Do You Need a VPN? A Clear-Eyed Perspective
The single most important thing to know about VPNs is this: they are not a security magic wand, and most of what the VPN industry tells you is exaggerated or misleading. A VPN can be a useful tool in specific, well-defined situations — protecting your traffic on hostile networks, hiding your browsing from a snooping ISP, or circumventing censorship. But it will not make you anonymous, will not protect you from hackers, and will not stop companies from tracking you. The near-universal adoption of HTTPS encryption has already eliminated the most common threat that VPNs once addressed. If you do need a VPN, Mullvad is the clear recommendation from privacy researchers, the Electronic Frontier Foundation, Consumer Reports, and The New York Times Wirecutter — and the reasoning behind that consensus is worth understanding.
This memo explains what a VPN actually does, when it helps, when it doesn't, why the VPN industry is a minefield, and how to think clearly about whether you need one at all.
What a VPN actually does (in plain language)
Think of your normal internet connection as a postcard. When you send a postcard, the mail carrier can read what you wrote, see who you're sending it to, and know your home address. A VPN is like placing that postcard inside a sealed, opaque envelope and mailing it to a trusted friend, who then forwards it to the final destination on your behalf. Your mail carrier can see you're sending something to your friend, but cannot read the contents or see where it's ultimately going. The recipient sees your friend's return address, not yours.
In technical terms, a VPN creates an encrypted tunnel between your device and a remote server operated by the VPN provider. All your internet traffic travels through this tunnel. Your internet service provider (ISP) can see that you're connected to the VPN server, but cannot see what websites you visit or what data you send. Websites you visit see the VPN server's IP address and location instead of yours (Center for Democracy and Technology [CDT], 2021).
The most common modern protocol is WireGuard, which uses approximately 4,000 lines of code — making it fast, efficient, and easy to audit for security flaws. The older standard, OpenVPN, involves over 100,000 lines of code but remains widely trusted.
The important thing to internalize: a VPN changes who can see your traffic. It does not make your traffic invisible. Your ISP can no longer see what you're doing — but your VPN provider can see everything your ISP previously could. You are choosing a different entity to trust, not eliminating the need for trust. As CDT (2021) puts it, people often use VPNs because they do not trust the network they're connected to, but they think less about whether they can trust the VPN service itself.
HTTPS already does most of the heavy lifting
Before deciding whether you need a VPN, you need to understand a transformation that has already happened. Over 95% of web pages loaded in Chrome now use HTTPS encryption, up from roughly 40% in 2014 (Google, 2024). This change is largely thanks to Let's Encrypt, a nonprofit certificate authority founded in 2013 that made encryption certificates free and automated. Let's Encrypt now issues approximately 10 million certificates per day and secures the majority of the web (Let's Encrypt, 2025).
What this means in practice: the content of your browsing — the pages you read, the forms you fill out, the passwords you enter — is already encrypted between your browser and the website. Your ISP cannot read it. A coffee-shop hacker cannot intercept it. The Electronic Frontier Foundation built its HTTPS Everywhere browser extension in 2010 to force encrypted connections wherever possible. In January 2023, they retired it, declaring that the goal of HTTPS Everywhere was always to become redundant — which would mean a world where HTTPS is so broadly available that users no longer need an extra browser extension to get it (Electronic Frontier Foundation [EFF], 2023).
This context matters enormously. The VPN industry's loudest marketing pitch — "protect yourself on public Wi-Fi!" — was most compelling in 2010, when the security tool Firesheep demonstrated that anyone on the same Wi-Fi network could trivially hijack your Facebook or email session. Today, that specific attack is blocked by HTTPS. As the EFF's Surveillance Self-Defense guide now states, while it used to be standard advice to use a VPN on public Wi-Fi, this isn't as necessary for everyone anymore because the majority of web traffic is now encrypted using HTTPS (EFF, n.d.-a).
