A VPN can protect your privacy, if you use it right. We explain what VPNs do, what they don’t, and how to get the most out of a VPN.
Virtual Private Networks (VPNs) have gone from being an obscure networking concept to big business. You’ve probably seen the ads from your favorite YouTuber, on podcasts, and even during the Superbowl with claims about how a VPN can make you anonymous or let you access free video streaming. Do the products live up to the hype? Although VPNs can be useful tools for protecting your privacy, it’s important to understand how these tools work so you can decide whether they will actually help you. We break down what VPNs do and what they don’t do to help you understand why you’d want one and how to pick the one that’s best for you.
How Do VPNs Work?
When we talk about VPNs, we’re usually talking about a commercial VPN being sold directly to consumers for use in their day-to-day life, but the idea of VPNs has much broader applications than that. Corporations have long used VPN technology to let workers access digital resources no matter where they are, long before COVID-19 made work from home the norm.
When you switch on a VPN, it creates an encrypted connection (sometimes called a “tunnel”) between your device and a remote server operated by the VPN service. All your internet traffic is routed through this tunnel to the server, which then sends the traffic off to the public internet as usual. Data coming back to your device makes the same trip: from the internet, to the VPN server, through the encrypted connection, and back to your machine.
Keep in mind that you don’t need another company to set up a VPN. There are a few options out there to set up your own, such as Outline. Doing so is fairly straightforward, but you’ll either need your own server or rent one. While there are some efforts to make self-hosted VPNs more accessible, it’s something best left to tinkerers who are eager to get their hands (digitally) dirty.
Do VPNs Make You Anonymous Online?
By encrypting your traffic and routing it through a VPN server, it is harder but not impossible for observers to identify you and track your movements online. No VPN can provide total anonymity, but they can help improve your privacy.
For example, your internet service provider (ISP) is probably the single entity with the most insight into what you do online. The FTC issued a report in 2021(Opens in a new window) outlining exactly how much your ISP knows about what you do online, and it’s a lot. Worse, thanks to Congress, your ISP can sell anonymized data about its customers. If you don’t like that a company you’re already paying is profiting from your data or if you have concerns about ISPs hoarding detailed information about your activities, a VPN will help. Not even your ISP can see your web traffic when you use a VPN.
VPNs also make it harder for advertisers and others to track you online. Normally, data is transmitted from the internet to your device using its IP address. When the VPN is active, your true IP address is hidden and anyone watching you can only see the IP address of the VPN server. By hiding your real IP address, VPNs blunt one method used to identify and track you online.
Despite that, VPNs do not make you fully anonymous online. Advertisers, for instance, have numerous ways to identify and track you as you move across the web. Trackers and cookies in websites try to uniquely identify you, and then watch for where you appear next.
Sites and advertisers can also identify you by noting several unique characteristics, such as browser version, screen size, and so on. On their own, this information is harmless, but when companies compile enough of these identifiers, they form a unique signature—so much so that the process is called browser fingerprinting.
That’s not to mention the privacy we give up in exchange for services. Amazon, Google, and Meta (formerly Facebook) have become pillars of the modern internet infrastructure, and are impossible to completely avoid. Even if you deleted all your accounts and never used them again, they’d still probably be able to harvest data on you.
These privacy threats require tools other than VPNs. Ad and tracker blockers, like those found in some browsers or as standalone tools like the EFF’s Privacy Badger(Opens in a new window), address some of these concerns.
Using Tor can guard your privacy even better than a VPN, and grant you access to the Dark Web. Unlike a VPN, Tor bounces your traffic through several volunteer server nodes, making it much harder to trace. It’s also managed by a non-profit organization and distributed for free. Some VPN services will even connect to Tor via VPN, making this arcane system easier to access. The cost to your internet connection is high, however, as using Tor will degrade your connection much more than a VPN. Tor isn’t perfect either, and it has plenty of its own weaknesses(Opens in a new window) to consider.
Keep in mind that law enforcement and government agencies have access to more advanced and invasive techniques. Given enough time, a determined, well-funded adversary can usually get what it’s after.
Do VPNs Protect Against Malware?
Several VPNs say that they include some protection against malicious files. Sometimes this is basic protection against known malicious sites and files. Some VPN services include dedicated antivirus tools as well, and some antivirus companies now offer VPNs.
We don’t typically test the malware detecting abilities of VPNs, since we view VPNs primarily as a privacy product. To address the threat of malware, we believe that standalone anti-malware software—whether it’s one you buy or the one that ships with your computer—does a better job. Also, as a privacy product, we believe VPNs should be paying as little attention to your web traffic as possible.
Do VPNs Keep You Safe Online?
A VPN will hide the contents of your web traffic from some observers and can make it harder for you to be tracked online. But a VPN can, at best, provide only limited protection against the threats you’re most likely to encounter on the web: malware, social engineering scams, and phishing sites.
