
A VPN, or virtual private network, is an essential part of any modern-day digital privacy toolkit. It encrypts your online traffic, hiding your public IP address and approximate location, so snoops such as your internet provider can’t tell what websites you visit or internet-connected apps you use. Additionally, you can use a VPN to access region-restricted content, including foreign Netflix libraries or BBC iPlayer. However, even the best VPNs have their limitations when it comes to protecting your privacy.
While VPNs can reduce the amount of data collected about you and even protect against certain security threats such as adversary-in-the-middle attacks, they don’t solve every privacy problem on the internet, nor do they offer protection against most security threats, such as malware.
Although the most reputable VPN providers are transparent about what they can and can’t protect against, there are still plenty of exaggerated VPN marketing claims online that have, unfortunately, created unrealistic expectations about what a VPN can actually do.
A VPN doesn’t make you anonymous online
It’s easy to assume that a VPN gives you an all-encompassing invisibility cloak on the internet — but that’s far from the truth. While a VPN does give you a sizable privacy boost by hiding your online activity from your internet provider, network administrator, government entities and other prying eyes, and by preventing websites and online services from seeing your approximate physical location, it can’t make you anonymous.
As you visit websites and use apps, you leave a trail of breadcrumbs. Browser fingerprinting, or online fingerprinting, is a tracking technique used by websites to collect information such as your browser type, operating system, time zone, language preferences, screen resolution and public IP address to create your unique online “fingerprint.” Websites can then use this fingerprint to identify and track your activities across the web.
A VPN can’t hide your identity when you’re logged into accounts — such as Amazon or Best Buy while shopping, or Google or Facebook — because those companies can still identify you and continue tracking your purchases, browsing habits, searches and interests. This information can then contribute to your online profile and be used for advertising purposes.
A VPN also doesn’t protect you from sending your personal information to cybercriminals via phishing scams — a type of cyberattack that uses social engineering techniques to trick you into clicking a malicious link or sharing sensitive information, such as your banking details, usernames, passwords or even your Social Security number.
Fortunately, while a VPN can’t prevent browser fingerprinting or stop websites from identifying you after you log in, you can protect your privacy against cookies, online trackers and other browser-based threats with dedicated browser security tools. Extensions such as Bitdefender TrafficLight and Malwarebytes Browser Guard block several types of trackers, including advertising trackers, warn you about malicious and scam websites and even provide some level of malware protection.
A VPN does little for security
A VPN secures your online connection and masks your public IP address, but it doesn’t protect you from malware, phishing or other threats. That’s because VPNs are privacy tools, not security apps. A VPN on its own doesn’t offer malware protection, meaning that even with one enabled, you still run the risk of downloading a malicious application or file that infects your device with a virus, adware, spyware or ransomware and exposes your private information.
Still, VPNs can mitigate a few security threats by encrypting your internet traffic. One example is an adversary-in-the-middle attack, where a cybercriminal positions themselves between your device and the website you’re communicating with in an attempt to silently intercept your data.
Because the vast majority of current websites use modern encryption, like what’s included in HTTPS, AiTM attacks are generally harder to pull off. However, while unlikely, they aren’t impossible, particularly when you’re connected to an unsecured public Wi-Fi network, such as one in an airport or cafe. In these situations, a VPN’s end-to-end encryption may prevent attackers on the same network from snooping on your data. But a VPN and secure connections to websites or apps won’t help if you’re sending data directly to a bad actor — some scam websites have HTTPS, so you’ll need to look for signs to avoid scams.
Although VPNs aren’t all-in-one security solutions on their own, many providers now bundle their VPN services with antivirus software and other cybersecurity features, such as ad blocking, phishing protection, password managers, identity protection and dark web monitoring. This allows you to get an all-in-one internet security package while often spending less than you would by purchasing each tool separately.
That said, it’s important to remember that these are additional features some VPN providers include with their subscriptions — and they may not be functionalities a VPN typically provides. Plus, there are pros and cons to bundling, so the à la carte route to cybersecurity apps may be a better fit.
Your VPN won’t protect you from certain leaks
Most reputable VPNs offer protection against DNS leaks, which occur when your personal information, such as your IP address, location and the websites you’re visiting, bypass your VPN tunnel’s encryption and becomes visible to your internet provider or other snoopers. However, less effective VPNs may not protect you against DNS leaks. Plus, even if you’re using a quality VPN, it’s always a good privacy habit to regularly check whether your VPN is working properly..
However, a VPN can’t protect you from every privacy risk. Some VPN apps can’t protect against WebRTC leaks, as these occur due to vulnerabilities in your browser — whether that’s Chrome, Firefox, Opera, Safari, Brave or any other Chromium-based browser — rather than the VPN connection itself. WebRTC, or Web Real-Time Communication, is otherwise a very useful technology that enables direct browser-to-browser communication, allowing you to perform tasks such as video chatting, voice calling and peer-to-peer file sharing directly in your browser without downloading any additional apps or extensions.
However, because WebRTC uses your device’s network information — including your IP address — to establish direct peer-to-peer connections, websites may be able to discover your real IP address if your browser exposes this information. This is something a VPN app alone cannot always prevent. That said, some VPN browser extensions can mitigate WebRTC leaks by controlling WebRTC behavior and preventing your real IP address from being exposed.
Be careful which VPN you trust with your privacy
A VPN can protect your privacy, but only insofar as it’s reliable. After all, all of the private information a VPN vows to protect — including your IP address and browsing activity — is visible to the VPN itself. As such, your VPN provider must keep that information private and not share it with any third parties.
That’s why it’s important to pick a trustworthy VPN. To do so, look for VPNs with a clear, detailed no-logs policy that affirms its commitment not to record your browsing sessions while connected to a VPN server and that avoids excessive technical jargon. You should look for transparency reports that clearly indicate the provider’s commitment to protecting your information not only from leaks, but also show how they handle requests from the government or court orders.
The VPN company’s privacy policy should clearly outline the information it does collect for operational purposes, such as crash reports or bandwidth usage, rather than simply claiming that it collects nothing at all.
However, because a no-logs policy is ultimately just a written promise, you shouldn’t rely on it alone. Instead, prioritize VPNs that undergo regular audits, where independent third-party evaluators back up the provider’s privacy claims. While we don’t recommend choosing VPNs that haven’t been independently audited, keep in mind that audits don’t paint the full picture. They only confirm that a VPN lives up to its privacy claims at the time of the audit, not necessarily before or after it. That’s why we recommend choosing VPNs that undergo regular independent audits, ideally at least once a year.
Lastly, consider the VPN’s jurisdiction. While it’s helpful if the provider is based outside the Five Eyes, Nine Eyes and 14 Eyes intelligence-sharing alliances, it’s also important that the country’s laws don’t require VPN providers to log user data or web traffic.
VPNs are great for privacy, but are only one piece of the cybersecurity puzzle
A VPN can help improve your online privacy and bypass blocks such as region restrictions, but you’ll need more apps as part of your privacy and security toolkit. I recommend using reliable antivirus software and a password manager. Depending on your needs and risk level, you may also benefit from identity protection services. While I suggest using various apps, the good news is that there are great budget-friendly (even no-cost) options, such as reputable free antivirus software, including built-in solutions, like Microsoft Defender on Windows, so privacy and security don’t have to cost you a lot of money.







