys.


or be in a state that is not an ally.


They are based in Sweden, which could be an issue since they are part of the 14-eyes alliance.

https://www.cnet.com/tech/services-and-software/mullvad-revi...


Yeah I think that's why they're trying to minimize the amount of data they have on store, because they know that a repeat of the TPB raid can happen any time.

If the Swedish courts find sufficient reason to do so, they will go in without warning and seize what they feel like.


Not a subpoena, but a third party auditor.



This does not apply. They’re European, a subpoena from the US government wouldn’t have any effect on them.


Europe has courts, subpoenas, warrants, police, and all that too so I don't see how that affects the question? The US has mutual legal aid treaties with most European countries as well.


that's not true, the USA has agreements to exchange information on citizens with the vast majority of European countries. While a local yokel might have a rough time, the federal government would only have to put in a request and wait a while. The only cost is the effort to file for it.


I tried Mullvad, I love their outlook on privacy. However, maybe this is just my experience but the speed I was getting with Mullvad was slow, for some reason. Much slower than my regular ~200 mbps connection. Had to switch back to Nord (would not recommend it, though) again.


I use Mullvad and haven't had this issue, but try ProtonVPN, which has many more servers with faster connections too.

It's almost the same in terms of privacy protections.


I can max out my 330 Mb connection with them, and latency is pretty good. I'm in Europe and I use a couple different countries as exit.


I love that you can literally just send an envelope of cash with your account number to pay.


I love those guys. I really wanna start using them, but there's one missing feature for me: currently, I can mail them a few hundred euros, and get a number of years of service. That's great. But currently you only get one block of service. I'd very much like to be able to pause my credit.

Now, I totally understand that letting people pause with super fine temporal resolution would crush their business model. I'm not asking for that. But I would like to buy say 30 months of service, flick a switch draining say one month of my credit (and having the service for a month), then pausing again.


> At Mullvad VPN we strive to know as little as possible about our users. We are constantly looking for ways to reduce the amount of data we store while still providing a usable service.

I wish more companies had this attitude.


Mullvad already did this for anyone who wanted port forwards, because those people are more likely to be the target of legal demands.

They seem to never actually associate the account number with any payments except at the moment the account gains time. This keeps them from having to respond to any legal demands with useful data.

I wonder if the iOS subscriptions are affected. Technically they could just not associate your payment with your account number. Then the app can submit the transaction ID and your account number that was stored locally to the service to extend your time.


I would love to look at Mullvad. Every time I try to connect to their website using Firefox 101 it fails with Error code: SSL_ERROR_RX_RECORD_TOO_LONG. Is anyone else experiencing this?


I had the same and found out that my router was messing with the connection. I had to deactivate the Malicious Content Filter from Trend Micro to be able to connect.


Not on my side on android and Linux (Ubuntu 20 and arch)


This is a great idea! In practice, how would you go about this e.g. if you're using Stripe? After a few weeks, delete the customer information in Stripe?


Even if you delete it in Stripe, I very much doubt that stripe or the credit card providers will be deleting the data.

Someone will know that Mr Smith has a Mullvad VPN subscription. They just won't know his username on the service.


Probably true. So, how does Mullvad handle this?


I suspect a temporary ID that links the two that lives for just the time of the Payment Request and transmitted as metadata? Once the payment is successful, it removes the ID linking the payment to the account ID & severs the link - just the account has the credit


I've done something similar to disassociate customer-ids from their logs.

See also: https://en.wikipedia.org/wiki/Tokenization_(data_security) and https://en.wikipedia.org/wiki/Crypto-shredding
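
The temporary payment-to-account link and the crypto-shredding idea from the two comments above, as an added example (not from the thread and not Mullvad's code): the link row is stored encrypted under a per-payment key, and erasing that key after the refund window makes even a backup copy of the row unresolvable. All names, the retention value and the account numbers are constructed assumptions, and the one-time pad stands in for the authenticated cipher a real system would use.

```python
import secrets
from typing import Dict, Optional, Tuple


class PaymentLinkStore:
    """Keeps service credit per account; keeps the payment link only temporarily."""

    def __init__(self, retention_days: int):
        self.retention_days = retention_days          # assumption: refund/dispute window
        self.credit_days: Dict[str, int] = {}         # account -> days of service, no payment data
        self.link_rows: Dict[str, Tuple[bytes, int]] = {}  # txn id -> (ciphertext, day paid); may reach backups
        self.link_keys: Dict[str, bytes] = {}         # txn id -> key; the only thing that must be erased

    def record_payment(self, txn_id: str, account: str, days: int, today: int) -> None:
        self.credit_days[account] = self.credit_days.get(account, 0) + days
        plaintext = account.encode()
        # One-time pad: random key as long as the plaintext, used exactly once.
        key = secrets.token_bytes(len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, key))
        self.link_rows[txn_id] = (ciphertext, today)
        self.link_keys[txn_id] = key

    def resolve(self, txn_id: str,
                rows: Optional[Dict[str, Tuple[bytes, int]]] = None) -> Optional[str]:
        """Map a processor transaction id back to an account, if the key still exists."""
        rows = self.link_rows if rows is None else rows
        key = self.link_keys.get(txn_id)
        if key is None or txn_id not in rows:
            return None
        ciphertext, _paid_on = rows[txn_id]
        return bytes(c ^ k for c, k in zip(ciphertext, key)).decode()

    def refund(self, txn_id: str, days: int) -> bool:
        """Refunds and chargebacks only work while the link is resolvable."""
        account = self.resolve(txn_id)
        if account is None:
            return False
        self.credit_days[account] = max(0, self.credit_days[account] - days)
        return True

    def shred_expired(self, today: int) -> int:
        """Erase rows and keys older than the retention window; returns how many."""
        expired = [t for t, (_ct, paid_on) in self.link_rows.items()
                   if today - paid_on >= self.retention_days]
        for txn_id in expired:
            del self.link_rows[txn_id]
            self.link_keys.pop(txn_id, None)
        return len(expired)


if __name__ == "__main__":
    store = PaymentLinkStore(retention_days=40)
    store.record_payment("txn_A", "1234567890123456", days=30, today=0)   # constructed values
    backup = dict(store.link_rows)          # a backup taken before shredding
    store.shred_expired(today=45)
    print("live lookup:", store.resolve("txn_A"))
    print("lookup against backup:", store.resolve("txn_A", rows=backup))
    print("credit kept:", store.credit_days["1234567890123456"])
```

After shredding, a dispute on `txn_A` can no longer be tied to an account, which is the trade-off raised elsewhere in the thread about chargebacks.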


Handle what? Of course someone can go to Stripe and get that info, but as OP just said, they won't be able to tie it to a specific VPN account as that link is now broken.

They also mentioned it's about less data, not about zero data. The moment you use a credit card, of course it's stored in a bunch of places. But this won't be stored with them.


That's a very good question. I wonder why companies don't push hard to disallow third-party services from storing their customers' data. I had this issue as an employee. My employer used a third-party service for onboarding. This service had a breach and my data (including my SSN) was leaked. I've been begging my employer (one reason I wish I lived in California) to take action and have them remove my data, because another breach is inevitable. They've finally sent a request to delete all employees' data. Now I am waiting.


If you accept payment, it's very hard not to relay some information to a third party, except if you build your own payment provider service... But I'd love to see Stripe make more effort here and e.g. start allowing EU hosting for EU customers and so on.


I don't mind sending data to the service, but the moment the information is no longer needed, we should have the expectation that you delete the data.


Mullvad deletes all transactions as soon as they are allowed by law/contract with pay agent. That's 45 days for some things and 60 for others I believe. They have more details on their site. This assumes you trust them to shred that info though. They also supposedly don't keep ip logs, but I assume their ISP does, so I guess that's of limited value.


Why would it matter if their ISP keeps IP logs? Those logs would not be able to link an IP address to anything of value.


Sometimes just having meta info is enough for 3LA orgs. They would know the user is using Mullvad services as the most obvious which is enough to get you multiple year sentences in some repressive countries.


I was so worried they were winding down or something. I really love Mullvad and would hate to have to find a new VPN.

This decision makes me like them even more.


They took payment in BTC back when it was several orders of magnitude less valuable. They can probably run the company indefinitely off their crypto savings.


They almost certainly are converting the vast majority of their crypto back to fiat money to pay their bills and employees.

Given the relative volatility I'd be surprised if they have any meaningful long term holding of cryptocurrency.


I think Firefox resells a custom Mullvad product, which I would probably use. I just don’t have a need for security at this layer.


Ditto. It's cheaper too. And added bonus by supporting Mozilla (or just their CEO :P)


> And added bonus by supporting Mozilla (or just their CEO :P)

Why would you ever want to do that?


Why not just subscriptions with random persistent pay reference?

They could be safe against adversary that has access to Mullvad data, while still offering convenience of subscriptions. It is not safe against adversary that has access to banking data, but even independent payments are not safe against that adversary, if they are often enough.


I wish more SaaS companies (especially VPN ones) did this, this is a giant win in the area of privacy. Go Mullvad!


The opposite is sadly still happening everywhere else and no change for that is probably coming in the foreseeable future. With subscriptions, you guarantee the revenue. And making it very difficult to unsubscribe, such as some unnamed companies, even a little bit more money is collected.


This is just like Mullvad to care about your privacy.

But I think it's a bit overkill to completely remove the subscription option. They could have accomplished the same educating of end users with a simple recommendation or opt-out at sign up.

Still providing subscription for those users who find that most convenient.


Sweden is part of 14-eyes. I realize this may be naive or already answered, but I don't see why I should trust any service in one of those 14 countries. When things are down to the wire, can anything in Sweden really guarantee any greater level of privacy?


I'd like to know which email provider(s) you use outside the 14-eyes, assuming you're not self-hosting. There are some privacy focused and relatively cheaper ones that avoid the five-eyes, but end up being in the nine-eyes or 14-eyes countries.

Note: I'm not considering ProtonMail (Switzerland) as relatively cheap. I came to know about CTemplar (Iceland), but that shut down a month ago.


$4.22 (USD) a month is really not that bad for Protonmail, fwiw. (12 month, cheaper for 24-month) That's nothing compared to a Netflix or HBO max subscription.


See: https://mullvad.net/en/help/swedish-legislation/.

Also, the Swedish government can't compel Mullvad to divulge information that it doesn't have.


Mullvad is badass, tried it out for a month and it was glorious, so I just recently pre-paid a full year.


That's great news and they just got a huge boost in reputation for me. Definitely the go to service if I need a good VPN again.

Especially strong decision since this will certainly cost them a lot of revenue and I don't think the boost in reputation will counter that in the long run.


I guess they'll notice after a month or a year

What'll happen. I suppose there is a "middle" group of users who want a VPN a bit but not super much, and long term now might leave

Anyway I like Mullvad's mindset

Hi Mullvad, I hope you'll post a follow-up a year later :-)

What if you, as part of the payment flow, included adding a calendar reminder X months later


Serious question, what are people using their VPN for? I used PIA before the buyout then shifted to Windscribe but I don't think I will renew after this year. I rarely use it and if I want something safe (like using public wifi), I use tailscale instead.


Existing on the Internet without my landlord/ISP knowing what I'm doing or injecting HTTP ads into my Steam browser


Torrenting.


Refunds and disputes can happen way after a week right? I've seen disputes 120+ days after a transaction.

I mean, maybe they won't be affected by this but they sort of suggest after a few weeks you could dispute the charge and they would have no idea it was you.


They have a 30 day refund policy. Their credit card partner stores transaction information for 40 days.

https://mullvad.net/en/help/no-logging-data-policy/#payments


So I read through this, and it appears pretty clear that Stripe holds all the normal transaction data on your behalf, and they store just the link to the transaction. But they mention removing the Stripe charge ID from their records so I guess that could mean they would have no idea how to respond to disputes, hence lose them all.

Maybe that is fine, just a cost of doing business for them. But it is definitely atypical. Never heard of someone who would be completely unable to respond to disputes before.


I’m curious, too. I want to test it on a throwaway account and card.

One thought is that their offering is so uniform that they could provide the same information in response to every request, regardless of days passed since the transaction. They would only need to mark pre- and post- certain changes to terms and screens, which they could record without keeping identifying information.

They may also be using Stripe’s chargeback insurance, which relieves the need for the merchant to respond at all.


I've been using Mullvad for years as a permanently-connected VPN and I find it excellent. I do use a subscription, but I have a friend who sends them cash in an envelope by snail mail and loves it.


Heck of a convincing advertisement, even if it's not meant to be one.


The few times where removing ‘features’ (re: privacy holes) is good news


Is it me (likely), or are a huge range of comments here exactly what you'd expect from a company anticipating blow-back based on their changes? I mean it could really be that good, but this feels a little too clean. I.e. are there shill posters here? I suppose someone could look at all the users who posted, get their karma, and created on dates, and build some estimation calculation. Probably could be greatly improved by adding factors such as whether the user has posted recently in other threads, whether potential shills are responding to parent shills, etc. Arms race ...


"Please don't post insinuations about astroturfing, shilling, bots, brigading, foreign agents and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email [email protected] and we'll look at the data."


A completely rational guideline. My mistake, apologies.


Anyone have thoughts about the privacy and security aspects of TunnelBear? I've been using them for a few years, wondering if I should switch to Mullvad.


The top proper privacy focused VPNs are in no specific order:

- ProtonVPN
- Mullvad
- IVPN

More details here on why: https://www.privacyguides.org/vpn

I personally picked Mullvad even though I use Proton Mail because they have a fully featured Linux app, unlike Proton's which is very very basic and they support IPv6.


When I tried it, they didn't have an iPad app, but it was fine because they give you the configuration and I plugged it into the OpenVPN app.


They have an iPad app now. Makes it easier to switch server but aside of that, no major advantage over WireGuard app. I use WireGuard app since it can auto connect on wifi or cellular.


If they don't keep the link between accounts and payments, doesn't that mean they can't revoke an account when a chargeback happens?


> In order to provide refunds and the ability to recover lost accounts we need to store some record of a payment, at least for a short time. As soon as we do not need the data to enable refunding a payment we scrub the record of anything that can link the payment or the account to any personally identifiable information kept by the payment processor (this could be your bank, for example).

So they hold your info and link for however long the chargeback period is (or the average one, probably 30-60 days is fine) and then lose it.

If you're more worried about privacy than convenience they offer other payment methods:

Which payment methods do you accept? We accept cash, Bitcoin, Bitcoin Cash, Monero, bank wire, credit card, PayPal, Swish, Giropay, Eps transfer, Bancontact, iDEAL, and Przelewy24.

https://mullvad.net/en/pricing/

And you can pay for a decade in advance.

(What is Pretzel24 I wonder?)


Selecting Pretzel24 as payment method redirects to https://go.przelewy24.pl/ where in turn you choose between different banks. I guess it is a Polish service for direct bank payments?


Wait, does it actually say "Pretzel" somewhere, or did you both misspell it?

"przelewy" means "wire transfers" in Polish: https://en.wiktionary.org/wiki/przelew Nothing to do with pretzels. :)


I misread it as Pretzel the first time and couldn't resist, especially after clicking the page gave me a 'NOT FOUND' error. I assumed it was some sort of payment system.


Sure, but they can ban your payment method, and they care about privacy enough to eat this (probably small) cost.

Also, they do actually keep a link for 40 days, but it seems like some card networks allow chargebacks past that.


Would it be possible to store subscription data without actually linking it to the account that is affected? Sort of like a one way encryption.


When the subscription was cancelled, you would have no way to know which account to disable.

Perhaps a better model is the client stores the necessary data, and presents it when trying to connect?


At that point the question becomes one of search space and what real-world data that information ties to.

If Eve can determine the basis for which an account is identified, and there is a small number of subscriptions,[1] then the namespace may be exhaustively searched.

Mind that even if the resulting hash space is large, if the key space is small, the search is tractable. Just look for a resulting valid hash.

Even if a payment is required, if $0.01 is accepted, the cost for testing 1 million keys is $10,000. For a sufficiently high-value target, potentially reasonable. More so if you can create your own money.

________________________________

Notes:

1. For computers, any value < 10 billion is arguably small, and quite possibly somewhat larger than that. The present human population is < 10 billion. The Mullvad subscription list is all but certainly <<<10 billion, where '<<<' -> "very much smaller than".
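
The search-space argument above, as an added example (not from the thread or from Mullvad): an unkeyed hash of a low-entropy identifier is reversed by enumerating every possible identifier, while a keyed HMAC cannot be matched by someone who holds the stored value but not the key. The 5-digit identifier format and all names are assumptions chosen so the search finishes quickly.

```python
import hashlib
import hmac
from typing import Callable, Optional

ID_DIGITS = 5  # assumption: toy identifier space of 10**5 values


def plain_pseudonym(identifier: str) -> str:
    """'One-way' pseudonym as often proposed: unkeyed SHA-256 of the identifier."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """Pseudonym bound to a secret key that is stored away from the database."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def enumerate_preimage(stored: str,
                       pseudonym_fn: Callable[[str], str]) -> Optional[str]:
    """Walk the whole identifier space; return the identifier that yields `stored`.

    The digest is 256 bits wide, but the work is bounded by the number of
    possible identifiers (10**ID_DIGITS), not by the size of the hash output.
    """
    for n in range(10 ** ID_DIGITS):
        candidate = f"{n:0{ID_DIGITS}d}"
        if pseudonym_fn(candidate) == stored:
            return candidate
    return None


if __name__ == "__main__":
    identifier = "04217"                      # constructed sample identifier
    leaked_plain = plain_pseudonym(identifier)
    print("unkeyed hash reversed to:",
          enumerate_preimage(leaked_plain, plain_pseudonym))

    real_key = b"k" * 32                      # constructed; held outside the database
    leaked_keyed = keyed_pseudonym(identifier, real_key)
    guessed_key = b"x" * 32                   # what a database-only reader would have to guess
    print("keyed hash, wrong key:",
          enumerate_preimage(leaked_keyed,
                             lambda c: keyed_pseudonym(c, guessed_key)))
```

The keyed variant only moves the problem: whoever holds the key can still run the same enumeration, so the key needs the same protection, and eventual deletion, as the link itself.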


You'd have to have some form of connection, but it might be possible to design it in such a way that it could be plausibly denied. Holomorphic?

All the ways I come up with (giving out keys) have the problem of how do you renew the key, and how do you cancel it, without knowing which is which.


Couldn't you give them short-lasting keys, that they can use to sign session keys?

e.g.

1. Connect to Mullvad over Tor, authenticate with real-world user ID

2. Use this to sign a blinded token

3. Use this to connect to Mullvad anonymously after some delay

The first run would be kind of dodgy, but after that you could get new session keys on a fixed schedule and switch them out at a random interval.

If they see that user A authenticates and 10 minutes later, key A comes online, that can be traced, but if you then wait a week, authorize key B, and then wait a few more days to start using it, you should be good.

In practice, this has way too many issues to work in practice. It still requires you to trust them not to e.g. log IPs and correlate it that way, so it's all just snake oil.
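
Steps 1 to 3 above with a textbook RSA blind signature, as an added example (not from the thread and not Mullvad's protocol): the server signs a blinded token for an authenticated user and later accepts the unblinded signature without being able to match it to any signing request. The class names and the demo key built from two publicly known Mersenne primes are assumptions; a deployment would use a vetted implementation such as the scheme in RFC 9474.

```python
import hashlib
import secrets
from math import gcd

# Constructed demo key: two publicly known Mersenne primes, so no key
# generation is needed. The factors are public; this is never a usable key.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # server's private exponent


def token_digest(token: bytes) -> int:
    """Map a token to an integer below N (a SHA-256 value is far shorter than N)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big")


class Client:
    def __init__(self) -> None:
        self.token = secrets.token_bytes(32)        # the future anonymous credential
        while True:                                  # blinding factor, invertible mod N
            self._r = secrets.randbelow(N - 2) + 2
            if gcd(self._r, N) == 1:
                break

    def blinded_request(self) -> int:
        """Step 2 input: digest(token) * r^E mod N, sent while authenticated."""
        return (token_digest(self.token) * pow(self._r, E, N)) % N

    def unblind(self, blind_sig: int) -> int:
        """Strip r to obtain an ordinary RSA signature on digest(token)."""
        return (blind_sig * pow(self._r, -1, N)) % N


class Server:
    def __init__(self) -> None:
        self.issue_log = []     # (user_id, blinded value): everything seen at signing time
        self.spent = set()      # tokens already redeemed

    def sign_blinded(self, user_id: str, blinded: int) -> int:
        self.issue_log.append((user_id, blinded))
        return pow(blinded, D, N)

    def redeem(self, token: bytes, sig: int) -> bool:
        """Step 3: anonymous presentation; valid signature, single use."""
        if token in self.spent or pow(sig, E, N) != token_digest(token):
            return False
        self.spent.add(token)
        return True

    def blinding_factor_for(self, blinded: int, token: bytes) -> int:
        """Return r' with digest(token) * r'^E == blinded (mod N).

        Such an r' exists for every token, so a logged blinded value is
        equally consistent with any token redeemed later.
        """
        m_inv = pow(token_digest(token), -1, N)
        return pow((blinded * m_inv) % N, D, N)


if __name__ == "__main__":
    server, alice, bob = Server(), Client(), Client()
    blinded = alice.blinded_request()
    sig = alice.unblind(server.sign_blinded("alice", blinded))
    print("redeem:", server.redeem(alice.token, sig))
    print("replay:", server.redeem(alice.token, sig))
    r_alt = server.blinding_factor_for(blinded, bob.token)
    print("bob's token fits alice's request too:",
          (token_digest(bob.token) * pow(r_alt, E, N)) % N == blinded)
```

Blinding removes only the cryptographic link between issuance and redemption; the timing and IP correlation the comment goes on to describe is outside what the signature scheme can hide.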


It seems like you're trying to solve a totally different problem that doesn't exist. If you have a subscription, that means Mullvad must store information that ties your account to the subscription payment processor. That is the information they don't want to store anymore, because they want their users to be anonymous. Their system is already set up so that users can't be correlated with VPN activity.


A big prob with the big VPNs like Kape companies is their IP addresses are recognized. Does Mullvad, OVPN and/or IVPN suffer from the same?


Does someone know if they are splitting the dns request and the traffic? Or do they need to decrypt my traffic to get to my dns request?


Do they take crypto?

I’ve funded some virgin addresses from Tornado Cash notes, running from my own local node

That's sufficient and definitely less cumbersome than Monero.


Yes. [0]

" Which payment methods do you accept? We accept cash, Bitcoin, Bitcoin Cash, Monero, bank wire, credit card, PayPal, Swish, Giropay, Eps transfer, Bancontact, iDEAL, and Przelewy24. "

also Cash

"Can I really pay with cash? You bet, and please! Stay anonymous all the way. Just put your cash and payment token (randomly generated on our website) in an envelope and send it to us. We accept the following currencies: EUR, USD, GBP, SEK, DKK, NOK, CHF, CAD, AUD, NZD. "

[0] https://mullvad.net/en/pricing/


Ohh ok so no Ethereum or EVM assets

With virgin addresses I can get bitcoin and monero (or anything incl cash) anonymously from the tornado cash notes via the bridges, or via exchanges and staying below KYC limits

But Tornado Cash notes decrypt only to EVMs where Tornado Cash is deployed. It would be more convenient for Ether and some ERC20 tokens to also be used directly, instead of bridges or exchanges.

Are you all beholden to a specific payment processor or implementation? People pay the most to use Ethereum for over half a decade now, which is best projection we have for activity and potential interest in merchants that aren't crypto native services.


I buy mullvad vouchers from this website paying with Bitcoin through the lightning network: https://vpn.sovereign.engineering/


Man, checking this one takes like 10 seconds. Not only they do take "crypto", they also have a 10% discount if you pay with it.


I actually did take 10 seconds, scrolled down and saw the pricing page, decided not to click that because so many services only show the janky crypto payment option during a janky checkout process so decided not to bother and just ask here in the remaining 2 seconds. It worked.


yes, with a discount even


Another happy Mullvad customer. Been using them for a couple years now, and couldn't be happier with the ease, speed, and privacy.


Awesome - someone in real life treating user-identifying data as the toxic brew that it is!!

Refreshing and definitely a good reason to switch.


Even though I use protonmail, I still bought Mullvad due to their Linux app which has actual per-App split tunneling.


Been a mullvad user for more than 4 years and love it. Thanks guys and keep up the good work.


Been a happy customer of Mullvad for years now. It's a great product.


I tried Mullvad for a year and loved the approach and onboarding. Sadly the connectivity issues and mobile app don't measure up to what I was used to with NordVPN.

Not sure why a savvy someone would use a subscription with a VPN, so not sure what the news is here.


Payments are truly one of the areas where privacy suffers most. I hope this decision inspires more privacy-focused companies to not store payment information continuously.


FYI they take monero, the most private cryptocurrency.


Tor -> buy Mullvad for XMR -> use it for clearnet IP after Tor. Best for privacy, best for abuse. Aren't there any problems like captchas everywhere because the IP was overused? Or CP distribution lawsuits towards Mullvad?


That's a pretty sweeping statement to make with no evidence.


Monero has the largest anonymity set of any cryptocurrency, so the statement is true.


It's not just about the anonymity set, there are more factors than that. That said, I concur with the conclusion.


there is irrefutable evidence that they take monero


And we both know that wasn't the point of issue here - "the most private cryptocurrency" was


So, I don't quite get it. They supposedly accept one-time payments, but their pricing page only shows recurring periodic payments. What gives?


There is no automatic recurring payment, it's 5€ per month, you can pay it in one go for a specific period, or monthly manually.


I can't renew my plan. As I forgot my account number :(


It's listed in the app.


Kudos!


Clickbait .. but a rightful one :)


Highly commendable position. Mullvad is leaving a ton of money on the table by doing this, but in the sea of shady VPN providers, having a provider do something proactive like this makes me want to switch.


Who are you using now?


Been using PIA for the past few years. Tried Proton but this looks really good and having the entire thread sending +1s is major. Will def give it a try.



What's wrong with Proton?


I use this style of writing often, in conjunction with markdown documents.

Also, I find that using bullet points helps to visualize the sentences better, especially when used hierarchically.



You might be interested in logseq, a bullet-oriented MD editor: https://logseq.com/


I, personally, care a large amount about convenience. I don't want to think about bills at all. I've been a Mullvad subscriber for years on a PayPal recurring payment. It works so well that I don't even think about it. I just use it.

Having to think about paying a bill every month is really a pain to me. I get the privacy ideals, but the tradeoffs are not ridiculous. I should be able to make a decision about how private I want to be, not have Mullvad decide for me so that they can feel better about themselves.

I will probably move over to Mozilla VPN now, since they will continue to rely on Mullvad for their infrastructure but allow me to pay them in a convenient way. I guess compromises are in order.


So just pay once for an entire year, if you use them often, or the flat monthly rate, whenever you need. This doesn't sounds too much of a hassle, especially considering the price.


> "Having to think about paying a bill every month"

Others can correct me, but I believe each payment just adds a month of time to your balance. So a number of months can be added at once.


You can pre-pay an entire year at once as well.


You don't have to pay every month. You can just pay them a lump sum in advance. As far as I understand you can still do this like before.


This is PR and the comments are astroturfed to absolute hell. VPN is the most heavily advertised business I am aware of. There are a lot of reasons to mistrust this behavior.

1) it doesn't cost Mullvad very much to not autorenew subscriptions. People don't forget to renew their subscriptions to a service that breaks your connection to youtube when you forget to pay. It's closer to the world of warcraft model.

2) Customers are now rightfully wary of renewing subscriptions. Given horror stories of how difficult it is to cancel your subscription to a service, I suspect that you lose upwards of 50% of potential customers if you only offer subscription models.

3) No VPN has any incentive at all to "protect your privacy". It is perfectly legal for them to lie to you about not keeping logs and then turn them over to state actors, provided they are operating out of the right state. In fact, state actors would encourage such a thing. Perhaps some of these VPNs do something to protect your privacy, but it is not because they are incentivized to.


"Please don't post insinuations about astroturfing, shilling, bots, brigading, foreign agents and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email [email protected] and we'll look at the data. "


I flagged the post, but VPNs are not "unlikely" sources of astroturfing. I do not particularly trust the startup incubator that launched many of these VPNs to take a particularly critical view of astroturfing, so I have chosen to ignore this forum rule


> it doesn't cost Mullvad very much to not autorenew subscriptions. People don't forget to renew their subscriptions to a service that breaks your connection to youtube when you forget to pay. It's closer to the world of warcraft model.

I might be in a tiny minority of users (genuinely not sure) but I only enable my VPN when I want to get around IP geolocation (e.g. to stream something only available in another country) and otherwise turn it off when I'm done to minimize latency. I sometimes go a week or two without using it so I could easily not notice at least for days if my subscription didn't autorenew.


In which state is it legal to lie about the service you are delivering? I.e. in your marketing say that you will deliver something and then instead deliver something less valuable.


It's possible you don't know what state means. But the US has plenty of mass warrants that require companies to keep logs even in the presence of promises that they don't. In fact, they are obligated not to reveal that they are now keeping logs. Warrants supersede contract.


Even in the US I think you can't advertise a service that you are not legally allowed to provide. Does the first warrant make you immune to fraud allegations?

I'm not an expert and am ready to accept that I may be wrong. If you know any sources on the matter, it would be interesting to read.


Mullvad is based in Sweden, they seem to be privacy friendlier in general (even allowing sites like sci-hub on their TLD)


You forgot the last conspiracy reason which I always read in comments like this:

4) It is probably state funded and run by the CIA.


this is a weird double standard. The only reason to use a vpn is because of fears of the CIA or whatever in the first place.



