Choosing the VPN That's Right for You

VPN stands for “Virtual Private Network .” When you connect to a VPN, all data that you send (such as the requests to servers when browsing the web) appears to originate from the VPN itself, rather than your internet service provider (ISP). This masks your IP address , which can be an important tool for protecting your privacy, since your IP address provides an indication of your general location and can therefore be used to identify you.

VPN providers often overpromise security benefits in advertisements that assert that a VPN is the only tool you need to stop cyber criminals, malware , government surveillance, and online tracking. But these advertisements vastly oversell the benefits of VPNs. The reality is that VPNs are best suited for one thing: routing your network connection through a different network. In practice, VPNs are useful in two circumstances:

• Circumvent internet censorship on a network that blocks certain sites or services. For example, when you are working from a school’s internet connection or from a location that blocks content, a VPN can bypass some geographic restrictions or bans by making it appear like you’re connecting from a different location. Whether or not a VPN is useful for circumventing the censorship you face depends on several factors, but this guide can help you decipher what solution is best for you. Note: it’s important to keep up to date on security news for specific countries’ policies on VPNs (like VPN bans). Likewise, content providers, especially video streaming platforms, are increasingly blocking access to devices that appear to be using a VPN, so they are not a guaranteed means to get around geographic restrictions.
• Connect you to the corporate intranet at your office while you’re traveling abroad, at home, or any other time you are out of the office. A personal VPN you run on your own computer at home can also be used to connect to your home network while traveling.

So do you need a VPN? And which VPN should you use? This guide will help you think through what tools are right for you, and what factors you should consider in your search for a VPN.

How do VPNs Actually Work? anchor link

A VPN routes all your web traffic through an "encrypted tunnel" between your devices and the VPN server. Then, the traffic leaves the VPN to its ultimate destination, masking your original IP address. From a website's point of view, it appears your location is wherever the VPN server is.

A VPN also hides your outgoing traffic from your ISP and the local network owner (like a coffee shop or hotel). According to a 2021 report, the FTC found ISPs in the U.S. share more of your browsing data with third-parties than you might expect. However, while a VPN hides your browsing data from the ISP, it's all visible to the VPN provider. If you’re using a VPN to browse content not available in your region, the VPN provider could sell that information, just like an ISP could.

For additional information, this article from the Center for Democracy & Technology covers more of the technical aspects.

What VPNs Don’t Do anchor link

Fully Protect Against Security Threats on Public Wi-Fi anchor link

A properly configured VPN can protect any unencrypted internet traffic from surveillance on a public network, but while it used to be a standard recommendation to use a VPN when using public Wi-Fi, like at coffee shops or airports, this isn’t as necessary for everyone anymore because the majority of web traffic is now encrypted using HTTPS. Plus, if VPN software is not updated to deal with security issues, such as TunnelVision, it might not even be that good for protecting you in the very rare cases of public network compromises. 

However, HTTPS only protects the content of your communications, not the metadata . So when you visit HTTPS sites, anyone along the communication path—from your ISP to the internet backbone provider to the site’s hosting provider—can see their domain names (e.g. wikipedia.org) and when you visit them. But these parties can’t see the pages you visit on those sites (e.g. wikipedia.org/controversial-topic), your login name, or messages you send. They can see the sizes of pages you visit and the sizes of files you download or upload. When you use a public Wi-Fi network, people within range of it could choose to listen in. They’d be able to see that metadata, just as your ISP could see when you browse at home. If this is an acceptable risk for you, then you shouldn’t worry about using public Wi-Fi. A VPN would potentially protect this metadata from someone listening in on a local network, but the VPN provider itself would see it all.

But if you need to use a public network you do not trust, such as a network where you’re not sure who the ISP is, or when you don’t know who runs the Wi-Fi network, and you have a VPN you trust, a VPN may be useful.

Completely Anonymize You anchor link

A VPN is not a tool for anonymity, and while it can protect your location from some companies, there are many other ways companies may track you, including GPS, web cookies , tracking pixels, or fingerprinting.

A VPN doesn't protect your data from the private network you’re using. If you are using a corporate VPN, then whoever runs the corporate network will see your traffic. If you are using a commercial VPN , whoever runs the service will see your traffic. A disreputable VPN service might do this deliberately to collect personal information or other valuable data.

The manager of your corporate or commercial VPN may also be subject to pressure from governments or law enforcement to turn over information about the data you have sent over the network. You should review your VPN provider’s privacy policy for information about the circumstances under which your VPN provider may turn your data over to governments or law enforcement.

Most commercial VPNs require you to pay using a credit card, which includes information about you that you may not want to disclose to your VPN provider, as it can easily be linked back to your identity. If you would like to keep your credit card number from your commercial VPN provider, use a VPN provider that accepts gift cards, or use temporary or disposable credit card numbers. Also, note that the VPN provider may still collect your IP address when you use the service, which can also be used to identify you, even if you use an alternative payment method. 

