
While I generally believe it to be possible, I am very curious about how Mullvad is storing its payment records to avoid time-based correlations.

For gift cards it's more async, but given that payment processors keep records that can be correlated, if Mullvad isn't careful about timestamping, how it records crediting to accounts, or the like, it would be extremely easy to de-anonymize account relations IMO.



Yes, I definitely think that would be possible. Mullvad clearly lays out what information is stored and for how long depending on the payment method you use[1] and there are clearly trade-offs. If you want the most "anonymous" account possible it's going to take a few days while you wait for an envelope of cash to get to them. For other users it might not be a big deal to use a faster payment method. The important thing is disclosure so users can make their own assessments about their personal risks/rewards.

[1] https://mullvad.net/en/help/no-logging-data-policy/


It's kinda funny that cash is mentioned because at least according to rules I see posted by the Japan post, you can't send over 100 Krone (~$15) via mail into Sweden from abroad.

I suppose if you're in the EU you might be able to get away with it but it is indeed tough.

The main thing that I think is missing in Mullvad's FAQ is whether they have backups of their data. If they do, then differential analysis is possible. Perhaps they only keep backups of the past 14 days or something.

There are a couple of risks involved in using this service:

- adversary identifies that a Mullvad user is doing something, and activity started around X. They might be able to figure out what account number is associated to that.

- adversary identifies that Mullvad user X is doing something. Through payment records and differential analysis (along with other information from banks or the like) they could identify who user X is (modulo credit card theft and the like of course).

Given that Mullvad had accounts with payment processors and those processors have record keeping requirements, it feels like the second threat is very practically doable without very smart handling of backups. But it does seem like handling the first threat is done relatively well. The one risk is that someone starts doing something risky right as they sign up to the account.

Mullvad states 500k accounts. Over 10 years that's 136 people/day. You're still looking at a pretty wide net if you can isolate payments from a certain time period.
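The timestamp concern raised in this thread, worked through as an added example that is not part of any comment and is not Mullvad's code: it measures how many accounts remain consistent with one processor-side payment time when the service stores credit times at second, hour, or day granularity. The account data, the even spacing, the 60-second delay window and all function names are constructed assumptions; only the 136 accounts/day rate comes from the thread.

```python
# Constructed data: times are seconds from an arbitrary epoch, not real records.
DAY = 86400
PER_DAY = 136  # sign-up rate quoted in the thread


def make_credits(days=3, spacing=630):
    """Return {account_id: true_credit_time}, evenly spaced (constructed)."""
    return {d * PER_DAY + k: d * DAY + k * spacing
            for d in range(days) for k in range(PER_DAY)}


def stored_timestamp(t, granularity):
    """What the service retains: the credit time truncated to `granularity` s."""
    return (t // granularity) * granularity


def candidate_accounts(credits, payment_time, max_delay, granularity):
    """Accounts whose stored timestamp is consistent with a payment seen at
    `payment_time` and credited at most `max_delay` seconds later."""
    lo, hi = payment_time, payment_time + max_delay
    out = []
    for acct, t in credits.items():
        s = stored_timestamp(t, granularity)
        # The true credit time lies in [s, s + granularity); keep on overlap.
        if s <= hi and s + granularity > lo:
            out.append(acct)
    return out


def anonymity_by_granularity(granularities=(1, 3600, DAY)):
    """Map each storage granularity to the size of the candidate set."""
    credits = make_credits()
    target = 1 * PER_DAY + 60            # one account on the second day
    payment_time = credits[target] - 20  # processor logs it 20 s before credit
    sizes = {}
    for g in granularities:
        cands = candidate_accounts(credits, payment_time, 60, g)
        assert target in cands           # coarsening must never exclude the truth
        sizes[g] = len(cands)
    return sizes


if __name__ == "__main__":
    for g, n in anonymity_by_granularity().items():
        print(f"stored granularity {g:>5}s -> {n} candidate account(s)")
```

The same comparison applies to any retained backup: a snapshot taken between two credits narrows the candidate window regardless of how coarse the live timestamps are.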



