Are VPNs really safe? How to check your service’s security
They’re meant to protect our data—but can we trust them?
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
You might not realize but when you’re browsing the internet, whether this is clicking on links or simply scrolling on your social media feed, you’re leave behind digital traces. This digital trace can be anything from personal information, like your name, phone number or address, or at worse, can be record of what you do online. In any case, your anonymity is compromised.
Commercial corporations are collecting this data under the guise of making your life smarter by customizing your online experience. Governments are doing so under the pretext of national security. Hackers are using this data to steal your identity or money, while threatening your security. Evidence actually suggests that home devices are now thetop target for cyber criminals, meaning all of these things are targeting you in your own home.
If you are worried about your online privacy, you will likely have come across a software that appears to magically solve all of your security problems: aVPN service. Short for Virtual Private Network, it encrypts all the data leaving your device and anonymizes your internet connection by masking your internet protocol (IP) address.
VPN usage has also soared worldwideas governments increasingly restrict the web. Internet shutdowns wereon the rise in 2023, a trend that is likely to continue this year. Again, citizens have been exploiting VPNs' IP spoofing ability to keep accessing censored content or blocked apps.
Online freedom is under attack. 💢 #VPNs are essential tools to combat internet #censorship. Watch our video to learn about censorship & check out our page tracking Proton VPN signup spikes to see how they correlate to major geopolitical events worldwide https://t.co/VUjnyKLKvj. pic.twitter.com/rxVmi7mzOzJuly 27, 2023
Whether the reason is better privacy/security online or bypassing geo-restrictions, aVPNis a necessity nowadays. Yet, even the top services and providers can have their own weaknesses. For example, in February it was revealed thata flaw in ExpressVPN’s split tunneling featuremay have been causing DNS leaks and leaking user’s private information for years.
Worse than this, if you usean unsafe free VPN service, it may deliberately sell your sensitive information to third parties for commercial purposes.
So, are VPNs actually safe? Is even themost secure VPNprovider enough for protecting your privacy from the mischievous digital world?
Get the best Black Friday deals direct to your inbox, plus news, reviews, and more.
Sign up to be the first to know about unmissable Black Friday deals on top tech, plus get all your favorite TechRadar content.
How does a VPN protect your privacy?
VPNs useencryption protocolsto protect your data from snoopers. Hiding your location and personal information, they make your connection anonymous and private.
Every VPN protocol is responsible for defining how app and server connect with each other as well as the methods used to send and encrypt data. There are several types that VPNs use to secure your flow of information into an encrypted tunnel.
Among them,OpenVPNhas historically been the most secure that you can get and many providers offer this protocol. As the name suggests, it’s an open source software meaning that anyone can check if the code is working as it should. Its original design dates back to 2001, but much has changed in the tech world over the last 20 years.
A relative newcomer into the world of VPN protocols,WireGuardis now among the choices offered by many providers. Our top choiceNordVPNuses it as a basis for its own NordLynx protocol, whileExpressVPNhas developed its very ownLightway protocolinspired by it. On top of that, our testing shows that its connection can be up to three times faster than OpenVPN.
Offering ano-logs policyis another effective way to protect your online privacy. It’s the VPN provider’s guarantee that it will not keep any of your personal data in store. Swedish VPN providerMullvad, for example, proved the efficacy of its no-logs claims after being hit by aninconclusive police raid.
Other providers rely on more orthodox methods (namely external audits) to prove they really do have no-logs policies. ExpressVPN has just completed its18th external audit, proving once again that it does not track users' data.
Some logs are inevitable, but they should be restricted to basic data like your email address or the number of users connecting to the same server. Whereas a logging policy that keeps data on your activities is much more invasive. These include browsing history, DNS requests, URLs visited and usage metadata—the kind of stuff that you wouldn’t want revealed in a data breach.
Allowinganonymous payments, like PayPal andBitcoin, keeps your online banking details safe. Some services don’t even ask for your email address to sign up. Always Mullvad allows you to create an account without providing any personal information at all. The provider evenaxed recurring subscriptionsin the name of privacy.
Shared IP addressesis another feature that enhances VPN safety. It tricks the system by assigning the sameIP addressto multiple users from different locations, basically making it almost impossible to trace you.
Does a VPN service share your data?
Choosing ano-logs VPNis the best bet you have to prevent the service from sharing your data with third parties. Even if the authorities manage to demand access from your provider (in certain criminal investigations, for example), your digital footprint will be protected. This is simply because the company cannot share information that do not exist.
Generally speaking, using a premium service is much better for protecting your online activities - although not even all of those have thorough enough no-logging policies. Manyfree VPNsuse ads that can collect your data for commercial purposes… probably not what you are looking for if you want to be safe online.
It’s also important to bear in mind that there are some digital traces that even the top services can fail to secure. If you log into something like a web or social media account, you can still be tracked to a certain extent. Some apps keep your location data, for example.
Can a VPN be hacked?
Sadly, even VPNs can have some faults and weaknesses that hackers can take advantage of.
For example, in January of this year, hackers exploiteda security flaw with Ivanti VPNin order to deploy all sorts of malware. TheVPN provider was then attacked againwith a similar modus operandi just a month later, in February 2024.
