The VPN Hype Problem
Virtual Private Networks (VPNs) are among the most aggressively marketed security tools available. Ads routinely claim they make you "invisible online," "completely anonymous," and immune to "hackers." These claims sell subscriptions — but they don't accurately represent what a VPN does. Understanding the real capabilities and limitations helps you make smarter security decisions.
What a VPN Actually Does
At its core, a VPN does two things:
- Encrypts your internet traffic between your device and the VPN server, preventing your ISP or anyone on your local network from reading it.
- Masks your IP address from websites and services you connect to — they see the VPN server's IP address instead of yours.
That's it. Everything else is either a bonus feature, a marketing embellishment, or a misunderstanding.
Myth vs. Reality Breakdown
Myth: "A VPN makes you anonymous online"
Reality: A VPN masks your IP address, but you can still be identified through browser fingerprinting, cookies, logged-in accounts, and behavioural tracking. If you're signed into Google while using a VPN, Google still knows exactly who you are. True anonymity requires a completely different approach (such as Tor) and significant operational discipline.
Myth: "A VPN protects you from hackers"
Reality: A VPN protects traffic in transit on untrusted networks (like public Wi-Fi). It does not protect you from malware on your device, phishing attacks, weak passwords, or software vulnerabilities. If your device is already compromised, a VPN does nothing to help.
Myth: "A VPN hides everything from your government"
Reality: VPN providers are subject to the laws of the country in which they are based. A provider operating under a jurisdiction with mandatory data retention laws or subject to a lawful court order may be compelled to hand over data. Even "no-logs" providers have faced legal scrutiny. A VPN reduces surveillance exposure, but is not a guaranteed shield against law enforcement.
Myth: "Free VPNs are just as good as paid ones"
Reality: Free VPN services must fund themselves somehow. Many monetise by logging and selling user data — the exact opposite of their stated privacy purpose. Some free VPNs have been caught injecting ads, tracking users, or even selling their users' bandwidth. If you're not paying for the product, the product is often your data.
Myth: "A VPN stops websites from tracking you"
Reality: Websites primarily track users through cookies, pixels, and browser fingerprinting — none of which a VPN affects. Changing your IP address does not prevent Google Analytics, Facebook Pixel, or ad networks from building a profile on your browsing behaviour.
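To make the anonymity and tracking myths above concrete, the following added example (not part of the original article) simulates what a third-party tracker can log and shows the same browser being linked across a home IP and a VPN exit IP. All requests, field names, cookie values and IP addresses are constructed for illustration, and the four-attribute fingerprint is a simplified assumption; real fingerprinting uses many more signals.

```python
import hashlib
from collections import defaultdict

# Constructed sample requests as a third-party tracker might log them.
# IPs come from documentation ranges (RFC 5737); every value is made up.
REQUESTS = [
    # Same browser, first without and then with a VPN (only the IP changes).
    {"ip": "203.0.113.10", "cookie": "uid=a1b2", "ua": "Firefox/128 (X11; Linux)",
     "lang": "en-GB", "tz": "Europe/London", "screen": "2560x1440", "page": "/news"},
    {"ip": "198.51.100.77", "cookie": "uid=a1b2", "ua": "Firefox/128 (X11; Linux)",
     "lang": "en-GB", "tz": "Europe/London", "screen": "2560x1440", "page": "/shop"},
    # Same browser over the VPN after clearing cookies: fingerprint is unchanged.
    {"ip": "198.51.100.77", "cookie": None, "ua": "Firefox/128 (X11; Linux)",
     "lang": "en-GB", "tz": "Europe/London", "screen": "2560x1440", "page": "/health"},
    # A different person who happens to share the same VPN exit IP.
    {"ip": "198.51.100.77", "cookie": "uid=ffee", "ua": "Chrome/126 (Windows NT 10.0)",
     "lang": "de-DE", "tz": "Europe/Berlin", "screen": "1920x1080", "page": "/sport"},
]

FP_FIELDS = ("ua", "lang", "tz", "screen")  # none of these depend on the IP address


def fingerprint(req):
    """Hash the browser attributes that stay the same behind a VPN."""
    raw = "|".join(req[f] for f in FP_FIELDS)
    return hashlib.sha256(raw.encode()).hexdigest()[:12]


def build_profiles(requests):
    """Group requests into profiles by cookie, falling back to fingerprint."""
    cookie_to_fp = {}  # remembers which fingerprint first presented each cookie
    profiles = defaultdict(lambda: {"ips": set(), "pages": []})
    for req in requests:
        fp = fingerprint(req)
        if req["cookie"]:
            fp = cookie_to_fp.setdefault(req["cookie"], fp)
        profiles[fp]["ips"].add(req["ip"])
        profiles[fp]["pages"].append(req["page"])
    return dict(profiles)


def group_by_ip(requests):
    """What an 'IP address equals identity' model would conclude instead."""
    by_ip = defaultdict(list)
    for req in requests:
        by_ip[req["ip"]].append(req["page"])
    return dict(by_ip)


if __name__ == "__main__":
    for fp, prof in build_profiles(REQUESTS).items():
        print(fp, sorted(prof["ips"]), prof["pages"])
```

The first profile collects pages visited from both IP addresses, including the visit made after cookies were cleared, while grouping by IP alone would wrongly merge two different people behind the shared VPN exit.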
What a VPN IS Good For
| Use Case | Does a VPN Help? |
|---|---|
| Hiding traffic from your ISP | Yes ✓ |
| Using public Wi-Fi safely | Yes ✓ |
| Bypassing geo-restrictions on content | Usually ✓ |
| Preventing browser tracking/cookies | No ✗ |
| Protecting from malware | No ✗ |
| Achieving true anonymity | No ✗ |
| Hiding activity from logged-in accounts | No ✗ |
How to Choose a Trustworthy VPN
If you decide a VPN fits your threat model, look for these characteristics:
- Verified no-logs policy — ideally confirmed through an independent audit or a real-world legal case where no useful data was produced
- Jurisdiction — providers based outside the 5/9/14 Eyes intelligence-sharing alliances face less compelled disclosure pressure
- Open-source clients — auditable code you can inspect or that others have reviewed
- RAM-only servers — data cannot persist across server reboots
- Payment privacy — acceptance of cash or privacy-focused cryptocurrency for those requiring maximum separation
Mullvad and ProtonVPN are frequently cited by privacy researchers as meeting many of these criteria, though you should evaluate any provider based on your own needs and research.
The Bottom Line
A VPN is a useful but limited privacy tool. Use it for what it's actually good at — protecting traffic from your ISP and on public networks — but don't treat it as a complete privacy or security solution. Layer it with good browser privacy practices, 2FA, a password manager, and general security hygiene for a meaningful defence-in-depth approach.