
Do You Actually Need a VPN? Here's the Truth

VPNs are marketed as essential privacy tools. The reality is more nuanced: they solve specific problems well, and are often irrelevant for the threats most people actually face. We break down when a VPN helps — and when it doesn't.

breached.news | 11 min read

If you've watched more than ten minutes of YouTube in the past few years, you've been told to use a VPN. They're marketed as essential privacy tools, ways to "hide your IP address," protect you from hackers on public networks, and browse the internet as if you were somewhere else entirely.

Some of that is true. Most of it is marketing. The reality of what a VPN does — and doesn't do — is considerably more specific than the ads suggest, and understanding the difference is the only way to make a sensible decision about whether you need one.

What a VPN Actually Does, Technically

A VPN (Virtual Private Network) creates an encrypted tunnel between your device and a server operated by the VPN provider. When you make a connection to any website or service, your traffic travels through that tunnel to the VPN server, then onward to its destination. The response comes back the same way.

This produces two concrete effects:

Your ISP sees a connection to the VPN server, not to the sites you visit. Your internet service provider can normally see every domain you request. With a VPN active, all it sees is sustained encrypted traffic to a single VPN endpoint.

The sites you visit see the VPN server's location, not yours. From their perspective, you're visiting from wherever the VPN server is. This is the basis for geo-circumvention — choosing a server in a different country to appear to be browsing from there.

That's the mechanism. The VPN is a rerouting and encryption service. It moves trust: instead of trusting your ISP not to spy on your traffic, you're trusting the VPN provider. The traffic is still visible to someone — you're just choosing who that someone is.

This point is often glossed over in VPN marketing, but it's important. A VPN doesn't make your traffic invisible. It changes who can see it. Whether that's an improvement depends entirely on whether you trust the VPN provider more than you trust your ISP. In some cases, you should. In others, especially with free or shady VPN services, you may have simply traded surveillance by your ISP for surveillance by a company you know even less about.

What a VPN Doesn't Do

The gap between what VPNs are marketed as doing and what they actually do is wide enough to drive a truck through.

A VPN does not protect you from data breaches. When a company is hacked and your account data is stolen, it has nothing to do with how you connected. The 23andMe breach affected 6.9 million people — not because of how they connected, but because the company's systems held sensitive data that attackers accessed through credential stuffing. A VPN running on every affected user's device at the time of the breach would have done nothing.

A VPN does not protect you from phishing. The sophisticated Gmail phishing campaign using real Google infrastructure works by tricking users into entering credentials on a fake login page. Your network connection is irrelevant — the attack succeeds because of what you type, not where you're connecting from. A VPN cannot tell the difference between a legitimate login page and a convincing fake.

A VPN does not protect you from malware. If you've downloaded malicious software, a VPN doesn't contain, detect, or remove it. Malware operates at the application layer, not the network layer. A VPN encrypts the tunnel your traffic travels through; it has no visibility into what applications on your device are doing.

A VPN does not make you anonymous. This is perhaps the most aggressively misrepresented claim in VPN advertising. Modern web tracking is dominated by methods that have nothing to do with IP addresses. Browser fingerprinting — the practice of identifying users by the unique combination of their browser version, installed fonts, screen resolution, time zone, and dozens of other parameters — can identify you regardless of which IP address you're connecting from. Logged-in accounts (Google, Facebook, Apple) track you across the entire web regardless of IP. Tracking cookies persist across sessions. If your goal is genuine anonymity, a VPN alone doesn't get you there — and most VPN providers don't advertise that honestly.

A VPN doesn't "stop hackers" on your home network. This is a marketing line that has little relation to how home network attacks actually work. The devices on your home network connect to each other through your router, which the VPN doesn't protect. The realistic threats to a home user — compromised IoT devices, router firmware vulnerabilities, targeted attacks — are not addressed by a VPN running on one device.

When a VPN Genuinely Helps

With all of that said, there are real, specific situations where a VPN provides meaningful protection.

