Just about all security experts agree that using a VPN, or virtual private network, when you're accessing the internet via computer or phone is a good idea. In particular, a VPN is one of the easiest ways to avoid getting hacked while you're taking advantage of the free WiFi at an airport or library.

But some VPNs are better than others. And a few even sell the consumer data they collect for a profit. Sorting through the various options can be a tough task, even for people schooled in digital security.

Case in point: Onavo, a free VPN owned by Facebook, was removed from Apple’s app store this month because of consumer privacy concerns, the Wall Street Journal reports.

Facebook had recently come under fire for using the VPN app to collect information about other apps installed on users’ devices, information that could be used for audience analysis or marketing.

“There aren’t widely-agreed-upon standards in place to ensure that VPNs operate as advertised, and in the best interests of their users,” says Robert Richter, program manager for privacy and security testing at Consumer Reports.

As Richter points out, Apple had updated its guidelines for developers in June, forbidding apps from collecting data on other apps. This prohibits a maps app such as Waze from gathering information about the music or banking app on your phone, for example. A VPN app shouldn't be collecting data about which social media and streaming services you use, Richter says.

In an emailed statement Tuesday, Facebook defended Onavo's data-collecting practices, which are laid out in the developer's privacy policy, and argued that they didn't violate Apple's rules.

“We've always been clear when people download Onavo about the information that is collected and how it is used,” a Facebook spokesperson wrote. “As a developer on Apple's platform, we follow the rules they've put in place.” (Apple did not immediately respond to a request for comment.)

So how does one go about safely choosing a VPN? To help solve that problem, we asked top security experts for tips and recommendations. Here's what you need to know.

How Does a VPN Work?

VPNs route all the data sent to and from your device through the service provider's servers. That keeps anyone who's watching the traffic from knowing what sites you're visiting. It can mask your identity and location from snoops, too. Ideally, the data is even encrypted, or scrambled, so if someone were to intercept it, it would be worthless.

Most people think of VPNs as tools to use when you're away from home. But security experts say it's smart to use a VPN on your own WiFi network as well, since your internet service provider now has the green light to collect information about what you do online.

If you use a VPN, the internet service provider will not be able to see what you're reading, viewing, or shopping for online. The traffic coming to and from your computer will be linked to just one source—the VPN company.

Even the Federal Trade Commission is making a point of telling consumers to use VPNs, particularly on their smartphones.

So the decision to use a VPN should be easy. But choosing a service? That's harder. Some VPNs protect you better than others. And certain ones might gather up the details of your online activities and sell them to other companies on their own.

“They are in the perfect position to hack, snoop, collect, and expose you if they so choose,” says Lance Cottrell, chief scientist for the cybersecurity firm Ntrepid. And, he adds, promises to protect you can mean “very little with respect to your actual safety using a service.”

Why Use a VPN?

The most obvious place to use a VPN—the classic example nearly every expert cites—is the coffee shop with free WiFi.

Even if the WiFi network is password-protected, that password is accessible to everyone else, too. So there’s nothing stopping would-be hackers from jumping on the network and intercepting the information that’s going to and from your computer in a so-called “man in the middle” attack.

If you’re using that internet connection to shop online, manage your bank account, or do your taxes, you could be putting a slew of personal information at risk, setting yourself up for financial or identity theft down the road. While many websites do encrypt traffic, someone snooping would still be able to capture metadata, such as which sites you're accessing.

In addition to masking your identity and encrypting your data, some VPNs will stop advertisers and other third parties from collecting information about you. 

But VPNs can’t protect you against everything, says Mark Nunnikhoven, vice president of cloud research at Trend Micro, which makes security products for businesses and consumers.

A VPN won’t protect you from malware or hide your identity from the sites you're visiting. “A VPN is just a way to secure your traffic from snooping as it travels through the network,” he says.

What to Look for in a VPN

Cybersecurity experts say the best VPNs are secure and easy to use.

Nunnikhoven recommends picking a VPN that supports your computer and your mobile devices with the same account. And, he says, VPN connections that are always on, or initiate with just a click, are better than ones that require you to enter log-in credentials each time you want to go online.

“If it’s hard to connect, you’re going to forget and then have no protection,” he says.

A good example, says Joshua Konowe, chief strategy officer for Silent Circle, which specializes in secure communications, is TunnelBear.

The VPN, which was acquired by the McAfee security company in March, has an easy-to-use free version, and it works on Mac and PC computers as well as Apple and Android mobile devices. The free version covers 500MB of data a month, and an unlimited plan can be had for as little as $6 per month.

TunnelBear has another advantage that consumers should look for in any VPN, according to Konowe: lots of servers. The company has connection spots in 20 countries, and your machine will automatically connect to the closest available point. That minimizes the distance your data has to travel and reduces potential slowdowns. Remember, when you use a VPN, your data has to make an extra stop along the way.

TunnelBear also subjects itself to independent security audits and publishes the results, Konowe says.

It also scores points for not logging any user activity. VPNs that do could potentially cause problems for users if the VPN company is hacked or forced by government officials to hand that information over, says Brian Vecci, technical evangelist at the data-security company Varonis.

Vecci says he uses NordVPN for his personal devices, including mobile ones. That company, which offers plans starting at $7 per month, operates more than 3,000 servers in 60 different countries and, like TunnelBear, makes a point of saying that it doesn’t log user information.

Konowe says he has also used Tor, which provides a secure web-browsing experience through a network of volunteer servers, as well as ZenMate, a paid service that’s based in Germany and operates hundreds of servers in about 30 countries. It starts at $6 per month and promises not to log user information.

But whatever VPN you go with, Konowe and Vecci say it’s important to do your research before signing up.

“Trust is everything, and so is history and performance, so be sure to read the fine print, if there is any,” Konowe says.

Free VPNs can do a great job, adds Vecci, but be especially diligent in researching them. “It’s not always true, but you often get what you pay for with security software,” he says. “You don’t necessarily need the most expensive, but make sure you know what you’re getting with the cheapest.”