Virtual Private Networks, or VPNs, are popular services for (supposedly) increasing your security and privacy on the internet. They are often marketed as all-encompassing security tools, and something that you absolutely need to keep hackers at bay. However, many of the selling points for VPNs are exaggerated or just outright false.
VPNs are services that route your internet connection (or at least specific applications) through an external server instead of your local network. The network traffic going through the VPN is indecipherable to your internet service provider (ISP), and as far as websites and other services are concerned, your IP address is just the IP address of the VPN server. The technical aspects of a VPN don't make for great advertising, so that information usually gets distilled into talking points about changing your device's location, or supposedly preventing hackers from finding where you live, or something else.
It's difficult to find accurate and non-biased information about VPNs. Many popular web searches about VPNs or specific VPN features are filled with content written by VPN companies, which are usually written specifically to endorse their own product. VPN companies are also popular sponsors for independent content creators, so you've probably seen some of your favorite YouTube channels and podcasts echo the same inaccurate selling points.
I want to "debunk" some of the common misconceptions around VPNs and outline some of the few use cases where you might need a VPN. To be clear, this article has no affiliate links, does not recommend any specific VPN services, and is not sponsored by any companies.
The IP address
The most common selling point for VPNs might be that they can change your IP address, and how that can be a benefit to privacy and security. The home page for TunnelBear says, "Ad services use your IP address to track your behaviour across sites. TunnelBear stops them by assigning you a new IP." The site for ExpressVPN says, "Changing your IP address with a VPN helps shield your identity from websites, apps, and services that want to track you."
It's true that your IP address is your main identifier on the internet. However, there are many other identifiers that are used for tracking your activity across the internet. Most advertising networks, including Google Ads, primarily use cross-site cookies (eventually to be replaced by the Privacy Sandbox) to keep track of you across the web. Google uses an advertising ID for the same purpose on Android devices, and Apple has a similar ID for iPhone and iPad devices. VPNs do not change any of those identifiers.
There are also other browser features that can be used for tracking you across the web, such as the User Agent and HTML5 <canvas> element, in a process called fingerprinting. Web browsers have been reigning in this behavior over the past few years. For example, Firefox 11 in 2012 introduced the Battery API, which allowed sites to check the current battery level, and it was later implemented in Chrome and other browsers. It later turned out that it could be used for tracking, so Mozilla removed it from Firefox in 2016 (though it's still in Chrome). All web browsers are also slowly phasing out User Agent identifiers. VPNs, again, have no effect on any of these features.
It's true that changing your IP address might make it slightly more difficult for advertising networks or bad actors to track you, but there are so many other methods for achieving the same goal that a VPN alone won't really make a difference. Tor Browser can give you an idea of what is required to truly mask your identity online: in addition to routing your network connection through several servers, basic features like window resizing and drag-and-drop links are blocked to prevent possible fingerprinting.
The encryption claims
Another common claim you'll hear with VPNs is that they can "encrypt" your internet connection. You might assume that without a VPN, your internet connection is not encrypted, leaving all your data open for hackers, governments, and internet service providers (ISPs) to look through. It's true that most VPNs are encrypted: they use one of several protocols with varying encryption methods (e.g. OpenVPN uses OpenSSL and TLS).
However, when VPNs say they are encrypted, they are referring to the connection between your device or browser to the VPN service. After that hop is complete, your data is still being transmitted to the same endpoint. If you are using a website that doesn't support HTTPS, a VPN is not going to magically make it more secure. It's like the driving to the same city from two different starting points: you eventually get dumped onto the same road as everyone else heading to the destination.
The good news is that most of your internet connections are already fully encrypted in transit, whether or not you use a VPN.