What HTTPS does not hide: your ISP and local network can still see which domains you visit (via plaintext DNS queries and the Server Name Indication (SNI) field of the TLS handshake), even if they cannot see the specific pages or content. If you visit healthcondition.org, your ISP knows you visited that site — just not which pages you read. A VPN hides even this metadata from your ISP. Whether that matters depends on your situation.
When a VPN is genuinely worth using
Despite the reduced threat from public Wi-Fi, there are real scenarios where a VPN provides meaningful protection. The key is knowing which scenario applies to you.
Hiding your browsing from your ISP. In March 2017, the U.S. Congress voted to repeal FCC broadband privacy rules, allowing ISPs like Comcast, AT&T, and Verizon to collect and sell browsing histories without explicit consent (Lomas, 2017). If you do not want your ISP building a profile of every website you visit, a VPN is the most straightforward countermeasure.
Circumventing censorship. Journalists, activists, and ordinary citizens in countries with aggressive internet censorship use VPNs to reach blocked websites and communicate freely. The Freedom of the Press Foundation notes that journalists use virtual private networks every day to bypass censorship, protect their location information, and defend their traffic against network eavesdropping (Freedom of the Press Foundation, 2023). This is among the most legitimate and important uses of VPN technology.
Protecting traffic on genuinely hostile networks. While HTTPS handles most encryption, a VPN adds a meaningful layer on networks you have strong reason to distrust — an employer or school network that monitors traffic, a hotel network in a country with aggressive surveillance, or any network where someone may be watching DNS queries to build a profile of your activity.
Masking your IP address from websites. Every website you visit sees your IP address, which reveals your approximate location and can be used for tracking across sites. A VPN replaces your IP with the VPN server's IP, making this form of tracking significantly harder. This matters most for people facing targeted surveillance, doxxing threats, or other situations where IP-based identification is a concrete risk.
Torrenting and geo-restriction. VPNs are widely used to avoid copyright enforcement letters when torrenting and to access region-locked streaming content. Note that circumventing geo-restrictions typically violates streaming services' terms of service.
What VPNs absolutely do not protect you from
The VPN industry thrives on a gap between what people think VPNs do and what they actually do. The EFF (n.d.-a) states this bluntly: VPN providers often overpromise security benefits in advertisements that assert a VPN is the only tool needed to stop cyber criminals, malware, government surveillance, and online tracking — but these advertisements vastly oversell the benefits of VPNs.
VPNs do not make you anonymous. When you log into Google, Facebook, Amazon, or any other account, those services know exactly who you are regardless of your VPN. A VPN changes your IP address — it does not change your identity. The EFF (n.d.-a) is explicit that a VPN is not a tool for anonymity.
VPNs do not stop tracking. Cookies, tracking pixels, and browser fingerprinting all operate independently of your IP address. Browser fingerprinting — which collects your screen resolution, installed fonts, timezone, browser plugins, and other device characteristics — can identify the vast majority of users even across different browsers (Eckersley, 2010). A VPN is invisible to these techniques.
VPNs do not protect against malware or phishing. If you click a malicious link or download infected software, your encrypted VPN tunnel faithfully delivers the malware to your device. A VPN adds another layer of encryption around traffic that is already encrypted — it does not inspect or filter that traffic.
VPNs do not protect a compromised device. If spyware, a keylogger, or other malware is already on your device, it captures your data before it enters the VPN tunnel.
VPNs do not defeat state-level adversaries. Sophisticated intelligence agencies have capabilities that go far beyond monitoring a network connection. Bruce Schneier has documented NSA capabilities to exploit VPN traffic (Schneier, 2014). For people facing state-level threats, a VPN alone is inadequate.
VPNs do not replace Tor for serious anonymity needs. The Tor network routes your traffic through at least three independent servers, so no single entity sees both who you are and what you're doing. A VPN routes everything through a single provider who can see both. The EFF (n.d.-a) advises that for those interested in increased anonymity, Tor is a better solution than a VPN.
The VPN industry has a serious credibility problem
The commercial VPN market is plagued by misleading marketing, opaque ownership, and documented betrayals of user trust.
