What a VPN Actually Protects (and What It Doesn't)

VPN companies spend enormous sums on sponsorships, and that money buys a very specific story: the internet is a dark alley, hackers are reading everything you send, and ninety-nine cents a month makes you invisible. The technology underneath is real and useful. The story is mostly false — not because VPNs are scams, but because the problem they solved best was largely fixed by something else while the ad reads stayed frozen in 2014. Let's take the claims one at a time.

"Hackers on public Wi-Fi can see your passwords" — mostly no, anymore

This was once true. Then the web encrypted itself: HTTPS now covers the overwhelming majority of traffic — every login page, every bank, every major site — and browsers actively warn on the exceptions. A snooper on café Wi-Fi today sees which servers you're talking to, but the contents — passwords, messages, card numbers — are already encrypted end-to-end by TLS before any VPN gets involved. A VPN re-wraps that encrypted traffic in a second layer. Extra wrapping on a sealed envelope isn't worthless, but it isn't the difference between exposed and safe that the ads imply. (The risks that genuinely remain on public networks are different and smaller, and I've given them their own article.)

"Military-grade encryption protects you from viruses and hackers" — category error

A VPN is a pipe, not a guard. Malware rides through an encrypted tunnel exactly as comfortably as through an open connection; a phishing site loads beautifully over a VPN; a scam is a scam at any encryption strength. Nothing about tunneling inspects, filters, or judges what you fetch. The defenses against those threats are the unglamorous ones — an updated system, a hardened browser, Defender's protections actually switched on, and the habits that defeat phishing. Some VPN apps bundle a malicious-domain blocklist as a side feature, which is nice, and which your DNS resolver can also do for free (Quad9, or your own Pi-hole).

"Browse anonymously" — no. Visibility just moves

This is the claim that most deserves a red pen. Without a VPN, your ISP sees the domains you visit. With one, the VPN provider sees them instead — total visibility, relocated to a company whose logging practices you're taking on faith. "No-logs" is a promise; independent audits and court-tested incidents make some promises more credible than others, but it remains trust, not magic.

Meanwhile the tracking that actually follows you around the web doesn't care about your IP address: you're identified by cookies, account logins, and browser fingerprinting. Sign in to Google over a VPN and Google knows precisely who you are; the ad-tech graph reconstructs you in minutes. If your threat model genuinely requires anonymity — activism, journalism, a hostile environment — the tool designed for that is Tor, which routes through multiple independent relays so no single party sees both who you are and where you're going, at a steep speed cost. A commercial VPN is a privacy shift; Tor is a privacy architecture. Different tools, different problems.

So what is a VPN actually good for? Quite a lot, honestly

  • Hiding activity from your ISP — the domains you visit are your ISP's to log, profile, and in some jurisdictions sell. A trustworthy VPN takes that away from them. For many people this is the single best honest reason to pay for one.
  • Untrusted network operators — hotel networks, conference Wi-Fi, that one airport: the operator can't see your DNS lookups and destinations through a tunnel, and can't tamper with your traffic (injected ads and redirects on hotel networks are not hypothetical).
  • Location shifting — streaming catalogs, regional pricing, services blocked where you are. The cat-and-mouse with streaming services is eternal; this works often, not always.
  • Reaching your own network — the self-hosted kind of VPN (WireGuard on your router, or Tailscale) is the correct way to reach home machines from outside, as I keep insisting in the RDP guide. Note this is the inverse use case: not hiding from the network you're on, but joining one you trust.
  • Evading censorship — in filtered environments, with the caveat that this enters legal-risk territory that varies by country and is beyond a how-to blog's pay grade.

If you do buy one, buy on these and ignore the rest

The honest selection criteria fit in a paragraph. Independent no-log audits, plural and recent, by named firms — and bonus credibility if a real-world incident (server seizure, court order) produced nothing. Modern protocol: WireGuard, or the provider's WireGuard-derived implementation; it's faster and has a far smaller attack surface than the legacy stacks. A kill switch that blocks traffic if the tunnel drops, so you don't leak quietly. Honest jurisdiction and ownership — a surprising number of brands are the same few conglomerates in trench coats; know who you're paying. And the eternal rule of free services: a free VPN is the product selling you — your browsing data is the revenue. The defensible free exception is limited-bandwidth tiers from audited paid providers, useful as trials. Speed-wise, any decent WireGuard provider costs you little enough that you'll forget it's on — which is also the right way to run it: pick the configuration once, leave it, and stop thinking about it.

Do you need one?

You travel and work from hotels and airports weekly — yes, reasonable purchase, mostly for the untrusted-operator reasons. You're privacy-conscious and dislike your ISP's data practices — yes, that's the honest core use case; pick an audited provider. You want foreign Netflix — sure, with managed expectations. You want to be "safe from hackers" — your money is better spent on nothing at all: the protections that address that fear are free and already on your machine, a few settings away. You need real anonymity — Tor, and a much longer conversation than this article.