The M247/DataPacket Problem With Mullvad VPN
Posted in: Matthew's Tech Posting
This article acts as a sequel to my 2020 blog post, The German Problem with Tor. That post detailed how many Tor nodes were within Germany and the risks associated with the centralisation of Tor relays in that country.
This blog post covers a slightly different topic, but one very much related: another type of service promoted to the pro-privacy community, VPNs. One provider that pro-privacy influencers, such as Techlore and Mental Outlaw, promote is Mullvad VPN.
A provider who loves to talk about how privacy is a human right and how their VPN is a good first step to becoming a “privacy ninja”. That’s all well and good: you have a VPN provider who doesn’t require any personal information to register, who doesn’t log, supports WireGuard multi-hop and doesn’t make false claims about making the user anonymous.
Sounds fantastic, right? The problem is that aiming to be a privacy-focused service means a high level of scrutiny is required. We are not talking about meme providers like NordVPN here; we are talking about a company who needs to do better.
There are two fundamental problems stopping Mullvad VPN from being as pro-privacy as they claim. One involves them using dedicated servers, rented rather than co-locating their own hardware. Hardware you don’t own can’t be trusted.
The Upstream Problem for Mullvad VPN
With Tor, by default, 3 hops are used: an entry node (known as a Guard), a middle node and an exit node. This means the entry and exit nodes don’t know each other’s IP address, which makes network monitoring of the Tor network extremely difficult.
However, Mullvad is by default a single-hop service (double-hop is optionally available). That means the exit node knows either your IP address or that of the entry node. Another difference is that with Tor a different route is chosen around once every 10 minutes, whereas you could be connected to the same VPN server for days, weeks, or months.
That means spying by an upstream is a far higher privacy risk with a VPN than with Tor. A VPN provider serious about user privacy needs to choose their upstream carefully. Mullvad VPN, however, uses two British providers for around 50% of their servers (even M247 Romania is ultimately part of the Manchester-based parent). Those are M247 and DataPacket.
M247 is extremely popular with VPN providers. A pro-privacy VPN provider should know to avoid upstreams known for hosting large amounts of VPN traffic. Passing user traffic through M247 is like painting a target on their back to be more heavily spied on by security services, such as GCHQ and the NSA.
All it takes is a few black boxes and the privacy of Mullvad users (connected to an M247 location) is worse off than if they had not bothered with a VPN at all. That might be even worse with DataPacket, who openly advertise to VPN providers.
Even worse, Mullvad VPN is not upfront with their customers about these risks.
The British problem with Mullvad VPN
Following on from the last section, perhaps the biggest problem with M247 and DataPacket is not their attraction to VPN providers. As alluded to above, the providers that control around 50% of Mullvad’s servers are British companies (directly or as a subsidiary of a British company).
This is Mullvad VPN ultimately handing control of much of their VPN network to the British authorities, whose courts can order M247 and DataPacket to spy on, censor or remove those nodes. This is the country that requires internet service providers to log every website a user visits for a year. A country that has proposed that social media and ISPs block posts containing “legal but harmful content”. Including the so-called independent regulator Ofcom (read: not independent), which will force censorship of anything it considers to be misinformation or disinformation (just like China and Russia).
It would be easy for either Ofcom or the government to classify M247 and DataPacket as ISPs rather than web hosts and force them to censor their international networks or be fined 10% of global turnover. M247 literally offers internet services to businesses in the UK, while, in a weaker case, DataPacket actively advertising to VPN providers could be considered offering an internet service.
This is a VPN provider who, in emails to me, said that Mullvad VPN is subject to Swedish laws and is not required to censor. Though, as mentioned in the above sections, the use of British providers means that might not matter. Nor does it help against the above-mentioned spying that upstreams who commonly deal with VPNs are at risk of.
All in all, Mullvad VPN appears to have put expanding the number of locations over user privacy. That points to a bigger problem in the VPN industry: the lack of a perfect provider. Mullvad VPN has multi-hop available, while AzireVPN chooses their upstream carefully, runs everything from RAM and uses a custom-made TPM-level rootkit that blocks common network monitoring features in Linux, but does not offer real multi-hop (only through a SOCKS5 proxy).
Published: 22nd of July 2022