Do You Actually Need a VPN? (The Honest Answer)

VPNs are one of the most marketed privacy tools on the internet — and one of the most misunderstood. You've probably seen the ads: a celebrity endorsing a VPN that will make you "invisible online," keep hackers away, and protect your privacy forever. Most of it is exaggerated. But that doesn't mean you don't need one.

Here's an honest breakdown of what a VPN actually does, when it genuinely helps, and when it doesn't matter.

What a VPN Actually Does

A VPN (Virtual Private Network) does two things:

  1. It encrypts your internet traffic between your device and the VPN server, so anyone watching your connection — your ISP, a coffee shop's network, a hacker on the same Wi-Fi — can't read what you're sending and receiving.
  2. It masks your IP address from the websites you visit. Instead of seeing your real IP (which reveals your approximate location and your internet provider), websites see the VPN server's IP address.

That's genuinely useful. But notice what's not on that list: a VPN doesn't make you anonymous. It doesn't stop websites from tracking you with cookies or browser fingerprinting. It doesn't prevent Google from logging your searches if you're signed in. It doesn't protect you from malware.

A VPN is a specific tool for a specific job — not a magic privacy shield.

When You Definitely Need One

On public Wi-Fi. This is the clearest use case. Coffee shop networks, airport Wi-Fi, hotel internet — these are unencrypted networks where other people on the same network can potentially intercept your traffic. A VPN encrypts everything you send over that connection. If you ever use public Wi-Fi, you should have a VPN running.

To prevent ISP tracking. Your internet service provider can see every website you visit and, in the US, can legally sell that browsing data to advertisers. A VPN moves that visibility from your ISP to your VPN provider, which is only an improvement if you pick a VPN that has a verified no-log policy (more on that below).

When traveling internationally. Some countries block access to certain websites or monitor internet traffic more aggressively. A VPN routes your traffic through a server in another country, bypassing geographic restrictions and making your traffic harder to monitor.

For privacy from your own network. If you're on a shared network — a university, a workplace, an apartment building — the network administrator can see your traffic. A VPN encrypts it.

When a VPN Doesn't Help Much

For Google or Facebook tracking. If you're signed into Google and searching, Google logs every search regardless of whether you're using a VPN. The VPN hides your IP, but Google already knows who you are.

Against browser fingerprinting. Your browser fingerprint — a combination of your screen resolution, fonts, plugins, and hardware — can identify you across websites without any cookies or IP address. A VPN does nothing to prevent this.

For data broker profiles. Data brokers built their profiles on you from public records, social media, and purchase history. Your IP address isn't relevant to this — a VPN won't remove your listing from Spokeo or BeenVerified.

The Catch: Not All VPNs Are the Same

This is the part the ads skip. When you use a VPN, you're routing all your internet traffic through the VPN company's servers. Instead of your ISP seeing everything you do online, your VPN provider does. You've just shifted who you trust.

A bad VPN is worse than no VPN at all. VPN companies have been caught logging user traffic and handing it to law enforcement, selling browsing data to advertisers, and getting acquired by data broker companies with terrible privacy practices.

What to look for in a VPN:

  • A verified no-log policy — the VPN company should have been independently audited to confirm they don't log your traffic. Not just a promise in their terms of service.
  • Based outside the US, UK, or Australia — these countries have data-sharing agreements that can compel VPN providers to hand over user data
  • WireGuard or OpenVPN protocol — modern, well-audited encryption protocols
  • A kill switch — automatically cuts your internet connection if the VPN drops, so you don't accidentally browse unprotected

The providers we recommend: Mullvad (accepts anonymous payment, consistently audited) and ProtonVPN (Swiss-based, open-source, audited). Both have verified no-log policies and a track record of defending user privacy.

Providers to avoid: most free VPNs (they monetize your traffic), and any VPN with heavy celebrity advertising and no published audit results.

How to Set One Up Correctly

Buying the subscription is the easy part. Most people then make mistakes in the configuration that leave them partially exposed: not enabling the kill switch, having DNS leaks that reveal their real location, or using the wrong protocol for their threat model.

If you want to make sure your VPN is actually working — not just running in the background while still leaking your data — our VPN Mastery Guide covers:

  • How to configure a VPN correctly on iPhone, Android, Mac, and Windows
  • How to enable and test your kill switch
  • How to run a DNS leak test and fix any leaks
  • When to use a VPN vs. Tor vs. encrypted DNS
  • Advanced setups including router-level VPN and multi-hop connections

VPN Mastery Guide — Set Up Real Privacy in 30 Minutes →

And if you want to pair your VPN with a complete privacy setup — covering your phone, browser, email, and data broker profile — the Privacy Starter Kit bundles VPN Mastery with The Privacy Playbook and the Data Broker Opt-Out Checklist at a discount.

The answer to "do you need a VPN" is almost certainly yes — but only if you pick the right one and set it up correctly. Otherwise you're paying for a false sense of security.
