Surveillance Self-Defense

Choosing the VPN That's Right for You

Last reviewed: 3-7-2019

VPN stands for “Virtual Private Network.” When you connect to a VPN, all data that you send (such as the requests to servers when browsing the web) appears to originate from the VPN itself, rather than your own ISP. This masks your IP address, which can be an important tool for protecting your privacy, since your IP address provides an indication of your general location and can therefore be used to identify you.

In practice, VPNs can:

  • Protect your Internet activity from prying eyes, especially if you’re connected to an unsecured Wi-Fi network in a café, airport, library, or somewhere else.
  • Circumvent Internet censorship on a network that blocks certain sites or services, for example when you are working from a school’s Internet connection or in a country that blocks content. Note: It’s important to keep up to date on security news for specific countries’ policies on VPNs.
  • Connect you to the corporate intranet at your office while you’re traveling abroad, at home, or any other time you are out of the office.

One common misconception is that VPNs are just for desktop computers. Logging in to strange or unfamiliar Wi-Fi connections from your phone can be just as risky as logging on to a strange Wi-Fi network from your computer. You can use a VPN on your phone to encrypt your traffic so that your carrier and Internet Service Provider (ISP) cannot read it.

There is no one-size-fits-all solution when it comes to VPNs. Just like email, there are many VPN services out there and you should choose the service that works best for you. Depending on which one you choose, you can benefit from an increased level of security when connected to networks you wouldn’t ordinarily trust. This does mean, however, that you will be placing your trust in the VPN itself.

So do you need a VPN? And which VPN should you use? The answers to these questions are packed with various considerations and nuances. This guide will help you think through what tools are right for you, and what factors you should consider in your search for a VPN.

Let’s Start With the Basics: How do VPNs Actually Work?

This explainer by the Center for Democracy & Technology describes a VPN as a tool that creates “a sort of tunnel for your internet traffic [in order to] prevent outsiders from monitoring or modifying your traffic. Traffic in the tunnel is encrypted and sent to your VPN, which makes it much harder for third parties like internet service providers (ISPs) or hackers on public Wi-Fi to snoop on a VPN users’ traffic or execute man-in-the-middle attacks. The traffic then leaves the VPN to its ultimate destination, masking that user’s original IP address. This helps to disguise a user’s physical location for anyone looking at traffic after it leaves the VPN.”

Before continuing, we recommend reading the Center for Democracy & Technology’s entire article to better understand what VPNs are and how they work.

Things to Consider: What VPNs Don’t Do

A VPN protects your Internet traffic from surveillance on the public network, but it does not protect your data from the private network you’re using. If you are using a corporate VPN, then whoever runs the corporate network will see your traffic. If you are using a commercial VPN, whoever runs the service will be able to see your traffic.

A disreputable VPN service might do this deliberately, to collect personal information or other valuable data.

The manager of your corporate or commercial VPN may also be subject to pressure from governments or law enforcement to turn over information about the data you have sent over the network. You should review your VPN provider’s privacy policy for information about the circumstances under which your VPN provider may turn your data over to governments or law enforcement.

You should also take note of the countries in which the VPN provider does business. The provider will be subject to the laws of those countries, including laws governing government requests for information. Laws vary from country to country, and sometimes those laws allow officials to collect information without notifying you or giving you an opportunity to contest it. The VPN provider may also be subject to legal requests for information from countries that have a legal assistance treaty with the countries in which it operates.

Most commercial VPNs require you to pay using a credit card, which includes information about you that you may not want to disclose to your VPN provider, as it can easily be linked back to your identity. If you would like to keep your credit card number from your commercial VPN provider, use a VPN provider that accepts bitcoin or gift cards, or use temporary or disposable credit card numbers. Also, note that the VPN provider may still collect your IP address when you use the service, which can also be used to identify you, even if you use an alternative payment method. If you would like to hide your IP address from your VPN provider, you could use Tor when connecting to your VPN, or connect to the VPN only from a public Wi-Fi network.

How Do I Choose a VPN That’s Right For Me?

Everyone has different needs for how they hope to use a VPN. And the range and quality of VPNs varies a lot from one service to another. To find the VPN that’s right for you, you can evaluate VPNs based on the following criteria:

Claims

Is the VPN provider making claims about their product or services? Maybe they claim not to log any user connection data (see data collection below), or they claim not to share or sell data. Remember that a claim is not a guarantee, so be sure you verify these claims. Dig deep into a VPN provider’s privacy policy to uncover details about how your data is monetized, even if the VPN doesn’t sell it to third parties directly.

Business model

Even if a VPN isn’t selling your data, it must be able to stay in operation somehow. If the VPN doesn’t sell its service, how is it keeping its business afloat? Does it solicit donations? What is the business model for the service? Some VPNs run on a “freemium” model, meaning they are free to join, but after you transfer a certain amount of data they will charge you. If your budget is constrained, this is useful information to know.

Reputation

It is worthwhile to do a search on the people and organizations associated with the VPN. Is it endorsed by security professionals? Does the VPN have news articles written about it? If the VPN was established by people known in the information security community, it is more likely to be trustworthy. Be skeptical of a VPN offering a service that no one wants to stake their personal reputation on, or one that is run by a company that no one knows about.

Data collection

A service that does not collect data in the first place will not be able to sell that data. When looking through the privacy policy, see whether the VPN actually collects user data. If it doesn’t explicitly state that user connection data is not being logged, chances are that it is. And, depending on jurisdiction, a government can demand that data or issue a subpoena for it.

Even if a company claims not to log connection data, this may not always be a guarantee of good behavior. We encourage you to investigate instances where a VPN has been mentioned in the media. They may have been caught misleading or lying to their customers. A simple search can go a long way.

Location and laws

You might choose a VPN based on where its headquarters are based. Choosing a VPN based on the data privacy laws of that country may be an important factor, but please note that laws and policies can change.

Encryption

How safe is the VPN encryption? If a VPN is using broken encryption—such as Point-to-Point Tunneling Protocol (PPTP) or weak encryption ciphers—any data flowing through it can be easily decrypted and viewed by your ISP or country. If you’re using a work VPN, contact your IT department and inquire about the security of the connection. Evaluating the strength of encryption in a VPN can be difficult to do, so you may want to check out this VPN comparison chart by That One Privacy Site, which analyzes almost 200 VPN providers based on their jurisdictions and policies.

EFF cannot vouch for these or any VPN ratings. Some VPNs with exemplary privacy policies could be run by devious people. Do not use a VPN that you do not trust.

Remember: There is no one-size-fits-all VPN. There are many factors to consider when choosing a VPN. Always remember to consider your security plan before making any decisions about the tools you use to protect your digital security.
