The VPN industry has exploded in the past decade or so, and you've likely seen ads claiming they'll provide you with better security or prevent you from getting hacked. In reality, many of these promises oversell what a VPN can really do. We've become intimately familiar with VPNs, how they work, their limitations, and what the market looks like while testing over 15 of the most popular VPNs. In the process, we've learned that they're not a magic bullet for online privacy and security but can add a layer of protection in some specific circumstances.
VPN stands for virtual private network. It's a fairly straightforward type of network architecture that works by establishing a connection, or tunnel, between your computer and a remote server before reaching your final destination on the internet. Believe it or not, VPNs have existed since the 1990s, but back then, they were typically used by workers connecting to their offices' network while off-site.
These days, most people refer to VPN services, which encrypt and route your connection through one of their data centers in a location that you can specify. When connected, the VPN service hides your personal IP address and DNS queries from your internet service provider (ISP) and the websites or servers you connect to.
Hundreds of these services are available these days, and their popularity has exploded in the past decade or so. This is largely thanks to a huge marketing push from VPN providers that often make bold claims about how they can preserve your privacy online and protect against security threats. Spoiler alert: Many of these claims are hyperbole at best. In the rest of this article, we'll cover the limitations of a VPN and ultimately help you decide whether or not you should get one.
VPNs can prevent your ISP from monitoring your web traffic and seeing which sites you connect to.
Since VPNs create an encrypted tunnel from your device to their servers, your ISP can't see where you go online. This can be useful if you don't trust your ISP, and you might have good reason not to trust them. The FTC released a report in 2021 finding that most ISPs in the US collect, retain, and share large amounts of customer data beyond what's required to provide their core services. This data includes browsing history, app usage, search history, and location data, which your ISP or third-party advertisers can use to advertise to you. ISPs can also share this data with law enforcement to investigate criminal activity, including sailing the seas (torrenting).
While a VPN can help protect your data from your ISP, you're now entrusting that VPN service with all your web traffic. Most providers claim they don't retain any of your data due to a no-logging policy, but there's no way to verify those claims. Even if the provider publishes third-party independent audits that support their privacy claims, there's no knowing if they will continue to abide by their security practices after the auditors leave. Also, your IP address and DNS queries aren't the only information that can expose your identity. Trackers and advertising companies can use data from your device and web browser to create a digital fingerprint that's unique to you, so even if your IP address is anonymous, you're still identifiable. Here's a tool from the Electronic Frontier Foundation that tests your browser to see how trackable it is. That said, a VPN can still be useful in your privacy toolbox if you take the proper precautions. The Electronic Frontier Foundation has an excellent guide called Surveillance Self-Defense if you'd like to learn more about preserving your privacy online.
VPNs can help secure your connection on an untrusted network.
When you use free public Wi-Fi, such as at an airport, a local coffee shop, or in your hotel room, a bad actor could intercept your traffic in what's known as a man-in-the-middle attack. In these cases, using a VPN adds a layer of security to help prevent these types of attacks, thanks to an encrypted connection from your computer to the VPN provider's data centers.
There are several different types of man-in-the-middle attacks (Wikipedia), and while a VPN can help mitigate the risk of some of them, your browser and the internet already have protections built in that are probably good enough for most people. This list shows that almost all sites and apps nowadays use HTTPS, a protocol that uses end-to-end encryption to prevent anyone between you and the site you're visiting from seeing what you're doing. For instance, your DNS provider can see when you connect to RTINGS.com, but they can't see which page you're on. As another example, if you log into your bank account on an untrusted network, an attacker can't see sensitive data like your login credentials or balance information, even without a VPN.
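The split described above, between the site name your DNS lookup reveals and the page that HTTPS keeps private, can be shown with the DNS query itself. This is an added example, not code from the original article; the function names and the sample URL path are made up for illustration.

```python
import struct
from urllib.parse import urlsplit

# Hypothetical helper names; the wire format is the standard DNS question layout.
def build_dns_query(hostname: str, txid: int = 0x1234) -> bytes:
    """Encode a plain A-record query as it is sent to a resolver."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in hostname.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_dns_qname(packet: bytes) -> str:
    """Recover the queried name, as a resolver or on-path observer would."""
    labels, pos = [], 12  # the question section follows the 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def observer_view(url: str) -> dict:
    """Separate what the DNS lookup exposes from what HTTPS encrypts."""
    parts = urlsplit(url)
    packet = build_dns_query(parts.hostname)
    page = parts.path + ("?" + parts.query if parts.query else "")
    return {
        "visible_hostname": parse_dns_qname(packet),
        # Path and query string only travel inside the encrypted HTTPS session.
        "encrypted_by_https": page if parts.scheme == "https" else "",
        # The lookup never carries the page you asked for.
        "path_in_dns_packet": bool(parts.path) and parts.path.encode() in packet,
    }

# Constructed sample: the hostname is from the article, the path is invented.
SAMPLE = "https://www.rtings.com/example/page?id=42"

if __name__ == "__main__":
    print(observer_view(SAMPLE))
```

With a VPN connected, this same lookup travels inside the tunnel, so the party that can read the hostname becomes the VPN provider rather than your ISP or the local network.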
VPNs can help bypass censorship and surveillance.
Most VPNs can make it appear like you're somewhere else by allowing you to connect to a server in a different jurisdiction. If you're in a country that blocks websites or services you want to use, you can reach them by connecting to a VPN server in a different country that doesn't censor those sites.
That said, authorities and websites often find ways to block VPN connections, resulting in a push-and-pull that can mean your VPN will work one day and be down the next day. Even if you're not in a country that blocks sites, certain services, like video streaming sites, can block you if they detect you're using a VPN. Features like obfuscation can remedy this, but it's not always a sure thing.
When you connect to a VPN provider's servers, they can see all of your traffic. Most claim they don't keep any logs, but that's impossible to verify from the outside. Even if a provider publishes positive independent third-party audits of its service, infrastructure, and data retention practices, they don't prove that the provider will continue to follow those practices. Some providers like Mullvad and IVPN use randomly generated account numbers and accept cryptocurrencies and cash to better preserve anonymity, but you still connect to their servers from your personal IP address, which can reveal other information about you.
With that in mind, you have to take a leap of faith at some point, and there are several things to look for to determine if a VPN is more trustworthy than others. We only recommend VPNs that have a transparent and comprehensive privacy policy, use marketing that doesn't oversell their capabilities, are open about their ownership, and publish frequent third-party audits.
A VPN can be a useful tool to protect yourself online, but it's far from an infallible shield against threats and surveillance. It can help secure your connection on an untrusted network, hide your web traffic from your ISP, and bypass censorship, but it doesn't offer complete anonymity. When you use one, you're ultimately transferring trust from your ISP to your VPN provider. Before deciding if you need a VPN, you should determine your risk profile and decide if you're comfortable entrusting a VPN provider with your information and money. Be sure to look for providers with transparent policies, third-party audits, and honest marketing. If you properly understand the limitations of a VPN and take other precautions to protect your privacy online, it can add a layer of protection for extra peace of mind.
With those privacy considerations in mind, if you're still looking for a VPN for other reasons, check out our recommendations for the best VPNs that we've tested.