The YouTube sponsorship machine. Researchers at the University of Maryland analyzed YouTube videos containing VPN advertisements and found that a substantial majority used absolute terms like "completely anonymous" — claims that are flatly false. The study concluded that it is problematic that users believe they're getting protections where they really aren't (Akgul et al., 2022). The UK's Advertising Standards Authority has banned NordVPN advertisements multiple times for exaggerating public Wi-Fi risks and unsubstantiated malware-blocking claims (Advertising Standards Authority, 2019).
Providers caught logging despite "no-log" promises. The phrase "no-log VPN" is the industry's most important marketing claim and its most frequently broken promise. CDT (2021) observes that VPNs often trip over themselves to make broad "no logging" claims that have turned out to be inaccurate time and time again. Three cases stand out:
- PureVPN (2017): Despite advertising that it kept no logs identifying user activity, PureVPN provided the FBI with connection logs that identified a cyberstalking suspect by correlating his home and work IP addresses (Van der Sar, 2017).
- IPVanish (2016, revealed 2018): After initially telling Homeland Security it kept no usage logs, IPVanish's parent company provided detailed connection logs — timestamps, source IPs, and usage data — in a child exploitation investigation, while its homepage prominently displayed a "strict zero-logs policy."
- HideMyAss (2011): A UK court order compelled HideMyAss to hand over session logs that led to the arrest of a LulzSec hacker, despite the service marketing itself as a privacy tool (Leyden, 2011).
The Kape Technologies problem. One company now controls a staggering share of the VPN market, and its history should give any privacy-conscious user pause. Kape Technologies owns ExpressVPN (acquired for approximately $936 million in 2021), CyberGhost, Private Internet Access, and ZenMate. Kape was founded in 2011 as Crossrider, a company whose core business was building browser extensions that injected advertisements into users' browsers (Corfield, 2021). Malwarebytes classified Crossrider products as adware. The company rebranded to Kape Technologies in 2018, with its CEO acknowledging the name change was due to the strong association with the past activities of the company. Kape also acquired the VPN review websites vpnMentor and Wizcase, which consistently rank Kape's own VPNs at the top of their recommendations — a glaring conflict of interest. Days after the ExpressVPN acquisition was announced, the U.S. Department of Justice disclosed that ExpressVPN's chief information officer had been charged for his role in Project Raven, a covert UAE surveillance program that targeted human rights activists, journalists, and American citizens (Cox, 2021).
Malware in VPN apps. A landmark study by researchers at CSIRO/Data61, UNSW, UC Berkeley, and IMDEA Networks analyzed 283 Android VPN apps and found that 38% contained malware, 18% did not encrypt tunneled traffic at all, and the majority leaked DNS queries or IPv6 traffic (Ikram et al., 2016). A 2025 Citizen Lab investigation found that 20 of the top 100 most-downloaded VPN apps on Google Play — with a combined 972 million downloads — contained serious security flaws, including hardcoded passwords that could allow anyone to decrypt users' traffic, and that many were secretly linked to Chinese companies including Qihoo 360, a firm sanctioned by the U.S. government (Citizen Lab, 2025).
Why Mullvad is the clear recommendation
Against this troubled industry backdrop, Mullvad VPN stands out as the provider that privacy researchers, journalists, and security experts consistently recommend.
No personal information required. Mullvad does not ask for your email, name, or any identifying information. You generate a random 16-digit account number with one click — that number is your entire identity in their system. You can pay with cash mailed in an envelope, Bitcoin, Monero, or other methods (Mullvad, n.d.-a). This is not a marketing gimmick; it is a structural privacy guarantee. If Mullvad does not have your personal information, it cannot hand it over to anyone.
Flat, honest pricing. Mullvad charges €5 per month — the same price since 2009. No multi-year contracts, no deceptive sales that lock you in, no tiered pricing.