In May 2024, Check Point issued a warning to its customers thatits VPN services were being targeted by hackersattempting to gain access to company networks, and by extension, their data.
Back in 2023, it was revealed that free VPN service,SuperVPN, had leaked over 360 million user data records online. The personal information exposed included email addresses, original IP address, geolocation records, unique users' identifiers, references to visited websites, and more.
In 2018, our top VPN providerNordVPNsuffered a data breach that shook the world of cybersecurity. Luckily the hack affectedonly a single VPN server in Finland, not its central infrastructure. Therefore, the intruder couldn’t access sensitive information like user credentials or billing details.
Since then, the company refined its security controls to prevent similar incidents from happening. This includes carrying outindependent VPN auditsmeant to verify the trustworthiness of its privacy policies.
Are VPNs legal to use?
Except for a few countries where they are banned, VPNs are completely legal. Governments, companies and an ever-growing amount of individuals secure their connections through these services every day.
Any use is allowed, but illegal activities that you may carry on online will still be against the law. For example, some people useVPNs for torrentingin order to hide copyright infringements. But you will not be protected in case you’d get caught.
When it comes to using aVPN for streaming, things are a little bit different. Netflix explicitly states in its terms and conditions of not allowing the use of a proxy or VPN. Although, it’s not a criminal offence to do so. In the worst case scenario, you will have your account suspended—more likely, you would have to simply disable the software to carry on watching.
Ultimately, every country has its own legislations thatregulate VPNs usage. In at least 10 countries around the world VPNs are eithertightly regulated(China, UAE, Iran, Turkey, Pakistan) orcompletely banned(Russia, Turkmenistan, North Korea, Belarus, Iraq, Myanmar).
We recommend checking your country’s digital privacy laws on this point.
The risk of using a free VPN
Beside having problems unlocking different catalogs on streaming platforms and slowing down your internet connection, the most worryingproblem with free servicesis that they do not often bring the same security protections as paid-for versions.
Asresearch on 283 Android appsshowed,72% of the free services included at least one third-party tracking libraryagainst only 35% for the premium versions.
That’s mainly because without asking users a fee, companies need to turn to advertising to make a revenue and keep the software running. Plus, ads do not just disturb your online experience, they are also known to collect your personal information—exactly what you are trying to avoid with a VPN. In the worst case scenario, they may infect your device withmalwareor viruses.
If you are worried for your privacy and like the idea of trying a service before committing fully, most of the topVPNs offer free-risk trials—you’ll need to pay the money upfront but you can get a refund in the first 30 or 45 days by way of a money-back guarantee.
Another option is opting for a reliable premium VPN offering a no-fee subscription.
Our favorite right now isPrivadoVPN Free. Even though it comes with some limits—for example its 10 GB data limit and the fact it is not available on Linux—it offers an unlimited data bandwidth, over 100 free servers across three worldwide locations (Japan, the Netherlands and US) as well as some unusual security features for a freebie likesplit tunnelingand supporting P2P sharing.
Other valid alternatives includeProtonVPN,Windscribe,TunnelBear,HotspotShieldandHide.me. Head to our guide of the best securefree VPN serviceson the market for more info.
Who owns your VPN provider?
After carefully looking at encryption protocols, privacy and logging policies, there is a last element that you should probably check before making up your mind: the parent company producing your VPN service.
This is an area not without its controversies.Research from VPNprofound thatonly 24 companies actually own or operate at least 104 VPN productsavailableon the market. So, products that don’t initially seem connected can actually be operate by the same company.
The ownership of VPN services seems to keep changing, too. Take popular providerIPVanish, as an example. It was originally founded by the Highwinds Network Group, which was acquired by StackPath in 2017. In turn, it was one of the services then purchased by J2 Global in 2019…a company that subsequently changed its name to Ziff Davis, Inc.
Plus, in March 2024,Atlas VPN shut downand handed over its operations to NordVPN, automatically migrating all its users.
There’s obviously nothing wrong with this—corporations are welcome to acquire and sell as they please—but sometimes the apparent lack of transparency can create confusion and raise questions for VPN users wanting to knowexactlywho has their data.
VPNs in global jurisdictions
Another potential problem could be when a company operates in countries where strict laws regulating VPN usage are in place—like China, Russia or even the US. These are territories in which VPN providers may sometimes have to comply with government requests under specific investigations to hand over some user data.
The above-mentioned IPVanish operates under the US-based Ziff Davis, for example.
While its co-founder and CEO is Pakistani entrepreneur Uzair Gadit,PureVPNseems now to be owned by Honk-Kong based GZ Systems Limited. However, it also results to be part of the security firm Gaditek based in Pakistan—a country that has previously passed cyber-crime laws that havesparked concerns among activists and human rights groupsfor its potential dangers to civil liberties.
TheEdward Snowden revelations in 2013brought under the spotlight the existence of some intelligence-sharing agreements between nations. In addition to the initialFive Eyes Alliance—the US, UK, Canada, Australia and New Zealand—two more agreements have been confirmed (Nine and Fourteen Eyes countries). Among these, the original group appears to be the most interested in your data.
