Years ago, large parts of the web were unencrypted. Since well-configured VPNs encrypt all the traffic leaving your computer, they were an important layer of protection for many people. But there have been massive improvements in the security of operating systems and browsers since then. These days, you might be able to spend hours online—banking, emailing friends, posting on social networks, shopping, and watching videos—without landing on an unencrypted website.
Google now downranks sites that don’t use HTTPS, and browsers will alert you when you try to visit a site without HTTPS connections. Let’s Encrypt, a nonprofit organization that provides encryption certificates to websites free of charge, says that it is currently providing certificates for 276 million websites.
Some people may want to use a VPN to try to hide their identity or location from websites they connect to. That’s because the technology will mask your IP address, but that isn’t as effective a step as it might seem. Although company websites do use IP addresses as an identifier, there are many other tools they use that a VPN will not protect you from.
Your location can be determined from your GPS, and gleaned from the name of the WiFi network you connect to. And you can be tracked through web cookies, tracking pixels, and digital fingerprinting, in which apps and websites triangulate characteristics of a computer or phone, such as its operating system, model name, and screen resolution, to uniquely identify individual users.
“There’s a ton of metadata, there’s a ton of time correlation, and those are not just hypothetical issues,” says security researcher Kenneth White. “There’s a multi-multi-billion dollar identity monetization industry right now. There’s entire lines of business and startups and there’s a whole ecosystem and world around it.”
Because a properly configured VPN routes traffic through an encrypted tunnel, your network history (all of your data, such as messaging and app use) is hidden from your internet service provider, and any third parties they might share that data with. Without a VPN, your ISP can see what sites you visit, how long you’re on them, and information about your devices. Many ISPs share far more data than their customers expect, including their browsing history and location data, a recent FTC report revealed.
While using a VPN means all that information is hidden from your ISP, the VPN provider can see it all instead. And it’s extremely hard to judge how well any of the hundreds of VPNs on the market take care of your data, because unscrupulous VPNs have historically left it unsecured, and have shared with or sold to marketers the information they collected about the sites users visited and the apps and services they used.
“I understand if users worry about ISPs tracking and selling their data. But on the other hand, transferring that data and trust onto a random, unverified commercial VPN provider, might be even worse,” said Reethika Ramesh, PhD candidate at the University of Michigan and lead researcher at VPNalyzer, an interdisciplinary research project headed by professor Roya Ensafi that aims to analyze the VPN ecosystem.
In Consumer Reports’ testing of VPNs running on Windows 10, Mullvad, IVPN, and Mozilla VPN stood out for their strong privacy and security protections. They all have consumer-friendly privacy policies, and marketing copy accurately represents their product and its underlying technology. In addition, their client-side code—the software that runs on your computer—is open-source, so it can be inspected by outside researchers like those at Consumer Reports. And these VPN providers subject themselves to independent third-party security audits and publish the results. (You can read our full testing report here.)