Yes, indeed, if there is identifiable traffic coming from the OS, you're screwed. This is why I said "not all traffic is indeed personally identifiable". If you are doing things where you have to be anonymous, there are plenty of OSes you can run to not have all those things giving away your identity. If you think just adding a VPN on top of the OS you use for other things, you're screwed.
I think you're missing the point here. Even if you use Tor browser or a completely new OS installation of Tails or whatever, if your payment method can be tied to you, you're once again screwed. Being able to anonymously pay removes that vector; it's as simple as that.
The point was exactly that – you are already screwed, irrespective of being able to pay anonymously. If you are the kind of actor who will (or needs to) take all the countermeasures needed to be truly anonymous at a whole machine traffic level, then you are likely not going to be using Mullvad.
To a typical customer of Mullvad who also reads HN I would say this – you aren't going to gain any additional privacy by using anonymous payments. Here's why: either you believe Sweden is a safe haven for user data privacy or not.
– If it is, then you have nothing to worry about even with payment method tied to you.
– If it is not, then a Swedish government agency can compel Mullvad to reveal the customer details (like payment method details) based on the WireGuard UDP socketpair details. But then they can also very likely compel Mullvad to give them a live dump of traffic within the tunnel.
For truly high-risk people (journalists/whistleblowers against powerful entities, not regular geeks who want to block ad tracking), I'm not sure if any VPN service like this is a net help or does it actually cause more harm.
> If you are the kind of actor who will (or needs to) take all the countermeasures needed to be truly anonymous at a whole machine traffic level, then you are likely not going to be using Mullvad.
That's the wrong conclusion. The right one is: if you're the kind of actor who needs 100% privacy, Mullvad is likely a part of the solution (because of their track record), together with many other services and tooling. No one relies on one part to remain anonymous, as again, privacy and security depend on layers, not just a single layer.
> either you believe Sweden is a safe haven for user data privacy or not.
Even if Sweden is "a safe haven for user data privacy" or not, the government is not the only threat against Mullvad. Mullvad themselves, the location where they have their servers, their payment processors and many others can also be compromised. Paying Mullvad in cash (and protecting yourself in more ways) helps more than paying with a credit card attached to your full name, as any middleman can be compromised (and not just by a government).
> For truly high-risk people (journalists/whistleblowers against powerful entities, not regular geeks who want to block ad tracking), I'm not sure if any VPN service like this is a net help or does it actually cause more harm.
High-risk people don't rely on a single VPN service but again, layers of them in order to facilitate things like proxy chaining and multi-hop.
But talking with you back and forth makes it clear that you haven't actually engaged with any of these "high-risk people" you feel so sure to proclaim how things work for. I urge you to actually talk to some of them and see what kind of setup they can tell you about, as you'll learn some more about how you can protect yourself and remain anonymous, if you really want to.