To ensure confidence that your data is as secure as possible, you could consider choosing a VPN that is based outside of these countries.
In fact, many providers choose to set up base in countries well known for being privacy havens. These include the British Virgin Islands (where ExpressVPN is based), Panama, Seychelles, The Cayman Islands and Malaysia.
Can you trust your VPN company?
There’s also the potential for a company with a history of vulnerabilities or malicious activities can be hidden behind a different VPN provider name without you not knowing it.
Let’s look at Kape Technologies as an example. It changed its name from Crossrider in 2018 after it was reported that people using its platforms were infected with malware.
Asthe company explained to Restore Privacy: “The Crossrider SDK and development platform was used by tens of thousands of independent developers to create cross-browser extensions, and unfortunately a small number of bad actors misused the platform to develop adware and malware.
“Kape is now a leading privacy-first digital security software provider, with a fully refreshed team.”
In 2021 the company boughtExpressVPN, in what became theindustry’s largest ever deal.
In the very same week, the news of ExpressVPN’s CIO Daniel Gericke involvement withProject Ravencaused a greater stir still. The UAE cybersecurity operation included the building of a hacking system able to exploit an iPhone’s vulnerability for taking over target devices without needing any clicks or other user interactions. Leading to comments online like this…
If you’re an ExpressVPN customer, you shouldn’t be. https://t.co/l8us92W0BQSeptember 16, 2021
Inits official statement, the popular VPN provider explained its decision of continuing being involved with Gericke whilst condemning the UAE’s conduct. They also put in place new practices to verify the credibility of its software.
They wrote: “To begin with, we’ll be increasing the cadence of our existing third-party audits to annually rectify our full compliance with our Privacy Policy, including our policy of not storing any activity or connection logs. This is just a first step, and we will continue to strive to earn your trust.”
More recently, Kape technologies was the latest company to join the wave oftech layoffscutting around 180 employees. Many high-level executives were among those affected, with big names likeDan Gericke walking away from the business, raising questions whether these events will ultimately impact the security of its products.
What are VPN providers doing to ensure your safety?
It may sometimes sound like doom and gloom, but the biggest names across the VPN world are reacting to their vulnerabilities.
Many providers—like Express, Nord,ProtonVPNandPrivate Internet Access—are investing in different solutions to offer a more reliable and secure product to their users. These includedropping their least secure protocols,increasing the transparency over their policies(with independentVPN audits, for example) as well asimproving the software infrastructure.
As TechRadar’s Cybersecurity Specialist Mike Williams explains, a VPN’s security starts at the protocol level. In the past, providers tried to compete by offering more protocols than anyone else, not always putting security as their priority. Due to a shift into the market, their offer is now limited to the safest encryption methods like WireGuard and OpenVPN.
He said: “Trust should be key in your choice of VPN, and that’s something providers understand very well, with many now making significant efforts to improve transparency.”
That’s why Private Internet Access, ProtonVPN, Mullvad,AirVPNand others have fully moved to open-source apps. As a result, anyone can check out the code and see exactly how the software works. Despite ExpressVPN not offering open-source apps, it has released its own encryption protocol Lightway under an open source license.
“The real change is providers finally realizing that shouting NO LOGGING on their website is no longer enough,” sas Williams. “They now understand it’s necessary to provide some supporting evidence, and more and more of them are doing exactly that through public security and no log audits.”
When it comes to significant VPN safety improvements, these aren’t always visible to the end user. They’re hidden away in the infrastructure, how it’s built and organized. Additionally, many of them have come about simply as providers learned from their mistakes.
When it comes to that NordVPN breach, Williams explained: “Since the 2018 data breach, the company has moved to take far more control of its network. Its latest collocated servers are wholly owned and controlled by Nord, allowing to manage every aspect of how its hardware operates.”
Are VPNs safe? What to do to stay secure online
Use aTor browsertogether with your VPN service: Will slow down your connection, but your anonymity will improve.
Change your passwords often: Annoying we know, but a really good security practice. Especially the most important ones, like online banking and emails. Consider getting apassword managerto help you with this.
Clear your location footprints: Especially on your smartphone, make sure to go through each app’s permissions and turn off the location services where you can.
So, if you were under the impression that VPNs arealwaysenough to prevent hacks and data breaches, they clearly aren’t—but then neithee areantivirusor any other regular security tools in isolation. Even though using a good security software can considerably help you mellow the risks, you will never be 100% safe online (sorry!).
Apps and software can collect data, like location, directly from your device. Websites use cookies that gather some of your personal information for several purposes.
Despite this, using a reliable VPN can still make online threats way less dangerous. The biggest providers are investing time and money to make sure their software, privacy policies and transparency are the most secure they can be.
Either way, we suggest that you always take the utmost care when online, preferably sharing less details about yourself at all times—and that’s whereusing a VPNcan really help.
Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up.She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com
Is it still worth using Proton VPN Free?
Mozambique VPN usage soars as internet restrictions continue
Thousands of employees could be falling victim to obvious phishing scams every month