If you are interested in increased anonymity, Tor is a better solution than a VPN. A VPN provider can see your device’s traffic, but because of the way Tor is designed, no single Tor server can see your browsing data. For more information on Tor, head here. 

Protect Fully Against Law Enforcement and Government Requests anchor link

A VPN could potentially hide your browsing habits from your ISP, and thus protect against law enforcement asking your ISP for your information. But VPN providers are also subject to law enforcement requests, and many VPN providers save as much information as ISPs do. A VPN also doesn’t do anything to protect you from law enforcement potentially getting the browsing history saved in your browser or in your search history if you’re logged into an account. 

You should take note of the countries in which the VPN provider does business. The provider will be subject to the laws of those countries, including laws governing government requests for information. Laws vary from country to country, and sometimes those laws allow officials to collect information without notifying you or giving you an opportunity to contest it. The VPN provider may also be subject to legal requests for information from countries with whom the countries in which it operates have a legal assistance treaty.

VPNs Are Not a Security Multi-Tool anchor link

For many circumstances, a VPN isn't the most important security step to take. More impactful ways of securing yourself online include:

• Using strong passwords
• Setting up two-factor authentication
• Enabling HTTPS-only mode
• Encrypting your devices
• Running software updates
• Using encrypted DNS
• Blocking trackers

How Do I Choose a VPN That’s Right For Me? anchor link

If you’ve decided you’ll benefit from using a VPN, then you should evaluate VPNs based on the following criteria:

Claims anchor link

Is the VPN provider making claims about their product or services? Maybe they claim not to log any user connection data (see data collection below), or they claim not to share or sell data. Remember that a claim is not a guarantee, so be sure you verify these claims. Dig deep into a VPN provider’s privacy policy to uncover details about how your data is monetized, even if the VPN doesn’t sell it to third parties directly. On the VPN's marketing pages, keep an eye out for hyperbolic claims around privacy or security, too, as any VPN that makes impossible claims may not be trustworthy in other areas.

Trust and transparency anchor link

VPN providers can subject their service to third-party security audits, preferably annually, with results which are then made public. This type of transparency can reveal otherwise unknown security vulnerabilities in the VPN apps, data access, and infrastructure. As a potential subscriber, it's a sign the VPN provider is trying to take security seriously. But there's no certainty that the practices aren't changed after the audit, especially if compelled to do so by a government. 

Business model anchor link

Even if a VPN isn’t selling your data, it must be able to stay in operation somehow. If the VPN doesn’t sell its service, how is it keeping its business afloat? Does it solicit donations? What is the business model for the service? Some VPNs run on a “freemium” model, meaning they are free to join, but after you hit a data cap they charge you. VPNs can be entirely free, but sell your data. They can use a recurring subscription, which will keep charging you if you forget to cancel. If your budget is constrained, this is useful information to know. VPNs may also throw in extra features, like ad and tracker blocking, though they provide you with much less control than an ad blocking browser extension.

Reputation anchor link

It is worthwhile to do a search on the people and organizations associated with the VPN. Is it endorsed by security professionals? Does the VPN have news articles written about it? If the VPN was established by people known in the information security community, it is more likely to be trustworthy. Be skeptical of a VPN offering a service that no one wants to stake their personal reputation on, or one that is run by a company that no one knows about. It can be beneficial to look for a VPN's "about" page to see if it lists its founders or employees. Transparency of leadership isn't a guarantee that a company is reputable, but it is a sign the company is trying to establish trust.

Often, an app being available on the Google Play or Apple App Store seems like an indication that it’s trustworthy. But in the case of VPNs, a VPN provider may still collect and share user data, distribute malware, and more. Do not assume that just because a VPN app is available on an official storefront that it’s safe.

Data collection anchor link

A service that does not collect data in the first place will not be able to sell that data. When looking through the privacy policy, see whether the VPN actually collects user data and whether it sells it. A VPN company might log your data if it doesn't specifically rule it out in its privacy policy. And, depending on jurisdiction, a government can demand that data or issue a subpoena for it.

Even if a company claims not to log connection data, this is not a guarantee of good behavior. We encourage you to investigate instances where a VPN has been mentioned in the media. They may have been caught misleading or lying to their customers.

Encryption anchor link

How safe is the VPN encryption ? If a VPN is using broken encryption—such as Point-to-Point Tunneling Protocol (PPTP)—any data flowing through it can be easily decrypted and viewed by your ISP or country. Check to see if the VPNs use one of two different protocols, OpenVPN and WireGuard, which have become common. OpenVPN is still in heavy enterprise use for its flexibility and VPN providers may use their own implementations of Wireguard. If you’re using a work VPN, contact your IT department and inquire about the security of the connection.

EFF cannot vouch for any VPN or ratings. Some VPNs with exemplary privacy policies could be run by devious people. Do not use a VPN that you do not trust.

Remember: There is no one-size-fits-all VPN. There are many factors to consider when choosing a VPN. Always remember to consider your security plan before making any decisions about the tools you use to protect your digital security.