You might not realize but, every time you click on a link or simply scroll on your social media feed, you leave behind some digital traces. These might be personal information, like a name, phone number or address. Or worse, the record of what you do online. In any case, your anonymity is compromised.
Commercial corporations are collecting this data with the promise to make your life smarter by customizing your online experience. Governments are doing so under the pretext of national security. Hackers' goal might be stealing your identity or money, while threatening your security. Evidence actually suggests how home users are now the top target for cyber criminals.
If you are worried about your online privacy, you will likely have come across a software that appears to magically solve all of your security problems: a VPN service. Short for Virtual Private Network, it encrypts all the data leaving your device and anonymizes your internet connection by masking your internet protocol (IP) address.
VPN usage have also soared worldwide as governments increasingly restrict the web. Internet shutdowns reached a new high in 2022, in fact, with that toll likely to be beaten by the end of the year. Again, citizens have been exploiting VPNs' IP spoofing ability to keep accessing censored content or blocked apps.
Online freedom is under attack. 💢 #VPNs are essential tools to combat internet #censorship. Watch our video to learn about censorship & check out our page tracking Proton VPN signup spikes to see how they correlate to major geopolitical events worldwide https://t.co/VUjnyKLKvj. pic.twitter.com/rxVmi7mzOzJuly 27, 2023
Whether the reason is better privacy/security online or bypassing geo-restrictions, a VPN is a necessity nowadays. Yet, even the top services and providers can have their own weaknesses. Think about the massive data breach that put more than 69,000 LimeVPN users at risk. Or worse, free VPN services that deliberately sell your sensitive information to third parties for commercial purposes.
So, are VPNs actually safe? Is even the most secure VPN provider enough for protecting your privacy from the mischievous digital world?
How does a VPN protect your privacy?
VPNs use encryption protocols to protect your data from snoopers. Hiding your location and personal information, they make your connection anonymous and private.
Every VPN protocol is responsible for defining how app and server connect with each other as well as the methods used to send and encrypt data. There are several types that VPNs use to secure your flow of information into an encrypted tunnel.
Among them, OpenVPN has historically been the most secure that you can get and many providers offer this protocol. As the name suggests, it's an open source software meaning that anyone can check if the code is working as it should. Its original design dates back to 2001, but much has changed in the tech world over the last 20 years.
A relative newcomer into the world of VPN protocols, WireGuard is now among the choices offered by many providers. Our top choice ExpressVPN has developed its very own Lightway protocol inspired to it, while NordVPN uses it as a basis for its own NordLynx protocol. On top of that, our testing shows that its connection can be up to three times faster than OpenVPN.
Offering a no-logs policy is another effective way to protect your online privacy. It's the VPN provider's guarantee that it will not keep any of your personal data in store. Swedish VPN provider Mullvad, for example, proved the efficacy of its no-logs claims after being hit by an inconclusive police raid.
Some logs are inevitable, but they should be restricted to basic data like your email address or the number of users connecting to the same server. Whereas a logging policy that keeps data on your activities is much more invasive. These include browsing history, DNS requests, URLs visited and usage metadata—the kind of stuff that you wouldn't want revealed in a data breach.
Allowing anonymous payments, like PayPal and Bitcoin, keeps your online banking details safe. Some services don't even ask for your email address to sign up. Always Mullvad allows you to create an account without providing any personal information at all. The provider even axed recurring subscriptions in the name of privacy.
Shared IP addresses is another feature that enhances VPN safety. It tricks the system by assigning the same IP address to multiple users from different locations, basically making it almost impossible to trace you.
Does a VPN service share your data?
Choosing a no-logs VPN is the best bet you have to prevent the service from sharing your data with third parties. Even if the authorities manage to demand access from your provider (in certain criminal investigations, for example), your digital footprint will be protected. This is simply because the company cannot share information that do not exist.
Generally speaking, using a premium service is much better for protecting your online activities - although not even all of those have thorough enough no-logging policies. Many free VPNs use ads that can collect your data for commercial purposes... probably not what you are looking for if you want to be safe online.
And, bear in mind that there are some digital traces that even the top services can fail to secure. If you log into something like a web or social media account, you can still be tracked to a certain extent. Some apps keep your location data, for example.
Can a VPN be hacked?
Sadly, even VPNs can have some faults and weaknesses that hackers can take advantage of. In 2021, several security services have been the target for cyber attacks.
For example, cybercriminals managed to leverage a vulnerability on the Pulse Secure VPN entry point to execute malicious codes. After an investigation, the provider seems to have fixed its VPN issue—at least on paper.
In June, it was then the time of the no-logs service LimeVPN. More than 69,000 users' data was put at risk when a hacker tried to sell them on RaidForums.