Public Wi-Fi. Coffee shops, airports, hotels, conference centres — any network you don't control and don't trust. While HTTPS (the padlock in your browser address bar) encrypts the content of your web traffic, it doesn't hide which domains you're connecting to. On a public network, a passive observer can see the domains you're visiting, build a profile of your browsing, and potentially inject content into unencrypted connections (many captive-portal networks still serve their login page over unencrypted HTTP). A VPN encrypts all of this. This is the VPN's natural habitat, and it provides real value here.

ISP data practices. In some jurisdictions, internet service providers are legally permitted to log browsing data, sell it to advertisers, or provide it to government agencies with limited oversight. In the US, the FCC's 2016 ISP privacy rules were repealed in 2017, leaving ISPs with relatively broad latitude to use browsing data commercially. A VPN prevents your ISP from building this kind of profile. This is a genuine use case, though it transfers the trust question to the VPN provider.

Geo-restriction circumvention. Accessing streaming content available in other regions, bypassing news paywalls with geographic restrictions, or accessing services blocked in your country are all legitimate uses. This is the most common reason most people use VPNs in practice, and it works reliably with any decent provider.

Journalists, activists, and high-risk users. In contexts where traffic surveillance by an ISP, government, or network operator is a genuine threat, a reputable VPN provides meaningful protection. Reporters working on sensitive stories, activists in authoritarian environments, or anyone whose browsing habits could have professional or personal consequences under surveillance all have legitimate reasons to use a VPN as part of a broader operational security setup. For these users, jurisdiction and audit history (covered below) matter significantly.

Remote access to work resources. Many organisations use VPNs to allow employees to securely access internal systems while working remotely. This is a different use case from consumer privacy — these VPNs are operated by the employer and are designed for access control and network security rather than anonymity. They work well for their intended purpose.

How to Evaluate a VPN: What Actually Matters

The VPN market is large and poorly regulated, and a significant portion of it is actively misleading. Here's what separates legitimate providers from the rest.

No-logs policy — and independent audit of that policy. Every VPN claims to have a no-logs policy. The meaningful question is whether that claim has been independently verified. A handful of providers have submitted to third-party security audits that specifically test whether their no-logs claims hold up — whether the infrastructure actually cannot produce user data even under legal demand. If a provider hasn't been audited, their no-logs claim is a promise, not a verified fact.

Jurisdiction. Where a company is legally incorporated determines what legal process can compel them to produce data. Providers in the US are subject to National Security Letters (which come with gag orders). Providers in the UK are subject to the Investigatory Powers Act. Providers in Switzerland or Iceland operate under different legal frameworks. For most users, jurisdiction matters less than audit history. For high-risk users, it matters considerably more.

Ownership transparency. This is where the VPN market has a serious and underreported problem. A significant number of VPN providers — including some well-known names — are owned by large holding companies that own multiple competing VPN brands simultaneously, and often also own the "review" sites that rank those VPNs highly. Kape Technologies (now Ziff Davis) owns ExpressVPN, Private Internet Access, CyberGhost, and Zenmate — as well as review publications including vpnmentor.com and wizcase.com. When a review site tells you a VPN is the best on the market, it's worth checking who owns both.

History under pressure. Some providers have been subpoenaed, had servers seized, or been presented with legal demands. How they responded — and what data they were or weren't able to produce — is the real-world test of their privacy claims. PureVPN's cooperation with the FBI in a cyberstalking case (despite claiming no logs) and IPVanish's cooperation with Homeland Security are both documented examples of VPNs that didn't hold up under legal pressure. Providers with clean records in this regard are worth noting.

Speed and infrastructure. Privacy considerations aside, a VPN you don't use because it makes your connection unusably slow is worse than no VPN at all. Server count, geographic distribution, and protocol support (WireGuard is generally faster than OpenVPN) all matter for day-to-day usability.


Our Picks

Mullvad — Best for Privacy

Price: €5/month flat, no subscription required, pay month to month

Mullvad is the privacy researcher's VPN. The account model is unusual: you don't provide an email address. Instead, you're assigned a randomly generated account number, which you use to log in and add time to your account. Mullvad accepts cash sent in an envelope — genuinely, not metaphorically — as well as Bitcoin, Monero, and conventional payment methods. If you pay with cash or privacy-preserving cryptocurrency, Mullvad has no payment information linked to your account.

