Comment by Aachen
3 days ago
Also based on your reply on a sibling thread, is this a legit question (you expect that there is a way but you're not sure how) or are you just waiting for someone to bite just so you can state your case about proving a negative?
Not sure which thread you're referring to, but yeah, it is a legit question. I genuinely wondered what made the OP state that it's proven that Mullvad doesn't collect logs. While I don't think it's possible at all to prove that some software is running on a remote server, or that this software doesn't collect logs, some people try to find a way to do that. For example, Signal claimed that one can verify code running on their servers by the code attestation feature embedded in their Intel SGX enclaves; see https://signal.org/blog/private-contact-discovery/
Fair enough. I would just interpret this as an exaggeration / way of speaking. In the end you always have to trust someone, be it Mullvad's reputation, be it an auditor, be it a hardware vendor.
Good comparison about the SGX contact discovery though, although Signal could afaik use one of the known SGX bugs to get our data anyway, or collude with Intel, who has the private keys, so you trust third parties there as well.