Also a bunch of less than reputable Android apps—SuperVPN, Gecko VPN and Chat VPN—failed to protect more than 21 million users. It worth mentioning that SuperVPN had already suffered from a major data breach only a year before.
In 2018, it was a NordVPN data breach to shake the world of cybersecurity. Luckily the hack affected only a single VPN server in Finland, not its central infrastructure. Therefore, the intruder couldn't access sensitive information like user credentials or billing details.
Since then, the company refined its security controls to prevent similar incidents from happening. This includes carrying out independent VPN audits meant to verify the trustworthiness of its privacy policies.
Are VPNs legal to use?
Except for a few countries where they are banned, VPNs are completely legal. Governments, companies and an ever-growing amount of individuals secure their connections through these services every day.
Any use is allowed, but illegal activities that you may carry on online will still be against the law. For example, some people use VPNs for torrenting in order to hide copyright infringements. But you will not be protected in case you’d get caught.
When it comes to using a VPN for streaming, things are a little bit different. Netflix explicitly states in its terms and conditions of not allowing the use of a proxy or VPN. Although, it’s not a criminal offence to do so. In the worst case scenario, you will have your account suspended—more likely, you would have to simply disable the software to carry on watching.
Ultimately, every country has its own legislations that regulate VPNs usage. In at least 10 countries around the world VPNs are either tightly regulated (China, UAE, Iran, Turkey, Pakistan) or completely banned (Russia, Turkmenistan, North Korea, Belarus, Iraq, Myanmar).
We recommend checking your country’s digital privacy laws on this point.
The risk of using a free VPN
Beside having problems unlocking different catalogs on streaming platforms and slowing down your internet connection, the most worrying problem with free services is that they do not often bring the same security protections as paid-for versions.
As research on 283 Android apps showed, 72% of the free services included at least one third-party tracking library against only 35% for the premium versions.
That’s mainly because without asking users a fee, companies need to turn to advertising to make a revenue and keep the software running. Plus, ads do not just disturb your online experience, they are also known to collect your personal information—exactly what you are trying to avoid with a VPN. And, in the worst cases, they may infect your device with malware or viruses.
If you are worried for your privacy and like the idea of trying a service before committing fully, most of the top VPNs offer free-risk trials—you’ll need to pay the money upfront but you can get a refund in the first 30 or 45 days by way of a money-back guarantee.
Another option is opting for a reliable premium VPN offering a no-fee subscription.
Our favorite right now is Proton VPN Free. Even though it comes with some limits—such as unlocking foreign streaming catalogs or safely torrenting—it offers an unlimited data bandwidth, over 100 free servers across three worldwide locations (Japan, the Netherlands and US) as well as some unusual security features for a freebie like split tunneling and DNS leak protection.
Other valid alternatives include Windscribe, TunnelBear, HotspotShield and Hide.me. And, for those looking to download torrents from the web in total security, PrivadoVPN boasts servers supporting P2P sharing. Head to our guide of the best secure free VPN services on the market for more info.
Who owns your VPN provider?
After carefully looking at encryption protocols, privacy and logging policies, there is a last element that you should probably check before making up your mind: the parent company producing your VPN service.
This is an area not without its controversies. Research from VPNpro found that only 24 companies actually own or operate at least 104 VPN products available on the market. So, products that don't initially seem connected can actually be operate by the same company.
The ownership of VPN services seems to keep changing, too. Take popular provider IPVanish, as an example. It was originally founded by the Highwinds Network Group, which was acquired by StackPath in 2017. In turn, it was one of the services then purchased by J2 Global in 2019...a company that subsequently changed its name to Ziff Davis, Inc. Are you following!?
There's obviously nothing wrong with that—corporations are welcome to acquire and sell as they please—but sometimes the apparent lack of transparency can create confusion and raise questions for VPN users wanting to know exactly who has their data.
VPNs in global jurisdictions
Another potential problem could be when a company operates in countries where strict laws regulating VPN usage are in place—like China, Russia or even the US. These are territories in which VPN providers may sometimes have to comply with government requests under specific investigations to hand over some user data.
The above-mentioned IPVanish operates under the US-based Ziff Davis, for example.
While its co-founder and CEO is Pakistani entrepreneur Uzair Gadit, PureVPN seems now to be owned by Honk-Kong based GZ Systems Limited. However, it also results to be part of the security firm Gaditek based in Pakistan—a country that has previously passed cyber-crime laws that have sparked concerns among activists and human rights groups for its potential dangers to civil liberties.
