The TLDR
A VPN creates an encrypted tunnel between your device and a VPN server. Everything your ISP could normally see — which domains you visit, your DNS queries, your connection metadata — gets hidden inside that tunnel. But the VPN provider now sees everything your ISP used to see. You’re not eliminating surveillance. You’re choosing who does it. If your VPN provider logs and sells your data, you’ve paid money to make your privacy worse.
The Reality
Without a VPN, here’s what your ISP can see:
- Every DNS query — the domain name of every site you visit (even over HTTPS, the DNS lookup is usually plaintext)
- SNI (Server Name Indication) — the hostname you’re connecting to, visible in the TLS handshake
- Connection metadata — when you connected, how long, how much data transferred
- Your real IP address — visible to every server you connect to
Your ISP can (and does) sell this data. The FTC’s 2021 ISP surveillance report documented how major ISPs collect and monetize browsing history, app usage, and location data.
With a VPN, your ISP sees encrypted traffic going to a single IP address (the VPN server). They know you’re using a VPN. They can’t see what you’re doing through it.
But now the VPN provider sees everything your ISP used to see. The question isn’t whether a VPN helps — it does, on untrusted networks especially. The question is whether your VPN provider is more trustworthy than your ISP.
How It Works
The Tunnel Protocols
WireGuard is the modern standard. It is implemented in roughly 4,000 lines of code (compared to OpenVPN’s roughly 100,000), making it easier to audit. It uses ChaCha20-Poly1305 for authenticated symmetric encryption, Curve25519 for key exchange, and is significantly faster than older protocols. Most reputable VPNs now default to WireGuard.
OpenVPN is the battle-tested option. It’s been around since 2001, extensively audited, and supports a wide range of configurations. Slower than WireGuard but proven.
IPsec/IKEv2 is commonly used on mobile devices. It handles network switching (WiFi to cellular) gracefully, which matters on phones.
All three protocols, when properly implemented, provide encryption that is effectively unbreakable. The differences are in speed, code complexity (audit surface), and platform support. The encryption itself — AES-256 or ChaCha20 — is not the weak link.
Kill Switches
A kill switch blocks all internet traffic if the VPN connection drops. Without one, a momentary VPN disconnection exposes your real IP and sends traffic unencrypted through your ISP.
Not all kill switches are created equal. Some only activate when the VPN app detects a disconnect (software-level — can leak during the detection delay). Better implementations use firewall rules that block all non-VPN traffic at the OS level, preventing leaks even during crashes.
DNS Leak Protection
Even with a VPN active, your device might send DNS queries outside the tunnel — through your ISP’s DNS servers. This completely undermines the privacy benefit of the VPN, because your ISP still sees every domain you visit.
Proper VPN implementations route DNS queries through the tunnel to the VPN provider’s own DNS servers. Test yours at dnsleaktest.com.
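The firewall-level kill switch described above, combined with the DNS leak protection just discussed, looks like this in practice. This is an added example for a Linux host with nftables and is not code from the original article; the tunnel interface wg0, uplink eth0 and VPN endpoint 203.0.113.10:51820 are hypothetical values.

```shell
#!/bin/sh
# Added example, not code from the original article: a firewall-level VPN kill switch
# for Linux nftables that also stops DNS leaks. Hypothetical values: tunnel interface
# wg0, uplink eth0, VPN endpoint 203.0.113.10:51820/udp (constructed, not a real server).
set -eu

# Print an nftables ruleset that permits only: loopback, the encrypted UDP flow to the
# VPN endpoint on the uplink, DHCP, and anything leaving through the tunnel interface.
# Everything else (IPv4 and IPv6, since the table family is inet) is dropped by the
# kernel, so a crashed VPN client cannot leak traffic during the detection delay.
vpn_killswitch_ruleset() {
    tun="$1"; uplink="$2"; endpoint="$3"; port="$4"
    cat <<EOF
table inet vpn_killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        # the tunnel itself: encrypted packets to the VPN server only
        oifname "$uplink" ip daddr $endpoint udp dport $port accept
        # DHCP on the uplink so the host keeps its address while the VPN is down
        oifname "$uplink" udp dport 67 accept
        # plaintext DNS that tries to bypass the tunnel is dropped explicitly
        oifname != "$tun" udp dport 53 drop
        oifname != "$tun" tcp dport 53 drop
        # everything else must travel inside the tunnel
        oifname "$tun" accept
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # DHCP replies arrive as broadcasts that conntrack does not always match
        iifname "$uplink" udp sport 67 udp dport 68 accept
    }
}
EOF
}

# Returns 0 when the generated ruleset contains an explicit drop for plaintext DNS
# leaving on any interface other than the tunnel; used as a self-check before applying.
blocks_dns_leak() {
    vpn_killswitch_ruleset "$@" | grep -q 'oifname != "'"$1"'" udp dport 53 drop'
}

# Usage (root, nftables installed):
#   vpn_killswitch_ruleset wg0 eth0 203.0.113.10 51820 | nft -f -
```

Because the output chain's policy is drop, traffic that does not match an accept rule is blocked even if the VPN client crashes, which is the property a software-only kill switch cannot guarantee.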
What a VPN Protects
- Traffic on untrusted networks: Coffee shop WiFi, hotel networks, airports. The VPN tunnel means the local network operator can’t see your traffic.
- ISP-level surveillance: Your ISP can’t see which sites you visit, can’t inject ads, and can’t sell granular browsing data.
- Geographic IP masking: Sites see the VPN server’s IP, not yours. This matters for privacy and for accessing region-locked content.
- DNS privacy: If properly configured, your DNS queries go through the tunnel instead of to your ISP.
What a VPN Does NOT Protect
This is where the VPN marketing gets dishonest.
Browser fingerprinting: Your browser’s unique combination of screen resolution, fonts, GPU, timezone, language, and plugins creates a fingerprint that identifies you regardless of IP address. A VPN changes your IP. Your fingerprint stays the same.
Signed-in tracking: If you’re logged into Google and browse the web, Google tracks you by your account — not your IP. Same for Facebook, Amazon, and every other platform where you’re authenticated. A VPN doesn’t help here.
Malware and phishing: A VPN encrypts your traffic. It doesn’t scan it. Malware travels through VPN tunnels just as easily as through unencrypted connections.
The VPN provider itself: Your VPN provider can see everything your ISP used to see. If they log and sell your data, you’ve moved the problem, not solved it.
Anonymity: A VPN is not Tor. It provides pseudonymity (your real IP is hidden) but not anonymity. The VPN provider knows your real IP. If they’re compelled or compromised, you’re identified.
Evaluating a VPN
Jurisdiction
Where a VPN company is incorporated determines which governments can compel it to hand over data.
- Five Eyes (US, UK, Canada, Australia, New Zealand): Mutual intelligence-sharing agreements. A VPN in the US can be compelled to provide data that gets shared with four other governments.
- Switzerland: Strong privacy laws, not part of Five Eyes. ProtonVPN is incorporated here.
- Panama: Outside major intelligence-sharing agreements. NordVPN is incorporated here.
- British Virgin Islands: ExpressVPN’s jurisdiction. Limited compulsion mechanisms.
Jurisdiction matters, but it’s not everything. A VPN provider that logs everything is a liability regardless of where it’s based.
No-Log Policies and Audits
Every VPN claims a “no-log policy.” The only way to verify this is through independent audits.
- Mullvad: Based in Sweden. No accounts — you get an anonymous number. Accepts cash payments. Audited by Cure53 and Assured AB. Swedish police raided their offices in 2023 and found nothing because there was nothing to find.
- ProtonVPN: Based in Switzerland. Audited by Securitum. Open-source clients.
- NordVPN: Based in Panama. Multiple audits by PricewaterhouseCoopers and Deloitte. Previously suffered a server breach in 2019 but has since rebuilt infrastructure.
If a VPN hasn’t been independently audited and doesn’t publish the results, treat the “no-log” claim as marketing.
Ownership
The VPN industry has consolidated dramatically. Kape Technologies owns ExpressVPN, CyberGhost, Private Internet Access, and ZenMate. Nord Security owns NordVPN, Surfshark, and Atlas VPN. Before choosing a VPN, check who actually owns it — the brand name and the parent company may have very different track records.
The Free VPN Problem
If a VPN is free, you’re paying with your data. Documented cases:
- Hola VPN routed paying customers’ traffic through free accounts’ connections — turning free accounts into a botnet.
- Facebook’s Onavo VPN collected all user traffic data for Facebook’s competitive intelligence.
- Multiple free VPNs on Google Play have been caught injecting ads, installing tracking cookies, and selling bandwidth to third parties.
A study by CSIRO found that 38% of free Android VPN apps contained malware, and 84% leaked user traffic.
Tor vs. VPN
A VPN hides your traffic from your ISP and local network. The VPN provider knows who you are and what you do.
Tor routes your traffic through three relays, each knowing only the previous and next hop. No single relay knows both who you are and what you’re doing. Tor provides actual anonymity against network-level surveillance.
When to use a VPN: Daily browsing privacy, untrusted WiFi, streaming geo-restricted content, reducing ISP surveillance.
When to use Tor: Whistleblowing, journalism in hostile countries, communication where anonymity is life-or-death. Tor is slower, is blocked by some sites, and attracts scrutiny — it’s a tool for threat models that warrant it.
What You Can Do
- Choose based on your threat model. If you want privacy from your ISP and protection on public WiFi, any reputable audited VPN works. If you need anonymity from nation-states, you need Tor.
- Enable the kill switch — always. A VPN that disconnects without a kill switch is worse than no VPN because it creates a false sense of security.
- Check for DNS leaks after setup at dnsleaktest.com.
- Use split tunneling if your VPN supports it — route sensitive traffic through the VPN, let streaming and gaming go direct.
- Don’t rely on the VPN alone. Use it in combination with browser privacy settings, ad blockers, and conscious login practices.
Sources & Further Reading
- EFF: Choosing a VPN — practical VPN guidance from the Electronic Frontier Foundation
- Mullvad Audit Reports — published independent security audits
- WireGuard Protocol Documentation — technical specification of the modern VPN protocol
- FTC ISP Surveillance Report (2021) — federal documentation of ISP data practices
- CSIRO Free VPN Study — academic analysis of free VPN security and privacy
- Tor Project — anonymity network documentation