In general, Nordic countries are known for their extensive privacy laws, which in theory would make it harder for law enforcement to gain access to your traffic (and with a court order it is very easy to decloak your VPN traffic). However, as all Nordic countries are part of the Schengen Area, they are bound by European laws - and their enforcement. When Europol started cracking down on VPN providers that didn't comply, NordVPN (and all others who wanted to remain in the European market) were forced to admit [1] that they do comply with law enforcement orders. Today, all VPNs that you can legally buy are worthless in the aspects they advertise to you. You neither get extra security through encryption when browsing the web (https is already good enough for public wifi) nor actual privacy from your own government. There is exactly one use case for public commercial VPNs these days: If you want to easily access the internet from a different location to bypass geoblocking. But many big services like Netflix have started to simply block or otherwise limit access from traffic that comes from big VPN provider IP ranges, so even that use-case is becoming more worthless every year.
You are missing one valid use-case: avoiding three-strikes letters being sent to your ISP by the MPA. Unless you're part of a release group, the complaints from the MPA never rise to the level of actual legal action, so your VPN provider is free to bin them, whereas your actual ISP would almost certainly act on them.
Yes of course, if you're engaged in low-level criminal behaviour, then even these low levels of obfuscation will keep some pressure off your back. But since copyright law is somewhat of a grey area in the EU, you technically don't even need a VPN for that. You could run a VPS somewhere and get the same results much cheaper. But this kind of use case is not something VPN providers can advertise with anyway, so my point remains unchanged.
HTTPS is not enough for public WiFi. Domain names get leaked due to how the TLS negotiation works, and unencrypted HTTP sites or ones with weak crypto are still more common than they should be.
Plus, many public WiFi networks exist which block SSH or specific websites to keep security auditors happy while allowing VPN to make business people happy. I used such a public WiFi quite recently, which blocked not only SSH but Hacker News - I assume some bad site database misunderstands the name of this site.
As for hiding from governments, I’m not aware of any Western government that has so far gained the power to force its companies to affirmatively lie about whether they have shared logs with the government. So far, they can sometimes force silence, and can sometimes force a previously published canary notice not to be removed, but they haven’t yet had any right confirmed to uphold a compelled lie. So any Western provider that continues to publish suitably broadly worded canary notices on a verifiably still-updated basis (e.g. securely OpenPGP-signed together with a bit of new daily news headlines) is either telling the truth or is lying without being legally forced to do so.
>I’m not aware of any Western government that has so far gained the power to force its companies to affirmatively lie about whether they have shared logs with the government
Depends on what things you think are likely to be true in secret or judicially determined in the future without an intervening legislative change. My impression of the law in most Western countries is that the courts would overturn any requirement to compel a company to affirmatively lie to the public through explicit speech of some kind, even in the national security context. Orders compelling silence or non-removal of past statements are a very different constitutional and human rights balance than compelled false speech.
>My impression of the law in most Western countries
Apparently you still didn't get it, so let me spell it out: Your entire point hinges on your own impression that your government won't abuse its power. An impression that will always be heavily influenced by PR and propaganda, no matter where you live - and one that seems eerily off considering the fact how often surveillance programs and attempts at destroying what privacy we have left make it to the surface. This kind of blind trust in your superiors is the straightest way to a 1984-esque dystopia.
You’re assuming a lot of inaccurate things about my beliefs. I do not have blind trust in my government or other Western governments. In, fact, I expect them to actively abuse their power in myriad ways, many of which try to destroy privacy. I didn’t say otherwise; indeed, if I were to assume that the government would never try to compel affirmative lies, I would have never needed to discuss how the courts would react to such an attempt.
I don’t think it will be productive to continue this subthread if doing so would be as focused on clarifying misunderstandings as this exchange was, so do not be surprised if this ends up as my last reply in this subthread.
So, should they be requested to do so by a formally issued court order, they would comply and start logging a user’s activity, but do not do so by default.
Calling them worthless at providing secure browsing seems far-fetched; calling them a scam is fully disingenuous.
*Tunneling* it through one hides the nature of that traffic from intermediary systems that it traverses from you up to that VPN exit point.
There is a lot of metadata in packets that can be viewed by any interim hop, like your ISP, workplace IT security, ARP-cache-poisoned coffeeshop router, etc.
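Two claims in this thread can be shown concretely: the reply a few comments up that TLS leaks the domain name during negotiation, and the point just above that every intermediate hop can read packet metadata. The following is an added example, not code from any commenter. It constructs a single IPv4/TCP packet carrying a TLS ClientHello for a hypothetical host and then parses it the way an on-path observer (hotspot router, ISP, corporate proxy) would, with no key material at all. The addresses, ports and hostname are made up, and the checksums are left at zero because nothing here is put on the wire.

```python
import socket
import struct

# Constructed values for the example; nothing here is sent on the wire.
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.20"   # RFC 5737 documentation ranges
HOSTNAME = "news.ycombinator.com"                      # the name the SNI extension will leak


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS record carrying a ClientHello whose only extension is server_name (SNI).
    Real ClientHellos carry many more extensions; the layout of the SNI part is the same."""
    host = server_name.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(host)) + host              # name_type 0 = host_name
    sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry          # ServerNameList length
    extensions = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext  # extension type 0 = server_name
    body = (
        b"\x03\x03"                             # client_version: TLS 1.2 (1.3 also sends this)
        + bytes(32)                             # random: zeros (constructed)
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                           # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(tcp_payload: bytes):
    """Return the host_name from a TLS ClientHello, or None if the payload is not one.
    Everything parsed here is plaintext: no key material is involved."""
    if len(tcp_payload) < 9 or tcp_payload[0] != 0x16 or tcp_payload[5] != 0x01:
        return None
    hs_len = int.from_bytes(tcp_payload[6:9], "big")
    body = tcp_payload[9:9 + hs_len]
    pos = 2 + 32                                          # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                  # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                  # compression_methods
    if len(body) < pos + 2:
        return None                                       # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0 or len(edata) < 5:
            continue
        p, list_end = 2, 2 + struct.unpack("!H", edata[:2])[0]
        while p + 3 <= min(list_end, len(edata)):
            ntype, nlen = struct.unpack("!BH", edata[p:p + 3])
            name = edata[p + 3:p + 3 + nlen]
            p += 3 + nlen
            if ntype == 0:
                return name.decode("ascii", "replace")
    return None


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """IPv4 + TCP headers around a payload. Checksums are zero (constructed, not sent)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def observe(packet: bytes) -> dict:
    """What a hop between client and server reads from one packet without any keys."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "proto": packet[9],
        "sport": sport,
        "dport": dport,
        "payload_len": len(payload),
        "sni": extract_sni(payload),
    }


if __name__ == "__main__":
    pkt = build_ipv4_tcp(CLIENT_IP, SERVER_IP, 51514, 443, build_client_hello(HOSTNAME))
    for k, v in observe(pkt).items():
        print(f"{k:>12}: {v}")
```

A VPN tunnel wraps this whole packet, so the hotspot only sees the tunnel endpoints; the VPN exit and every hop beyond it still see exactly what `observe` returns. The same hostname is also visible in the DNS query that precedes the connection unless DNS is itself encrypted.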
You can answer the question yourself for any provider using this simple test: Can you legally buy access to it from inside the EU? If yes, they will suffer from the same problem as all other providers.
As I said above, a simple court order can destroy any attempt at privacy. All (serious) VPN providers claim they don't store logs. But that does not mean that a court can't force them to do so. When combined with a gag order you can have someone collecting all your traffic without you even realizing it. And that's just the VPN provider, which usually doesn't own any datacenters. The datacenter providers can also receive the orders to either monitor traffic or even install hardware to do so. If you want any hope of privacy, you steer clear of all big commercial "privacy" providers, because they are very high on every government agency's list. And you just need one component in the entire chain to be compromised.
> All (serious) VPN providers claim they don't store logs. But that does not mean that a court can't force them to do so. When combined with a gag order you can have someone collecting all your traffic without you even realizing it. And that's just the VPN provider, which usually doesn't own any datacenters. The datacenter providers can also receive the orders to either monitor traffic or even install hardware to do so. If
None of this really matters unless you are doing something illegal enough that the government is interested in you and convinced a judge to get warrants.
That isn't 99% of people. 99% of people just want to try and stop being traced and their data being harvested with an easy solution that mostly works for that purpose.
>None of this really matters unless you are doing something illegal enough that the government is interested in you
The issue here is that how "illegal" something is depends heavily on where you live. In some places speaking against the government can get you killed [1]. In others, hosting movies can get your house raided by police helicopters [2].
> The issue here is that how "illegal" something is depends heavily on where you live.
The context of the discussion was the EU.
And the point stands. For 99% of people VPNs offer privacy even against the government, that would need to meet a high burden of proof and require a warrant to break that privacy.
I said nothing that goes against the context. Again: When you are actually scared of getting caught for something, a commercial VPN very likely doesn't help. That goes for all jurisdictions.
You mentioned the EU as a whole but the point is it isn't and is indeed widely varied when it comes to the sorts of laws you are relying on to make your argument.
>When combined with a gag order you can have someone collecting all your traffic without you even realizing it.
Are such gag orders common in the EU? I know they are fairly common in the US, but don't know enough about EU laws to know if that's an actual concern there or not.
You're spreading FUD, the Swedish government can't do shit to Mullvad but take their servers offline. Possibly if it was a matter of national security, at which point our recommendations are useless either way.
False. Like all member states, the Swedish government has officially ceded jurisdiction and enforcement of certain laws to the EU. Only VPN providers who do not comply with such international court orders get shut down. Look at what happened to vpnlab: The police literally write on their seized domain that they have forcefully attained access to everything, because the provider would not give it away freely: https://vpnlab.net/
Consequently, you can assume that all other VPN providers who are still doing business in Europe are freely giving away their data to government agencies.
You presume that a) all governments are bad, b) law is controlled by these governments and c) we only have to hide from governments.
Neither are absolutely true.
I mostly trust my (western European) government to not fuck me over when I am abiding by the laws. Which I mightn't always do. I mostly trust them to be proportional: e.g. not beat me up or throw me in prison for smoking a spliff or drinking in public.
A court order is handled by courts. Which, at least in most European countries, are independent. This is shifting in some countries, but that's a rather big deal. "Cut off from EU benefits" big.
Regardless what police or governments want, they have to abide by laws. And courts decisions on allowing access to my internet usage.
While in many countries governments are truly life threatening to minorities, that's not the only privacy concern. I have much more to "fear" from my ISP selling out, my datacenter getting bought by a FAANG or just those FAANGs spying on my every move.
What I'm trying to say is: you are spreading FUD by inventing some absolutisms that are really a spectrum for most common VPN users.
Also: VPNs have always been known to be detrimental to your security when browsing "really" securely: through TOR.
>Regardless what police or governments want, they have to abide by laws
I can't tell if this person actually believes what they wrote, or if it is some kind of attempted public social pressure technique meant to adjust the Overton Window from a rational place.
Be it 2024 or 1624, to assert that one trusts the gov to "not fuck them over" takes a special type of naivete. It certainly takes a general obliviousness to the news cycle, willful or otherwise. As well as an obliviousness to the logic of self-interest, bureaucratic expediency, State survival, profit motivation, corruption, party politics, and more. It takes an obliviousness to history.
I doubt that few people in law enforcement, public bureaucracies, or even in most elected offices would agree with the statement under discussion. In fact, the best (or most just) system seems to be mostly built on fail-safes against being fucked over in this manner, even if all systems arguably eventually fall to corruption. Which underscores such government motivation.
If your take is that "in many countries governments are truly life threatening to minorities", then the rest of the Profession of Trust makes no logical sense for the population generally: if the bar is the threat to life. And while that is a sensible ceiling for a "do not trust" conclusion, I would argue that the bar doesn't need to be that high.
Do note that this applies to Western Europe (more precisely: the Netherlands). And do note that "to be f#ed over" is rather broad and personal. While one person might feel they are truly "f#d" by police" when they get a ticket driving their bike without lights at night, that's obviously not what I mean.
I am by conviction an Anarchist (though certainly not libertarian), and I do see the times and places where government did absolutely f# over minorities here¹. But: hear me out: those are cases where the government, through democratic mandate, made (extremely) bad laws. And then had to abide by their own laws. Sometimes forced by the -independent- courts². Democracy works: "we, the people, voted for incompetent and blasé governors, racists even, who then turned out to be incompetent and blasé. And in doing so f*d minorities". It's not the government, really, but the will of the people!
Do I trust the police force (the institution)? Not really. But I don't need to, because it is kept in check by a functioning democratic system and courts. Again, this is not the US. Nor Somalia or South Africa. Do I trust a police officer (a human)? Quite probably; in the Netherlands a majority isn't power-tripping nazi scum but rather people with a (imo weird) calling to help.
Yes, because those cases are fortunately rather few. And usually (far!) fewer than in places with less democracy. So it seems plausible that they were caused by not enough (or otherwise "bad") democracy, not too much of it.
I absolutely think they were caused by too much democracy. Most people are not equipped and may never be so to vote or have a say on the most important issues. They need to be managed by those that are capable.
> I absolutely think they were caused by too much democracy. Most people are not equipped and may never be so to vote or have a say on the most important issues. They need to be managed by those that are capable.
Said all fascists and communists everywhere ever.
Oh, and probably all the Ayn-Randian libertariards too.
Mullvad complies, but they go out of their way to keep very little information. If you don't have the information in the first place, you can't surrender it.
Beware that despite all marketing statements, VPN providers can easily be forced to store logs using court orders, even if they don't do it by default.
That still has value, it's much harder to do drag-net style surveillance if you need court orders to collect new information and can't scoop up old information.
This also happened with providers in Europe. So you can safely assume that any VPN provider who is still doing business in Europe is compromised in some way or another by the government.
"Compromised" is a wrong word to use, unless you consider any obedience to the law "compromise". VPN providers who are still doing business in the EU (not Europe) do obey court orders - that would be more correct wording. Any non-compliance is a one-time occurrence: either you decide to cease operations or you are forced to cease operations by LEA, as in the vpnlab.net example.
If you actually look at the vpnlab example, you'll find that the government got access to all their data, not just for specific cases. So you can assume that all remaining providers have yielded the same level of access.
[1] https://www.pcmag.com/news/nordvpn-actually-we-do-comply-wit...