VPN providers have perfected the art of the vague promise. "Military-grade encryption." "Complete online anonymity." "Browse without limits." These phrases appear on landing pages for services charging anywhere from $3 to $15 per month, and they are all technically meaningless, partially true, or both.
This isn't a takedown of VPNs — they're a useful tool for specific jobs. The problem is that people use them for the wrong jobs based on misleading marketing, and when that happens in a security context, people get hurt.
What a VPN Actually Does
A VPN creates an encrypted tunnel between your device and a server the VPN provider operates. All your network traffic goes through that tunnel. From the perspective of your ISP and anyone monitoring your local network, they see that you're connected to the VPN server — and nothing else. From the perspective of the websites you visit, they see the VPN server's IP address instead of yours.
That's the complete technical picture. The "military-grade encryption" most VPNs cite usually means AES-256 (WireGuard-based services use ChaCha20-Poly1305 instead), the same cipher that protects HTTPS sessions and encrypted disks. It's genuinely good encryption. It's also not uniquely military or exceptional; it's just the standard.
A VPN doesn't eliminate surveillance. It moves it. Instead of your ISP seeing your traffic, your VPN provider sees your traffic. You're trusting a different party — and that party may be less regulated, less accountable, and in some cases, actively hostile.
Where VPNs Genuinely Help
There are real use cases where a VPN provides meaningful protection:
- Untrusted networks. Coffee shops, hotels, airports, any public Wi-Fi where you don't control the network. A VPN prevents the network operator and other users on the same network from inspecting your traffic. This mattered more before HTTPS was ubiquitous; today the content of most connections is already encrypted between your browser and the site, but the local network still sees which IP addresses you talk to, your DNS lookups, and the server name in the TLS ClientHello (SNI) unless Encrypted Client Hello is in use. A VPN hides all of that from everyone on the local network.
- ISP-level tracking. In the United States, ISPs are permitted to collect and sell aggregated browsing data. A VPN prevents your ISP from seeing which sites you visit. Whether this matters depends on your ISP and your threat model.
- IP-based geoblocking. Accessing content restricted by geographic region works as long as the destination service doesn't block the VPN provider's IP ranges — which many streaming services now actively do.
- Hiding your real IP from destination servers. The websites you visit see the VPN's IP instead of yours. This is meaningful if you're trying to prevent a specific site from correlating activity to your home IP address.
What VPNs Don't Protect Against
This is where most VPN marketing fails its users. A VPN does not protect against:
Browser Fingerprinting
Your browser exposes dozens of attributes to every site you visit: screen resolution, installed fonts, graphics card capabilities (via WebGL), installed plugins, timezone, language settings, and more. The combination of these attributes creates a fingerprint that is often unique to your specific device, and it doesn't change when your IP address does. Hiding your IP with a VPN while your browser fingerprint stays constant doesn't prevent tracking; it just gives the tracker a new IP to attach to the same fingerprint.
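To make the linkage concrete, here is an added example (not code from the original article) of the tracker's side of the problem: hash the attribute set each visit reports, group visits by that hash, and watch the VPN's IP change disappear into a side note. The visit records, addresses (RFC 5737 documentation ranges) and attribute values are all constructed for this example. The entropy function goes beyond the text to show how a tracker weighs which attributes are worth collecting; with four constructed visits it only shows the shape of the calculation, not real numbers.

```python
import hashlib
import json
import math
from collections import Counter

# Constructed page-load records of the kind a tracking script collects. The
# addresses are documentation ranges and every attribute value is invented.
LAPTOP_A = {
    "ua": "Firefox/124", "screen": "2560x1440", "tz": "America/Chicago",
    "lang": "en-US", "fonts": "Fira Code;Inter;Noto Sans", "webgl": "NVIDIA RTX 3060",
}
VISITS = [
    {"ip": "203.0.113.10", "attrs": LAPTOP_A},   # laptop A from home
    {"ip": "198.51.100.7", "attrs": LAPTOP_A},   # laptop A through a VPN exit
    {"ip": "198.51.100.7", "attrs": {            # a stranger sharing that VPN exit
        "ua": "Chrome/123", "screen": "1920x1080", "tz": "Europe/Berlin",
        "lang": "de-DE", "fonts": "Arial;Calibri;Segoe UI", "webgl": "Intel Iris Xe",
    }},
    {"ip": "192.0.2.44", "attrs": {**LAPTOP_A, "tz": "America/New_York"}},  # near-twin, one attribute off
]


def fingerprint(attrs: dict) -> str:
    """Hash the canonical (key-sorted) attribute set; identical devices hash alike."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def link_visits(visits: list) -> dict:
    """Group visits by fingerprint: the tracker's view, with the IP reduced to a side note."""
    linked = {}
    for v in visits:
        linked.setdefault(fingerprint(v["attrs"]), set()).add(v["ip"])
    return {fp: sorted(ips) for fp, ips in linked.items()}


def attribute_entropy(visits: list) -> dict:
    """Shannon entropy (bits) of each attribute across the population: how much
    each one helps tell visitors apart. Real trackers compute this over millions
    of browsers; here it only demonstrates the calculation."""
    n = len(visits)
    result = {}
    for key in visits[0]["attrs"]:
        counts = Counter(v["attrs"][key] for v in visits)
        result[key] = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return result


if __name__ == "__main__":
    for fp, ips in link_visits(VISITS).items():
        print(fp, "seen from", ips)
    for key, bits in sorted(attribute_entropy(VISITS).items(), key=lambda kv: -kv[1]):
        print(f"{key:7s} {bits:.2f} bits")
```

Laptop A's two visits collapse into one fingerprint with two IPs attached, the stranger on the same VPN exit stays separate, and the near-twin with a different timezone lands in its own bucket: the IP is just one more signal, and a weak one.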
Account-Level Identity
When you log into Google, Facebook, your bank, or any site where you have an account, that service knows who you are. They know because you told them. Your IP address is logged alongside the login, but it's not what identifies you — your credentials do. A VPN doesn't change this at all. Browsing logged into your Google account through a VPN means Google still knows it's you, and now associates VPN server IPs with your account.
The VPN Provider Itself
Your traffic is not invisible to your VPN provider — it flows through their servers. A VPN that logs your activity and your real IP is simply a relay between you and surveillance. "No-log" claims are common; independent verification is rare. Some providers have been audited and passed. Others have claimed no-log policies while cooperating with law enforcement requests that revealed logs they claimed didn't exist.
DNS Leaks
DNS queries, the lookups that translate domain names to IP addresses, can bypass the VPN tunnel depending on how the VPN client configures the system and how your operating system chooses resolvers. Two common causes: the client pushes an IPv4 default route but leaves IPv6 alone, so queries to an IPv6 resolver learned from the local router go straight out over the physical interface; and the operating system keeps using the resolver it got from DHCP on the Wi-Fi interface alongside the one the VPN pushed (Windows queries resolvers on several interfaces in parallel by default). If your DNS queries reach your ISP's resolver instead of going through the tunnel, your ISP sees every domain you look up even though it can't see the traffic itself. Any competent VPN client should handle this; not all do.
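The route-based variant of this leak can be checked from a host's own routing table. The following is an added example, not the article's or any VPN client's code: it performs the kernel's longest-prefix route lookup for each configured resolver and reports any whose queries would exit on an interface other than the tunnel. The routing table, interface names and resolver addresses are a constructed snapshot of a laptop whose VPN client pushed an IPv4 default route only; the parallel-interface querying some operating systems do is not modeled.

```python
import ipaddress
from typing import Optional

TUNNEL = "tun0"  # assumed name of the VPN interface

# Constructed host state: what `ip route` / `ip -6 route` might show after
# connecting to a VPN that claimed IPv4 but not IPv6, plus the resolvers the
# OS has been handed. Addresses are documentation ranges.
ROUTES = [
    ("0.0.0.0/0", "tun0"),        # all IPv4 traffic into the tunnel...
    ("10.8.0.0/24", "tun0"),      # ...including the VPN's own subnet
    ("203.0.113.5/32", "wlan0"),  # except the VPN server itself, which must bypass it
    ("192.168.1.0/24", "wlan0"),  # local LAN stays local
    ("::/0", "wlan0"),            # IPv6 default route untouched: still exits over Wi-Fi
    ("fe80::/64", "wlan0"),
]
RESOLVERS = [
    "10.8.0.1",      # resolver pushed by the VPN
    "192.168.1.1",   # the Wi-Fi router's resolver, left behind from DHCP
    "2001:db8::53",  # an IPv6 resolver learned from router advertisements
]


def lookup(ip: str, routes) -> Optional[str]:
    """Longest-prefix match, as the kernel does it; None if no route matches."""
    addr = ipaddress.ip_address(ip)
    best_net, best_iface = None, None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if net.version != addr.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_iface = net, iface
    return best_iface


def dns_leaks(resolvers, routes, tunnel: str = TUNNEL) -> list:
    """Resolvers whose queries would leave on some interface other than the tunnel."""
    leaks = []
    for resolver in resolvers:
        iface = lookup(resolver, routes)
        if iface != tunnel:
            leaks.append((resolver, iface))
    return leaks


if __name__ == "__main__":
    for resolver, iface in dns_leaks(RESOLVERS, ROUTES):
        print(f"LEAK: queries to {resolver} exit via {iface}, not {TUNNEL}")
```

Both leaks here are ordinary: the router's resolver is on the directly connected LAN, so the /24 route beats the tunnel's default route, and the IPv6 resolver never had a tunnel route to take. A client that handles this either rewrites the resolver list to the tunnel's resolver only, or installs firewall rules that drop port 53 traffic leaving on anything but the tunnel.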
WebRTC Leaks
Browsers implementing WebRTC (used for video calls and peer-to-peer connections) can reveal your real IP address to websites even through a VPN. To set up a direct connection, WebRTC gathers ICE candidates: host candidates carry the addresses of your local interfaces, and server-reflexive candidates, obtained by asking a STUN server what address it saw, carry the public address the STUN request exited from. If every packet goes through the tunnel, that public address is the VPN's; if the VPN client misses some UDP traffic, split-tunnels, or leaves IPv6 untouched, it is your real address, handed to any page that opens a peer connection. Recent browsers mask host candidates behind mDNS (.local) names by default, but server-reflexive candidates are not masked. Browser settings or extensions can disable WebRTC or restrict which interfaces it uses; default browser behavior often doesn't.
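What a leak-checking page actually does with the candidates is simple enough to show. This is an added example, not the article's code and not any browser's: it parses ICE candidate lines in the RFC 5245 syntax a page receives from `RTCPeerConnection.onicecandidate`, classifies each address, and reports any public address that is not the VPN exit. The candidate lines, the VPN exit address and all other addresses (documentation ranges) are constructed; the private-range check is written out explicitly because Python's `ipaddress` flags those documentation ranges as non-global too.

```python
import ipaddress

VPN_EXIT_IP = "198.51.100.7"  # assumed address of the VPN exit for this example

# Constructed ICE candidate lines, as a page receives them from
# RTCPeerConnection.onicecandidate. Candidate 5 is the leak: a STUN request
# went out over the Wi-Fi interface (raddr 192.168.1.23) and came back with
# the real public address instead of the VPN exit's.
CANDIDATES = [
    "candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host",
    "candidate:2 1 udp 2122260223 10.8.0.2 51235 typ host",
    "candidate:3 1 udp 2122194687 7b1c2d3e-4f50-4a6b-8c9d-0e1f2a3b4c5d.local 51236 typ host",
    "candidate:4 1 udp 1686052607 198.51.100.7 51235 typ srflx raddr 10.8.0.2 rport 51235",
    "candidate:5 1 udp 1686052607 203.0.113.10 51234 typ srflx raddr 192.168.1.23 rport 51234",
]

# Explicit list rather than ipaddress.is_private / is_global, which also treat
# the documentation ranges used in this example as non-global.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                 # carrier-grade NAT
    "169.254.0.0/16", "fe80::/10",                   # link-local
    "127.0.0.0/8", "::1/128",                        # loopback
    "fc00::/7",                                      # IPv6 unique local
)]


def parse_candidate(line: str) -> dict:
    """Pull the fields that matter out of a candidate line ('a=candidate:' prefix tolerated)."""
    fields = line.strip().removeprefix("a=").split()
    if len(fields) < 8 or fields[6] != "typ":
        raise ValueError(f"not an ICE candidate: {line!r}")
    return {"transport": fields[2].lower(), "address": fields[4],
            "port": int(fields[5]), "type": fields[7]}


def classify_address(address: str) -> str:
    """mdns: masked local name; private: LAN or tunnel-internal; public: Internet-routable."""
    if address.endswith(".local"):
        return "mdns"
    addr = ipaddress.ip_address(address)
    if any(addr in net for net in NON_PUBLIC if net.version == addr.version):
        return "private"
    return "public"


def real_ip_leaks(candidate_lines, vpn_exit_ip: str = VPN_EXIT_IP) -> list:
    """Public addresses a page would learn that are not the VPN exit: the leak."""
    leaks = []
    for line in candidate_lines:
        c = parse_candidate(line)
        if classify_address(c["address"]) == "public" and c["address"] != vpn_exit_ip:
            leaks.append((c["type"], c["address"]))
    return leaks


if __name__ == "__main__":
    for line in CANDIDATES:
        c = parse_candidate(line)
        print(f"{c['type']:5s} {c['address']:45s} {classify_address(c['address'])}")
    print("leaked real IPs:", real_ip_leaks(CANDIDATES))
```

Note that the private host candidates are not harmless either: 192.168.1.23 and 10.8.0.2 tell the page your LAN layout and that you are on a VPN tunnel, which is itself a fingerprinting signal. The mDNS-masked candidate is what a current browser emits for those by default; the unmasked server-reflexive candidate is the one that gives away the real public address.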
Timing Correlation Attacks
A sophisticated adversary who can observe both your VPN connection and the VPN server's outbound connections can correlate traffic based on timing — when you send data, the server sends data shortly after, and the pattern is detectable. This is a high-sophistication attack, but it's worth understanding that VPNs don't defend against it.
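The correlation itself is a small calculation once both links are observed. Here is an added example (not the article's code, and not any real traffic-analysis tool) that simulates the attack: it bins packet timestamps on the client side and the VPN exit side into 10 ms slots, slides the exit-side series across a range of lags, and keeps the lag with the strongest correlation. The timestamps are constructed with a fixed seed, the 50 ms forwarding delay is assumed, and a second, unrelated user's stream is included to show that the correlation is specific rather than an artifact of busy traffic.

```python
import random
from statistics import mean, pstdev

BIN_SECONDS = 0.01     # 10 ms slots: cheap, and still finer than typical jitter
WINDOW_SECONDS = 20.0  # length of the observed window
VPN_DELAY = 0.05       # assumed client-to-exit forwarding delay (50 ms)


def make_streams(seed: int = 7):
    """Constructed packet timestamps: what the client sent, what the VPN exit
    forwarded for it (delayed plus 2 ms jitter), and an unrelated user's stream."""
    rng = random.Random(seed)
    client = sorted(rng.uniform(0, WINDOW_SECONDS - 1) for _ in range(200))
    forwarded = [t + VPN_DELAY + rng.gauss(0, 0.002) for t in client]
    other = sorted(rng.uniform(0, WINDOW_SECONDS - 1) for _ in range(200))
    return client, forwarded, other


def bin_series(times):
    """Packets per time slot over the window."""
    n = int(WINDOW_SECONDS / BIN_SECONDS)
    counts = [0] * n
    for t in times:
        i = int(t / BIN_SECONDS)
        if 0 <= i < n:
            counts[i] += 1
    return counts


def pearson(a, b) -> float:
    """Pearson correlation of two equal-length series (0.0 if either is flat)."""
    ma, mb = mean(a), mean(b)
    sa, sb = pstdev(a), pstdev(b)
    if sa == 0 or sb == 0:
        return 0.0
    return sum((x - ma) * (y - mb) for x, y in zip(a, b)) / (len(a) * sa * sb)


def best_lag(inbound, outbound, max_lag_bins: int = 50):
    """Shift the outbound series back by 0..max_lag slots and return the
    (lag, correlation) pair that fits best. A flow that really is the inbound
    flow relayed peaks sharply at the relay's delay; an unrelated flow never
    rises far above zero at any lag."""
    best = (0, -1.0)
    for lag in range(max_lag_bins + 1):
        r = pearson(inbound[: len(inbound) - lag], outbound[lag:])
        if r > best[1]:
            best = (lag, r)
    return best


if __name__ == "__main__":
    client, forwarded, other = make_streams()
    inbound = bin_series(client)
    for name, stream in (("forwarded", forwarded), ("other user", other)):
        lag, r = best_lag(inbound, bin_series(stream))
        print(f"{name:10s} best lag {lag * BIN_SECONDS * 1000:.0f} ms, r = {r:.2f}")
```

With 200 packets in a 20-second window the relayed stream correlates at around 0.8 at the 50 ms lag while the stranger's stream stays near zero, and nothing about the encryption of either link changes that: the attack uses only packet timing. Defeating it takes traffic shaping (constant-rate padding, deliberate delay, mixing), which commercial VPNs don't do.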
| Threat | VPN Helps? | Notes |
|---|---|---|
| ISP seeing your traffic | ✓ Yes | Core function of a VPN |
| Local network eavesdropping | ✓ Yes | Effective on untrusted Wi-Fi |
| Destination site seeing your real IP | ✓ Yes | Site sees VPN server IP instead |
| Browser fingerprinting | ✗ No | IP is one signal; fingerprint persists |
| Account-level tracking | ✗ No | Logging in identifies you regardless of IP |
| VPN provider surveillance | ✗ No | They see everything; trust shifted, not eliminated |
| DNS leaks | ~ Maybe | Depends on VPN client configuration |
| WebRTC IP leaks | ~ Maybe | Depends on browser and VPN client |
| Malware, phishing | ✗ No | VPN encrypts transport only; malicious pages and downloads ride through the tunnel unchanged |
| Government compulsion of VPN provider | ✗ No | Legal process reaches VPN providers too |
The Logging Policy Problem
The most important question to ask about any VPN provider is: what data do they actually retain, and what happens when a court orders them to produce it?
The history here is instructive. IPVanish, once marketed heavily as a no-log VPN, handed detailed connection logs to Homeland Security Investigations in a 2016 case, as court records later showed, despite its no-log claims. PureVPN similarly provided logs to the FBI in 2017. These incidents revealed that "no-log policy" as a marketing term has meant different things to different providers.
A no-log claim you can't verify is a promise from a party whose business interests are served by making that promise. Independent audits of VPN infrastructure are more meaningful than policy statements, and even audits have limits — they verify what was true at the time, not what's true today.
When a VPN Is the Right Tool
Despite the limitations, there are contexts where a VPN is genuinely the right choice:
- You're using untrusted Wi-Fi regularly and want to prevent network-layer passive surveillance
- You're in a country where your ISP is actively monitoring and censoring traffic, and you want to circumvent that
- You want to prevent your ISP from profiling and selling your browsing data
- You need a consistent exit IP for accessing region-locked content
For these use cases, a well-audited VPN from a provider with a genuine no-log architecture — running on RAM-only servers with no persistent storage, based in a jurisdiction with strong privacy laws — provides real value.
For anonymity against sophisticated adversaries, for keeping message content private beyond the VPN exit (that is the job of end-to-end encryption, which a VPN does not provide), or for hiding your identity when you're logged into accounts that know who you are: a VPN isn't the tool, and treating it as one creates false confidence. The metadata surveillance problem doesn't disappear behind a VPN server; it just moves.