I have only used the free version of Proton in the past, and have no further personal experience with either. But what I can tell you is...

The most important privacy aspect is that Proton at the deepest level is vulnerable to government data requests. They have also complied with the government in one known instance where they turned on IP logging on someone's email address and provided the IP and the person was caught (I can't recall more detail).

Mullvad has a better privacy approach, is more transparent, fully describes the data retention and methodology (on their website), offers untraceable payments, and is less expensive (maybe).

I think in a video from "The Privacy Wayfinder" on YouTube where he is talking about GrapheneOS, he mentions that the ProtonVPN app was better in one or two areas, but I can't recall what he said now. So the Android app for Proton might be better.

Mullvad has a good (visual) Linux app. Not sure about Proton. Most VPNs for Linux are command line. Might not be relevant for you.

Just adding to what was already said here..

I personally use ProtonVPN with a paid subscription. It works great for me. I've also used Mullvad a few times.

ProtonVPN is more convenient in some ways than Mullvad. Like, you can have a subscription. With Mullvad, keeping up with payments would be more of a chore I think.

I'd also agree that the ProtonVPN app is more polished, but there are things I'd like to see improved.

Both apps have been audited, as well as server instances. Mullvad has been audited more times (if I remember correctly) and I recall the reports were more in depth, but both have proven they don't keep logs for their paid services. Check out their websites and read through them yourself.

We can always debate which VPN provider is more likely to cave in to government requests. I've read many things about this. I forget where Mullvad is based, but I've read that country is not as good for whatever privacy reason or Proton Mail turned over an IP address for someone, etc. etc. etc.

This part of the debate can go on and on but at this point we don't have any evidence either VPN provider has given data to any government. It's all hypothetical. If you really need true anonymity, use Tor, otherwise, I think you'd be happy with either VPN for normal use.

I forget where Mullvad is based

They are based in Sweden.

dlb I have used Mullvad for several years and I am quite satisfied with their services (speed, broad choice of servers, WireGuard, FOSS and audited client, privacy-respecting means of payment, minimalist account creation). They seem to be transparent about their operations.
I cannot say for Proton VPN; never used it.

Whatever provider you choose, do not rely on them to hide your identity online. For that, you should use other tools private by design.

I recommend reading the PrivacyGuides VPN overview page and their VPN comparison.

dlb Other folks already gave some good answers, I'll add my 2 cents:

Mullvad:

  • Their privacy policy is second to none. Read how they handle payment information for example, it really tells a lot
  • Can pay with Monero or cash

Proton:

  • Offers free accounts
  • Offers the IKEv2 protocol, which is important if you want to use the native Android VPN implementation or set up a VPN profile on iOS via Apple Configurator so the VPN doesn't leak
  • Has many features like secure core or stealth

Also look at IVPN to compare

I've tried to find proof of Proton turning on logging for a user but can't seem to find anything. Is there legit proof of this claim?

    Kottonballs I believe this case in France is the only known instance of Proton giving over user data, but not a great look imo. I use them for my personal email but not VPN or anything else where I'm seeking full privacy.

      itsjpb Isn't GrapheneOS now supported by Proton with funding? As I have read somewhere on this forum. If Proton has this reputation, why would Graphene take money from them?

        So if Proton Mail gives away IP addresses from clients, what other email service do you recommend?

        Thank you for providing the link but I'm still suspicious of the report. I question everything because the internet is full of lies all the time and this report seems to draw conclusions from questionable sources and a tweet or two. TY though.

          Kottonballs What part is suspicious? It's court documents and the company's response confirmation/clarification. But it is a niche case and Proton's probably safe enough for most users.

          And agreed the internet is full of lies, I try to read as little of it as possible :)

          dlb Yes, Proton is among the supporters of Graphene. They're still a privacy focused company, they're just not perfect. It's only recorded they share logs for active criminal cases, not normies. I don't love that fact but use them for my main email client as they are still highly private and I'm not emailing about criminal activities. If I were I would consider Mailfence or jumping to Element or a similar Matrix client instead of email.

          And there are far smarter people than me on this forum, it's just my 2 cents.

            Kottonballs I've tried to find proof of Proton turning on logging for a user but can't seem to find anything.

            French police arrested a climate activist in September 2021. Proton were legally compelled to turn over data related to the IP address certain emails were sent from, and the IP address was useful in engineering the arrest. My understanding is it was just simple internet traffic logs that were turned over (they didn't break encryption on the emails or anything like that). Legally, Proton had no way out of it and no option to appeal the request. If they tried to illegally conceal the data, they would have been shut down, and Proton employees would have been arrested.

            Proton CEO Andy Yen responded to the event in a blog post here: https://proton.me/blog/climate-activist-arrest

            I think an important thing to note is the whole thing would have been made impossible if the user had simply connected with Tor or a VPN to send their emails. Proton even offers an onion site (https://proton.me/tor) for anonymous access--very uncommon for an email provider--which is a resource this person obviously did not take advantage of.

            This is basically a case of user error. Considering they were under criminal investigation, they were frankly a bit careless. It seems unfair to blame the email provider when a user cannot take even the most rudimentary precautions to protect their anonymity.

              BluishHumility

              Another point to make is to distinguish between a "privacy focused" service, and a "bulletproof" service.
              Proton has always said that they will comply with the laws.

              There are services that say they will not... and they don't last very long. They inevitably attract the worst criminals, and get infiltrated/raided/seized/shut down.

              itsjpb It's only recorded they share logs for active criminal cases, not normies.

              It doesn't matter. They gave up customer data. What is the point of having a VPN then if they sell your data? Maybe we are safer with our ISP.

                BluishHumility French police arrested a climate activist in September 2021

                I still can't wrap my head around what does France have with Switzerland... How does France have authority in Switzerland?

                  dlb They went through the Swiss courts and won. As another said, if the user used VPN, they would not have been found.

                    chuck if the user used VPN

                    I think you meant Tor

                    dlb what does France have with Switzerland

                    I think Swiss courts only allowed it because a Swiss law was broken. Not sure which.

                    dlb What is the point of having a VPN then if they sell your data?

                    Not sold. Big distinction.
                    Selling data for profit is why so many privacy advocates hate Google.
                    Complying with local laws is still expected of privacy focused services.

                    If Proton were to start breaking the law to keep customers shielded, I'd leave. Because it won't last long and I'd expect LE to start infiltrating, spying and raiding.

                      dlb It doesn't matter. They gave up customer data. What is the point of having a VPN then if they sell your data?

                      Proton didn't sell anyone's data, nor was this case related to their VPN service to begin with. You are letting the facts get away from you.

                      Graphite chuck if the user used VPN

                      I think you meant Tor

                      According to Andy Yen's blog post (which is worth a read if you haven't yet), either would have sufficed perfectly fine. If Proton turned over an IP address for the emails that led to a no-logs VPN, that would have been the end of the trail. Even if the user connected with Proton's own free VPN service, that would have sufficiently obfuscated their traffic because the IP address doesn't lead anywhere (under current Swiss law, email and VPN are treated differently, and Proton VPN cannot be compelled to log user data).

                      Graphite If Proton were to start breaking the law to keep customers shielded, I'd leave. Because it won't last long and I'd expect LE to start infiltrating, spying and raiding.

                      I think this is right. For people who can be bothered to use the resources correctly, what Proton offers is an amazing contribution to the privacy rights movement. To sacrifice all of that infrastructure and tooling just to take a bullet for someone who was careless or ignorant with how they were using the services does not seem right. It's unfair to everyone who is being cautious and using the tools correctly.