Mullvad VPN has informed its users that the Swedish Police raided its office with a search warrant, but the company told them it hosts no user data.
“On April 18, at least six police officers from the National Operations Department (NOA) of the Swedish Police visited the Mullvad VPN office in Gothenburg with a search warrant. They intended to seize computers with customer data.” – Mullvad VPN
As the company’s statement explains, Mullvad told the law enforcement officers that if they proceeded to confiscate equipment, they would violate Swedish law, as the company’s policies clearly state that no user data is collected or hosted anywhere.
After producing evidence of how its VPN service works, Mullvad says the police consulted the prosecutor and left the premises without taking anything. This means that no data was compromised, but Mullvad underlines that user data would still be safe even in the case of equipment seizure.
The statement closes by mentioning that in the 14 years of the VPN service’s operation, this was the first time that police visited their offices with a search warrant.
RestorePrivacy attempted to clarify some points about the incident, but a company spokesperson told us that they are also in the process of gathering more specific information about the police’s request at the moment.
Mullvad gave RestorePrivacy some information about the applicable laws that can lead to on-premises searches, with the only one justifying the action being The Swedish Code of Judicial Procedure (1942:740) (RB), which presupposes that the police have reasonable expectations of finding evidence that will help in their investigation.
The Electronic Communications Act (2022:482) (LEK), which applies to electronic communications networks and services, does not apply to VPN service providers, while “know your customer laws” also do not apply in Mullvad’s case because the company does not offer financial, exchange, or trading services.
“Since Mullvad VPN is not required by law to collect any data related to our users’ activities online – and since the pure purpose of our service is to protect users from the collection of such data – it is in our interest, our customers’ interest, all our employees’ and owners’ interest to not collect any data and therefore there is no reasonable grounds to doubt that WE DO NOT COLLECT ANY DATA ABOUT OUR USERS’ ACTIVITIES ONLINE,” reads the additional comment the VPN provider sent to RestorePrivacy.
“It is also reasonable to understand that we delete any information we have about a user (even an e-mail to our support) as soon as possible.”
It should be noted that no-user-data retention promises are standard across all large VPN providers today and verifiable by multiple external audits. However, the applicable national laws often make a difference in what seizures and data extraction and examination can be conducted.