The Sweden-based VPN provider Mullvad says that it was recently served with a search warrant by police that demanded the company turn over logs of user data. The only problem? Mullvad doesn’t appear to collect any such logs.
On Thursday, the company published a blog post about the incident, saying that two days earlier, on April 18, officers from the National Operations Department—Sweden’s top police force—visited the VPN provider’s headquarters with the intent to “seize computers with customer data.” Mullvad says that the cops walked away empty-handed:
“Swedish Police...intended to seize computers with customer data. In line with our policies such customer data did not exist. We argued they had no reason to expect to find what they were looking for and any seizures would therefore be illegal under Swedish law. After demonstrating that this is indeed how our service works and them consulting the prosecutor they left without taking anything and without any customer information.”
The question of whether VPN companies collect and store logs of user data is a big issue for the industry. The whole point of a VPN is that it’s supposed to protect your privacy—and that means the ability to route your web traffic through a provider’s servers without the company collecting data that can later be turned over to police or sold to a third party. Almost all companies swear that they don’t collect logs—and that they never would. However, incidents involving police have revealed multiple times that companies either have been collecting information unbeknownst to their users or that they have collected information about a specific user at the behest of police.
That’s what happened in the case of a provider called PureVPN in 2017. The U.S. Justice Department arrested a cyberstalker accused of despicable activity by grabbing IP address logs that had been collected by the privacy provider. Arresting a cyberstalker is a good thing, but what the arrest revealed was that PureVPN had been keeping information that a lot of users thought was private. (It should be noted that PureVPN has since committed to a “zero-logs” policy, and says it uses independent audits to verify this commitment.)
There are obviously some pretty bad people out there and there are clearly times when cops really need access to a person’s web activity. Unfortunately, companies that collect user logs defeat the entire point of a VPN. The whole point is that nobody has access to your data but you.
Gizmodo reached out to Sweden’s National Operations Department to inquire about the incident involving Mullvad and will update this story if we hear back.