🟡 Intermediate · 16 min read · Updated Feb 18, 2026

VPNs and Online Privacy: What Actually Works

Cut through the marketing hype. Learn what VPNs actually do, when you need one, and the complete toolkit for protecting your privacy online.

A VPN (Virtual Private Network) encrypts your internet traffic and routes it through a server in another location. Here's an honest breakdown:

What a VPN DOES:

  • ✅ Encrypts traffic between you and the VPN server
  • ✅ Hides your real IP address from websites
  • ✅ Prevents your ISP from seeing which sites you visit
  • ✅ Bypasses geographic content restrictions
  • ✅ Protects traffic on untrusted networks (public WiFi)

What a VPN DOES NOT do:

  • โŒ Make you "anonymous" โ€” the VPN provider can see your traffic
  • โŒ Protect you from malware or phishing
  • โŒ Prevent cookies, browser fingerprinting, or tracking pixels
  • โŒ Make you immune to targeted attacks
  • โŒ Guarantee "military-grade encryption" (marketing buzzword)
  • When you SHOULD use a VPN:

  • On public WiFi (cafes, airports, hotels)
  • When your ISP sells or monitors browsing data
  • To access geo-restricted content
  • When traveling to countries with internet censorship
  • To prevent your ISP from throttling specific services

Your VPN sees all your internet traffic, so trust is paramount.

    Must-have features:

    • No-logs policy (independently audited): Verified by firms like Cure53, Deloitte, or PwC
    • Open-source clients: You (or others) can verify the code
    • WireGuard or OpenVPN protocol support: Modern, audited encryption
    • Kill switch: Blocks all traffic if VPN connection drops
    • DNS leak protection: Ensures DNS queries go through the VPN
    • Jurisdiction: Ideally not in a 5/9/14 Eyes country

    Reputable VPN providers (as of 2026):

    • Mullvad — Anonymous accounts, accepts cash, fully audited
    • Proton VPN — Open source, Swiss-based, free tier available
    • IVPN — Independent audits, transparent team, ethical marketing
    • Mozilla VPN — WireGuard-based, backed by Mozilla Foundation

    Red flags in VPN marketing:

    • "Military-grade encryption" (meaningless marketing)
    • Lifetime deals (unsustainable = will sell your data)
    • "100% anonymous" claims
    • Free VPN with no clear business model
    • No published audit results

VPNs are just one piece. Here's the full privacy stack:

    Browser privacy:

    • Use Firefox with strict tracking protection or Brave
    • Install uBlock Origin (ad/tracker blocking)
    • Use a private search engine (DuckDuckGo, Brave Search, Startpage)
    • Enable HTTPS-Only mode
    • Clear cookies regularly or use container tabs

    DNS privacy:

    • Switch to encrypted DNS (DoH or DoT)
    • Recommended: Cloudflare 1.1.1.1, Quad9 9.9.9.9, NextDNS (customizable)
    • DNS filtering blocks malware domains automatically

    Email privacy:

    • Use email aliases (SimpleLogin, AnonAddy)
    • Consider Proton Mail or Tuta for end-to-end encrypted email
    • Never use your primary email for random signups
    • Use + addressing: yourname+service@gmail.com

    Communication privacy:

    • Signal for messaging (gold standard)
    • Matrix/Element for decentralized chat
    • Avoid SMS for sensitive conversations

    Data privacy:

    • Review app permissions on your phone monthly
    • Opt out of data broker sites (DeleteMe, Privacy Duck)
    • Use privacy-focused alternatives: LibreOffice, Standard Notes, Nextcloud
    • Encrypt your phone and laptop storage
    • Use full-disk encryption on all devices

Not everyone needs the same level of privacy. Your threat model defines what you're protecting and from whom.

    Casual user:
    Protecting against: mass surveillance, data brokers, ISP tracking

    • Use a VPN on public WiFi
    • Firefox + uBlock Origin
    • Encrypted DNS
    • Unique passwords + 2FA

    Privacy-conscious user:
    Protecting against: targeted advertising, data breaches, corporate surveillance

    • Everything above, plus:
    • Full-time VPN (Mullvad or Proton)
    • Email aliases for every signup
    • Signal for messaging
    • Regular data broker opt-outs

    High-risk user (journalist, activist, executive):
    Protecting against: state-level surveillance, targeted attacks

    • Everything above, plus:
    • Tor Browser for sensitive browsing
    • Tails or Qubes OS for sensitive work
    • Hardware security keys only (no SMS/TOTP)
    • Faraday bags for mobile devices in sensitive meetings
    • Compartmentalized identities
    • Threat-model-specific advice from EFF or Access Now