The VPN You Were Sold Is Not the VPN You Need
YouTubers have spent a decade telling you a VPN protects you from "hackers on public Wi-Fi" and lets you "browse anonymously online." Both claims are mostly false in 2026. A VPN is a useful tool with a precise function — and the gap between that function and the marketing pitch is where consumers get fleeced. Here's what a VPN does, what it doesn't, and how to evaluate one if you need one.
What a VPN actually is
A VPN is a tunnel. Your traffic, instead of leaving your device and going directly to the internet, is encrypted and routed first to a server operated by the VPN provider. That server then forwards the traffic to its destination. To the rest of the internet, the connection appears to originate from the VPN server's IP address, not yours.
That's it. Two simple consequences:
- Your local network and ISP can no longer see what you're connecting to. They see only "encrypted traffic to a VPN endpoint." Useful on hostile networks (hotel Wi-Fi, conference centers, your boss's office).
- Destinations see the VPN's IP, not yours. Useful for geographic rerouting (streaming, region-locked services) and for separating your real IP from a service that doesn't need it.
That is the entire value proposition. Everything else is marketing.
What a VPN does not do
It does not protect you from "hackers on public Wi-Fi"
This claim was true in 2008. In 2026 it is mostly obsolete. Nearly every meaningful website now uses HTTPS; by most measurements over 95% of web traffic is encrypted in transit before any VPN gets involved. The "hacker at the coffee shop" the ads dramatize sees encrypted blobs plus two pieces of metadata: your DNS lookups and the TLS Server Name Indication (SNI), which together reveal which sites you visit but not what you do there. We covered those leaks in the DNS article; encrypted DNS closes the first and Encrypted Client Hello (ECH) the second. A VPN does hide both from the local network, but only by moving the same metadata to the VPN provider.
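What that coffee-shop observer can and cannot read is easy to show on the wire. The following is an added example, not code from the original article: it constructs a minimal TLS ClientHello for a made-up hostname (`bank.example`, an assumption for the demo) and pulls the server_name back out of it the way any passive on-path observer could. The hostname sits in the clear before key exchange; an encrypted application-data record gives the same parser nothing.

```python
import os
import struct


def build_client_hello(hostname: str) -> bytes:
    """Constructed sample traffic: a minimal TLS 1.2-framed ClientHello with one
    cipher suite and a server_name extension. Real browsers send far more
    extensions, but the SNI encoding is the same."""
    name = hostname.encode("ascii")
    # ServerNameList: one entry of name_type host_name (0), 2-byte length, name
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = (struct.pack("!HH", 0x0000, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    body = (
        b"\x03\x03"                               # client_version: TLS 1.2
        + os.urandom(32)                          # random
        + b"\x00"                                 # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"      # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                             # compression_methods: null
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the server_name carried by a TLS ClientHello record, or None.
    Every byte read here precedes key exchange, so a passive observer on the
    same Wi-Fi or at the ISP recovers the hostname exactly like this."""
    try:
        if record[0] != 0x16:                     # 0x16 = handshake; 0x17 = encrypted app data
            return None
        hs_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + hs_len]
        if hs[0] != 0x01:                         # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                              # skip version and random
        pos += 1 + body[pos]                      # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                      # compression_methods
        if pos + 2 > len(body):
            return None                           # legacy client, no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 0x0000:                # server_name extension
                entry = data[2:2 + struct.unpack("!H", data[:2])[0]]
                if entry and entry[0] == 0x00:    # name_type host_name
                    name_len = struct.unpack("!H", entry[1:3])[0]
                    return entry[3:3 + name_len].decode("ascii", "replace")
        return None
    except (IndexError, struct.error):
        return None                               # truncated or malformed record


if __name__ == "__main__":
    hello = build_client_hello("bank.example")
    print("hostname visible on the wire:", extract_sni(hello))
    print("encrypted record reveals:", extract_sni(b"\x17\x03\x03\x00\x05" + os.urandom(5)))
```

Pointed at a real capture, the same parser works on the first handshake record of any TLS connection without ECH; with ECH the outer ClientHello carries only a public facade name and the real one travels in an encrypted inner ClientHello, which is why the fix is ECH plus encrypted DNS rather than a VPN.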
It does not make you anonymous
Anonymity is a much harder property than network privacy. The moment you log into Google, Facebook, your bank, or any other identity-bound service, you have linked your VPN exit IP to your real identity. Browser fingerprinting (covered separately) tracks you across IPs anyway. Tor exists for genuine anonymity; a commercial VPN is a privacy proxy, not an anonymity service.
It does not stop tracking
Cookies, fingerprints, and account logins all survive a VPN connection unchanged. Your IP address is one identifier among dozens. Hiding it does not hide you.
It does not encrypt your traffic "end-to-end"
The encryption stops at the VPN exit. Beyond the exit, your traffic uses whatever encryption the destination supports (almost always HTTPS, but not always). Inside the VPN provider's infrastructure, the traffic is fully visible to them. You moved trust from your ISP to your VPN; you didn't eliminate it.
The trust transfer problem
VPN providers are subject to:
- The legal regime where they operate. Five Eyes / Fourteen Eyes signatories can compel cooperation. "No-log" claims have been contradicted by what providers handed over to law enforcement: PureVPN (a 2017 FBI case) and IPVanish (a 2016 Homeland Security request, under its previous owner) both produced connection records they had publicly denied keeping.
- Whoever owns them. Kape Technologies (formerly Crossrider, an adware company) bought ExpressVPN, CyberGhost, Private Internet Access, and ZenMate, putting four of the largest VPN brands under one corporate umbrella with a chequered past. NordVPN's parent, Nord Security, shares its founders with Tesonet, a Lithuanian holding company whose affiliates include proxy and web-scraping businesses.
- Server-side compromise. NordVPN's 2018 incident (an attacker used a remote-management interface left behind by a Finnish datacenter provider to reach one server, exposing an expired TLS private key; disclosed in 2019) is a reminder that the security of a VPN is bounded by the security of every datacenter it rents space in.
- Their own data appetite. "Free" VPNs typically make money by monetizing traffic data, bundling third-party trackers, or both; academic studies of free Android VPN apps have documented this repeatedly, along with apps that did not even encrypt the tunnel.
The influencer-marketing problem
The reason VPNs are over-promoted is structural. The major brands pay creators among the highest CPMs in the entire affiliate-marketing economy — frequently $40 to $70 per signup. This funds the "VPN ad" segments on essentially every YouTube channel and the "Best VPNs of 2026" review sites that all happen to recommend the providers paying the highest commissions. Independent technical evaluation barely competes.
Test for it: search for any major VPN's name plus "review" and count how many of the top results are from sites that take affiliate commissions. The number is close to all of them.
When a VPN is genuinely the right tool
Despite the noise, there are real use cases:
- Untrusted local networks. Hotels, conferences, airports, your friend's roommate's router. The risk isn't "hackers stealing your bank password" anymore; it's the network operator logging where you go and selling that data, or a captive portal that tampers with the responses to any plain-HTTP request.
- ISP-level surveillance and throttling. If your ISP sells browsing history (legal in the US since Congress repealed the FCC broadband-privacy rules in 2017) or throttles specific protocols (BitTorrent, sometimes streaming), a VPN moves that visibility to the provider instead.
- Geoblocking and censorship circumvention. Accessing services in your home country while traveling, or accessing services your government has blocked. Note that this is about transit, not anonymity — the destination still sees you logged in.
- Hiding home IP from services that don't need it. Torrenting (which exposes your IP to every peer in the swarm), submitting tips to a journalist, or simply not feeding your residential IP into yet another database.
- Site-to-site corporate access. Tailscale and headscale-style mesh VPNs replacing legacy enterprise VPN concentrators. Different category, different threat model — and the most genuinely useful "VPN" most professionals will use.
How to evaluate a provider
If your use case calls for a VPN, here's the rubric:
- Independent audit. Has a real auditor (Cure53, Securitum, KPMG with a published scope) examined the no-log claim and the infrastructure? Within the last 12 months? Is the report public? Mullvad and Proton publish recurring audits; many big-name brands do not.
- Ownership transparency. Is the parent company publicly known and reputable? Anonymous holding companies are a flag.
- Jurisdiction. Switzerland (Proton, VyprVPN), Sweden (Mullvad), Iceland, Panama. Not because these are magical, but because the legal compulsion regime is more transparent than in Five Eyes states.
- Payment options. Cash by mail or a privacy coin such as Monero means you can sign up without linking the account to your real identity. Mullvad pioneered cash payment; Proton VPN and IVPN also accept cash or cryptocurrency. If a provider only accepts credit cards, your account is identity-linked regardless of the no-log claim.
- Account model. Mullvad uses randomly generated account numbers: no email, no password, no KYC. Paired with cash payment, the provider holds nothing that ties the number to a person, so there is nothing to hand over in response to a subpoena. Most others require at least an email address.
- Protocol. WireGuard is faster, simpler, and easier to audit than OpenVPN; both are fine when implemented correctly. In censored environments, look for transports that resist deep packet inspection: AmneziaWG, OpenVPN wrapped in an obfuscation layer such as obfs4 or stunnel, or Shadowsocks.
- RAM-only servers. Some providers (Mullvad, ExpressVPN, IVPN) run servers from RAM with no persistent disks, so a physical seizure or a reboot wipes all state. This matters in jurisdictions where datacenter raids are realistic. Check that the published audit scope actually covers the diskless claim rather than taking the marketing page's word for it.
The current honest shortlist
| Provider | Why | Caveats |
|---|---|---|
| Mullvad | Anonymous account numbers, no email required, cash payment, recurring audits, RAM-only servers, flat €5/month | Smaller server count; doesn't unblock streaming reliably |
| Proton VPN | Swiss jurisdiction, audited, free tier exists and is honest, integrates with Proton ecosystem | Account is email-bound |
| IVPN | No-log audited, Gibraltar jurisdiction, transparent ownership, multi-hop, Monero accepted | Smaller |
| Tailscale | Different category — mesh VPN for accessing your own devices. Best-in-class | Not for "anonymizing" outbound traffic |
Brands deliberately omitted: anything Kape-owned, NordVPN, Surfshark, anything you saw advertised by a YouTuber this week. Not necessarily because they're bad, but because the burden of proof is higher than the marketing suggests.
The configuration that actually matters
- Always-on / kill-switch. If the VPN drops, your traffic must not silently fall back to the bare connection. Every reputable client supports this — turn it on.
- DNS through the tunnel. Some clients, and most hand-written WireGuard or OpenVPN configs, keep using the local resolver by default, which hands your lookups straight back to the network you were trying to avoid. Verify with dnscheck.tools after connecting and confirm the resolver shown belongs to the VPN, not your ISP or the hotspot.
- IPv6 leak protection. If your ISP gives you IPv6 and the VPN tunnel only routes IPv4, IPv6 traffic bypasses the VPN entirely. Either route ::/0 through the tunnel or disable IPv6 on the interface, then test at a site that reports both addresses.
- WebRTC leak. Browsers can expose your real IP through WebRTC ICE candidates even when VPN-connected. Test at browserleaks.com/webrtc and disable WebRTC if you don't need it (media.peerconnection.enabled in Firefox's about:config; Chromium-based browsers need an extension to restrict it).
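The tunnel described under "What a VPN actually is" and the first three settings above are all visible in a WireGuard client config, so they can be checked before the first connection. The following is an added example, not code from the article or from any provider: it parses a wg-quick file and reports whether the routes cover all of IPv4 and IPv6, whether the resolver sits inside those routes, and whether a PostUp hook installs a default-drop firewall. The two embedded configs are constructed samples (placeholder keys, a TEST-NET endpoint), and the kill-switch check is a string heuristic, not a firewall simulation. WebRTC is a browser matter and does not appear in this file.

```python
import ipaddress

# Constructed sample wg-quick client config (not any provider's file): full tunnel for both
# address families, resolver inside the tunnel, and nftables hooks that drop anything not
# leaving through the tunnel. Keys are placeholders; 203.0.113.10 is a TEST-NET address.
GOOD_CONF = """\
[Interface]
PrivateKey = <client private key>
Address = 10.64.0.2/32, fc00:bbbb::2/128
DNS = 10.64.0.1
# kill switch: default-drop on output; allow only loopback, the tunnel, and the handshake
PostUp = nft add table inet killswitch
PostUp = nft add chain inet killswitch output '{ type filter hook output priority 0 ; policy drop ; }'
PostUp = nft add rule inet killswitch output oifname "lo" accept
PostUp = nft add rule inet killswitch output oifname "%i" accept
PostUp = nft add rule inet killswitch output ip daddr 203.0.113.10 udp dport 51820 accept
PreDown = nft delete table inet killswitch

[Peer]
PublicKey = <server public key>
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

# Constructed config with the classic mistakes: the two /1 routes do capture all of IPv4
# (a common way to beat the system default route), but IPv6, DNS and the kill switch are missing.
LEAKY_CONF = """\
[Interface]
PrivateKey = <client private key>
Address = 10.64.0.2/32

[Peer]
PublicKey = <server public key>
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
"""


def parse_wg_config(text):
    """Minimal reader for wg-quick files; keeps repeated keys such as several PostUp lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].setdefault(key, []).append(value)
    return sections


def _networks(values, version):
    nets = []
    for value in values:
        for item in value.split(","):
            net = ipaddress.ip_network(item.strip(), strict=False)
            if net.version == version:
                nets.append(net)
    return nets


def covers_everything(nets, version):
    """True when the routes add up to the whole address space of that IP version.
    collapse_addresses merges 0.0.0.0/1 + 128.0.0.0/1 into 0.0.0.0/0."""
    whole = ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")
    return list(ipaddress.collapse_addresses(nets)) == [whole]


def lint_wg_config(text):
    """Report the checklist properties that a config file alone can show."""
    conf = parse_wg_config(text)
    iface = conf.get("Interface", {})
    allowed = conf.get("Peer", {}).get("AllowedIPs", [])
    v4, v6 = _networks(allowed, 4), _networks(allowed, 6)
    dns = []
    for value in iface.get("DNS", []):
        for item in value.split(","):
            try:
                dns.append(ipaddress.ip_address(item.strip()))
            except ValueError:
                pass  # wg-quick also accepts search domains here; they are not resolvers
    hooks = " ".join(iface.get("PostUp", [])).lower()
    return {
        "full_tunnel_v4": covers_everything(v4, 4),
        "full_tunnel_v6": covers_everything(v6, 6),   # without ::/0, ISP IPv6 bypasses the VPN
        "dns_in_tunnel": bool(dns) and all(any(d in n for n in v4 + v6) for d in dns),
        # heuristic only: a PostUp that installs a default-drop policy with nft or iptables
        "kill_switch": ("nft" in hooks or "iptables" in hooks) and "drop" in hooks,
    }


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("leaky", LEAKY_CONF)):
        print(label, lint_wg_config(conf))
```

Run it against your own `/etc/wireguard/*.conf` by reading the file into `lint_wg_config`. A provider-generated config that fails `full_tunnel_v6` is the IPv6 leak from the checklist in file form; the nftables hooks in the good sample are deliberately strict (they also block DHCP renewals and LAN printers), which is the trade-off every real kill switch makes.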
The point
The privacy you can build at home with encrypted DNS, a competent browser, a password manager, and a hardware key is more meaningful than any VPN subscription. Once that foundation is in place, a VPN is a useful additional layer for the moments it solves a real problem. Before that foundation, it's a sticker on a leaky pipe.