VPN stands for Virtual Private Network, and it has become one of the most heavily marketed security products on the internet. Celebrities endorse them, tech YouTubers promote them, and they appear as sponsored content on virtually every major media platform. Yet the majority of people who use them have only a vague understanding of what they actually do — and a significant proportion are using products that may be actively harmful to their privacy.
This guide cuts through the marketing and gives you the honest, complete picture.
What a VPN actually does
When you connect to the internet normally, your traffic travels from your device to your router, then to your internet service provider (ISP), and then out to the website or service you are visiting. Your ISP can see every website you visit and the timing of those visits, though not the content of encrypted HTTPS connections. The websites you visit can see your IP address, which reveals your approximate geographic location and identifies your internet connection.
When you connect through a VPN, your traffic is first encrypted by VPN software on your device before leaving it. It then travels to a server operated by the VPN provider — which could be in a different city or a different country — and from there out to the internet. From the perspective of the website you are visiting, the traffic appears to originate from the VPN server, not from your actual location. From the perspective of your ISP, they can see that you are connected to a VPN server but cannot see what you are doing beyond that.
This achieves two things: it conceals your browsing activity from your ISP, and it masks your real IP address from websites you visit. It does not make you anonymous online — the VPN provider itself can see all your traffic — and it does not protect you from any threats other than network-level monitoring.
When a VPN genuinely helps
On public Wi-Fi. This is the scenario where a VPN provides the clearest, most meaningful protection. Public Wi-Fi networks in coffee shops, airports, hotels, libraries, and gyms are often unencrypted or encrypted with keys that are publicly shared. An attacker on the same network using freely available tools can potentially intercept traffic from other connected devices. A VPN encrypts your traffic before it leaves your device, making it unreadable even if intercepted. If you regularly use public Wi-Fi for any purpose that involves logged-in accounts, a VPN is worth having for these moments specifically.
Against ISP monitoring. In the UK, internet service providers are required under the Investigatory Powers Act to retain records of websites their customers visit for 12 months, and this data can be accessed by a range of government agencies without a warrant. A VPN prevents your ISP from seeing which websites you visit. If this concerns you, a VPN provides real protection against it.
For geographic access. Content streaming services, news websites, and some online services restrict access by geographic location. A VPN allows you to appear to be located in a different country. Note that many streaming services actively attempt to detect and block VPN usage.
When a VPN does not help
A VPN is not a comprehensive privacy tool and it is not a security product in the traditional sense. It does not protect you from phishing attacks — if you click a convincing fake PayPal link, the VPN does nothing to warn you or block the fake website. It does not protect you from malware — if you download a malicious file, the VPN does not scan or block it. It does not make you anonymous — your accounts, your cookies, your browser fingerprint, and your login sessions all remain identifiable regardless of your VPN status. It does not protect against data breaches at services you use.
Marketing that positions VPNs as an all-encompassing cybersecurity solution is misleading. They address a specific, real threat — network-level traffic monitoring — and nothing else.
The crucial question of trust
When you use a VPN, you are transferring your trust from your ISP to your VPN provider. Your ISP can no longer see your traffic — but your VPN provider can. This means choosing a trustworthy VPN provider is essential, and the vast majority of free VPN products do not qualify.
Studies of free VPN applications have consistently found concerning practices: many log user activity and sell it to data brokers, some inject advertising into unencrypted traffic, and a small number have been found to contain outright malware. If a VPN product is free and has no clear business model based on paid subscriptions, your data is almost certainly the product.
Which VPN to use
ProtonVPN (free tier) is the recommendation for anyone who wants a free VPN that is genuinely trustworthy. ProtonVPN is operated by Proton AG, a Swiss company also known for ProtonMail. It has a verified no-logs policy that has been independently audited, its apps are open source (meaning anyone can inspect the code), and it offers unlimited data on the free tier — which is extremely rare among legitimate free VPNs. The limitation of the free tier is slower speeds and access to only three country locations.
Mullvad is the choice of security professionals and privacy researchers. It requires no account creation — you receive a random account number when you sign up — and accepts anonymous payment methods including cash and cryptocurrency. It has passed independent audits and has a strong track record. It costs €5 per month.
NordVPN is the most mainstream paid option and is appropriate for everyday use by people who want a balance of security, speed, and ease of use. It has good independent audit results and a user-friendly interface. Treat any promotional pricing skeptically — the meaningful cost is the renewal price after the introductory period.