VPNs: What They Actually Do (And Don't Do)
No privacy tool has been more oversold than the VPN. Millions of people pay for VPN subscriptions believing they are “anonymous online,” because VPN marketing has spent a decade telling them so. The truth is more modest and more useful: a VPN encrypts the traffic between your device and the VPN server and masks your IP address from the websites you visit. That is genuinely valuable in specific situations. It is not the invisibility cloak that the advertising suggests, and understanding the difference between what a VPN does and what VPN marketing claims it does is one of the clearest exercises in distinguishing real protection from privacy theater.
Why This Matters for Sovereignty
The VPN industry is a case study in the dynamics Zuboff identified in The Age of Surveillance Capitalism (2019) — even the tools marketed as defenses against surveillance capitalism operate within its logic. VPN companies run affiliate programs that pay technology YouTubers and podcasters handsomely, creating an ecosystem where the people you trust for privacy advice are financially incentivized to oversell the product. The result is a public that believes a VPN is the first thing you should buy for privacy, when in reality it is somewhere around the fifth or sixth most impactful action — well behind a password manager, DNS changes, a better browser, and two-factor authentication.
Sovereignty requires clear sight. Snowden addressed this directly in Permanent Record (2019): the most important step in protecting yourself is understanding what you are protecting against and what tools actually address that threat. A VPN addresses a real threat — network-level traffic interception — but that threat is not the one most people face in their daily digital lives. Buying a VPN before fixing your passwords is like installing a security camera before locking your front door. It is not wrong. It is just out of order.
How It Works
A VPN creates an encrypted tunnel between your device and a server operated by the VPN provider. All your internet traffic passes through this tunnel before reaching the open internet. From the perspective of the websites you visit, your traffic appears to come from the VPN server’s IP address, not your own. From the perspective of your ISP or anyone else monitoring your local network, your traffic is encrypted and directed at the VPN server — they can see that you are using a VPN, but they cannot see what you are doing through it.
This provides three concrete benefits. First, on public Wi-Fi networks — coffee shops, airports, hotels — a VPN prevents anyone on the same network from intercepting your traffic. This was more critical before the widespread adoption of HTTPS, which encrypts traffic between your browser and the website you are visiting. Today, with most websites using HTTPS by default, the public Wi-Fi risk is reduced but not eliminated. A VPN adds a layer of protection for non-HTTPS traffic and prevents the network operator from seeing which websites you visit.
Second, a VPN prevents your ISP from seeing the content of your traffic and the specific sites you visit. Your ISP can see that you are connected to a VPN server, but the details of your activity are hidden. This matters because ISPs in the United States are legally permitted to collect and sell browsing data, and many do.
Third, a VPN masks your IP address from websites, which provides a degree of location privacy and makes it harder (not impossible) to correlate your activity across sites using IP address as an identifier.
Here is what a VPN does not do, and this is where the marketing diverges from reality.
A VPN does not make you anonymous. If you connect to a VPN and then log into Gmail, Google knows exactly who you are. The VPN hid your IP address from Google, but you told Google who you are by logging in. The same applies to Facebook, Amazon, Twitter, and every other service where you authenticate with your account. Cookies, browser fingerprints, and logged-in sessions all continue to track you through a VPN. The VPN changed your apparent IP address. It did not change your identity.
A VPN does not protect you from malware. If you download a malicious file or click a phishing link, the VPN does nothing to prevent the damage. The encrypted tunnel protects traffic in transit, not the content of what travels through it.
A VPN does not make your browsing “private” from the VPN provider itself. This is the critical point that VPN marketing elides. When you use a VPN, you are moving your trust from your ISP to the VPN company. Your ISP can no longer see your traffic — but the VPN provider can. If the VPN provider logs your traffic and sells that data, or is compelled to hand it over by a court order, you have gained nothing. You have simply replaced one entity watching your traffic with a different entity.
The Proportional Response
The question is not whether VPNs work. They do what they do. The question is whether what they do is the thing you need, given your actual threat model and the other privacy measures you have (or have not) already taken.
If you have already changed your DNS resolver to a privacy-respecting option (Cloudflare 1.1.1.1, Quad9, Mullvad DNS), you have already addressed the most important piece of what a VPN offers for home use. Your ISP can no longer see which specific websites you visit through DNS logging. A VPN adds additional protection by encrypting all traffic and hiding the IP addresses you connect to, but the marginal gain over DNS changes for a typical home user is modest.
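To make the observer's perspective concrete (the ISP or Wi-Fi operator's view described under How It Works, and the DNS point just above), here is an added example that is not part of the original article: it runs constructed packet metadata through three configurations and reports what a passive observer learns from metadata alone. It goes one step beyond the text by showing that switching to an encrypted DNS resolver still leaves hostnames visible in the TLS SNI field, which is the gap the VPN tunnel closes; the `Packet` class and `observer_view` helper are my own, and the addresses and ports are illustrative.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str            # "udp" or "tcp"
    dst_ip: str
    dst_port: int
    dns_qname: str = ""   # plaintext DNS question name, if any
    tls_sni: str = ""     # TLS ClientHello server_name, if any
# Constructed sample traffic; addresses come from documentation ranges, not real hosts.
# 1. Plain HTTPS with the ISP's default (unencrypted) DNS resolver.
PLAINTEXT_DNS_HTTPS = [
    Packet("udp", "192.0.2.53", 53, dns_qname="example.org"),
    Packet("tcp", "203.0.113.10", 443, tls_sni="example.org"),
    Packet("udp", "192.0.2.53", 53, dns_qname="mail.example.com"),
    Packet("tcp", "203.0.113.20", 443, tls_sni="mail.example.com"),
]
# 2. DNS moved to an encrypted (DoH) resolver: the queries disappear, but each
#    site's TLS handshake still carries the hostname in the SNI extension.
ENCRYPTED_DNS_HTTPS = [
    Packet("tcp", "192.0.2.1", 443, tls_sni="dns.example.net"),
    Packet("tcp", "203.0.113.10", 443, tls_sni="example.org"),
    Packet("tcp", "203.0.113.20", 443, tls_sni="mail.example.com"),
]
# 3. The same sessions inside a WireGuard tunnel: only UDP to one VPN endpoint.
VPN_TUNNEL = [Packet("udp", "198.51.100.7", 51820) for _ in range(3)]

VPN_PORTS = {51820, 1194}  # WireGuard and OpenVPN defaults (a heuristic, not proof)

def observer_view(packets):
    """What a passive observer learns: hostnames (from plaintext DNS or TLS SNI),
    distinct destination IPs, and whether a VPN tunnel is evident."""
    hostnames, dst_ips, vpn_endpoints = set(), set(), set()
    for p in packets:
        dst_ips.add(p.dst_ip)
        if p.dns_qname:
            hostnames.add(p.dns_qname)
        if p.tls_sni:
            hostnames.add(p.tls_sni)
        if p.proto == "udp" and p.dst_port in VPN_PORTS:
            vpn_endpoints.add(p.dst_ip)
    return {"hostnames": sorted(hostnames), "destinations": sorted(dst_ips),
            "vpn_in_use": bool(vpn_endpoints)}

if __name__ == "__main__":
    for label, pkts in [("plaintext DNS + HTTPS", PLAINTEXT_DNS_HTTPS),
                        ("encrypted DNS + HTTPS", ENCRYPTED_DNS_HTTPS),
                        ("VPN tunnel", VPN_TUNNEL)]:
        print(label, "->", observer_view(pkts))
```

In the tunnel case the observer learns only that one VPN endpoint is in use; the VPN provider, of course, sees exactly what cases 1 and 2 show, which is the trust transfer described later on this page.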
If you travel frequently, work from public Wi-Fi networks, or connect to networks you do not control, a VPN is more clearly valuable. The public network threat model is the strongest case for a VPN — you are on an untrusted network, and the VPN ensures that the network operator and other users cannot monitor your traffic.
If you need to access geo-restricted content — streaming services, websites blocked in certain jurisdictions — a VPN is the standard tool. This is not a privacy use case, but it is a legitimate and common reason people use VPNs.
If your primary concern is that advertisers and data brokers are building profiles based on your online behavior, a VPN provides minimal protection. Those entities track you through cookies, browser fingerprints, logged-in sessions, and advertising IDs — none of which a VPN addresses. A better browser with uBlock Origin and Enhanced Tracking Protection does far more against this threat than a VPN.
For those who decide a VPN is appropriate, the choice of provider matters enormously. Three providers stand out based on independent audits, transparency, and track record.
Mullvad is the gold standard for privacy-focused VPN use. It costs 5 euros per month, accepts cash payment by mail, does not require an email address to create an account, and has been independently audited. You receive an account number; that is your entire identity with the service. In 2023, Swedish police executed a search warrant on Mullvad’s offices and left empty-handed because there was no data to seize — Mullvad’s no-logs architecture meant there was nothing stored to hand over.
ProtonVPN is operated by the same Swiss company behind ProtonMail. It offers a free tier (limited servers, adequate speed), has been independently audited, and benefits from Switzerland’s privacy-favorable legal framework. If you are already using ProtonMail, the integrated ecosystem is convenient.
IVPN has been independently audited, publishes detailed transparency reports, and maintains a clear privacy policy. It is less well-known than Mullvad or ProtonVPN but equally credible.
What to avoid: free VPNs from unknown providers. The infrastructure to run a VPN service is expensive. If a VPN is free and the company is not a nonprofit or offering a limited free tier as a gateway to paid plans, the revenue is coming from somewhere — and that somewhere is usually your data. Multiple free VPN providers have been documented selling user browsing data to data brokers, injecting ads into browsing traffic, and in some cases bundling malware with their applications. The principle is simple: if you are not paying for the product, you are the product. In the VPN market, this principle holds with unusual consistency.
What to Watch For
The VPN market is consolidating. A company called Kape Technologies (formerly Crossrider, an adware company) acquired ExpressVPN, CyberGhost, Private Internet Access, and Zenmate, giving a single corporate entity control over multiple VPN brands that consumers believe are independent competitors. When you see comparison websites ranking VPN providers, check whether the website and the VPN are owned by the same company. Affiliate relationships in the VPN space are pervasive and not always disclosed.
The legal landscape for VPNs varies by jurisdiction. In the United States and most Western countries, using a VPN is legal. In some countries — China, Russia, Iran, and others — VPN use is restricted or monitored. If you travel to countries with VPN restrictions, research the current legal status before relying on a VPN there.
The technical landscape is also shifting. As HTTPS becomes nearly universal and DNS encryption becomes standard, the practical privacy gap that VPNs fill continues to narrow for home users on trusted networks. The VPN industry is adapting by bundling additional services — ad blocking, malware protection, password management — into VPN subscriptions. Evaluate these bundles critically. A VPN provider’s ad-blocking is unlikely to be better than uBlock Origin, and their password manager is unlikely to be better than Bitwarden. Bundling can be a sign of a company searching for relevance as its core product becomes less essential.
The sovereign approach to VPNs is utilitarian, not ideological. A VPN is a tool with specific capabilities and specific limitations. Use it when those capabilities match your needs — public networks, ISP surveillance, geo-restriction. Do not use it as a substitute for the foundational privacy measures (passwords, DNS, browser configuration) that address the threats most people actually face. And do not pay for a VPN because a podcast ad made you afraid. Pay for one because you assessed your threat model, identified a gap that a VPN specifically addresses, and chose a provider whose architecture and track record justify your trust.
This article is part of the Data & Privacy series at SovereignCML.
Related reading: Browser and DNS: The Two Levers That Matter Most, The Privacy Landscape: What’s Real, What’s Theater, Your Threat Model: Who Are You Actually Defending Against?