VPNs explained without the marketing bullshit: what they hide, what they don't, and when Tor is the right tool
Every 'do I need a VPN' search result is written by a VPN company, and the honest answer is more boring and less flattering. A VPN moves the entity that sees your traffic from your ISP to a private company whose entire pitch is that they will not look at what they can see - and the industry has a long, well-documented record of 'no-logs' providers producing logs the moment a subpoena arrives, from HideMyAss handing over LulzSec logs in 2011 to IPVanish and PureVPN doing the same despite identical marketing. Here is what a VPN actually does on the wire, what it does not do (anonymity, fingerprinting, the apps already phoning home over the same tunnel), why the free-VPN category is mostly the user-as-product business model, why we do not recommend one by default for ordinary users, the narrow cases where one is genuinely worth it, and when the right answer is Tor instead.
Search "do I need a VPN" and the first ten results are written by VPN companies. The honest answer - the one that survives more than a few minutes of looking at what a VPN actually does and at the track record of the industry that sells them - is more boring and less flattering than the ads suggest. A VPN is a useful tool for a narrow set of problems. It is sold as a solution to a much wider set of problems, most of which it does not solve, and a few of which it makes worse. This article is what we wish someone had told us before the first time we paid for one.
What a VPN actually does
Strip away the marketing and a VPN is one thing: an encrypted tunnel from your device to a server somewhere else, and then your traffic exits onto the public internet from that server's IP address instead of yours. That is it. Everything else - the military-grade-encryption graphics, the cartoon hackers in the coffee shop, the maps of the world dotted with servers - is decoration around that one mechanism.
The two real consequences of that mechanism are these. First, anyone who can see the network between your device and the VPN server - your ISP, the cafe Wi-Fi, the hotel router, the airport captive portal, the country you live in if it taps the upstream - sees encrypted traffic going to one IP address. They cannot see which sites you visited, the DNS lookups your device made, or the contents of the connections. The DNS part holds only if your device actually sends its lookups through the tunnel; a VPN client that leaves the system resolver pointed at the ISP's servers is the "DNS leak" that the provider's client software is supposed to prevent, and it hands the observer the list of domains back. They can see how much data moved, when, and that you were talking to a VPN provider. Second, the websites and services you actually connect to see the VPN's IP, not yours. They do not learn your home IP, the rough geographic location that IP implies, or your ISP's identity.
Those two consequences are real, and for the small set of problems they address they are valuable. The marketing problem is that the rest of the pitch - "browse anonymously", "protect your identity", "become invisible online" - describes protections that the tunnel does not provide.
What a VPN does not do
A VPN does not log you out of Google. The moment you sign into any account, the service knows it is you, regardless of which IP the request came from. It does not stop browser fingerprinting - the combination of your fonts, screen size, time zone, installed plugins, and rendering quirks that identifies the same browser across sessions even from different IPs (we wrote up the mechanics in five things your browser sends to every website). It does not delete cookies, clear advertising IDs, or rotate the device identifiers your apps already sent home.
It does not encrypt the parts of the connection that were not already encrypted. HTTPS - the lock icon - covers the actual content of your traffic from your browser to the destination site. The modern web is overwhelmingly HTTPS; Google's transparency report puts Chrome page loads over HTTPS above 95% on Android and Windows. The "an attacker on the coffee shop Wi-Fi can read your bank login" pitch is real for the small minority of sites that are still plain HTTP, and is not real for everything else. What HTTPS does not hide is where you are going: the destination IP is in the packet header and the hostname travels in the clear in the TLS handshake (the SNI field) unless the site and browser both support Encrypted Client Hello, which is still far from universal. That is the one thing a VPN genuinely adds against a local observer. It adds an outer layer of encryption on top of a connection that was already encrypted, and only as far as the VPN's exit server - after which the traffic continues to the destination in whatever state it was in before.
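To make the "HTTPS hides the content, not the destination" point concrete, here is an added example (not code from the original article) that builds a minimal TLS ClientHello and then parses the server name back out of it the way a passive observer on the cafe Wi-Fi or at the ISP would. The builder is a constructed stand-in, not a real TLS client, and the hostnames are placeholders; the parser follows the record, handshake and extension layout from the TLS RFCs and returns None for non-handshake, truncated or SNI-less input rather than crashing on it.

```python
import os
import struct

SNI_EXT = 0x0000            # server_name extension type
SUPPORTED_VERSIONS = 0x002b # supported_versions extension type


def build_client_hello(hostname=None):
    """Constructed ClientHello carrying an SNI extension (toy builder, not a TLS client)."""
    body = b"\x03\x03"                      # legacy_version: TLS 1.2
    body += os.urandom(32)                  # client random
    body += b"\x00"                         # session_id length 0
    suites = b"\x13\x01\x13\x02\xc0\x2b"    # three plausible cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                     # one compression method: null
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXT, len(server_name_list)) + server_name_list
    versions = b"\x02\x03\x04"              # advertise TLS 1.3 so the hello looks modern
    extensions += struct.pack("!HH", SUPPORTED_VERSIONS, len(versions)) + versions
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def extract_sni(record):
    """What a passive observer reads from the first packet of an HTTPS connection.

    Returns the host_name from the SNI extension, or None if the record is not a
    ClientHello, carries no SNI, or is truncated/malformed.
    """
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                                   # not a handshake record
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                                   # not a ClientHello
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                      # skip version and random
        sid_len = body[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len
        cm_len = body[pos]
        pos += 1 + cm_len
        if pos + 2 > len(body):
            return None                                   # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == SNI_EXT:
                p = 2                                     # skip server_name_list length
                while p + 3 <= len(data):
                    ntype = data[p]
                    nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0:
                        return data[p:p + nlen].decode("ascii", "replace")
                    p += nlen
        return None
    except (IndexError, struct.error):
        return None                                       # truncated or malformed input


if __name__ == "__main__":
    hello = build_client_hello("news.example")          # placeholder hostname
    print("observer sees SNI:", extract_sni(hello))     # news.example, despite HTTPS
    print("hello without SNI:", extract_sni(build_client_hello()))
```

The thing to notice is that nothing here needed a key: the hostname is readable before any encryption starts. With Encrypted Client Hello the same parser would return only the public outer name the browser advertises, and with a VPN it would run at the VPN's exit instead of at your ISP.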
It does not protect you from malware. It does not protect you from phishing. It does not stop infostealers, password reuse, or accounts that get popped because the second factor was SMS (more on which in how long should a password actually be in 2026). It does not undo the data your phone's apps are already sending to their respective ad SDKs over the same tunnel.
The part the marketing skips: the VPN sees everything
Your ISP used to see every domain you connected to, the timing and size of every connection, and a fair amount about what services you used even without seeing the content. When you turn on a VPN, your ISP stops seeing those things. The VPN starts seeing them instead. You have not removed the surveillance vantage point - you have moved it from a regulated telecoms company in your own country to a private company whose entire pitch is that they will not look at what they can see. Whether they look is something you cannot verify directly. You can read their privacy policy. You can hope.
Several things make this trade worse than it sounds. The VPN is a single concentrated target - one subpoena, one warrant, one server seizure, one breach gives an attacker the traffic patterns of every customer, not just one. The VPN knows your billing information, which links a real identity to the IP sessions if you paid with a credit card. The VPN sees DNS lookups, which on their own are enough to reconstruct most of a browsing session. And if you are using a free VPN, the company is making money some other way, and the obvious way to make money from a free VPN is the one many of them have chosen.
The track record: when "no logs" turned out to be logs
"No-logs" is a marketing phrase. Whether a provider actually keeps no logs is an empirical question, and the historical record contains a long list of providers whose answer to that question changed when a subpoena arrived.
HideMyAss, 2011. A UK-based VPN that marketed heavily on anonymity. When the FBI investigated the LulzSec hacking group, HideMyAss handed over user logs that helped identify a member, Cody Kretsinger, who was arrested. Their privacy policy at the time had implied minimal logging; the company's response was that they complied with a UK court order and that their terms of service had always allowed it. The takeaway was widely cited then and is worth repeating now: a "no-logs" claim that you cannot verify is worth what you can verify it with, which is nothing.
EarthVPN, 2013. A user was arrested after making a bomb threat over the service. EarthVPN had advertised no logging; the connection was traced because the hosting provider EarthVPN rented its server from was keeping connection logs at the datacenter level, which the VPN company had no visibility into and no control over. The lesson generalized: even an honest VPN cannot promise no logs for traffic that traverses infrastructure it does not own.
IPVanish, 2016. Court documents in a Homeland Security case revealed that IPVanish had handed over detailed connection logs of a user, including timestamps and the originating IP, despite its marketing pages claiming a strict zero-logs policy. The company was sold shortly after and the new owners issued a fresh no-logs commitment, which is the standard pattern.
PureVPN, 2017. An FBI affidavit in a cyberstalking case quoted PureVPN as having provided two original IP addresses linking the user to the stalking accounts, again contradicting the marketing.
UFO VPN and the SuperVPN family, 2020-2021. A cluster of free VPN apps - UFO VPN, FAST VPN, Free VPN, SuperVPN, Gecko VPN, Chat VPN, all linked to the same operating entity - left a database exposed containing more than a billion records: account passwords in plain text, payment information, device identifiers, and the original IP addresses of users along with the VPN-assigned IPs. All of these products had marketed themselves as no-logs.
There is a smaller, opposite list. Mullvad's servers were raided by Swedish police in April 2023; the police left empty-handed because the architecture genuinely did not retain user data. IVPN and Proton VPN have published the results of independent no-logs audits and have responded to legal requests with statements that they had nothing to hand over. These are exceptions, and they got that way by designing for the adversarial case from the start rather than by writing the phrase "no-logs" on a webpage.
The free VPN problem
Running a VPN is not free. The servers cost money, the bandwidth costs money, the engineers cost money, the 24-hour support staff cost money. A company that gives you a VPN for free is paying those costs from some other source, and the obvious other source - the one that explains the genre - is your data and your bandwidth.
Facebook's Onavo Protect was a free "VPN" that Facebook used to learn which competing apps its users spent time in; Apple removed it from the App Store in 2018 for violating data-collection rules. Hola VPN was caught in 2015 turning its free users into exit nodes for a paid sister service called Luminati, which sold the users' bandwidth to anyone with a credit card - including, in one widely-reported case, a botnet operator. Hotspot Shield was the subject of a 2017 complaint to the FTC for injecting JavaScript into pages and redirecting search traffic to affiliate partners. A 2016 CSIRO-led study of 283 Android apps that requested the VPN permission found that 38% of them contained known malware or malvertising libraries, 18% did not encrypt traffic at all despite being VPN apps, 84% leaked IPv6 traffic and 66% leaked DNS queries outside the tunnel, and more than 80% requested access to sensitive data the app had no functional reason to read.
The rule of thumb that fits all of this: if you are not paying for the VPN, the VPN is the product, and so are you. The trade you are actually making is worse than the one you would be making with your ISP, because your ISP is regulated and has a known business model and the free VPN is neither.
The honest "should I use one" answer
Our position - the one we hold despite running a privacy site, and partly because we run a privacy site - is that a normal user on a normal home internet connection in a country with reasonable rule of law does not need a VPN by default. The protections it provides are mostly already provided by HTTPS and by a tracker-blocking browser. The new risk it introduces - a single private company with full visibility into all of your traffic and a recurring billing relationship that ties it to your real identity - is not zero. The cost is a monthly bill in perpetuity.
The cases where the trade is genuinely worth it:
- You are connecting from a network you do not trust and the things you are doing on it are sensitive - a hotel network in a country known for traffic interception, a conference Wi-Fi run by people whose security practices you have no reason to trust.
- Your ISP is the adversary - it injects ads into pages, it throttles specific services, it is required by local law to log and retain everything you do, or you live in a jurisdiction where ordinary browsing is grounds for legal trouble.
- You have a specific geographic access need - a streaming catalog, a sports broadcast, a news site that geoblocks. This is a legitimate use; just call it what it is and choose a provider on that basis.
- You are operating in a country that filters at the network level and a VPN is the working tool to reach the open web. The choice of provider here is a question with life-and-safety stakes, and the answer is rarely the biggest-billboard provider.
Outside those cases, the things people usually mean when they say "I want privacy online" are better served by a hardened browser (Firefox with uBlock Origin and strict tracking protection, or Brave, or Safari with intelligent tracking prevention), a privacy-respecting DNS resolver (Quad9, Mullvad DNS, or NextDNS), HTTPS-only mode in the browser, and being thoughtful about which accounts you sign into where (the trade-offs of which we covered in sign in with Google, Facebook, or X). These cost nothing and they address the threats most users actually face.
When Tor is the right answer instead
There is a category of question a VPN cannot answer regardless of which provider you pick: "I need it to be the case that no single party in the chain can link my identity to what I am doing." Every VPN, by construction, is a single party that knows both. Tor is the tool built for that question.
Tor routes your traffic through three independent volunteer-run relays. The first relay (the guard) knows your IP but does not know where you are going. The third relay (the exit) knows where you are going but does not know who you are. The middle relay knows neither. The traffic is encrypted in nested layers, one per relay, so that each relay can strip exactly one layer and learn only the address of the next hop. There is no central operator who could be subpoenaed because there is no central operator. The Tor Project itself does not operate the relay network and has no access to user traffic; it publishes the software and maintains the directory. The one place the onion does not reach is the last leg: the exit sees whatever leaves it for the destination, so anything that is not itself HTTPS is readable at the exit, which is why the Tor Browser is as strict about HTTPS as it is.
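As an added illustration of the layering described above (this is example code written for this article, not Tor's own code), the simulation below wraps a request in one layer per relay and then lets each relay peel its layer, recording what that relay can see. Two simplifications are labelled as such in the code: the per-hop keys are handed to the simulation up front, whereas real Tor negotiates each one with the client through the partly built circuit so no relay learns another's key, and the "cipher" is SHA-256 in counter mode XORed into the data, a toy stand-in for the AES-CTR Tor uses on relay cells. The relay names, the client IP and the destination are placeholders.

```python
import hashlib


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 counter mode XORed into data. NOT for real use;
    it stands in for the AES-CTR layer Tor applies per hop. XOR makes it its own inverse."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)


def _frame(next_hop: str, inner: bytes) -> bytes:
    """Length-prefixed next-hop name followed by the still-encrypted inner blob."""
    name = next_hop.encode()
    return bytes([len(name)]) + name + inner


def _unframe(blob: bytes):
    n = blob[0]
    return blob[1:1 + n].decode(), blob[1 + n:]


def build_onion(path, keys, destination, payload):
    """Client side: innermost layer for the exit names the destination and carries the
    payload; every outer layer names only the next relay."""
    blob = _keystream_xor(keys[path[-1]], _frame(destination, payload))
    for i in range(len(path) - 2, -1, -1):
        blob = _keystream_xor(keys[path[i]], _frame(path[i + 1], blob))
    return blob


def relay_peel(relay, key, blob, came_from):
    """One relay's job, and the whole of what it learns: who sent the cell, who gets it next."""
    next_hop, inner = _unframe(_keystream_xor(key, blob))
    return {"relay": relay, "previous": came_from, "next": next_hop}, inner


def run_circuit(client_ip, path, keys, destination, payload):
    """Push one onion through the path and return each relay's view of it."""
    blob = build_onion(path, keys, destination, payload)
    came_from, views = client_ip, []
    for relay in path:
        view, blob = relay_peel(relay, keys[relay], blob, came_from)
        views.append(view)
        came_from = relay
    # After the exit strips its layer, what remains is the request itself: the exit
    # sees it in whatever state the client sent it (plaintext here, TLS in practice).
    views[-1]["destination"] = views[-1].pop("next")
    views[-1]["payload"] = blob
    return views


def links_client_to_destination(views, client_ip):
    """True if any single relay saw both the client's IP and the destination."""
    return any(v["previous"] == client_ip and "destination" in v for v in views)


# Constructed sample circuit. Keys are pre-shared here purely to keep the simulation
# short; real Tor derives each hop's key via a handshake that only the client and
# that relay can complete. Real cells are also fixed-size, so their length does not
# reveal how many layers remain, unlike the shrinking blobs in this toy.
PATH = ["guard", "middle", "exit"]
KEYS = {r: hashlib.sha256(b"toy-key-" + r.encode()).digest() for r in PATH}
CLIENT_IP = "203.0.113.7"
REQUEST = b"GET / HTTP/1.1\r\nHost: news.example\r\n\r\n"

if __name__ == "__main__":
    for view in run_circuit(CLIENT_IP, PATH, KEYS, "news.example:80", REQUEST):
        print(view)
```

Run it and the guard's view contains the client IP and the word "middle" and nothing else; the exit's view contains the destination and the request and "middle" as its previous hop. The middle relay sees two relay names. That is the whole property, and it is exactly what a VPN cannot offer, because a VPN is one relay that plays all three roles.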
Use Tor when the stakes warrant it: journalism with sources, whistleblowing, organizing under a repressive regime, researching domestic-abuse escape options when the abuser controls the home network, accessing legal information that is criminalized where you live. The right way to use it is the Tor Browser - the official bundle from the Tor Project at torproject.org - which is a hardened Firefox configured to defeat the fingerprinting and timing attacks that would otherwise unwind the anonymity.
The discipline that makes Tor work is harder than installing a VPN. Do not log into accounts that identify you - the moment you sign into your real Gmail, the property collapses. Do not resize the browser window (window size is a fingerprinting signal). Do not install extra extensions. Do not open downloaded documents while still on the Tor connection (a PDF can be designed to phone home over the regular network when you open it). Tor is slower than a VPN and many large sites (Cloudflare-fronted ones especially) put extra captchas in front of Tor exits. The cost is real. The benefit is a property no commercial product can offer.
Skip the "Tor over VPN" and "VPN over Tor" configurations unless you have a very specific reason and a clear understanding of what each one trades. They are not a free upgrade; they introduce the identifiable party that Tor exists to remove. The Tor Project's own guidance is to use the Tor Browser as designed.
If you do decide to pay for a VPN
The marketing checklists - AES-256, kill switch, split tunneling, WireGuard - are real features and roughly the same across all serious providers. They are not where the meaningful differences live. The questions that actually matter:
- Who owns the company? The market is more consolidated than it looks. Kape Technologies - a company whose previous incarnation, Crossrider, was known for adware - owns ExpressVPN, CyberGhost, Private Internet Access, and ZenMate. Nord Security owns NordVPN and Surfshark. J2 Global / Ziff Davis owns IPVanish and StrongVPN. That consolidation matters because it means choosing between several heavily marketed brands often means choosing the same parent company twice.
- What jurisdiction can compel them? A provider in a Fourteen Eyes country, or a country with mandatory data retention, is operating under different legal pressure than one in a jurisdiction with stronger telecoms privacy law. The honest framing is not "country X is safe" but "what would happen if a court in country X ordered them to log this user starting tomorrow."
- Has the no-logs claim been audited and tested? A published independent audit by a reputable firm is worth more than the claim alone. A real-world test - a server seizure or a court order that produced nothing - is worth more still. Mullvad's 2023 Swedish police raid is the cleanest recent example.
- What payment options do they accept? A provider that takes cash by mail or Monero is signaling that they prefer not to know who you are. One that requires a credit card and an email confirmation is building the linking record that defeats half the point.
The five-line summary
A VPN moves the entity that sees your traffic from your ISP to the VPN. It does not make you anonymous, does not protect you from yourself, and does not encrypt anything the modern web is not already encrypting. The industry has a long, well-documented history of "no-logs" providers producing logs when subpoenaed, and the free end of the market is mostly running on the user-as-product business model. Most ordinary users do not need one; the cases that warrant one are real but narrow. When the question is true anonymity rather than a different IP, the answer is Tor.
More from us on the practical mechanics of what your device leaks before you can do anything about it - five things your browser sends - and on what encryption does and does not protect once you get past the network layer - what end-to-end encrypted actually means. Or jump back to the blog index.