2023 Review: Mullvad VPN
What is Mullvad VPN?
A VPN is a service that creates an encrypted tunnel between the device and the provider's server, protecting all your traffic from prying eyes along the way like your ISP or whoever owns the router (think public Wi-Fi, for example). After reaching the provider's server, your traffic continues on to your desired destination like normal. Mullvad is one such service, very popular in the privacy community for their low price, lack of required data at signup, and other privacy-first policies which will be discussed in this review.
Why Do You Need a VPN?
You may not, to be honest. I recommend you check out IVPN's site “Do I Need a VPN?” here). A lot of people really hype VPNs as one of those absolutely, must-have, life-changing things that will solve all your problems. In all honesty, while I do believe that VPNs are an essential piece of your privacy strategy, there are many other free or low-cost strategies that will give you significantly more protection. A VPN these days pretty much only has two purposes: changing your IP address and protecting your traffic from local snoops. Changing your IP address is a valuable part of avoiding tracking, but it’s just one way and a VPN won’t protect you against those others like browser fingerprinting, tracking pixels, cookies, and more. Likewise, while it can be great to protect your traffic from your Internet Service Provider or a local cybercriminal, from a security perspective you’re already pretty well covered so long as you enable your browser’s HTTPS-Only mode and make sure you’re using the correct sites and not spoofed or phishing sites. Having said all that, I do still consider a VPN to be a critical part of your privacy and security posture if you can afford one. It can bypass censorship, stop your ISP from selling your browsing data, help obscure your IP address from tracking and logging, and protect your traffic from local attackers.
Why Not Tor?
Some people prefer Tor over VPNs. I am an ardent fan and supporter of Tor. Tor is definitely right in certain situations, but not all of them. For one, many essential services – like banks – block known Tor IP addresses to prevent fraud and abuse, making using those services nearly impossible. Second, Tor loses almost – if not – all of its anonymity once you login to something. If you login to your email and then your Reddit account in the same session, they’re now tied to together and you’ve lost your anonymity benefit. For this reason, I recommend reputable VPNs for any services that are tied to your real identity (or blocked by Tor) and Tor for random searches, accounts that are not tied to your real identity, or pretty much anything else.
The Good
Mullvad has long had a lot of things to like about them, but this year they added even more. Let’s start from the beginning as if you were signing up for the first time: they require absolutely no identifying information to sign up. You are assigned a randomly-generated account number, you add however many months you want to your account, and you download the app for the device you wish to protect. That simple. When it comes to buying time, you can pay with several privacy-respecting options like Monero, privacy.com cards, or even cash, as well Bitcoin, PayPal, bank wire, the options are immense.
There’s a couple updates regarding this that are both good and bad. Mullvad no longer offers recurring subscriptions or refunds on cryptocurrency. You’ll have to top up your account every time it runs low. They’ve done this in an effort to avoid storing any unnecessary customer information. I’ll talk about this again in the “Bad” section, but for now the motives are – in my opinion – good and this will come into play later in this section.
The price is probably the most popular selling point for many people (tied with or second only to the privacy record which I’ll get to). Most VPN providers offer tiers that give you different features for different prices – access to more servers, better speeds, or things like P2P servers for using Bittorrent and other services, for example. Mullvad doesn't do this. They offer only a single plan at a (in my opinion) very reasonable €5/month. Most people reading this have €5/month to burn, and the fact that Mullvad is committed to offering a full-service VPN at a consistent price point is admirable. They never do sales and they don't do any kind of advertising or affiliate programs. Five Euros, no matter what. I admire that level of consistency.
Mullvad is based in Sweden. In the past I’ve put a small amount of weight into a service’s country of origin – and I still do but even less than before. On the good side, Sweden gone out of their way to build in strong consumer privacy laws. In addition to being accountable to the GDPR, Sweden has also determined that VPNs do not count as telecommunications providers and therefore are not subject to the usual wiretapping and surveillance laws and practices. Mullvad has an entire page here outlining all the various legal protections in place that make Sweden a good thing for VPNs. In fact, we saw this come into play just a few short months ago as I write this: Mullvad got searched for the first time in their history. However, due to Swedish law and their practices (which I’ll discuss shortly) Mullvad had nothing to turn over and insists that any seizure of hardware or data would’ve been illegal.
