A Virtual Private Network creates an encrypted tunnel between your device and a server operated by the VPN provider. All your internet traffic travels through that tunnel. From the outside, it looks like your traffic is coming from the VPN server's location, not your own. That's the whole mechanism. The privacy and security claims advertised by VPN providers all flow from that one technical reality — and so do the limits.
The VPN industry spends a remarkable amount on advertising, and much of that advertising overstates what VPNs actually protect against. Understanding what a VPN genuinely does is more useful than believing the marketing.
What a VPN Actually Protects
A VPN meaningfully protects your traffic from two parties: your internet service provider, and anyone on the local network you're using.
Your ISP can see every domain you visit without a VPN. With one, they see only that you're connected to a VPN server. The actual sites you visit are hidden from them. This matters if you're concerned about ISP data collection or in a jurisdiction where ISPs are required to log your browsing history.
On public Wi-Fi — in coffee shops, airports, hotels — a VPN encrypts your traffic so that other users on the same network can't intercept it. This was more significant before HTTPS became standard. Most websites now encrypt their own connections, so the incremental protection from a VPN on public Wi-Fi is smaller than it used to be. That said, a VPN on an untrusted network is still reasonable practice.
What a VPN Does Not Protect
A VPN does not make you anonymous. It shifts who can see your traffic from your ISP to your VPN provider. If the VPN provider keeps logs — and many do, despite claiming otherwise — those logs can be subpoenaed, obtained through data breach, or handed over under the laws of whatever country the provider operates in. You are trusting the VPN provider the same way you previously trusted your ISP.
A VPN does not protect you from tracking by websites. Cookies, browser fingerprinting, login sessions, and advertising trackers follow you regardless of what IP address your traffic appears to come from. If you're logged into Google, Google knows your activity whether you're using a VPN or not.
A VPN does not protect you from malware. A VPN running on a compromised device is useless for the purposes of protecting sensitive communications. The malware operates at a layer above the VPN.
What VPNs Are Actually Good For
The most legitimate and common use case for consumer VPNs is bypassing geographic restrictions on content. Streaming services license content by country. A VPN lets you appear to be in a country where content is available.
In countries with aggressive internet censorship — China, Iran, Russia — VPNs provide access to blocked content and, with caveats, some protection from surveillance. The caveats are significant: using an unauthorized VPN in some of these countries is itself illegal, and the VPN provider may be cooperating with local authorities.
For journalists, activists, or anyone operating in environments with genuine adversarial surveillance, a VPN is one tool among many — not a solution by itself. Proper operational security in high-threat environments requires tools designed for that purpose and an understanding of the threat model you're defending against.
Choosing a VPN
The most important factor in choosing a VPN provider is jurisdiction and logging policy. A provider headquartered in a country with strong privacy laws that has been audited by independent security researchers and demonstrated a no-logs policy in legal proceedings is meaningfully different from a provider you found in an ad with no public information about its ownership or logging practices.
Free VPNs present a specific problem: operating VPN infrastructure costs real money. If you're not paying for the service, the service is typically funded by your data — which entirely defeats the stated purpose.