When you're researching what you can do to better protect your personal information online, you'll see some stock advice, such as creating stronger passwords, using multi-factor authentication and keeping your browsers and software up to date.
Another tip you'll often get: Use a virtual private network, or VPN, service to hide your internet activity from prying eyes, whether those eyes belong to your internet service provider (ISP), to government agencies, or to hackers and trackers.
Yet the conventional wisdom that touts the importance of paying for one of the best VPNs may be outdated — unless you know you're being personally targeted by hackers, stalkers or government agents and need to stay anonymous online.
"For most day-to-day browsing, a VPN isn't needed, and may make things worse," said Jacob Hoffman-Andrews, a senior staff technologist at the Electronic Frontier Foundation.
Here's why you may not need to invest your time, effort or money into paying for a VPN — and when using a commercial VPN still makes sense.
Internet snooping is harder than it used to be
In the not-too-distant past, it was relatively easy for your ISP (or your employer, or indeed anyone with the know-how to snoop on public Wi-Fi networks) to see the details of your internet browsing activity.
That's because only a relatively small percentage of web traffic was encrypted. Using a VPN would provide that encryption, give you more privacy and prevent your ISP from collecting data about your browsing habits that it could sell to marketers and advertisers.
However, today upwards of 90% of web connections are encrypted (opens in new tab). This means that your ISP can get only a limited look at the specifics of your browsing behavior, and coffee-shop hacking over public Wi-Fi has become a high-risk, low-reward activity.
Most of the web traffic that remains unencrypted involves marketing and ad trackers. Trackers often collect data you may not want out there, but using a VPN cannot always protect against that.
"If you're worried about people selling your data, worry about Facebook and Google Ads," said Chester Wisniewski, principal research scientist with security firm Sophos. "No amount of VPN helps you with that."
What about the websites you visit?
Operators of commercial VPN services point out that even with encrypted web connections, your ISP can often still see which websites you visit, although it can't tell exactly what you're viewing on those sites. That's because the ISP can log which sites your browser looks up in a DNS server, sort of an internet phone book for web browsers.
"You're telling third parties — including your ISPs, their partners, and/or the operators of Wi-Fi networks that you're connected to — what websites and apps you use," ExpressVPN Vice President Harold Li said.
However, new technology called DNS-over-HTTPS can put a stop to that — and you don't need a VPN to use it. DNS-over-HTTPS is the default for Mozilla's Firefox browser, and here's how to make sure it's on (opens in new tab).
This feature can also be enabled in Chrome, Edge, Brave and related browsers by going to Settings > Security and Privacy > Use secure DNS.
Yet not every website is encrypted, NordVPN security expert Daniel Markuson pointed out, which means you're still running a risk of being snooped on sometimes.
"[The] argument against VPN services because 99% of websites are encrypted (although they aren't) is similar to the argument against safety belts, because 99% of your road trips do not end up in an accident," said Markuson.
Who do you trust more — your VPN or your ISP?
Wisniewski likened entrusting your activity to a commercial VPN provider so you can avoid ISP snooping to "trading the devil you know for the devil you don't."
Like an ISP, a VPN provider can see which websites you visit, unless you turn on encrypted DNS.
While we may not love the fact that our ISP has information about our browsing behavior, we generally know more about the ISP's ownership and its practices than we do about commercial VPN services, which are subject to far less regulation and oversight and are often based in overseas tax havens. Some prominent VPNs have begun to urge greater transparency (opens in new tab) within the industry.
"Some [VPN providers] make big promises about privacy and not logging data (like what sites you visit), but those are hard to verify and sometimes turn out to be false," said Hoffman-Andrews. "Also, some VPNs ask you to install their custom VPN client [application]. That process may also install other, unwanted software."
The choice for you is to balance the risk of using a little-known VPN service with the reward of gaining potentially greater privacy, as well as how much of a hassle a particular VPN service may be to use.
This is especially true when it comes to VPNs that are entirely free to use. If a free VPN isn't charging you, then it may be selling your personal information or bandwidth. It's safer to use the free tiers of paid VPN services despite their data limits.
Of course, VPN service providers, and many security experts, say that their tools are safe and crucial for protecting privacy online. As an example, both ExpressVPN's Li and NordVPN's Markuson pointed out that it's hard for the user to tell whether a mobile app on a smartphone or tablet is properly encrypting its internet communications.
"Most of us don't have the slightest clue how mobile apps are transporting our sensitive data," said Markuson. "The end user has no way to determine whether their app is following best practices or not. VPN solves that."
Meanwhile, Mullvad CEO Jan Jonsson stressed the privacy angle of VPNs.
"The main argument for using a VPN, from Mullvad's standpoint, is privacy and control of your data and yourself," Jonsson told Tom's Guide. "The amount of power you give to the big tech [companies] ... is stunning."
So what (or who) is a VPN good for?
None of this is to say that commercial VPNs are obsolete or that they can't serve an important function for some internet users. For the average person, one potential perk is the ability to get around geofences that prohibit you from accessing certain sites, services or content at your current location.
For example, a VPN might be good for connecting to Netflix when you travel, using YouTube at school or circumventing government censorship in certain countries. Using a VPN may also be helpful, or even required, when connecting to company networks remotely, although most large companies will set up their own VPN servers.
A VPN can also serve as protection for anyone who has what Wisniewski called a "determined adversary" that puts one's physical or digital safety at risk.
Journalists, politicians, and dissidents, as well as celebrities and those who are victims of abuse or stalking, may benefit from obfuscating their online traffic.
How to protect yourself without a VPN
Those who are worried about privacy but don't fall into the above categories can use other tools besides a consumer VPN to protect themselves:
- Use Tor, a free browser protocol that "anonymizes" your online activities and makes it difficult to track you
- Enable DNS-over-HTTPS in your browser to foil tracking logs
- Use your mobile data connection instead of public Wi-Fi by using your phone as a hotspot for other devices
- Set up a private VPN server on your high-end or gaming router, or "flash" a cheap router with free firmware like DD-WRT (opens in new tab) or Tomato (opens in new tab), so laptops and mobile devices can use your secure home broadband connection while out of the house
"Some of the issues discussed could also be addressed without relying on a VPN service," admitted Markuson, but added that "commercial VPN services make it easy."
"Anyone, without having any technical knowledge, can add a layer of security and privacy with a single click," Markuson added.
Ultimately, though, for the average consumer, VPNs may be a solution to a problem that isn't much of a problem anymore.
"How much is really secure, how much is mostly secure, and how much should I really be worried about?" said Wisniewski. "I don't think you need to worry about this."