There are better ways to address these threats. Your browser has built-in tools for detecting phishing sites, and so do most antivirus apps, so pay attention when you see a warning. Use common sense if you see a suspicious pop-up window or receive an unusual email prompting you to take some action. Many people reuse passwords and use weak passwords, so get a password manager to generate and store unique and complex passwords for each site and service that you use. Finally, protect your online accounts and enable multi-factor authentication wherever it’s available.
Do VPNs Hide Your Torrenting and Online Activity?
When a VPN is active, all your traffic is encrypted. This means your ISP can’t see the sites you’re visiting, or the files you’re moving.
But while your ISP maybe can’t see that you’re Torrenting the entire run of Great British Bake Off, they can surmise that you’re using a lot of bandwidth. This alone may be a violation of your terms and conditions. Pirating content may also be a violation of your VPN’s terms and conditions, so be sure to check carefully.
Can VPNs Bypass Censorship?
With a VPN, it’s possible to connect to a VPN server in another country and browse the web as if you were physically where the VPN server is. This can, in some cases, get around local content restrictions and other kinds of censorship. It’s easily the noblest use of a VPN, and VPN companies will often play up their role in protecting internet freedom.
Although it should work, it’s important to know that a VPN doesn’t make your traffic invisible. Observers can see encrypted traffic, but they shouldn’t be able to see the contents of the traffic. However, the encrypted traffic alone might attract unwanted attention. Some VPNs include modes that aim to disguise VPN traffic as more common HTTPS traffic.
We don’t test the ability of VPNs to bypass censorship and have grave concerns that endorsing a product for this ability could put people’s lives at risk if we got it wrong. Simply using a VPN may get you into legal hot water depending on where you are, so know the risks before you try. Remember, no tool can provide total protection, particularly against a well-funded and capable adversary—a nation-state, for example.
Can VPNs Spoof Your Location?
With a VPN, you can connect to a server in a different country and spoof your location. One of the ways to determine where an internet-connected machine is located is to look at its IP address. These addresses are distributed geographically and can sometimes be quite close to your true location. By hiding your true IP address behind the IP address of a VPN server, your true location can be obscured.
But remember that sites and services sometimes have other means of determining your location. Also, many sites are sensitive to changes in expected behavior. If your bank sees someone claiming to be you connecting from Latvia, it may require them to do some additional security checks before granting access. That’s generally a good thing, but it can be daunting when it’s you using a VPN and not a scammer.
Can VPNs Unblock Streaming Content?
Streaming services sometimes offer different content to different countries. Until recently, UK residents could watch Star Trek: Discovery on Netflix, while US residents had to use Paramount+. From the comfort of your home, you can pop over to a far-away VPN server, perhaps to access streaming video unavailable in the US.
Just like government censorship, streaming services know many people use VPNs to access their content and actively work to prevent it. So, while you can use a VPN to stream video online, and we am sure most of you reading this are, it may work but it may also stop working tomorrow.
Can You Trust a VPN?
The biggest problem with VPNs isn’t an issue of technology, but one of trust. Because all your traffic is passing through its systems, a VPN company is in the same position as an ISP. It could, if it wished, see everything you do online and sell that data. It could inject ads into the websites you view. It could keep unnecessary amounts of data that it could then be compelled to hand over to law enforcement.
We want to see VPNs taking every possible measure to protect their customers, but we also need to see transparency. Even when we don’t agree with all their choices, we prefer companies that are upfront about their operations. A VPN should also issue a transparency report that outlines what requests the company has received from law enforcement and how the company responded.
We also like to see third-party audits of VPN services that validate policies and the security of the company’s infrastructure. We have to acknowledge that audits are imperfect tools. Audits are commissioned by the VPN company and the company also outlines the scope of the audit. Still, it’s a valuable way to demonstrate a company’s commitment to transparency.
Do I Need a VPN?
A few years ago, VPNs had a much more well-defined place in your privacy and security toolbox. Back then, most traffic traveled via HTTP, sometimes without any encryption whatsoever. Nowadays, most web traffic is sent via HTTPS, which does encrypt your connection. Looking at HTTPS traffic, an ISP or someone spying on your network can only see the highest level of your traffic’s destination. That’s like seeing PCMag.com and not PCMag.com/max-is-great.
Advertisers have also become more sophisticated in their tracking efforts. Browser fingerprinting and other techniques mean that a VPN’s anonymizing abilities are curbed somewhat. Even a VPN’s lauded ability to spoof locations, bypass censorship, and unblock streaming is less certain as companies and governments have become increasingly aggressive in detecting and blocking VPN traffic.
The rise of sophisticated tracking methods and HTTPS are often cited as reasons why VPNs aren’t worth the money. But it really depends on what you want to use a VPN for. If, for whatever reason, you want your traffic to appear to be coming from another country, a VPN will do that. If you want to make it a little harder for advertisers and others to track you as you move across the web, a VPN can help do that, too. And if you want to ensure that your ISP knows as little about your online activity as possible, a VPN will absolutely do that.
A VPN will not make you invincible online, but it can help protect your privacy. It’s a valuable part of your security and privacy toolbox, and like every tool a VPN works best when you use it for the right job.