Mullvad offers servers in 43 countries (up from last year’s 38), and (as far as I can tell) uses very strong, state of the art security measures (see “The technical stuff” here). Finally, Mullvad has a long track record of being early-adopters for strong privacy and security technology. They were among the first commercial VPNs to offer Wireguard – a new protocol that’s supposed to be faster, lighter, and potentially more secure – as well as quantum-resistant tunnels, RAM-only servers, and more. Things like this increase user security and stay a step ahead of emerging trends and possible threats. Personally this is perhaps my favorite thing about Mullvad. It’s my personal perspective that from an end-user perspective, Mullvad doesn’t offer anything unique or groundbreaking. Sure the price is good, the features are competitive, and the apps are modern and functional, but it’s all the behind-the-scenes work that they do that really sets them apart.
Finally, I’d be remiss if I didn’t at least mention the Mullvad Browser. This isn’t strictly VPN-related, but it does show Mullvad’s continuing dedication to the privacy movement. The Mullvad Browser is basically “The Tor Browser without Tor” and is designed to be used with any VPN to create a pool of users who are hard to fingerprint and look the same. Both Techlore and I created our own videos on the browser which I think complement each other quite nicely and offer additional information for those who’d like to know more. It’s definitely become one of my daily browsers on Windows – and sometimes Linux when I remember to open it (my workflow can be a bit rigid sometimes). It’s a powerful offering available even for those who don’t use Mullvad. (It’s also worth mentioning that their DNS is available for free to the public, too. So even if you don’t use any VPN, you can still have access to a trustworthy, private DNS resolver.)
The Bad
Truthfully there's not much bad to say about Mullvad, but there’s a few things. For starters, as I mentioned above, some of their hardcore privacy measures have resulted in a slight hit to user-friendliness. “Slight” is the key word here. I don’t think it’s huge, but it’s definitely there. Their desire to stop storing user data, for example, means that I have to manually top up my account each year (or month or whatever). While that’s not the worst thing it the world, I personally very much prefer to “set and forget” my payment options rather than log in one day and go “oops, I’m out of time and need to top up.” To be fair, it does give you a warning, but I’m already in a position where I could easily miss that warning. (For those who care: I use Qubes and using Mullvad on Qubes doesn’t require the app, meaning I could easily run out of time and never get a notification since Mullvad doesn’t have my email address.) This also extends to their money-back guarantee: it doesn’t apply to cryptocurrency since honoring it would require them to store data about what addresses sent them how much money. While I realize that the price point is extremely low and for most people would not really present a worthwhile loss if they were disatisfied with the service, it still presents a point of friction for potential users who may be on the fence.
In the past I expressed concern about Mullvad being based in Sweden because Sweden is part of the 14-Eyes surveillance network. I’m still concerned by this, but not as much as I used to be. My original logic went like this: Sweden is part of the 14-Eyes intelligence sharing agreement. Even if they do have good privacy laws in place, they as a country have – by entering into that agreement – expressed a level of comfort with secret surveillance intelligence sharing at the expense of the right to privacy for their citizens. In my opinion, it's that tone that makes it a bad thing when a country is part of a surveillance agreement. I’m no longer concerned by this for several reasons. The main crux comes down to “is the service really prioritizing user privacy and security?” I trust that Mullvad wants to protect the privacy of their users, and I hope that if Sweden ever took a more invasive turn that Mullvad would respond accordingly. The choice to stay in Sweden at this time should not be a dealbreaker for those considering Mullvad, but it does mean you should be keeping up-to-date on current events. Though personally, I think that's true of any service.
Conclusion
Mullvad is a company that grows on me more and more with each passing year. Each year I see posts from them about the new ways they’re working hard to innovate on protecting user privacy, even in niche areas one normally wouldn’t think to consider (such as auditing their payment processes or their search engine). They really do set a high bar for the privacy community. If you're looking for a VPN – or browser or DNS – you'd be remiss not to consider Mullvad. They offer a 30-day money-back guarantee (crypto not included), so you've got nothing to lose, and I suspect you’ll likely be impressed.
You can learn more and sign up for Mullvad VPN here. No affiliate link available.
Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...