Are VPNs safe?
Choose a reputable paid-for VPN service to protect your privacy and stay safe online
There’s no doubt about it: picking a reputable VPN provider will improve your online security in some situations and make your activities harder to spy on. But are all VPNs safe to use, and what features should you look for if you want to maximise your privacy and security?
How do VPNs work?
When you press the Connect button in your VPN client, all of your Internet traffic is encrypted and routed through a secure digital ‘tunnel’ to a VPN server, gateway or ‘exit node’ operated by your VPN provider. This server has its own IP address, which will be different to your real IP address, and its own location, which again won’t match your own.
Your ISP – or whoever provides your Internet connection – will see that you’re connected to a VPN provider, but they can’t see which websites or services you’re accessing from there. Similarly, the sites and services you connect to can’t see your IP address or where you’re connecting from; all the traffic will appear to originate from the VPN server. Does this mean you’re completely anonymous? Not quite.
There are some ways in which your browser can give the game away, though most good VPNs will fix these, and the VPN itself can log some information. They may keep records of your activity, and at the minimum, they’ll have your account details. They may have logs of the times you connect and the internet address you’re connecting from, along with details of the VPN servers you connected to and the IP address and location that these gave you. This could be used to link your activities with your real identity and location.
Does the location of your VPN provider matter?
VPN providers aim to protect your privacy, but they’re still subject to local laws. If approached by security services or law enforcement, they may choose to – or be forced to – hand over any relevant logs, and could even be compelled by a subpoena or court order. As an average, law-abiding citizen this might not bother you, but VPNs are also used by whistleblowers, political activists and journalists dealing with sensitive information – not to mention privacy-conscious users who don’t want the state or corporate entities snooping on their activities and communications.
Simply choosing a VPN that’s based in another country won’t necessarily give you protection. The UK has extensive information-sharing agreements with Australia, Canada, New Zealand and the United States – the so-called ‘Five Eyes’ security alliance – enabling British authorities to access data held by any one of those countries, and meaning that they could also share information with them. You can make life harder for them by choosing a VPN based somewhere outside of their jurisdiction, but even outside of the Five Eyes, intelligence-sharing is common. If privacy and anonymity matter, it’s arguably more sensible to go for a VPN based in a country with strong laws that protect data privacy and/or where there are no legal requirements for companies to maintain logs.
We recommend ExpressVPN because it is based in the British Virgin Islands, which isn’t part of the Five or wider Fourteen Eyes security alliances. The only information they maintain is your connection times, but that is more for their server maintenance than to trace your online whereabouts. The service is also audited independently by PwC to prove that it doesn’t log or store any identifiable user data whatsoever, and it has the same level of encryption as most government organisations.
Are there any features that make your VPN safer?
Some VPNs offer special obfuscation or double-hop features, where the client takes further measures to obscure your real identity or location, or even creates an extra link to another VPN server to add an extra layer of privacy.
It’s also worth checking whether your chosen VPN features a ‘kill switch.’ Should your VPN connection fail or you deliberately disconnect, this instantly ceases all internet activity, ensuring that your PC doesn’t automatically reconnect to open sites and services, exposing your true location and IP address.
Are there any other risks?
As with any online service, VPNs can be attacked by hackers. In 2015 a vulnerability called ‘Port Fail’ was discovered which made it possible for attackers to expose the real IP address of VPN users. Security researchers have also discovered vulnerabilities in the OpenVPN protocol used by many commercial VPNs, or in the Linux stacks many VPN servers run on. In 2016, researchers also uncovered flaws in how VPNs handled IPv6 connections, failing to encrypt the traffic. In 2018 a NordVPN server in Finland running on a third-party datacentre was breached, though no useful information was stolen. Another VPN, TorGuard, was affected in the same attack.
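The kill-switch and IPv6 points above can be checked on your own machine. The following is an added example, not part of the original article: it reads routing-table text in the format printed by `ip -4 route show` and `ip -6 route show` on Linux and reports, per address family, whether traffic would leave through the VPN tunnel. The interface names (`tun0`, `wlan0`) and the sample tables are constructed assumptions.

```python
import ipaddress

# Constructed sample tables for a client whose VPN tunnels IPv4 only.
# The two /1 routes override the default route, as some VPN clients do.
SAMPLE_V4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""
SAMPLE_V6 = """\
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
"""
BLOCKING = {"unreachable", "blackhole", "prohibit"}  # route types that drop traffic

def parse_routes(text, version):
    """Return (network, device) pairs; device is None for blocking routes."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        blocked = tok[0] in BLOCKING
        if blocked:
            tok = tok[1:]
        dest = tok[0]
        if dest == "default":
            dest = "0.0.0.0/0" if version == 4 else "::/0"
        net = ipaddress.ip_network(dest, strict=False)
        dev = None if blocked or "dev" not in tok else tok[tok.index("dev") + 1]
        routes.append((net, dev))
    return routes

def egress(routes, addr):
    """Longest-prefix match: the device that would carry traffic to addr."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def leak_report(v4_text, v6_text, tunnel="tun0"):
    """Map each family to 'tunnelled', 'blocked' or 'LEAK via <dev>'."""
    probes = {"IPv4": (v4_text, 4, "198.51.100.7"),  # documentation-range
              "IPv6": (v6_text, 6, "2001:db8::7")}   # probe addresses
    report = {}
    for fam, (text, ver, probe) in probes.items():
        dev = egress(parse_routes(text, ver), probe)
        report[fam] = ("tunnelled" if dev == tunnel
                       else "blocked" if dev is None else f"LEAK via {dev}")
    return report
```

This inspects routes only: a kill switch enforced by firewall rules does not appear in the routing table, so a "LEAK" result here means the routing table alone would let that traffic bypass the tunnel.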
The leading VPN providers, including NordVPN, have been fast to tackle any vulnerabilities and improve security, and most VPNs haven’t encountered any such breaches. The other risk of using a VPN is that the VPN provider themselves may capture data running through the VPN at the server end, sell on user information or pass on data to a third party. Some free VPNs, in particular, have been known to track user data and sell it on or pass data on – usually anonymised – to advertising partners. Again, respectable commercial VPNs don’t operate in this way, and it’s one reason why a good VPN is well worth paying for. If you want to use a free VPN, choose one from our best free VPN selection.
So are VPNs safe?
No VPN can guarantee 100% privacy, security and anonymity, but the best, most reputable VPNs – including our best VPNs – deliver additional layers of protection that get you much, much closer to the mark. Breaches are rare, and unless you’re planning a career in espionage or high-stakes criminal activity, it’s unlikely you’ll be singled out for a court order, subpoena or hacking attack.
Pick a big, established provider, then check their features and their privacy policy to make sure you understand what information, if any, is logged and retained. The biggest VPNs have made their reputation on their strong levels of privacy, so they have everything to lose if they fail to make the grade. As a result, they have every incentive needed to ensure your activities and identity stay completely private and secure.