Mullvad Browser

Mullvad Browser is a privacy-focused web browser developed by Mullvad VPN AB (Gothenburg, Sweden) in collaboration with the Tor Project. Launched on April 3, 2023, it applies the Tor Browser’s anti-fingerprinting technology without routing traffic through the Tor network — instead, it is designed to be used with a VPN (ideally Mullvad VPN, though any VPN works). Built on Firefox ESR, the browser is fully open source under the Mozilla Public License 2.0.

The core concept is “Tor Browser without Tor.” All Mullvad Browser users on the same operating system present a nearly identical browser fingerprint, implementing the Tor Browser’s “hide-in-the-crowd” approach to privacy. Firefox’s resistFingerprinting mode is enabled, which spoofs timezone to UTC, restricts font access, hides keyboard layout, and reports common version/OS strings. All telemetry and crash reporting are disabled at compile time — the pingsender executable that sends telemetry to Mozilla is removed entirely.

Mullvad VPN AB is a Swedish limited company (registration number 559238-4001) owned by parent company Amagicom AB, which is 100% owned by founders Fredrik Strömberg and Daniel Berntsson. The browser is free and requires no account. It is a separate product from Mullvad VPN ($5/month) but shares the same company and privacy philosophy.

Key Features

• Tor Browser Anti-Fingerprinting Without Tor: All users on the same OS present an identical browser fingerprint
• Zero Telemetry: All telemetry disabled at compile time; pingsender removed entirely
• Pre-installed Privacy Extensions: uBlock Origin (ad/tracker blocking) and NoScript (script control)
• Permanent Private Browsing: Always-on; no persistent cookies or history between sessions
• New Identity Button: One-click session reset to clear all cookies and site data
• Three Security Levels: Standard, Safer, and Safest — matching Tor Browser tiers
• Mullvad DNS-over-HTTPS: Supports encrypted DNS resolution through Mullvad infrastructure

Privacy Highlights

Mullvad Browser implements privacy at the architectural level. All Mozilla telemetry is disabled at compile time, not merely through settings — the telemetry sending code is physically removed from the build. The browser makes no connections to Mozilla or any other server for telemetry purposes. Network requests are limited to: browser updates, extension updates (via Mozilla), Mullvad DoH, certificate/domain updates, and uBlock Origin filter list updates. No personal information is collected in relation to any of these requests.

The anti-fingerprinting approach is comprehensive. Firefox’s resistFingerprinting mode spoofs timezone to UTC, restricts available fonts to a specific limited set, hides keyboard layout, and reports common version/OS strings. First-Party Isolation is enabled by default. Third-party cookies and trackers are blocked. Several hardware APIs are removed or restricted to prevent fingerprinting. The browser operates in permanent private browsing mode — cookies are never saved between sessions.

Mullvad VPN AB maintains a strict no-logging policy that has been independently audited (most recently by Assured in August 2025 and X41 D-Sec in late 2024). The company operates under Swedish jurisdiction, where the Electronic Communications Act (LEK) does not require VPN services to log customer data or traffic.

Privacy Breakdown

Data Residency (Score: 95 — Confidence: High)

Pros:

• Developed by Mullvad VPN AB, a Swedish company (EU/EEA). Subject to GDPR.
• 100% founder-owned through Amagicom AB. No external investors or shareholders.
• Swedish Electronic Communications Act (LEK) does not require VPN services to log data.

Cons:

• Browser update checks connect to Mullvad/Tor Project servers (necessary for security).
• Extension updates route through Mozilla infrastructure.
• Some network requests for certificate/domain updates go through Mozilla.

Open Source (Score: 95 — Confidence: High)

Pros:

• Fully open source under Mozilla Public License 2.0 (MPL-2.0).
• Source code publicly available at github.com/mullvad/mullvad-browser and Tor Project GitLab.
• Built on Firefox ESR — well-audited, widely reviewed codebase.
• Developed in direct collaboration with the Tor Project, one of the most trusted privacy organizations.

Cons:

• No separate independent security audit of the Mullvad Browser specifically (relies on Tor Browser and Firefox audit ecosystem).
• Depends on the Tor Project’s release cycle for security patches, which may introduce delays.

Privacy Policy (Score: 95 — Confidence: High)

Pros:

• Zero data collection — all telemetry removed at compile time, not just disabled.
• Mullvad company-wide no-logging policy independently audited (Assured, August 2025; X41 D-Sec, late 2024).
• Swedish police raid at Gothenburg office (early 2024) produced nothing — confirming no logs exist.
• Transaction IDs deleted after 20 days; support emails purged 70 days after ticket closure.

Cons:

• Browser-specific privacy policy is sparse; relies on Mullvad company-wide privacy policy.
• As a relatively new product (launched April 2023), track record is shorter than established browsers.

Trackers (Score: 98 — Confidence: High)

Pros:

• All telemetry disabled at compile time. pingsender executable removed entirely.
• uBlock Origin pre-installed for ad and tracker blocking.
• Permanent private browsing mode — no persistent cookies between sessions.
• Uniform fingerprint across all users on the same OS, making individual tracking extremely difficult.

Cons:

• Extension updates route through Mozilla infrastructure (necessary for security).
• uBlock Origin filter list updates require network connections to list providers.

Terms of Service (Score: 78 — Confidence: Medium)

Pros:

• No binding arbitration. Swedish law jurisdiction applies.
• No data selling. GDPR rights respected. Refund eligibility documented.
• 30-day advance notice for terms changes. Complete cookie list provided.

Cons:

• Personal data may be shared with third parties involved in service operation (e.g., payment processors).
• Account termination without warning possible (standard boilerplate).

Controversies

Swedish police executed a search warrant at Mullvad’s Gothenburg office in early 2024, seeking subscriber data. The raid produced nothing because Mullvad does not retain logs, IP addresses, or connection timestamps. This incident actually reinforced Mullvad’s privacy claims. [1]

The browser’s aggressive anti-fingerprinting breaks some websites and frequently triggers CAPTCHAs and Cloudflare challenges. This is a usability trade-off inherent to the privacy design. [2]

In November 2025, Mullvad discontinued its privacy-preserving search proxy “Leta,” citing hostile changes in the search industry. This affected users who relied on it as a default search option. [3]

Some community members have raised concerns about potential delays in receiving Firefox security patches compared to mainline Firefox, as the browser depends on the Tor Project’s release cycle. [4]

References

1. Mullvad VPN and the Tor Project team up — Mullvad Blog
2. Releasing Mullvad Browser — Tor Project Blog
3. Mullvad Review of 2025 — Mullvad Blog
4. Desktop Browsers — Privacy Guides