Are VPNs really safe? How to check your service's security

digital data lock on screen
(Image credit: Shutterstock)

You might not realize but when you're browsing the internet, whether this is clicking on links or simply scrolling on your social media feed, you're leave behind digital traces. This digital trace can be anything from personal information, like your name, phone number or address, or at worse, can be record of what you do online. In any case, your anonymity is compromised. 

Commercial corporations are collecting this data under the guise of making your life smarter by customizing your online experience. Governments are doing so under the pretext of national security. Hackers are using this data to steal your identity or money, while threatening your security. Evidence actually suggests that home devices are now the top target for cyber criminals, meaning all of these things are targeting you in your own home.

If you are worried about your online privacy, you will likely have come across a software that appears to magically solve all of your security problems: a VPN service. Short for Virtual Private Network, it encrypts all the data leaving your device and anonymizes your internet connection by masking your internet protocol (IP) address.

VPN usage has also soared worldwide as governments increasingly restrict the web. Internet shutdowns were on the rise in 2023, a trend that is likely to continue this year. Again, citizens have been exploiting VPNs' IP spoofing ability to keep accessing censored content or blocked apps.

Whether the reason is better privacy/security online or bypassing geo-restrictions, a VPN is a necessity nowadays. Yet, even the top services and providers can have their own weaknesses. For example, in February it was revealed that a flaw in ExpressVPN's split tunneling feature may have been causing DNS leaks and leaking user's private information for years. 

Worse than this, if you use an unsafe free VPN service, it may deliberately sell your sensitive information to third parties for commercial purposes. 

So, are VPNs actually safe? Is even the most secure VPN provider enough for protecting your privacy from the mischievous digital world?

How does a VPN protect your privacy?

VPNs use encryption protocols to protect your data from snoopers. Hiding your location and personal information, they make your connection anonymous and private. 

Every VPN protocol is responsible for defining how app and server connect with each other as well as the methods used to send and encrypt data. There are several types that VPNs use to secure your flow of information into an encrypted tunnel. 

Among them, OpenVPN has historically been the most secure that you can get and many providers offer this protocol. As the name suggests, it's an open source software meaning that anyone can check if the code is working as it should. Its original design dates back to 2001, but much has changed in the tech world over the last 20 years. 

A relative newcomer into the world of VPN protocols, WireGuard is now among the choices offered by many providers. Our top choice NordVPN uses it as a basis for its own NordLynx protocol, while ExpressVPN has developed its very own Lightway protocol inspired by it. On top of that, our testing shows that its connection can be up to three times faster than OpenVPN.

A digital image depicting a VPN

(Image credit: Shutterstock)

Offering a no-logs policy is another effective way to protect your online privacy. It's the VPN provider's guarantee that it will not keep any of your personal data in store. Swedish VPN provider Mullvad, for example, proved the efficacy of its no-logs claims after being hit by an inconclusive police raid.  

Other providers rely on more orthodox methods (namely external audits) to prove they really do have no-logs policies. ExpressVPN has just completed its 18th external audit, proving once again that it does not track users' data.

Some logs are inevitable, but they should be restricted to basic data like your email address or the number of users connecting to the same server. Whereas a logging policy that keeps data on your activities is much more invasive. These include browsing history, DNS requests, URLs visited and usage metadata—the kind of stuff that you wouldn't want revealed in a data breach.

Allowing anonymous payments, like PayPal and Bitcoin, keeps your online banking details safe. Some services don't even ask for your email address to sign up. Always Mullvad allows you to create an account without providing any personal information at all. The provider even axed recurring subscriptions in the name of privacy.

Shared IP addresses is another feature that enhances VPN safety. It tricks the system by assigning the same IP address to multiple users from different locations, basically making it almost impossible to trace you.

Does a VPN service share your data?

Choosing a no-logs VPN is the best bet you have to prevent the service from sharing your data with third parties. Even if the authorities manage to demand access from your provider (in certain criminal investigations, for example), your digital footprint will be protected. This is simply because the company cannot share information that do not exist. 

Generally speaking, using a premium service is much better for protecting your online activities - although not even all of those have thorough enough no-logging policies. Many free VPNs use ads that can collect your data for commercial purposes... probably not what you are looking for if you want to be safe online.

It's also important to bear in mind that there are some digital traces that even the top services can fail to secure. If you log into something like a web or social media account, you can still be tracked to a certain extent. Some apps keep your location data, for example. 

Can a VPN be hacked?

Sadly, even VPNs can have some faults and weaknesses that hackers can take advantage of.

For example, in January of this year, hackers exploited a security flaw with Ivanti VPN in order to deploy all sorts of malware. The VPN provider was then attacked again with a similar modus operandi just a month later, in February 2024.

In May 2024, Check Point issued a warning to its customers that its VPN services were being targeted by hackers attempting to gain access to company networks, and by extension, their data.

