At launch, access to Mullvad Leta was restricted to users with a paid Mullvad VPN account, but it is now free and open to all.
Mullvad Leta has been audited by Assured.
Just a heads up, some of the details in the FAQ and Terms of Service seem a bit outdated and might not be accurate anymore.
Some relevant information from their FAQ section is as follows:
What can I do with Leta?
Leta is a search engine. You can use it to return search results from many locations. We provide text search results, currently we do not offer image, news or any other types of search result. Leta acts as a proxy to Google and Brave search results. You can select which backend search engine you wish to use from the homepage of Leta.
Can I use Leta as my default search engine?
Yes, so long as your browser supports changing default search engines.
Navigate to https://leta.mullvad.net in your browser and right-click on the URL bar.
From there you should see Add “Mullvad Leta“ with the Mullvad VPN logo to the left.
If you do not see this, you can attempt to add a custom search engine to your browser with:
- The name set to: Leta
- The URL set to: https://leta.mullvad.net/?q=%s
You can select which backend engine to use as follows:
- Google: https://leta.mullvad.net/?q=%s&engine=google
- Brave: https://leta.mullvad.net/?q=%s&engine=brave
Did you make your own search engine from scratch?
We did not, we made a front end to the Google and Brave Search APIs.
Our search engine performs the searches on behalf of our users. This means that rather than using Google or Brave Search directly, our Leta server makes the requests.
Searching by proxy in other words.
What is the point of Leta?
Leta aims to present a reliable and trustworthy way of searching privately on the internet.
However, Leta is useless as a service if you use the perfect non-logging VPN, a privacy focussed DNS service, a web browser that resists fingerprinting, and correlation attacks from global actors. Leta is also useless if your browser blocks all cookies, tracking pixels and other tracking technologies.
For most people Leta can be useful, as the above conditions cannot ever truly be met by systems that are available today.
What is a cached search?
We store every search in a RAM based cache storage (Redis), which is removed after it reaches over 30 days in age.
Cached searches are fetched from this storage, which means we return a result that can be from 0 to 30 days old. It may be the case that no other user has searched for something during the time that you search, which means you would be shown a stale result.
What happens to everything I search for?
Your searches are performed by proxy, it is the Leta server that makes calls to the Google or Brave Search API.
Each search that has not already been cached is saved in RAM for 30 days. The idea is that the more searches performed, the larger and more substantial the cached results become, therefore aiding with privacy.
All searches will be stored hashed with a secret in a cache. When you perform a search the cache will be checked first, before determining whether a direct call to Google or Brave Search should be made. Each time the Leta application is restarted (due to an upgrade, or new version) server side, a new secret hash is generated, meaning that all previous search queries are no longer visible to Leta
What could potentially be a unique search would become something that many other users would also search for.
What is running on the server side?
We run the Leta servers on STBooted RAM only servers, the same as our VPN servers. These servers run the latest Ubuntu LTS, with our own stripped down custom Mullvad VPN kernel which we tune in-house to remove anything unnecessary for the running system.
The cached search results are stored in an in-memory Redis key / value store.
The Leta service is a NodeJS based application that proxies requests to Google or Brave Search, or returns them from cache.
We gather metrics relating to the number of cached searches, vs direct searches, solely to understand the value of our service.
Additionally we gather information about CPU usage, RAM usage and other such information to keep the service running smoothly.
I do like it because when I’m trying to find out more information about break8ng events I want to know if I’m getting outdated information. Also, knowing that someone, somewhere in the world entered the same search terms as you within the last 30 days tells you absolutely nothing about that person.
Unless the terms include a name or location. Plus Leta is not widely used.
Suppose you tell someone in secret that you were arrested. You know they use Leta, so you look up “John Doe arrest” later and see that it was just recently cached. You only told one person so it must have been them. You now know what someone searched because they used Leta.
uh-oh
Please everyone, help click
https://leta.mullvad.net/?q=hide+body+lake+vs+forest&oc=1
This is somewhat valid but it still doesn’t really tell you anything about who searched for that thing. You only know that someone else searched for it and how long ago it happened. You have no idea who they are, where they are, or why they entered that search term.
No, you don’t know that. You are assuming it.
You don’t have a comprehensive list of Leta users and you aren’t the only person who knows about your arrest. There’s at very least the cops, whatever support staff they have around at the time, and anyone they talked to. Then there’s any witnesses to the arrest, everyone who could have seen you in the back of a cop car, and everyone they talked to. Even if you were somehow arrested and processed by a single officer in total secret and then he killed himself in front of you before he could tell anyone else, there’s still the possibility that your friend betrayed your confidence and told other people about your arrest.
It was just an example but ok, let’s fix it.
You want to see if someone is nosy so you lie and tell them you were arrested in 2006. You check and see “John Doe arrest 2006” or “John Doe 2006 arrest” is cached.
You get the idea.
Ok, cool. You successfully proved that a person you suspect of being nosy actually is. You probably could have figured that out based on their reaction to you telling them about the fake arrest. Also, your nosy fake friend is a real idiot. They are apparently privacy focused enough to be using Leta but ignorant of the fact that this search is going to be cached and the time logged. The arrest is from 2006 so it’s unlikely anyone else would have searched it. Leta isn’t widely used so the smart play is to use literally any other search engine for this one search because the only person they need to keep it a secret from is you. Or maybe they just don’t care if you know that they searched for more info on your arrest because everyone already knows they are nosy.
All of this is besides the point though because none of these super specific scenarios are what we’re talking about when we discuss privacy on this level. This is meant for keeping Google from harvesting your data. If you decide to use it for baiting people into searching specific things so you can have a weird little gotcha moment that’s on you.
A privacy-focused search should not potentially reveal to others that you searched something. My examples prove the possibility that it can do that. I’m sure there’s other examples that are less “weird”.
So name one…
No. You can raise concerns about a potential vulnerability without having identified a specific real-world method of exploitation.