B

Mullvad VPN

Some concerns
Amagicom AB · 🇸🇪 Sweden
Technical details
App: net.mullvad.mullvadvpn
Manufacturer: Amagicom AB

The bottom line

When Swedish police came to Mullvad's offices with a search warrant in April 2023, there was nothing to find. Mullvad doesn't know who its customers are (anonymous cash and crypto payments), doesn't log traffic, and runs RAM-only servers. The officers left empty-handed. Sweden's FRA intelligence agency can tap internet cables, but Mullvad's WireGuard encryption means the tapped data is unreadable. The system works as advertised. Mullvad dropped the older protocol that worked best in China and Iran. Their alternatives are newer and less proven.

Legal jurisdiction
🇸🇪 Sweden (headquarters)
GDPR (IMY)
First to rule Google Analytics illegal in the EU. The FRA Law allows signals intelligence on all cross-border cables.
Spying: 1/4 LOW. Is someone spying on me?
Data Sharing: 2/4 MODERATE. Who gets my data?
Security: 2/4 MODERATE. Is it actually secure?
Honesty: 1/4 LOW. Can I trust what they say?
ACCEPTABLE: Moderate concerns. Standard privacy hygiene applies.
5 Contradictions
0 Critical
0 High
4 Medium
2 Sources
Findings by concern
Spying 1/4 LOW 1 finding
⚫ medium: firmware analysis vs regulatory findings
When Swedish police came to Mullvad's offices with a search warrant in April 2023, there was nothing to find. Mullvad doesn't know who its customers are (anonymous cash and crypto payments), doesn't log traffic, and runs RAM-only servers. The officers left empty-handed. Sweden's FRA intelligence agency can tap internet cables, but Mullvad's WireGuard encryption means the tapped data is unreadable. The system works as advertised.

What they claim: Sweden's legal framework doesn't require VPN logging.

What we found: Sweden is a 14 Eyes member, and the FRA can surveil cross-border cables, but Mullvad's encryption prevents access. Quantum-resistant tunnels address 'harvest now, decrypt later.' The 2023 raid validated this: there was nothing to find.

Data Sharing 2/4 MODERATE 1 finding
⚫ medium: firmware analysis vs policy claims
Mullvad dropped the older protocol that worked best in China and Iran. Their alternatives are newer and less proven.

What they claim: WireGuard-only provides sufficient protocol options.

What we found: OpenVPN was removed in Jan 2026. Some firewalls and censorship systems block WireGuard. Mullvad mitigates this with UDP-over-TCP and Shadowsocks, which are less battle-tested than OpenVPN's 20-year record in censored environments.

Security 2/4 MODERATE 1 finding
⚫ medium: firmware analysis vs app permissions
A serious bug found by auditors, but only exploitable with computer access. Fixed before anyone could use it.

What they claim: CVE-2024-55884 (CVSS 9.0): signal handler memory corruption.

What we found: Found via proactive audit. Required local access. Fixed in 2024.8/2024.9. Auditors: 'high security level.' No exploitation in the wild.

Honesty 1/4 LOW 2 findings
⚫ medium: regulatory findings vs firmware analysis
Mullvad depends on two people. If something happens to them, there's no backup. The code is open source but the servers can't be copied.

What they claim: Mullvad's architecture protects against all threats.

What we found: Single company risk: two founders, no succession plan. No federation. Open source could be forked but infrastructure can't. No bug bounty program.

✔️ low: policy claims vs firmware analysis
Mullvad doesn't work for Netflix, has fewer servers, and costs $5/month with no free option. They built a privacy tool, not an entertainment product.

What they claim: Mullvad is a complete privacy solution for all use cases.

What we found: Smaller network (~578 vs thousands). No streaming unblocking (by design). No free tier. WireGuard-only may not penetrate all censorship. Real limitations for some users.

Sources