Back in 2023, it was revealed that free VPN service, SuperVPN, had leaked over 360 million user data records online. The personal information exposed included email addresses, original IP address, geolocation records, unique users' identifiers, references to visited websites, and more.

Hacker

(Image credit: ozrimoz / Shutterstock)

In 2018, our top VPN provider NordVPN suffered a data breach that shook the world of cybersecurity. Luckily the hack affected only a single VPN server in Finland, not its central infrastructure. Therefore, the intruder couldn't access sensitive information like user credentials or billing details.

Since then, the company refined its security controls to prevent similar incidents from happening. This includes carrying out independent VPN audits meant to verify the trustworthiness of its privacy policies. 

Are VPNs legal to use?

Except for a few countries where they are banned, VPNs are completely legal. Governments, companies and an ever-growing amount of individuals secure their connections through these services every day.

Any use is allowed, but illegal activities that you may carry on online will still be against the law. For example, some people use VPNs for torrenting in order to hide copyright infringements. But you will not be protected in case you’d get caught. 

When it comes to using a VPN for streaming, things are a little bit different. Netflix explicitly states in its terms and conditions of not allowing the use of a proxy or VPN. Although, it’s not a criminal offence to do so. In the worst case scenario, you will have your account suspended—more likely, you would have to simply disable the software to carry on watching.

Icon of blocked VPN on a black smartphone screen on a man hands. Blocking VPN services concept

(Image credit: Getty Images)

Ultimately, every country has its own legislations that regulate VPNs usage. In at least 10 countries around the world VPNs are either tightly regulated (China, UAE, Iran, Turkey, Pakistan) or completely banned (Russia, Turkmenistan, North Korea, Belarus, Iraq, Myanmar). 

We recommend checking your country’s digital privacy laws on this point.

The risk of using a free VPN

Beside having problems unlocking different catalogs on streaming platforms and slowing down your internet connection, the most worrying problem with free services is that they do not often bring the same security protections as paid-for versions. 

As research on 283 Android apps showed, 72% of the free services included at least one third-party tracking library against only 35% for the premium versions.

That’s mainly because without asking users a fee, companies need to turn to advertising to make a revenue and keep the software running. Plus, ads do not just disturb your online experience, they are also known to collect your personal information—exactly what you are trying to avoid with a VPN. In the worst case scenario, they may infect your device with malware or viruses.

If you are worried for your privacy and like the idea of trying a service before committing fully, most of the top VPNs offer free-risk trials—you’ll need to pay the money upfront but you can get a refund in the first 30 or 45 days by way of a money-back guarantee.

Another option is opting for a reliable premium VPN offering a no-fee subscription. 

Our favorite right now is PrivadoVPN Free. Even though it comes with some limits—for example its 10 GB data limit and the fact it is not available on Linux—it offers an unlimited data bandwidth, over 100 free servers across three worldwide locations (Japan, the Netherlands and US) as well as some unusual security features for a freebie like split tunneling and supporting P2P sharing.

Other valid alternatives include ProtonVPN, Windscribe, TunnelBear, HotspotShield and Hide.me.  Head to our guide of the best secure free VPN services on the market for more info.

Who owns your VPN provider?

After carefully looking at encryption protocols, privacy and logging policies, there is a last element that you should probably check before making up your mind: the parent company producing your VPN service. 

This is an area not without its controversies. Research from VPNpro found that only 24 companies actually own or operate at least 104 VPN products available on the market. So, products that don't initially seem connected can actually be operate by the same company. 

The ownership of VPN services seems to keep changing, too. Take popular provider IPVanish, as an example. It was originally founded by the Highwinds Network Group, which was acquired by StackPath in 2017. In turn, it was one of the services then purchased by J2 Global in 2019...a company that subsequently changed its name to Ziff Davis, Inc.

Plus, in March 2024, Atlas VPN shut down and handed over its operations to NordVPN, automatically migrating all its users.

There's obviously nothing wrong with this—corporations are welcome to acquire and sell as they please—but sometimes the apparent lack of transparency can create confusion and raise questions for VPN users wanting to know exactly who has their data.

VPNs in global jurisdictions

Another potential problem could be when a company operates in countries where strict laws regulating VPN usage are in place—like China, Russia or even the US. These are territories in which VPN providers may sometimes have to comply with government requests under specific investigations to hand over some user data.

The above-mentioned IPVanish operates under the US-based Ziff Davis, for example. 

While its co-founder and CEO is Pakistani entrepreneur Uzair Gadit, PureVPN seems now to be owned by Honk-Kong based GZ Systems Limited. However, it also results to be part of the security firm Gaditek based in Pakistan—a country that has previously passed cyber-crime laws that have sparked concerns among activists and human rights groups for its potential dangers to civil liberties. 

cybersecurity

(Image credit: Future)

The Edward Snowden revelations in 2013 brought under the spotlight the existence of some intelligence-sharing agreements between nations. In addition to the initial Five Eyes Alliance—the US, UK, Canada, Australia and New Zealand—two more agreements have been confirmed (Nine and Fourteen Eyes countries). Among these, the original group appears to be the most interested in your data. 