Encryption was initially only used on websites and other internet services for sensitive data, such as online shopping. That made it possible for hackers, network administrators, and ISPs to analyze and potentially modify any data in transit. AT&T public Wi-Fi networks at two airports in 2015 were injecting ads into unencrypted web pages, and Comcast did the same with its public Wi-Fi networks in 2014. That's the sort of behavior that led to public Wi-Fi networks being generally regarded as insecure or possibly stealing your data.
The security risks and bad user experiences of unencrypted web pages started a push for the entire internet to be encrypted, starting roughly in the mid-2010s. Google's ranking algorithm for web searches started favoring sites with HTTPS support in 2014, and in 2018, the Chrome web browser started showing "Not secure" warnings on HTTP sites. Mozilla Firefox rolled out a similar warning in 2017. Meanwhile, the non-profit certificate authority Let's Encrypt made it possible for websites and online services to set up security certificates easily and without spending more money.
Thanks to that progress, most web traffic is now encrypted by default. As of December 2023, 99% of web traffic loaded through Chrome on Android and Chromebooks is encrypted, followed by 98% on Mac, 95% on Windows, and 88% on Linux. Mozilla says 81% of all pages loaded through Firefox are encrypted. It's increasingly rare to land on a website that isn't using encryption in transit, and when you do, your browser will show warnings in the address bar. Your internet service provider or network administrator can still see the servers connected to your browser or device, but the actual content of those requests (like the contents of web pages or passwords you type in) are obscured.
Now that most connections between your device and the internet are already secure, VPNs are another step your internet traffic goes through, rather than meaningfully improving your security. For outdated sites and services without encryption, you're just trusting the VPN service to handle that insecure data instead of your local network or internet provider.
Who has your data
When you use a VPN, the VPN service has the same level of access as your internet service provider. This is usually spun as an advantage in marketing, with VPN services claiming they can hide your network activity from governments and ISPs. If the cloud is just someone else's computer, then a VPN is just someone else's ISP.
Some VPN providers can point to independent audit reports to back their claims, while others simply pull the "trust me, bro" card and say they don't collect logs. Even if there are security audits available, you're still trusting someone else about the security of the tunnel for all your internet traffic.
Here's what you should ask yourself when using a VPN: do you trust the VPN provider as much (if not more) than your internet service provider? The answer to that will probably be different for everyone. I live in the United States, where I already have no digital privacy, and tunneling my internet traffic through a VPN owned and operated in another country won't meaningfully improve my privacy or safety.
When to use a VPN
VPNs are not magical fixes for privacy and security on the internet. However, there are some specific situations where they are useful tools.
- Network blocks and internet censorship. VPNs can help you access sites and services that are restricted by your local network or government. That's why downloads of VPN apps in Russia skyrocketed in 2022, after the country's invasion of Ukraine and more services became blocked. The same trend happened in Virginia and other U.S. states after they passed laws requiring photo identification for adult websites.
- Piracy. Internet service providers can sometimes detect when you are pirating movies, TV shows, music, or other media and send you angry letters. You can avoid that entirely by using a VPN when you download or torrent copyrighted material. Do what you want 'cause a pirate is free... but use a VPN.
- Region-locked content. This is a popular selling point for VPN companies that is actually true: VPNs can help you access online content that is officially restricted to a certain region. Switching your VPN server to a different country can change what movies and shows are available through Netflix, and UK-based VPN servers are frequently used to access BBC iPlayer content in other countries. However, this is not always reliable, as service providers will usually detect VPN servers after a while and block them.
- Accessing your home network. Setting up a VPN server at home is one way to access devices on your home network (such as self-hosted security cameras, media servers, and remote desktop) without opening up more of your network to the rest of the internet.
There are other more niche use cases for VPNs, but those are the most popular ones that aren't completely made up.
VPNs can be excellent tools in specific circumstances, but they are not must-have services to maintain your privacy and security on the internet. It's not true that a VPN will stop hackers in their tracks, or prevent the U.S. government from seeing your weird Google searches (the government just has to ask).
If you have to ask yourself if you need a VPN, you don't need a VPN.