Independently audited, repeatedly. Mullvad has completed more than ten independent security audits by firms including Cure53, Radically Open Security, Assured Security Consultants, NCC Group, and X41 D-Sec. These audits cover apps, server infrastructure, payment systems, and web properties. All audit reports are published publicly (Mullvad, n.d.-b).
Proven under legal pressure. In April 2023, six Swedish police officers from the National Operations Department arrived at Mullvad's Gothenburg office with a search warrant, intending to seize computers with customer data. The police left empty-handed (Mullvad, 2023). Mullvad's RAM-only server infrastructure means no persistent data exists to seize. This is real-world validation of a no-logs claim — not a marketing promise, but a tested architectural reality.
Endorsed by the organizations that matter. The New York Times Wirecutter names Mullvad its top VPN pick, citing its serious approach to privacy, transparent policies, and competitive pricing (Crawford & Klosowski, 2024). Consumer Reports ranked Mullvad among its top VPNs — alongside IVPN and Mozilla VPN — praising its open-source code, public third-party security audits, and channels for outside researchers to report vulnerabilities (Germain, 2024). Privacy Guides recommends Mullvad (Privacy Guides, 2024). The Freedom of the Press Foundation includes Mullvad in its journalist security guidance (Freedom of the Press Foundation, 2023). Mozilla built its own VPN product entirely on Mullvad's server network. The Tor Project collaborated with Mullvad to create the Mullvad Browser (Tor Project, 2023).
Open source and technically advanced. All Mullvad client apps are open source under GPLv3 with reproducible builds, meaning anyone can verify the code matches the distributed software. Mullvad has deployed quantum-resistant WireGuard tunnels and DAITA (Defense Against AI-guided Traffic Analysis), a feature designed to obscure traffic patterns that could be used to infer browsing activity even through an encrypted tunnel (Mullvad, 2024).
Mullvad VPN AB is a subsidiary of Amagicom AB, owned by founders Fredrik Strömberg and Daniel Berntsson, and is based in Gothenburg, Sweden. Swedish law does not classify VPN providers as electronic communications providers, so Mullvad faces no legal obligation to retain data.
Before getting a VPN, build a threat model
The most important step in deciding whether you need a VPN is asking yourself a few structured questions. The EFF's Surveillance Self-Defense guide provides a framework (EFF, n.d.-b):
- What am I protecting? Your browsing history? Your location? Communications with a source?
- Who am I protecting it from? Your ISP? An employer? A government? Advertisers? A specific person?
- How likely is the threat? Everyone's ISP can see their DNS queries. Not everyone faces state-level surveillance.
- How bad are the consequences if I fail? Embarrassment? Job loss? Physical danger?
- How much trouble am I willing to go through? Security always involves trade-offs with convenience.
The EFF (n.d.-b) emphasizes that trying to protect all your data from everything all the time is impractical and exhausting, but that thoughtful planning lets you put together a plan that's right for you.
For most people in most situations, more impactful security steps than a VPN include strong unique passwords with a password manager, two-factor authentication, HTTPS-only mode in your browser, full-disk encryption, keeping software updated, encrypted DNS, and tracker blocking. A VPN is one tool among many — and rarely the most important one.
Alternatives that may serve you better
For anonymity: Tor Browser. Tor routes your traffic through at least three independent relays, so no single entity sees both your identity and your destination. It is free, requires no account, and is the tool recommended by every major digital rights organization for situations where anonymity is critical. The trade-off is speed. For whistleblowing, investigative journalism in hostile environments, or circumventing sophisticated surveillance, Tor is the correct choice (Tor Project, n.d.).
For DNS privacy: encrypted DNS. Traditional DNS queries are sent in plaintext, letting your ISP see every domain you look up. DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt these queries. Major providers include Cloudflare (1.1.1.1), Quad9 (a Swiss nonprofit), and Mullvad's own DNS service (Cloudflare, n.d.).