To ensure confidence that your data is as secure as possible, you could consider choosing a VPN that is based outside of these countries.

In fact, many providers choose to set up base in countries well known for being privacy havens. These include the British Virgin Islands (where ExpressVPN is based), Panama, Seychelles, The Cayman Islands and Malaysia.

Can you trust your VPN company?

There's also the potential for a company with a history of vulnerabilities or malicious activities can be hidden behind a different VPN provider name without you not knowing it. 

Let's look at Kape Technologies as an example. It changed its name from Crossrider in 2018 after it was reported that people using its platforms were infected with malware.

As the company explained to Restore Privacy: "The Crossrider SDK and development platform was used by tens of thousands of independent developers to create cross-browser extensions, and unfortunately a small number of bad actors misused the platform to develop adware and malware.

"Kape is now a leading privacy-first digital security software provider, with a fully refreshed team."

In 2021 the company bought ExpressVPN, in what became the industry's largest ever deal.

In the very same week, the news of ExpressVPN's CIO Daniel Gericke involvement with Project Raven caused a greater stir still. The UAE cybersecurity operation included the building of a hacking system able to exploit an iPhone's vulnerability for taking over target devices without needing any clicks or other user interactions. Leading to comments online like this...

In its official statement, the popular VPN provider explained its decision of continuing being involved with Gericke whilst condemning the UAE's conduct. They also put in place new practices to verify the credibility of its software. 

They wrote: "To begin with, we’ll be increasing the cadence of our existing third-party audits to annually rectify our full compliance with our Privacy Policy, including our policy of not storing any activity or connection logs. This is just a first step, and we will continue to strive to earn your trust."

More recently, Kape technologies was the latest company to join the wave of tech layoffs cutting around 180 employees. Many high-level executives were among those affected, with big names like Dan Gericke walking away from the business, raising questions whether these events will ultimately impact the security of its products. 

What are VPN providers doing to ensure your safety?

It may sometimes sound like doom and gloom, but the biggest names across the VPN world are reacting to their vulnerabilities.

Many providers—like Express, Nord, ProtonVPN and Private Internet Access—are investing in different solutions to offer a more reliable and secure product to their users. These include dropping their least secure protocols, increasing the transparency over their policies (with independent VPN audits, for example) as well as improving the software infrastructure

As TechRadar's Cybersecurity Specialist Mike Williams explains, a VPN's security starts at the protocol level. In the past, providers tried to compete by offering more protocols than anyone else, not always putting security as their priority. Due to a shift into the market, their offer is now limited to the safest encryption methods like WireGuard and OpenVPN.

He said: "Trust should be key in your choice of VPN, and that’s something providers understand very well, with many now making significant efforts to improve transparency."

That's why Private Internet Access, ProtonVPN, Mullvad, AirVPN and others have fully moved to open-source apps. As a result, anyone can check out the code and see exactly how the software works. Despite ExpressVPN not offering open-source apps, it has released its own encryption protocol Lightway under an open source license. 

ExpressVPN Lightway Protocol

(Image credit: ExpressVPN)

"The real change is providers finally realizing that shouting NO LOGGING on their website is no longer enough," sas Williams. "They now understand it’s necessary to provide some supporting evidence, and more and more of them are doing exactly that through public security and no log audits."

When it comes to significant VPN safety improvements, these aren’t always visible to the end user. They’re hidden away in the infrastructure, how it’s built and organized. Additionally, many of them have come about simply as providers learned from their mistakes.

When it comes to that NordVPN breach, Williams explained: "Since the 2018 data breach, the company has moved to take far more control of its network. Its latest collocated servers are wholly owned and controlled by Nord, allowing to manage every aspect of how its hardware operates."

Are VPNs safe? What to do to stay secure online

Tips to improve your online security

Use a Tor browser together with your VPN service: Will slow down your connection, but your anonymity will improve.

Change your passwords often: Annoying we know, but a really good security practice. Especially the most important ones, like online banking and emails. Consider getting a password manager to help you with this.

Clear your location footprints: Especially on your smartphone, make sure to go through each app’s permissions and turn off the location services where you can.

So, if you were under the impression that VPNs are always enough to prevent hacks and data breaches, they clearly aren't—but then neithee are antivirus or any other regular security tools in isolation. Even though using a good security software can considerably help you mellow the risks, you will never be 100% safe online (sorry!).

Apps and software can collect data, like location, directly from your device. Websites use cookies that gather some of your personal information for several purposes.

Despite this, using a reliable VPN can still make online threats way less dangerous. The biggest providers are investing time and money to make sure their software, privacy policies and transparency are the most secure they can be.

Either way, we suggest that you always take the utmost care when online, preferably sharing less details about yourself at all times—and that's where using a VPN can really help.

Chiara Castro
Senior Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com

With contributions from