Who Owns, Operates, and Develops Your VPN Matters
Source: opentech.fund
The article discusses the importance of transparency and anonymity in VPN providers, sparking a discussion on the trustworthiness of commercial VPNs and their potential ties to intelligence agencies.
Snapshot generated from the HN discussion (story posted Sep 3, 2025 at 12:51 PM EDT; first comment 25 minutes later; latest activity Sep 10, 2025 at 1:43 PM EDT; 160 comments loaded).
VPN companies often overpackage their offerings and overcharge -- this truism doesn't apply when shopping for VPNs.
The evil regime doesn't need to have a popular evil VPN that everybody uses... it may be enough to operate (or hack) a smaller VPN which can unmask enough dissidents that their friend-groups can be found by other means.
If I was the US government, I'd push Google Play to offer compromised updates of Signal silently to a few people I was interested in. Even among the highly-technical, who is going to be inspecting binaries installed on a phone regularly?
Does Signal even have reproducible builds? How do I know the code matches the binary?
I'd make my own messenger.... but I don't have the money for that at all.
I wish these risks could be split up and handled separately - Suppose I run a private dark network for me and my friends, and then the GUI for chatting over it runs in a sandbox where it can only message servers that I control, using public/private keys that I control.
Conflating a million lines of Java GUI code with "Noise is a simple and secure protocol" seems like a big attack surface.
I have non-technical friends and relatives that have fully bought into this and when I asked why they use a VPN I got non-specific answers like "you need it for security", "to prevent identity theft", or my personal favorite: "to protect my bank accounts".
Not a single person has said "I pay to route my traffic through an unknown intermediary to obscure its origin" or "I installed new root certificates to increase my security."
For those of us that are technical but unschooled, what resources would you recommend we learn from?
Or run Tailscale (and a self-hosted DERP relay).
Utility in that was that the traffic of all devices was routed through a "PiHoled VPN", so very little advertisements came through...
On what infra? Can you trust that one? Doesn't that solution just move the problem down one level?
I use a VPN to watch IPTV & download torrents without my ISP sending me nasty letters. Mullvad is great for that.
I would trust it in conjunction with Tor to protect me from low-level crimes. I wouldn't trust either it or Tor, alone or in combination, to run a marketplace the DEA would become interested in.
If your threat model is obscuring your home IP to hide your IP from above board HTTPS sites, a DIY VPN probably is great. If it's to do low level crime, a cheap VPN is probably enough. Anything else, good luck.
Between the parent and the other one, it's almost like I specifically pointed out the limited utility of this approach and all of the Well Acktshually posters had to spell it out anyway.
I was responding to someone who said they were technical, so it should be assumed they can work this all out for themselves.
Again, threat model matters – hide your identity from whom?
You certainly won't hide it from someone who can seize payment records. You will struggle to hide it from someone who has control of enough of the internet to correlate data across sites, like Google or Cloudflare. But if you're looking to be pseudonymous in the face of a single site, or a small set of sites that don't conspire to unmask users? It might work just fine.
(unless as you rightly note they block your hosting service's ASN;-))
truly anonymous hosters are high profile targets for law enforcement, so in my opinion they are higher risk than even VPN providers. not interested in getting caught up with that crowd. and for the good VPN providers at least a court order is necessary, and if the VPN doesn't log usage, they can't prove anything.
there is no threat model where your own hosted proxy could ever provide better protection than any VPN. i use my own proxy because it's free, because i already have a server where i host my website, not because it provides me with any kind of protection. to get that, a VPN would be easier and cheaper.
You can't just say "threat model matters" and then treat security as an absolute gradient (poset?). That means you don't have a real threat model.
> using my own hosted proxy means that my identity is out in public. it's not even hidden. no need to even seize payment records. anyone can look up the ip address and eventually figure out who owns the server.
Bold claim – you've gotta show your work for this one.
> there is no threat model where your own hosted proxy could ever provide better protection than any VPN.
"no threat model [em-bee can imagine]", maybe :)
Here's one for you: how do you know your VPN provider doesn't log usage? You SSHed in and looked at /etc/syslog lately? Went to their hosting provider and opened door 641A?[0]
You sell a VPN and accept US cash? You are interacting with the US financial system and are open to all sorts of laws and enforcement levers that get to be pulled against the company that sold you that service & pinky swore they didn't log.
How sure are you about that "no log" claim if your VPN provider had a visit from a friendly FinCEN CI and some HSI folks who explained what a "US nexus" is?
All this said, I don't necessarily disagree with you: my personal threat model is that bigger fish exist than me, and a paid VPN provider fits the risks I take. Yours might be the same. But I don't see how you reasoned your way there.
[0]https://en.wikipedia.org/wiki/Room_641A
Sending all our data through an untrusted intermediary is a bad idea. Installing software from an unknown company (that hijacks the machine's entire network stack) is not a good way to protect data.
It all really depends on what you are protecting against. For the average person wanting to protect data and avoid being tracked, setting up thoughtful DNS infra, and a basic firewall, is probably more effective than using a commercial VPN from your home network.
For public networks, it's probably safer to set up a VPN server on your home network and use that in case you need to connect to public wifi or some other potentially hostile network.
I'm not aware of any authoritative article on this topic but I generally share writings by Schneier. This one touches on the subject: https://www.schneier.com/blog/archives/2021/06/vpns-and-trus...
It was actually Tor (the threat came from Tor), and Harvard 'found' him by constantly logging what connections were going to known Tor entries from on campus. As it turns out he was one of, or possibly the only one, using Tor that morning from Harvard.
Bruce outlines that he certainly could have stayed tight-lipped (all evidence was circumstantial) but nevertheless confessed as soon as they approached him.
I'm looking forward to when VPNs always throw up chaff traffic.
Mullvad's DAITA (Defense Against AI-guided Traffic Analysis) is going in that direction[0] and Mullvad is one of the better providers. Tor also has some protections against this afaik and the upcoming Nym VPN is also doing some traffic obfuscation [1]. But as the saying goes: Correlation Attacks are a bitch.
[0] https://mullvad.net/de/vpn/daita
[1] https://nym.com/
The first line on the landing page says:
"The world’s most private VPN 80% off today!"
Very interesting.
Correlation attacks are a bitch and I'm sure I'm on a shortlist already, but calling a politician an idiot with a burner account made using a VPN should be fine.
https://hackread.com/private-internet-access-pia-vpn-sold-is...
Then on the other hand I feel that the real need is from people who come to find those Linux ISOs from public P2Ps, and for that I think I will be booted off my VPS in a day or two. So eventually I think this will be better - dust off that old r-pi (or maybe get a new one), get a cheap HDD, get a VPN and let it stay at home and keep seeding.
1) I like Canadian shows in Netflix more than American
2) People in Silicon Valley get charged more on certain travel sites than people in Detroit.
I wonder how this compares to Florida vs Detroit... Hmmm...
But that was long ago. Now, HTTPS is the norm. The only use cases for consumer VPNs today seem to be (1) "pretend I'm in a different geography so I can stream that show I wanted to see" and (2) "torrent with slightly greater impunity".
I live in Seattle and Mullvad VPN seems to have bought approximately all of the ad space on public transit over the past couple months. Their messaging is all about "freeing the internet" and fighting the power. It's deeply silly and, I worry, probably quite good at attracting new customers who have no need for (or understanding of) VPNs whatsoever.
The UK law is stipulating adult content can only be viewed if you are provably over 18. They are putting all of that responsibility onto the websites/platforms to enforce that.
If a child goes to a shop and tries to buy a pornographic magazine and they are denied, is that censorship?
If a child tries to see an 18 film at the Cinema and is denied, is that censorship?
The fact is both of these were freely and easily done on the Internet as most websites do not verify a user's age.
I do not like the online safety act as it is, but it is not "censorship".
Sometimes circumstances force one to connect to a public WiFi (e.g. airports, where WiFi is always super dodgy).
There used to be a Firefox addon that could warn you if the actual certificate changed, but it died with manifest addons.
Also, does HSTS have something to do with the authority? AFAIK it only forces the browser to use HTTPS and never plain HTTP for that domain, but if you switch from a legit Let's Encrypt to a legit ZeroSSL cert, HSTS won't care about it; only the browser if you have a not-trusted certificate from another CA (or self-signed).
Of course, an astonishing number of (even important, high-profile) websites don't bother with HSTS preloading ¯\_(ツ)_/¯
With browsers adopting DoH, a public WiFi should not be able to interfere with DNS much.
Of the big VPNs, the only ones that have ever felt shady to me are NordVPN and Private Internet Access. NordVPN because of the sheer amount of false advertising they pay YouTubers to do, and Private Internet Access because of how cheap they are and how poorly they maintain their infrastructure. Their generated .ovpn files haven't worked for 2+ years now because they include certificates with malformed revocation dates, and they refuse to pay the certificate authority to update them.
Yep. And I use the VPN connection (and/or TOR) to re-up my Mullvad VPN when I run low.
Mostly I use the VPN to protect my privacy when posting with a throwaway account here and/or other sites. And of course for torrenting.
What's more, I had some monero (XMR) left over from some other transactions, so I use that to pay for the VPN connection.
As such, unless Mullvad is storing the IP address from which I connect (and they claim they do not), it would be difficult (but not impossible -- I don't always use VPN when posting anonymously/throwaway -- that isn't a challenge!) to identify me through my VPN connections.
What's the data/IP/etc retention logging situation of HN? Do they have a page on it?
No, they're not. ProtonVPN spends money to offer free accounts as a form of advertisement. Mullvad spends money on weird billboards.
ProtonVPN provides free privacy even for those from third-world countries. You can create a Proton email anonymously; that's also a ProtonVPN account.
ProtonVPN is principled on privacy.
That doesn't mean they're datamining their customers, but it is terrible optics.
Proton is great, and in many ways they're doing great stuff. But in this case I wouldn't call them principled.
- protecting your privacy from your local ISP, WiFi, school, government etc
- protecting your privacy from some forms of online tracking
- circumventing censorship
- circumventing geographical restrictions
If you combine masking of your IP address with a web browser that protects you from various types of browser-based fingerprinting, you are more in control of your privacy online. You get to decide, to a greater extent, who you share very personal information with. That doesn't seem very silly.
(disclosure: I'm one of the deeply silly cofounders of Mullvad)
If you have time, I'd love to hear your thoughts on Mullvad's campaign here in Seattle.
For what it's worth, I suppose my perspective boils down to: the first three issues aren't issues here in town, or can be addressed in more direct ways (we have a wide choice of providers; 1st party browsers and services cover the gamut of tracking concerns; etc). Circumventing geographical restrictions is useful, but -- perhaps understandably! -- doesn't appear to be what Mullvad is advertising on the trains I ride.
Regarding tracking concerns, masking your IP address is a necessary but insufficient first step to improving your privacy online. ISPs typically don't allow their users to do that per-device in a UX-friendly way. Protecting against browser fingerprinting is something that Mullvad Browser does quite well, thanks to it being a fork of Tor Browser.
As for circumventing geo restrictions, you're absolutely right. We make an effort to get it to work, but ultimately privacy and censorship are much more of a priority for us. That's why we don't advertise it.
Finally, the campaign isn't just about getting more customers. We started Mullvad for political reasons, and now we have the resources to spread that message further. Governments around the world are warming up to the idea of mandatory device-side mass surveillance and backdooring E2E encryption. We're trying to build public opinion against that.
> We're trying to build public opinion against that.
Good on you!
But to be honest, it seems that it would be in Mullvad's interest if the US starts requiring “open encryption” for internet services! Then more people would feel the need for VPNs.
* https://youtube.com/watch?v=WVDQEoe6ZWY
Here's a sixth one: for some users it can improve latency, bandwidth and/or even cost.
latency/bandwidth: because of weird peering agreements between ISPs / ASes.
cost: there are networks where consumers pay per MB for international traffic, but not local traffic. Consumers can sometimes establish a VPN tunnel to the local data center and get an unmetered international connection, because the data center has a different agreement with the monopolistic consumer ISP.
Like, if only dissidents and malcontents use a VPN (or TOR or HTTPS or E2E encrypted messaging apps) then if you want to reduce dissent, you can just round up all the VPN users and have them shot. If everyone uses VPNs for normal internet use, that becomes impractical.
I find that using a VPN over starlink is quite a different experience than terrestrial. I can VPN through another country and the speed isn't affected nearly as much. My guess is that the route is satellite to satellite, so it is much faster.
Cool.
Also funny, but it would be nice if you addressed the specific objection. Here are some of the new ads: https://mullvad.net/en/blog/advertising-that-targets-everyon... . Do you think they appeal more to consumers who are seeking "it keeps me vaguely secure", or it helps me watch Venezuelan Netflix and avoid some kinds of targeted advertising personalisation?
Usually the risk is you spend money you wouldn't have otherwise spent, but those profiles can also be used for future nefarious reasons. You're basically just relying on everyone running analytics to be good people, forever. Remember, anything on the internet is forever. And, even if they are, you're still relying on them having perfect security, forever. If a database breach happens and people now know everything data brokers and analytics services know... that's a problem.
IMO, nobody should browse the web without a reliable and trustworthy VPN, at all.
I'm pretty sure I did. I'll happily answer yours as well.
> Do you think they appeal more to consumers who are seeking "it keeps me vaguely secure", or it helps me watch Venezuelan Netflix and avoid some kinds of targeted advertising personalisation?
Between those two options, definitely "it keeps me vaguely secure". None of the ads you link to are intended for customers that want to circumvent geographical restrictions. We don't market to that customer segment.
Why? In almost all countries ISPs are at the very least legally required to block websites and even surveil their customers. I trust Mullvad about 100 times more than any ISP beholden to governments and profit incentive.
Worse, some of these are tied to foreign nation state intelligence, who are now analyzing your data when before they couldn't because they didn't have a relationship with your ISP. Domestically, I wouldn't be surprised if all of this data from US owned VPNs is shipped to the NSA or other groups and analyzed. After the Snowden reveals it's hard to really see this stuff as conspiracy anymore.
Weird technical issues happen because a lot of services don't keep VPNs in mind. I saw a lot of people were having issues connecting to multiplayer game servers. The VPN provider broke something, maybe it was on a blacklisted IP, maybe increased latency, maybe the IP is in the wrong region and people are connecting to a NA server but are in LATAM, etc.
I really don't know the use case for a VPN, not to mention advertising snooping happens on the application level anyway. It's JavaScript running on my browser and HTML5 and heaven knows what else analyzing me for ads, not "what IP did you connect from."
Lastly, there are privacy tools like onion and running a browser with no JS active. These VPN types don't do that. They're actually not getting the privacy and security they want because Tor is slow and a no-JS Firefox is unfun. So this weird cargo cult of VPNs has appeared, similar to stuff like "disable UAC" and other "computer enthusiast" knowledge you see in gamer or low information forums. It's the blind leading the blind here and these capitalist opportunists absolutely are taking advantage of that. "I'm safe I have a VPN," is a normal thing to say even though it's almost entirely wrong.
The only practical use case I can think of is torrents where the legal and political will to subpoena a VPN provider is low, so it's this weird loophole where you can torrent but your ISP will never be informed. For now I suppose, until the IP holders think the legal fees are worth it or get a law passed to sidestep subpoenas.
Courts can order providers to keep logs on certain users. Wiretapping laws also allow for it. And all of that goes out the window if the government decides there's a threat to national security.
> Domestically, I wouldn't be surprised if all of this data from US owned VPNs is shipped to the NSA or other groups and analyzed. After the Snowden reveals it's hard to really see this stuff as conspiracy anymore.
Even the "friendly" international ones aren't in the clear. Sweden isn't in FVEY, but they're in Fourteen Eyes. And we know from the XKeyscore leaks that the NSA hoovers up metadata like there's no tomorrow. I'd bet my house that anyone who connects to a commercial VPN or _especially_ to Tor lights up like a Christmas tree on the NSA's board – so they might not know for sure what you're doing, but they know you are possibly doing something.
Apple's Private Relay is probably the best chance to actually blend in, but estimates are 1-2% usage for "average users" and 3-5% for Wikimedia editors who I'd assume to have a technical slant. That's an order of magnitude too low for a crowd to exist to blend into, and with two friendly US entities on both sides of the privacy equation, I wouldn't rely on it to stand up against significant scrutiny.
> The only practical use case I can think of is torrents where the legal and political will to subpoena a VPN provider is low, so it's this weird loophole where you can torrent but your ISP will never be informed. For now I suppose, until the IP holders think the legal fees are worth it or get a law passed to sidestep subpoenas.
My analysis tends towards this: there's a gradient of behavior that is "tolerated" at each step. If you want to torrent, a cheap VPN is tolerated and your crimes will be overlooked... because it's far better to catch serious criminals through that VPN. If you want to buy LSD from a dark web site, Tor lets your crimes be overlooked, because the big fish are the sellers. If you want to commit a significant crime, TLAs know everything about you already and the DEA/HSI/FBI/USPIS/IRS-CI or your local equivalents are ready to parallel construct your ass to the wall when you become noticeable enough.
But maybe I'm not as pessimistic as you – the vast majority of people aren't at the far end of the spectrum, so if you want to infringe copyrights, $60 to Mullvad for a year is what you want.
1) I do believe it is quite private
2) the SOCKS5 proxy is useful to prevent qBittorrent connecting to the internet at work by mistake
3) if the network is spotty or a bit unstable the VPN hides the instability from apps
4) I don't trust my ISP DNS
5) geoblocking (Mullvad is not the best at this though)
In my estimation the main reason people use VPNs is for pr*n and piracy and they may not want to just flat out admit it.
I get the piracy part, but why would someone want/need VPN for pr0n? That's not a gotcha or snark, I don't understand why folks would "need" vpn for that (assuming it's not* non-consensual, which includes hidden cameras and/or animals or children -- neither of whom can actually provide meaningful consent) as long as it's legal.
Fair enough. And likely a host of other sites too, I guess.
I always assumed that was like head shops selling water pipes for "tobacco smoking"
A fig leaf, to keep their business respectable and the credit card processors off their backs.
VPNs work. I never got another single nasty letter from Suddenstink.
A few months back, I sat down for a week with a free trial of an obscure webapp, downloaded all of their data and formatted it into JSON via the JavaScript console, and pirated my first webapp. Since it's not making XHR calls constantly, it's even snappier than the official one. I'm inventing new piracy methodology. Some of us are more dedicated than the rest of you.
If you think they sell millions of subscriptions to "prevent identity theft" I have a bridge to sell you.
Your friends and relatives aren't going to tell you that they are using it for p0rn, online dating, to buy taboo things online, etc. That's the main use case for VPN software and that's why people are buying it. Doesn't matter if it works the perception that it works is more than enough.
[1] UNIVERSAL --> SECURE CONNECTION: https://youtube.com/v/zXyG_HncULU
It's the technical users whose myriad VPN use cases rather baffle me which in most cases eventually achieve little to none other than some sort of feeling of satisfaction or maybe placebo.
You mean the one owned by an Israeli billionaire? Hopefully they don’t find a way to make your monitor remotely explode.
https://hackread.com/private-internet-access-pia-vpn-sold-is...
This makes me feel a little uneasy about their unstated long-term goals (corner the entire market), but I do think they are the most trustworthy out there right now.
https://hackread.com/private-internet-access-pia-vpn-sold-is...
(I read somewhere a while back that they don't refresh their IPs (unlike some other VPNs?) but I have no special insight into this.)
As for our long term goals, take a look at our owner's directive: https://mullvad.net/en/blog/ownership-and-future-mullvad-vpn
We want to make online mass surveillance and censorship ineffective. Mullvad is political action through entrepreneurship. We're reinvesting a lot of our profit into open-source software and hardware projects that benefit both Mullvad and the wider community.
I really don't want us to "corner the entire market" because that would make us a single point of failure. I would like to think that our hard work helps push the market to keep improving.
May you continue to be the beacon of trustworthiness and hope that we all need right now
How were they ever even in any way trusted??? They are literally people's search results for sale and MITM as a service.
Whomever is responsible for your exit nodes actually gives you this functionality.
If it's tailscale itself then they use mullvad nodes as exit nodes which I welcome very much.
That's why I said tailscale lol. But I understand, I guess I said it in a confusing manner.
> If it's tailscale itself then they use mullvad nodes as exit nodes which I welcome very much.
You can also set one of your devices as an exit node for your Tailscale network. Kind of cool.
VPN providers all run the same two or three VPN protocols, all with similar security guarantees and privacy limitations.
I've been playing with MASQUE relays over the last year. Apple's iCloud Private Relay is a MASQUE relay (two, actually). MASQUE can offer genuine privacy improvements via traffic separation, preventing any single party from correlating the traffic source and destination.
Some of the privacy concerns of VPN users can be mitigated with better technology. And relays are built into Apple operating systems today. I'm surprised that they aren't very widely deployed yet.
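The traffic separation the comment above describes, as an added model that is not the commenter's, Apple's or any MASQUE implementation's code: each relay records only what crosses its own wire, so the ingress knows the client but not the destination and the egress knows the destination but not the client. Relay names, client addresses and hostnames are constructed; the logical clock stands in for the timing that two colluding operators would have to join on.

```python
"""
Who-sees-what model of a two-hop relay (ingress + egress) of the kind Apple's
Private Relay uses. Added illustration with constructed data; the real
protocol is MASQUE over HTTP/3 and the relays here are plain Python objects.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Relay:
    """One relay hop. It records only the fields visible on its own wire."""
    name: str
    log: list[dict] = field(default_factory=list)


@dataclass
class TwoHopRelay:
    ingress: Relay   # terminates the client's outer tunnel
    egress: Relay    # opens the connection to the destination
    clock: int = 0   # constructed logical clock standing in for wall time

    def connect(self, client_ip: str, dest_host: str) -> None:
        """Model one relayed connection and what each hop can observe."""
        self.clock += 1
        # Client -> ingress: the inner request naming dest_host is encrypted
        # end-to-end to the egress, so the ingress sees only the client's
        # address and that the tunnel leads to the egress relay.
        self.ingress.log.append(
            {"t": self.clock, "src": client_ip, "next_hop": self.egress.name}
        )
        # Ingress -> egress: the egress learns the destination it must reach,
        # but the source address on its wire is the ingress relay, not the
        # client.
        self.egress.log.append(
            {"t": self.clock, "src": self.ingress.name, "dest": dest_host}
        )


def can_link(relay: Relay, client_ip: str, dest_host: str) -> bool:
    """True if a single entry in this relay's own log ties client to host."""
    return any(
        e.get("src") == client_ip and e.get("dest") == dest_host
        for e in relay.log
    )


def colluding_links(ingress: Relay, egress: Relay) -> set[tuple[str, str]]:
    """(client, destination) pairs recoverable only when both operators pool
    their logs and join on timing. In this model the join is exact; against
    real traffic it is a statistical correlation, which is the property that
    padding and chaff schemes aim to degrade."""
    client_at = {e["t"]: e["src"] for e in ingress.log}
    return {
        (client_at[e["t"]], e["dest"])
        for e in egress.log
        if e["t"] in client_at
    }


def demo() -> TwoHopRelay:
    """Two constructed connections through a constructed relay pair."""
    relay = TwoHopRelay(Relay("ingress-relay"), Relay("egress-relay"))
    relay.connect("203.0.113.7", "news.example")     # constructed client/host
    relay.connect("198.51.100.42", "shop.example")   # constructed client/host
    return relay


if __name__ == "__main__":
    r = demo()
    print("ingress sees:", r.ingress.log)
    print("egress sees: ", r.egress.log)
    print("ingress alone links 203.0.113.7 -> news.example:",
          can_link(r.ingress, "203.0.113.7", "news.example"))
    print("egress alone links 203.0.113.7 -> news.example:",
          can_link(r.egress, "203.0.113.7", "news.example"))
    print("both operators colluding:", colluding_links(r.ingress, r.egress))
```

The last line of output is the caveat raised elsewhere in the thread: the separation holds only as long as the two relay operators do not pool their records.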
Stop trusting companies. They only care about 3 month profits.
Also, relying on its VPN for illegal activities is incredibly foolish since they log your IP and probably have your payment info.
[1] https://www.anonymous-proxies.net/products/
I don't know anything bad about Mullvad! That being said I, as a small business owner in this space, will not use any of them, ever. I know it sounds like a "yeah right" because I sell the services but I know better.
Is it even possible for them to do something like this for people who just use the OpenVPN/Wireguard configs and don't install an app?
If you weren't you, would you trust your service?
Where do you get residential proxies? I ask because I'm always reminded of https://sponsor.ajay.app/emails/.
Like reverse VPN :) on one side makes client look like he's accessing internet from VPN exit location, and on the other end allowing for money someone to pretend that he's a residential client.
And it's not even illegal, not even shady. I see nothing wrong with getting paid to help big companies compete with/destroy each other.
As a bonus you help rid the world of Cloudflare. Cloudflare serves more captchas to ISPs with more proxies. When every ISP is captcha'd, every user will hate Cloudflare.
It's not a get rich quick scheme - there's low demand for proxying at that kind of price.
I'm not going to shill specific companies, so just Google 'get paid to share mobile data' or something.
> Bright Data is the World’s Largest Residential Proxy IP Network providing companies the ability to emulate a real user in any country, city or carrier (ASN) in the world. [...] Bright Data has an SDK (software development kit) that is implemented into applications. Bright SDK provides an attractive alternative to advertisements by providing the app user with the choice to opt-in to Bright Data’s network instead. For every user that opts-in to the Bright Data network, Bright Data pays a monthly fee to the application vendor, who passes that value on to the user by not displaying ads.
I haven't heard of any of the VPN providers doing this, but it wouldn't really surprise me.
There are however a fair number of commercial proxies that do exactly that, sometimes via consumer malware. I know several startup founders who have used them as a way to scrape lots of data and not get banned. Usually the interface they provide to the customer is just a normal SaaS “pay us money and give us a list of URLs and we will give you the page content”, and the interface they provide to the end user is a game or marginally useful utility, and nobody but the company realizes they’re doing something dodgy.
I mean, this seems like the company name equivalent of the yellow and black stripes on a wasp. It is a _warning_.
That said, the few implementations I have tested before seemed leaky and not as useful as they claim.
IPSec perhaps less so since it is more complicated and open to insecure configurations (transport mode).
Almost everyone I know uses VPNs only to bypass restrictions, not for fear or privacy.