
The VPN Trap: Why Most "Privacy" Tools Are Actually Surveillance Hubs


The Architectural Reality: Shifting Trust, Not Eliminating It

Although we strongly recommend always using Tor for your anonymity and privacy, there are specific operational realities where Tor alone is insufficient or counterproductive.

Sometimes, you need to perform tasks that cannot be done on Tor due to blocking or performance constraints. More critically, you may find yourself in a jurisdiction where the mere act of using Tor, even with obfs4 bridges, draws suspicion from network administrators or state actors. In these scenarios, you might consider hiding your Tor activity behind a VPN (a "Tor-over-VPN" configuration).

But here is the hard truth: Choosing a VPN does not eliminate trust; it shifts it.

By connecting to a VPN, you are moving your point of vulnerability from your Internet Service Provider (ISP) to the VPN operator. And in the vast majority of cases, this shift makes your security situation worse, not better.

Why? Because the VPN industry is not a market of privacy advocates. It is a market of data harvesters, surveillance proxies, and corporate front groups.

This post is not a list of "top 5 VPNs." It is an architectural audit of the VPN landscape. We will expose why most commercial VPNs are dangerous, dissect the ownership structures that create illusions of competition, and finally, identify the only two services that meet the rigorous standards required for a Qubes OS workflow.

The Myth of the "Magic Wand"

For the average user, a VPN is marketed as a magic wand: one click, and you become invisible, untraceable, and protected from surveillance.

The reality is far more complex. A VPN does not provide a significant shield against sophisticated threats. Instead, you are merely transferring your monitoring and surveillance from your local ISP to a company operating VPN servers.

The problem is that this market is filled with operators who do not care about your security. In fact, many are active enemies of privacy. From data-harvesting "free" apps to large, well-known companies that prioritize shareholder profit over user protection, the industry is littered with landmines of false claims.

The Economic Reality: If It's Free, You Are the Product

The VPN world is astonishingly unregulated. Today, almost anyone can rent a server, create a flashy website, make grand claims like "military-grade encryption," and enter the business of collecting user data.

Maintaining a secure, reliable, and global VPN network is expensive. Servers, bandwidth, software development, and independent security audits require substantial capital. Therefore, whenever a VPN is completely free, lacks clear corporate identity, has vague logging policies, and has never undergone an independent audit, only one question arises:

How is this entire system being funded?

In most cases, the answer is simple: The product is not the VPN, you are.

Trustworthy services charge subscription fees to cover operational costs. Fraudulent "free" VPNs treat the user as the product. They collect:

  • Your real IP address and device identifiers.

  • Detailed browsing history and connection metadata.

  • Lists of installed applications.

  • Precise geolocation data.

Worse still, many of these applications install malware on the user's device, granting access to encrypted messages and local files. This data is sold to advertising networks and, in some cases, state intelligence agencies.

Because a VPN sits between the user and the internet, if it is storing logs, it knows everything. Even without full content, metadata (which IPs you contacted, when, and how often) is sufficient to build a detailed behavioral profile.

The Illusion of Competition: Consolidation and Ownership

The deception of VPN services extends beyond data collection into a complex web of ownership and control. Investigations reveal that the apparent diversity in the VPN world is often an illusion. Many popular "free" apps are not independent companies but subsidiaries of a few large corporations selling the same product under different names.

The Chinese Connection

Approximately one-third of all VPN apps on the internet are made by Chinese companies. These entities often lack clear public identities or ownership disclosure. Under Chinese policy, they maintain complete records of user activity and provide that information to the Chinese government, which in turn exchanges it with other intelligence agencies based on foreign policy interests.

Case Study: SuperSoftTech

  • Apps: Super VPN, Link VPN, LunaVPN.

  • The Danger: Super VPN is one of the most downloaded Android apps globally. Research by an Australian firm ranked it third in the world for installing malware on user devices.

  • Technical Failure: Beyond malware, it uses extremely weak encryption with hardcoded keys that never change. But the protocol is irrelevant when the client itself is a Trojan.

Case Study: Innovative (LemonClove / Autumn Breeze)

  • Apps: Turbo VPN, VPN Monster, VPN Master, Signal Secure VPN, HotspotVPN, and more.

  • The Deception: This single entity operates over a dozen apps under three different company names (Innovative, LemonClove, Autumn Breeze).

  • The Smoking Gun: All three "companies" use the same servers, are registered at the same building address, and use generic Gmail addresses for contact. They are a single data-harvesting operation masquerading as a competitive market.

The Western Commercial Trap: Point Wild (USA)

Moving away from the Chinese sector, we encounter a different but equally dangerous model: the US-based commercial giant that leverages "legitimacy" to mask surveillance.

Case Study: Point Wild (formerly Pango Group)

  • Headquarters: United States.

  • Owned Brands: Hotspot Shield, Ultra VPN, Betternet, Touch VPN, Aura, OVPN, JustVPN.

  • The Malware Connection: Research by an Australian firm ranked Betternet (a Point Wild product) as fourth in the world for installing malware on user devices.

  • The Antivirus Conflict: This same company develops the antivirus software TotalAV and TotalSecurity. This creates a catastrophic conflict of interest: a company selling "protection" while simultaneously distributing malware through its own VPN suite. If one product in a suite installs malware, the entire trust model collapses.

  • Lack of Audit: None of Point Wild's products have ever undergone an independent security audit. Their "security" is a marketing claim, not a verified architectural reality.

Mainstream Commercial VPNs: The "Legitimate" Threat

After understanding the dangers of "free" apps and opaque commercial giants, we move to the major brands that dominate the privacy discourse. These are legally established companies with massive marketing budgets. However, from a serious threat modeling perspective, legal status is not enough.

Their profit-driven business structures, corporate affiliations, and need to satisfy shareholders often make them more dangerous for users requiring genuine confidentiality.

The VPN Trust Initiative (VTI) Scam

The VPN Trust Initiative (VTI) claims to be an alliance of providers "committed to advancing privacy, security, and responsible innovation."

In reality, it is a self-regulatory club where large corporations enroll their own subsidiaries to artificially inflate membership numbers and cement market dominance. Research shows the alliance is effectively owned by only three parent companies:

  1. Kape Technologies

  2. Nord Security

  3. Ziff Davis

When these companies claim to be "committed to privacy," they are committed to increasing profits. The VTI is a stamp of approval for existing industry practices, diverting attention from the fact that these are commercial entities answerable to stakeholders, not users.

Deep Dive: Kape Technologies (Israel/US)

Kape Technologies is perhaps the most concerning entity in the privacy space due to its direct lineage to intelligence operations and its history of malicious software distribution.

  • Ownership & Jurisdiction: The company is owned by Israeli billionaire investor Teddy Sagi. Both the founder and the current owner are Israeli citizens, operating with significant ties to the US and Israel.

  • Intelligence Lineage:

    • Founder/Former CEO: Koby Menachemi served as a senior official in Unit 8200, Israel's premier signals intelligence agency (equivalent to the NSA). This is not a coincidence; it is a structural feature of the company.

    • Former CIO: The company's former Chief Information Officer was a former member of the US military who worked as a hacker for the United Arab Emirates in Project Raven. In this role, he developed Karma, a sophisticated hacking tool used to compromise targets.

  • The "Review Site" Cartel: Kape owns Vpnmentor.com and Wizcase.com. These sites present themselves as "independent" and "unbiased" review platforms, yet they consistently rank Kape's own products (ExpressVPN, CyberGhost, PIA) as the top choices. They receive millions of visitors monthly, creating a closed loop of manufactured authority.

  • History of Malware: Before rebranding to Kape Technologies in March 2018, the company was known as Crossrider. During this period, Crossrider was notorious for installing adware and malware on user devices, stealing sensitive information, and transmitting it to company servers. The rebranding was a strategic move to distance the company from its toxic reputation.

  • Financial Scandals: Owner Teddy Sagi was named in the Panama Papers (2016) and Pandora Papers (2021), revealing involvement in 60 tax fraud cases. In 1996, he was convicted in a Tel Aviv court for bribery, fraud, and stock manipulation, serving a nine-month prison sentence.

Threat Model Implication: Using a Kape product means trusting a company founded by an intelligence officer, led by a former state-sponsored hacker, owned by a convicted fraudster, and marketed by its own fake review sites.

Deep Dive: Nord Security (Poland/Global)

Nord Security presents a different risk profile: one of negligence, opacity, and reliance on surveillance infrastructure.

  • Owned Brands: NordVPN, NordLayer, Surfshark VPN.

  • The 2018 Breach & Cover-up: In 2018, a NordVPN server in Finland was hacked. The attacker gained access to user logs and information.

    • The Silence: NordVPN remained completely silent about the incident for months. They did not inform users that their data had been compromised.

    • The Exposure: The breach was only confirmed after the media exposed it. For a company selling "privacy," concealing a breach is a fundamental betrayal of trust. It suggests that protecting the company's stock price was prioritized over user safety.

    • The Question: If they can hide information this sensitive, what else are they hiding?

  • Google Dependency: Despite claiming to protect privacy, the NordVPN application continually pings Google servers on Android, iOS, and desktop platforms. Users utilizing a VPN to escape surveillance are inadvertently sending telemetry to Google, the world's largest data collector and seller.

  • Marketing Over Substance: Nord Security spends enormous sums on advertising, paying social media influencers, YouTubers, and privacy bloggers to recommend their service as the "number one" choice. This creates a perception of superiority that is not backed by technical transparency.

Threat Model Implication: Nord Security has demonstrated a willingness to conceal security failures and relies on the very surveillance infrastructure (Google) that privacy users seek to avoid.

Defining the Gold Standard: Trust Minimization, Not Trust Maximization

After examining the exploitative traps of deceptive "free" apps and the attractive narratives of large commercial corporations, we arrive at the core architectural principle of this series:

Trust in the provider should be minimized, not maximized.

The goal is not to find a company that "promises" privacy. Promises are cheap; code and infrastructure are verifiable. The goal is to build a system where the provider possesses as little information about you as physically possible: anything they could know, they could also store or be forced to disclose.

To be considered for a Qubes OS workflow, a VPN service must meet the following Five Pillars of Verification:

1. Anonymous Account Creation

  • Requirement: No email address, phone number, or personal information should be linked to the account.

  • Why: If you sign up with your real email, the VPN provider can link your entire browsing history to your real identity. If they are subpoenaed, that link is the first thing they hand over.

2. Open-Source Code

  • Requirement: Every line of client code must be publicly available for independent auditing.

  • Why: Closed-source clients are black boxes. They could contain backdoors, keyloggers, or telemetry that sends data to third parties. Open source allows the community to verify that the client does exactly what it claims to do.

3. RAM-Only Infrastructure

  • Requirement: Servers must run entirely on volatile memory (RAM). No data should be written to persistent disk storage.

  • Why: If a server is seized by authorities or physically compromised, a hard drive can be cloned and analyzed. RAM, however, is wiped instantly upon power loss or reboot. If the server is running on RAM-only, there is nothing to seize.

4. Transparent Ownership & Jurisdiction

  • Requirement: The company's leadership must be publicly known, and its legal jurisdiction must be clear and favorable to privacy (or at least not part of the "14 Eyes" intelligence alliance).

  • Why: Hidden ownership often hides hidden agendas. Knowing who owns the company tells you who they are legally obligated to serve.

5. Independent Audits

  • Requirement: Regular, third-party security audits of both the code and the "no-logs" claims.

  • Why: Self-certification is meaningless. An independent firm must verify that the infrastructure actually works as advertised.

The Contenders: Proton VPN vs. Mullvad VPN

Based on the criteria above, the vast majority of the VPN market is disqualified. Only two services consistently meet these strict standards: Proton VPN and Mullvad VPN.

While both are excellent, they serve slightly different threat models. Let's break them down architecturally.

1. Mullvad VPN: The Uncompromising Architect

Headquarters: Sweden (Outside 14 Eyes, but within EU GDPR)
Operational Since: 2009

Mullvad is the undisputed champion of trust minimization. They have taken the philosophy of "zero knowledge" to its absolute logical conclusion, offering a suite of advanced features designed to defeat not just human observers, but AI-driven traffic analysis and future quantum threats.

Core Identity & Payment

  • The Account Number System: You do not create an account with an email. You are assigned a random 16-digit account number. That number is your identity. There is no database linking you to an email, phone, or name. If you lose the number, you lose the account. There is no "password reset."

  • Anonymous Payment: You can pay via cash (mailed to their office), gift cards, bank transfer, or cryptocurrencies including Monero (XMR). Monero is crucial here because it leaves no transaction trail, unlike Bitcoin which is pseudonymous but traceable.

Advanced Traffic Analysis Protection (DAITA)

Standard VPNs encrypt content but leave metadata exposed: packet sizes, timing, and flow patterns. Researchers can use these characteristics to perform website fingerprinting.

  • DAITA (Defense Against AI-guided Traffic Analysis): Mullvad's proprietary system actively fights this. It pads packets, randomizes traffic patterns, and injects cover traffic to make your connection indistinguishable from noise.

  • Trade-off: Slightly higher bandwidth usage and latency, but essential for high-threat environments where AI-driven surveillance is a reality.
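To make the metadata leak concrete, here is an added, constructed simulation (not Mullvad's code, and only a crude stand-in for DAITA): an on-path observer classifies page loads of three hypothetical sites from encrypted packet sizes alone, then the same classifier is run after every packet is padded to the MTU and random cover packets are appended. The site profiles and the padding scheme are assumptions for illustration.

```python
import random

MTU = 1500
BIN_WIDTH = 100  # size histogram bins: 0-99, 100-199, ..., 1500

# Constructed packet-size profiles for three hypothetical sites (not real measurements).
# Each entry is (mean_bytes, stddev) for one packet of the page-load burst.
SITE_PROFILES = {
    "site-A": [(80, 10), (1400, 50), (1400, 50), (300, 40), (1400, 50)] * 4,
    "site-B": [(120, 15), (600, 80), (1200, 90), (150, 20)] * 5,
    "site-C": [(60, 8), (1400, 30)] * 10,
}


def sample_trace(site, rng):
    """One observed page load: a list of packet sizes in bytes, clamped to [40, MTU]."""
    return [max(40, min(MTU, int(rng.gauss(mean, sd)))) for mean, sd in SITE_PROFILES[site]]


def pad_trace(trace, rng, cover_max=15):
    """Assumed padding defence (a simplification of the DAITA idea): every packet is
    padded to the MTU and a random number of MTU-sized cover packets is appended, so
    neither sizes nor the packet count reflect the page being loaded."""
    return [MTU] * (len(trace) + rng.randint(0, cover_max))


def features(trace):
    """Size histogram: what an observer can compute from encrypted packets without keys."""
    bins = [0] * (MTU // BIN_WIDTH + 1)
    for size in trace:
        bins[size // BIN_WIDTH] += 1
    return bins


def centroid(vectors):
    n = len(vectors)
    return [sum(col) / n for col in zip(*vectors)]


def l1(a, b):
    return sum(abs(x - y) for x, y in zip(a, b))


def fingerprint_accuracy(defence=None, n_train=30, n_test=30, seed=7):
    """Train a nearest-centroid classifier on observed traces, then score it on fresh
    traces. `defence` (if given) is applied to every trace before the observer sees it."""
    rng = random.Random(seed)
    observe = (lambda t: defence(t, rng)) if defence else (lambda t: t)
    centroids = {
        site: centroid([features(observe(sample_trace(site, rng))) for _ in range(n_train)])
        for site in SITE_PROFILES
    }
    correct = total = 0
    for site in SITE_PROFILES:
        for _ in range(n_test):
            vec = features(observe(sample_trace(site, rng)))
            guess = min(centroids, key=lambda s: l1(vec, centroids[s]))
            correct += guess == site
            total += 1
    return correct / total


if __name__ == "__main__":
    print(f"no defence: {fingerprint_accuracy():.2f}")   # near 1.0: sizes alone identify the site
    print(f"padded:     {fingerprint_accuracy(defence=pad_trace):.2f}")  # near 1/3: chance
```

The extra bytes sent by `pad_trace` are the bandwidth trade-off the text describes; a real defence also has to hide timing, which this histogram-only model ignores.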

Future-Proofing: Quantum Resistance

  • Quantum Resistant Tunnels: Traditional WireGuard uses X25519 for key exchange. While secure today, future large-scale quantum computers could theoretically break this.

  • The Solution: Mullvad adds a post-quantum key exchange layer alongside WireGuard. This protects against "harvest now, decrypt later" attacks, where adversaries store encrypted traffic today to decrypt it once quantum computers become viable.

  • Recommendation: Enable this unless you have a specific reason to prioritize raw speed over long-term secrecy.

API Access Methods

The Mullvad application must contact Mullvad infrastructure for server information, account validation, updates, and connectivity. Three methods exist:

  1. Direct: The app communicates with Mullvad servers directly without intermediaries. Best for uncensored networks where privacy is the primary concern.

  2. Using Mullvad Bridges: Connection is routed through a bridge before reaching Mullvad infrastructure.

    • Benefits: Helps bypass VPN blocking, hides direct connections to Mullvad infrastructure.

    • Best For: Anti-censorship and VPN-blocking environments.

    • Trade-off: More latency and complexity.

  3. Using Encrypted DNS Proxy: DNS lookups to Mullvad services are performed through encrypted DNS.

    • Benefits: Prevents local DNS monitoring, faster than bridges, less overhead.

    • Best For: Normal privacy use, networks without active VPN blocking.

    • Trade-off: Does not hide the final connection to Mullvad infrastructure; less effective against IP-based VPN blocking.

The Anti-Censorship Arsenal (Transport Protocols)

Mullvad does not rely on a single protocol. It offers a modular toolkit to bypass Deep Packet Inspection (DPI) and restrictive firewalls:

  1. WireGuard (Standard): Fastest speeds, lowest latency, modern cryptographic design, small codebase. Drawback: Relatively easy for sophisticated DPI systems to fingerprint. Best for normal VPN usage.

  2. WireGuard with Custom Ports: Allows WireGuard on ports 53, 123, 4000–33433, 33565–51820, 52001–60000.

    • Benefits: Helps bypass simple firewall rules.

    • Limitation: Changing ports does not significantly change the WireGuard protocol fingerprint itself. Advanced DPI can still identify WireGuard traffic.

  3. LWO (Mullvad Obfuscation): A specialized WireGuard obfuscation layer that makes traffic more difficult to classify.

    • Benefits: Better censorship resistance than plain WireGuard, maintains relatively good performance.

    • Drawback: Additional overhead.

  4. QUIC Transport: Leverages the QUIC protocol (used by HTTP/3, Google services, Cloudflare, modern CDNs).

    • Benefits: Blends into normal internet traffic, high collateral damage if broadly blocked, often one of the most effective anti-censorship options.

    • Drawback: Not invisible to advanced DPI, slight overhead compared to plain WireGuard.

    • Best For: Many censorship environments where QUIC remains widely allowed.

  5. Shadowsocks: An encrypted proxy technology designed specifically for censorship circumvention.

    • Benefits: Designed for anti-censorship use, difficult to distinguish from ordinary encrypted traffic, proven deployment history.

    • Drawback: Additional complexity, usually slower than plain WireGuard.

  6. Shadowsocks on Port 443: Runs on the standard HTTPS port.

    • Benefits: Blends into one of the most common internet ports, often survives restrictive firewall policies, can resemble ordinary encrypted web traffic patterns.

    • Important Note: It does not literally become HTTP/3 traffic, but it can be significantly harder to distinguish from normal encrypted internet traffic.

  7. UDP over TCP: Encapsulates UDP-based VPN traffic inside TCP.

    • Benefits: Useful when UDP is blocked, works on networks that only allow TCP traffic.

    • Drawback: Higher latency, lower throughput, TCP-over-TCP inefficiencies.

  8. UDP over TCP with Custom Ports: Adds port flexibility on top of UDP-over-TCP.

    • Benefits: Can bypass additional firewall restrictions, useful on corporate, hotel, airport, and public Wi-Fi networks.
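Items 7 and 8 above describe carrying UDP datagrams inside a TCP connection; the added example below (not Mullvad's implementation) shows the one thing that makes it work: because TCP is a byte stream with no message boundaries, each datagram must be framed, here with an assumed 2-byte big-endian length prefix, and the receiver must reassemble datagrams that arrive split across arbitrary TCP segments.

```python
import struct

HEADER = struct.Struct("!H")  # assumed framing: 2-byte big-endian datagram length
MAX_DATAGRAM = 0xFFFF


def encapsulate(datagram: bytes) -> bytes:
    """Wrap one UDP payload (e.g. a WireGuard packet) for the TCP byte stream."""
    if len(datagram) > MAX_DATAGRAM:
        raise ValueError("datagram too large for a 16-bit length prefix")
    return HEADER.pack(len(datagram)) + datagram


class Decapsulator:
    """Rebuilds datagrams from a TCP stream whose segment boundaries are arbitrary."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, segment: bytes) -> list:
        """Append received bytes and return every datagram that is now complete."""
        self._buf += segment
        out = []
        while len(self._buf) >= HEADER.size:
            (length,) = HEADER.unpack_from(self._buf)
            end = HEADER.size + length
            if len(self._buf) < end:
                break  # the rest of this datagram has not arrived yet
            out.append(bytes(self._buf[HEADER.size:end]))
            del self._buf[:end]
        return out


def roundtrip(datagrams, segment_size):
    """Simulate TCP delivering the encapsulated stream in chunks of segment_size bytes
    (constructed input; real segment sizes are up to the network) and decapsulate."""
    stream = b"".join(encapsulate(d) for d in datagrams)
    dec = Decapsulator()
    received = []
    for i in range(0, len(stream), segment_size):
        received.extend(dec.feed(stream[i:i + segment_size]))
    return received


if __name__ == "__main__":
    sample = [b"handshake-init", b"", b"\x04" * 700]  # constructed datagrams
    assert roundtrip(sample, 3) == sample              # survives 3-byte segments
    print("datagram boundaries preserved across arbitrary TCP segmentation")
```

Head-of-line blocking is visible in `feed`: a datagram is not delivered until its last byte arrives, which is the latency and TCP-over-TCP cost the text mentions.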

Multihop Architecture

  • Double Hop: Routes traffic through two separate Mullvad servers (Entry → Exit → Internet).

  • Benefit: The exit server never sees your real IP; the entry server never sees your destination.

  • Trade-off: Increased latency and reduced throughput. Recommended for high-risk threat models. Most users do not strictly need it.

DNS Content Filtering

Mullvad applies filtering at the resolver level, allowing granular control over what you see:

  • Malware: Blocks known malicious domains, phishing sites, and command-and-control servers. (Strongly Recommended).

  • Trackers: Blocks analytics and cross-site tracking infrastructure.

  • Ads: Reduces bandwidth consumption and tracking.

  • Social Media/Gambling/Adult: Optional filters for distraction reduction or family environments.

Verdict: If you live in a restrictive jurisdiction, face state-level surveillance, or require absolute anonymity where even the fact of using a VPN is dangerous, Mullvad is the only choice. Its feature set is not just a VPN; it is a comprehensive anti-surveillance toolkit.

2. Proton VPN: The Balanced Powerhouse

Headquarters: Switzerland (Strong privacy laws, outside 14 Eyes)
Operational Since: 2016 (as a VPN)

Proton VPN is owned by Proton AG, the same Swiss company behind Proton Mail. They bring a slightly different philosophy: Accessibility without compromising core security.

Strengths

  • The Free Tier: Proton offers a limited free service that retains privacy features (no logs, open source). This is rare in the industry and allows users to test the waters without financial commitment.

  • Massive Infrastructure: Nearly 20,000 servers across 145 countries. This offers unparalleled flexibility for geo-spoofing and load balancing.

  • Open Source & Audits: All apps are open source and undergo annual independent audits by Securitum.

  • Stealth Protocol: Proton offers a proprietary "Stealth" protocol designed to hide VPN usage by making traffic look like HTTPS.

    • Note: While effective, it is less robust against advanced DPI than Mullvad's multi-layered approach (Shadowsocks, QUIC, LWO).

  • NetShield: Built-in domain filtering for ads, malware, and trackers.

  • Anonymous Payments: Supports cash by mail and Bitcoin. (See Weaknesses for Monero).

Weaknesses

  • Email Requirement: To create an account, you must provide an email address.

    • Mitigation: You can use an anonymous email (e.g., a Proton Mail alias or a temporary address), but the average user often uses their personal email, creating a link between their identity and the VPN account.

  • No Monero Support: Proton does not accept Monero (XMR). While they accept Bitcoin, Bitcoin transactions are traceable on the blockchain.

  • Stealth Limitations: In countries with advanced DPI (Deep Packet Inspection), the Stealth protocol may be detected and blocked more easily than Mullvad's multi-layered obfuscation.

  • Lack of Advanced Features: No native support for Quantum Resistance, DAITA, or the granular protocol switching (QUIC, Shadowsocks, UDP-over-TCP) that Mullvad offers.

Verdict: If you do not live in a heavily censored country, and your primary goal is to hide your activities from your ISP and general surveillance (rather than hiding the fact that you are using a VPN), Proton VPN is the superior choice due to its speed, server variety, and free tier.

Comparison Matrix: Choosing Your Weapon

| Feature | Mullvad VPN | Proton VPN |
|---|---|---|
| Account Identity | Random 16-digit number (no email) | Requires email address |
| Anonymous Payment | Cash, gift cards, Monero (XMR), crypto | Cash, Bitcoin (no Monero) |
| Traffic Analysis | DAITA (AI-resistant padding) | Standard encryption |
| Future Proofing | Quantum-resistant tunnels | Standard cryptography |
| API Access | Direct, bridges, encrypted DNS proxy | Standard |
| Anti-Censorship | Extensive: QUIC, Shadowsocks, LWO, UDP/TCP, custom ports | Limited: Stealth protocol only |
| Server Count | ~578 (50 countries) | ~20,000 (145 countries) |
| Free Tier | No | Yes (limited) |
| Best For | High-risk users, censorship evasion, max anonymity | General privacy, geo-spoofing, streaming, budget users |
| Jurisdiction | Sweden | Switzerland |

Integrating VPNs into Qubes OS

To properly integrate these services into your secure workflow, we will provide step-by-step, architectural guides in the next two posts:

  1. How to Install and Configure Mullvad VPN in Qubes OS

  2. How to Install and Configure Proton VPN in Qubes OS

These guides will cover the creation of dedicated sys-vpn qubes, network routing configurations, and kill-switch implementation. Stay tuned for the technical deep dives.

Conclusion: The Reality of the Stack

We have exposed the VPN industry: a landscape of data harvesters, intelligence-linked corporations, and false promises. We have established that Mullvad and Proton are the only viable options for a serious security posture.

But remember the core lesson of this series: A VPN is not a magic wand.

  • If your device is infected with malware, the VPN cannot stop the exfiltration of your data.

  • If you log into your real Google account while connected to Mullvad, you have just de-anonymized yourself.

  • If you use a browser with a unique fingerprint, your VPN is useless.

True security is not about the tool you use; it is about the architecture you build around it. In Qubes OS, we isolate the risk. We compartmentalize the trust. We accept that mistakes will happen, and we engineer the system so that a mistake in one qube does not destroy the whole.
