Should You Use a VPN?
Virtual private networks can provide a layer of privacy and security, but many people don't need them
For years, many security experts advised people to use virtual private networks, or VPNs, to help make their internet browsing more secure.
In particular, VPNs were supposed to help people avoid getting hacked while they were using the free WiFi at an airport or library, because these services route browser traffic through an encrypted tunnel. VPNs could also keep your internet service provider from knowing what sites you visited because the traffic coming to and from your computer all travels through the VPN’s servers, or servers VPNs pay to use. That can sound good to anyone who doesn’t trust their ISP.
All that’s still valid, at least to some extent. But as a tech journalist who’s been looking into VPNs since 2016, I’ve seen advice from security experts change over time. VPNs can be useful, but they’re not necessary for every person or every situation, especially now that so much web traffic is encrypted using HTTPS, the secure protocol whose initials you see at the start of most web addresses.
Many experts are much less concerned about people being hacked at a local cafe than they are about ad tracking, which uses tools that a VPN can’t defend against, such as digital fingerprinting. For the average person accessing the web from their home WiFi, there’s little reason to use a VPN service. CR’s in-depth evaluations identified leading VPNs that we’d feel comfortable using ourselves or suggesting to friends and family. But the testing also showed that some VPNs can actually make things worse for your data privacy and security. (Complete details of the testing, which was conducted on laptops running Windows 10, are on CR’s Digital Lab site.)
Why You May Not Want a VPN
Years ago, large parts of the web were unencrypted. Since well-configured VPNs encrypt all the traffic leaving your computer, they were an important layer of protection for many people. But there have been massive improvements in the security of operating systems and browsers since then. These days, you might be able to spend hours online—banking, emailing friends, posting on social networks, shopping, and watching videos—without landing on an unencrypted website.
Google now downranks sites that don’t use HTTPS, and browsers will alert you when you try to visit a site without HTTPS connections. Let’s Encrypt, a nonprofit organization that provides encryption certificates to websites free of charge, says that it is currently providing certificates for 276 million websites.
Some people may want to use a VPN to try to hide their identity or location from websites they connect to. That’s because the technology will mask your IP address, but that isn’t as effective a step as it might seem. Although company websites do use IP addresses as an identifier, there are many other tools they use that a VPN will not protect you from.
Your location can be determined from your GPS and gleaned from the name of the WiFi network you connect to. And you can be tracked through web cookies, tracking pixels, and digital fingerprinting, in which apps and websites combine characteristics of a computer or phone, such as its operating system, model name, and screen resolution, to uniquely identify individual users.
“There’s a ton of metadata, there’s a ton of time correlation, and those are not just hypothetical issues,” says security researcher Kenneth White. “There’s a multi-multi-billion dollar identity monetization industry right now. There’s entire lines of business and startups and there’s a whole ecosystem and world around it.”
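An added illustration (not from the original article or CR's testing) of why masking an IP address does not defeat fingerprinting: the identifier below is built only from the device traits named above, so it stays the same when a VPN changes the address. The visit records, field names, and `user` labels are constructed for the example; the `user` column is ground truth for checking the result and is not something a tracker sees.

```python
import hashlib
from collections import defaultdict

# Constructed sample visits (not real data). "ip" is the only field a VPN changes.
VISITS = [
    {"user": "A", "ip": "203.0.113.7",  "os": "Windows 10", "model": "Laptop-X1", "screen": "2560x1440"},
    {"user": "A", "ip": "198.51.100.9", "os": "Windows 10", "model": "Laptop-X1", "screen": "2560x1440"},  # A via VPN
    {"user": "B", "ip": "203.0.113.50", "os": "macOS 12",   "model": "Book-Air",  "screen": "1440x900"},
    {"user": "C", "ip": "192.0.2.14",   "os": "macOS 12",   "model": "Book-Air",  "screen": "1440x900"},
]

TRAITS = ("os", "model", "screen")  # device traits named in the article


def fingerprint(visit):
    """Hash only device traits; the IP address is deliberately not an input."""
    material = "|".join(visit[t] for t in TRAITS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def group_by_fingerprint(visits):
    """Bucket visits by fingerprint, as a tracker keyed on device traits would."""
    groups = defaultdict(list)
    for v in visits:
        groups[fingerprint(v)].append(v)
    return dict(groups)


def linked_across_ips(visits):
    """Fingerprints seen from more than one IP, mapped to the sorted IPs involved."""
    linked = {}
    for fp, vs in group_by_fingerprint(visits).items():
        ips = sorted({v["ip"] for v in vs})
        if len(ips) > 1:
            linked[fp] = ips
    return linked


def anonymity_set_size(visits, visit):
    """Distinct users sharing this visit's fingerprint (1 means uniquely identifiable)."""
    fp = fingerprint(visit)
    return len({v["user"] for v in visits if fingerprint(v) == fp})


if __name__ == "__main__":
    for fp, ips in linked_across_ips(VISITS).items():
        print(fp, "seen from", ips)
    print("User A anonymity set:", anonymity_set_size(VISITS, VISITS[0]))
    print("User B anonymity set:", anonymity_set_size(VISITS, VISITS[2]))
```

User A's uncommon configuration links both visits despite the changed IP, while B and C share a common configuration and cannot be told apart by these traits alone.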
Because a properly configured VPN routes traffic through an encrypted tunnel, your network history (all of your data, such as messaging and app use) is hidden from your internet service provider, and any third parties they might share that data with. Without a VPN, your ISP can see what sites you visit, how long you’re on them, and information about your devices. Many ISPs share far more data than their customers expect, including their browsing history and location data, a recent FTC report revealed.
While using a VPN means all that information is hidden from your ISP, the VPN provider can see it all instead. And it’s extremely hard to judge how well any of the hundreds of VPNs on the market take care of your data, because unscrupulous VPNs historically have left it unsecured and shared or sold the information they collected about the sites users visited and apps and services they used to marketers.
“I understand if users worry about ISPs tracking and selling their data. But on the other hand, transferring that data and trust onto a random, unverified commercial VPN provider, might be even worse,” said Reethika Ramesh, PhD candidate at the University of Michigan and lead researcher at VPNalyzer, an interdisciplinary research project headed by professor Roya Ensafi that aims to analyze the VPN ecosystem.
In Consumer Reports’ testing of VPNs running on Windows 10, Mullvad, IVPN, and Mozilla VPN stood out for their strong privacy and security protections. They all have consumer-friendly privacy policies, and marketing copy accurately represents their product and its underlying technology. In addition, their client-side code—the software that runs on your computer—is open-source, so it can be inspected by outside researchers like those at Consumer Reports. And these VPN providers subject themselves to independent third-party security audits and publish the results. (You can read our full testing report here.)
When a VPN Can Help
For some people in some circumstances, VPN services can be a useful part of a plan to improve your online security and privacy.
As described above, VPNs can mask your IP address. Although there are many other ways to track you across the web, an IP address is an easy tool for doing that. Masking it can provide a bit of distance if you’re connecting to a site you don’t trust—especially when you combine a VPN with additional privacy methods.
Hiding your IP address can offer protection against being easily identified by small sites where administrators look at the logs. And because some sites do use IP addresses for ad retargeting, a VPN is one of several tools that can prevent those annoying ads from following you across the web.
In addition, you might want privacy from the owner of the local coffee shop, or the administrators at your college or a community center. Whoever runs the WiFi network you’re using can learn what websites you’re communicating with. “If you have a personal relationship where you know the name of the person operating your network, you might consider using a VPN, because that level of connection also allows the person to make a connection to you,” Guido says. “They might know your name. They might want to know what you’re doing.”
Even though most websites are encrypted, “not every single thing is encrypted,” says Matthew Green, associate professor at the Johns Hopkins Information Security Institute. “You go to websites that are not encrypted and stuff oozes out from around the side and a VPN wraps all that up so that for that coffeehouse kind of situation, you’re getting protection,” he says. “For most of the reputable services, I don’t think it can hurt and it might help.”
Tips for Using a VPN to Stay Safe
VPNs can add a layer of security and privacy to your web browsing, but it’s a relatively thin layer considering how good the tech industry has become at tracking people.
The most important thing to do about this is to use the safety steps I listed above, such as a password manager, multifactor authentication, and tracking blockers, and to follow standard safety advice to avoid online dangers that have nothing to do with your ISP or IP address. “VPNs do not protect against most known online risks, such as phishing, tracking, malware, and ransomware,” says Roya Ensafi, assistant professor at the University of Michigan’s computer science & engineering department and principal investigator of VPNalyzer.
White is quick to point out that there’s ultimately no guarantee that a VPN provider is on the level, even when testing like Consumer Reports’ comes back with good results. “The best we can do is to get an assessment for symptoms and hints of trustworthiness when we evaluate a VPN,” he says.
That said, choosing a VPN that seems solid is much safer than choosing one without those signals of trustworthiness. Not doing so could put you at risk. If you use a VPN with a default configuration that’s insecure, it could allow for lateral movement, where an attacker can move through your home network and access all of your devices.
“Any other user on the VPN node you connect to is effectively now sitting on your internal network—be that at home or in the office,” White says. “In attempting to be more secure, subscribers are instead literally silently opening their network up to potentially hostile or criminal threat actors.”
You may also want to create separate browser profiles to use—one for when you’re logged into your VPN and one for when you’re disconnected. If you are logged into a Google account while your VPN is connected, for example, it’ll be associated with your IP address and that account.
Also, check the VPN settings to ensure that the strongest protections are turned on. An important one to look for is a kill switch. With a kill switch enabled, the VPN will disconnect your internet connection if it temporarily loses contact with the VPN’s servers. (If your VPN connection falters and there’s no kill switch, your traffic and location will no longer be protected, but you may not realize it.)
Finally, if you are an activist, a journalist with sources to protect, or are at heightened risk because of who you are or what you do, a VPN might be part of the solution. However, it’s important to reach out to organizations such as Access Now that can provide customized recommendations for your specific situation, which will likely include additional measures beyond just using a VPN—and in some cases, may not involve a VPN at all.