The Edward Snowden revelations in 2013 brought under the spotlight the existence of some intelligence-sharing agreements between nations. In addition to the initial Five Eyes Alliance—the US, UK, Canada, Australia and New Zealand—two more agreements have been confirmed (Nine and Fourteen Eyes countries). Among these, the original group appears to be the most interested in your data.
To ensure confidence that your data is as secure as possible, you could consider choosing a VPN that is based outside of these countries.
In fact, many providers choose to set up base in countries well known for being privacy havens. These include the British Virgin Islands (where ExpressVPN is based), Panama, Seychelles, The Cayman Islands and Malaysia.
Can you trust your VPN company?
There's also the potential for a company with a history of vulnerabilities or malicious activities can be hidden behind a different VPN provider name without you not knowing it.
Let's look at Kape Technologies as an example. It changed its name from Crossrider in 2018 after it was reported that people using its platforms were infected with malware.
As the company explained to Restore Privacy: "The Crossrider SDK and development platform was used by tens of thousands of independent developers to create cross-browser extensions, and unfortunately a small number of bad actors misused the platform to develop adware and malware.
"Kape is now a leading privacy-first digital security software provider, with a fully refreshed team."
In the very same week, the news of ExpressVPN's CIO Daniel Gericke involvement with Project Raven caused a greater stir still. The UAE cybersecurity operation included the building of a hacking system able to exploit an iPhone's vulnerability for taking over target devices without needing any clicks or other user interactions. Leading to comments online like this...
If you're an ExpressVPN customer, you shouldn't be. https://t.co/l8us92W0BQSeptember 16, 2021
In its official statement, the popular VPN provider explained its decision of continuing being involved with Gericke whilst condemning the UAE's conduct. They also put in place new practices to verify the credibility of its software.
More recently, Kape technologies was the latest company to join the wave of tech layoffs cutting around 180 employees. Many high-level executives were among those affected, with big names like Dan Gericke walking away from the business, raising questions whether these events will ultimately impact the security of its products.
What are VPN providers doing to ensure your safety?
It may sometimes sound like doom and gloom, but the biggest names across the VPN world are reacting to their vulnerabilities.
Many providers—like Express, Nord, ProtonVPN and Private Internet Access—are investing in different solutions to offer a more reliable and secure product to their users. These include dropping their least secure protocols, increasing the transparency over their policies (with independent VPN audits, for example) as well as improving the software infrastructure.
As TechRadar's Cybersecurity Specialist Mike Williams explains, a VPN's security starts at the protocol level. In the past, providers tried to compete by offering more protocols than anyone else, not always putting security as their priority. Due to a shift into the market, their offer is now limited to the safest encryption methods like WireGuard and OpenVPN.
He said: "Trust should be key in your choice of VPN, and that’s something providers understand very well, with many now making significant efforts to improve transparency."
That's why Private Internet Access, ProtonVPN, Mullvad, AirVPN and others have fully moved to open-source apps. As a result, anyone can check out the code and see exactly how the software works. Despite ExpressVPN not offering open-source apps, it releases its own encryption protocol Lightway under an open source license.
"The real change is providers finally realizing that shouting NO LOGGING on their website is no longer enough," sas Williams. "They now understand it’s necessary to provide some supporting evidence, and more and more of them are doing exactly that through public security and no log audits."
When it comes to significant VPN safety improvements, these aren’t always visible to the end user. They’re hidden away in the infrastructure, how it’s built and organized. And, many of those have come about simply as providers learned from their mistakes.
When it comes to that NordVPN breach, Williams explained: "Since the 2018 data breach, the company has moved to take far more control of its network. Its latest collocated servers are wholly owned and controlled by Nord, allowing to manage every aspect of how its hardware operates."
Are VPNs safe? What to do to stay secure online
Use a Tor browser together with your VPN service: Will slow down your connection, but your anonymity will improve.
Change your passwords often: Annoying we know, but a really good security practice. Especially the most important ones, like online banking and emails. Consider getting a password manager to help you with this.
Clear your location footprints: Especially on your smartphone, make sure to go through each app’s permissions and turn off the location services where you can.
So, if you were under the impression that VPNs are always enough to prevent hacks and data breaches, they clearly aren't—but then nor are antivirus or any other regular security tools in isolation. Even though using a good security software can considerably help you mellow the risks, you will never be 100% safe online (sorry!).
Despite this, using a reliable VPN can still make online threats way less dangerous. The biggest providers are investing time and money to make sure their software, privacy policies and transparency are the most secure they can be.
Either way, we suggest that you always take the utmost care when online, preferably sharing less details about yourself at all times—and that's where using a VPN can really help.
Sign up to receive daily breaking news, reviews, opinion, analysis, deals and more from the world of tech.
Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to email@example.com