The company is based in Sweden, which is not a jurisdiction that privacy advocates uniformly recommend — Sweden is a member of the 14 Eyes intelligence-sharing alliance. But Mullvad's technical and operational commitments to no-logs have been independently audited, and the company has twice had its servers seized by authorities (in April 2023, German police raided Mullvad's Swedish office) and produced nothing, because there was nothing to produce. That real-world test is more credible than any policy statement.

Mullvad supports WireGuard and OpenVPN, offers multi-hop connections (routing through two servers for additional obfuscation), and provides browser extensions and a polished desktop app. The flat pricing model — no annual vs monthly tiers, no promotional pricing — is refreshingly straightforward.

For users who want to know that their VPN provider's privacy model is backed by verifiable technical architecture and a demonstrated track record under pressure, Mullvad is the honest choice.


ProtonVPN — Best Free Option

Price: Free (unlimited data, limited to slower servers), $4.99/month for full access

Proton, the Swiss company behind ProtonMail and Proton Pass, operates ProtonVPN under the same privacy-first philosophy that has made it a credible name in the security community.

The free tier is genuinely unusual: unlimited data, no data caps, and no selling of user data to support the free offering. Most free VPNs monetise users through data collection or advertising — Proton does neither, funding the free tier through paid subscribers instead. The trade-off is that free users are limited to a subset of servers and slower speeds during peak times.

Swiss jurisdiction means Proton operates under Swiss privacy law, which requires a higher threshold for legal process than US or UK law. Proton has been transparent about the legal demands it has received and complied with — including a notable case where it provided an IP address of a climate activist's ProtonMail account under Swiss court order. That case was a reminder that Swiss jurisdiction is not a magic shield, but it does set a higher bar.

The ProtonVPN apps are clean and well-designed across all platforms. The service supports WireGuard, offers a Secure Core feature (routing traffic through multiple countries before exiting), and has been independently audited. For users already in the Proton ecosystem — ProtonMail for email, Proton Pass for passwords — the bundled Proton Unlimited plan that includes all Proton services at a discount is worth calculating against individual subscriptions.


NordVPN — Best for Ease of Use

Price: From $3.99/month on longer-term plans

NordVPN is the most heavily marketed VPN in the world, which makes it easy to be sceptical of. In practice, it's a solid service. The apps are well-designed across all platforms, the server network is large (over 6,000 servers in 60+ countries), and connection speeds are among the best in the category, particularly with NordLynx (its WireGuard-based protocol).

The Threat Protection feature — a built-in ad blocker, tracker blocker, and malware URL filter — adds useful functionality beyond basic VPN operation. It works without the VPN tunnel being active, functioning as a standalone browser protection layer.

Nord's ownership is clear (Nord Security, a Lithuanian company) and its no-logs policy has been audited multiple times by PricewaterhouseCoopers. In 2018, one of Nord's servers was compromised — an incident they disclosed and handled appropriately, and which didn't result in user data exposure because there was no log data to expose. That response was more transparent than many providers would have managed.

NordVPN is not the privacy researcher's first choice, but it's a reliable, well-supported service for users who want something that works well, has good apps, and isn't going to disappear next month.


The Honest Answer

Most people don't urgently need a VPN at home on a trusted network. The threats that most commonly result in actual harm — account breaches from credential stuffing, phishing, malware downloads — are not problems a VPN addresses.

But if you regularly use public Wi-Fi, if your ISP's data practices concern you, or if you need to access geo-restricted content, a VPN is a reasonable and relatively inexpensive tool for those specific jobs. The key is to be clear-eyed about which problem you're solving.

Don't buy a VPN because an ad told you it would make you "invisible online." Don't assume it replaces strong passwords and good phishing awareness — a password manager addresses far more of the actual threat landscape for the average user. And if you do buy one, choose a provider whose privacy claims have been independently verified rather than one whose marketing budget is larger than their transparency record.

A VPN is a tool, not armour. Used for the right jobs, it's worth having. Used as a substitute for understanding the actual threats you face, it's expensive comfort.

Tags: VPN, privacy, NordVPN, Mullvad, ProtonVPN, product review
Affiliate disclosure: Some links in this article are affiliate links. We may earn a small commission if you purchase through them, at no extra cost to you. Our recommendations are editorially independent.