For secure remote access: self-hosted WireGuard or Tailscale. If your goal is to securely access your home network or office resources while traveling, a self-hosted VPN using WireGuard or the Tailscale overlay network is more appropriate than a commercial VPN.
For private messaging: Signal. VPNs protect your network connection; Signal protects your message content with end-to-end encryption. Signal is operated by a nonprofit, collects virtually no metadata, and when served with subpoenas can provide only a phone number and registration date.
Conclusion
The VPN industry spends enormous sums convincing you that a VPN is essential for basic internet safety. The evidence tells a different story. HTTPS encryption, now covering the overwhelming majority of web traffic, has already neutralized the most commonly cited threat. A VPN remains a useful tool in specific circumstances — protecting your browsing metadata from an ISP that may sell it, circumventing censorship, shielding your activity on a hostile network, or masking your IP address from websites. For those use cases, Mullvad is the clear choice: no personal information required, independently audited more than ten times, tested by actual law enforcement who came away empty-handed, endorsed by the EFF, Consumer Reports, Freedom of the Press Foundation, and The New York Times Wirecutter, and priced honestly at €5 per month.
But the most valuable thing this memo can offer is a shift in thinking. Do not ask "which VPN should I buy?" Ask first: "What specific threat am I facing, and is a VPN the right tool to address it?" A password manager, two-factor authentication, encrypted DNS, and the Tor Browser each solve problems that no VPN can touch. Security is not a product you purchase — it is a set of decisions you make based on a clear understanding of what you're protecting, from whom, and why.
References
Advertising Standards Authority. (2019, December 18). ASA ruling on NordVPN SA. https://www.asa.org.uk/
Akgul, O., Roberts, R., Namara, M., Levin, D., & Mazurek, M. L. (2022). Investigating influencer VPN ads on YouTube. In 2022 IEEE Symposium on Security and Privacy (SP) (pp. 876–892). IEEE. https://www.cs.umd.edu/~akgul/papers/vpn-ads.pdf
Center for Democracy and Technology. (2021, March 25). Techsplanations: Part 5, virtual private networks. https://cdt.org/insights/techsplanations-part-5-virtual-private-networks/
Citizen Lab. (2025). Hidden links: Analyzing secret families of VPN apps. The Citizen Lab, University of Toronto. https://citizenlab.ca/
Cloudflare. (n.d.). DNS over TLS vs. DNS over HTTPS. https://www.cloudflare.com/learning/dns/dns-over-tls/
Corfield, G. (2021, September 14). ExpressVPN bought for $1bn by Brit biz with an intriguing history in adware. The Register. https://www.theregister.com/2021/09/14/expressvpn_bought_kape/
Cox, J. (2021, September 16). ExpressVPN knew "key facts" of executive who worked for UAE spy unit. Vice. https://www.vice.com/en/article/expressvpn-uae-hacking-project-raven-daniel-gericke/
Crawford, M., & Klosowski, T. (2024). The best VPN services. The New York Times Wirecutter. https://www.nytimes.com/wirecutter/reviews/best-vpn-service/
Eckersley, P. (2010). How unique is your web browser? In M. J. Atallah & N. J. Hopper (Eds.), Privacy enhancing technologies (pp. 1–18). Springer. https://www.eff.org/files/eff-unique-browser.pdf
Electronic Frontier Foundation. (n.d.-a). Choosing the VPN that's right for you. Surveillance Self-Defense. https://ssd.eff.org/module/choosing-vpn-thats-right-you
Electronic Frontier Foundation. (n.d.-b). Your security plan. Surveillance Self-Defense. https://ssd.eff.org/module/your-security-plan
Electronic Frontier Foundation. (2023, January). HTTPS Everywhere. https://www.eff.org/https-everywhere
Freedom of the Press Foundation. (2023). An in-depth guide to choosing a VPN. https://freedom.press/digisec/blog/choosing-a-vpn/
Germain, T. (2024). Mullvad, IVPN, and Mozilla VPN top Consumer Reports' VPN testing. Consumer Reports. https://www.consumerreports.org/electronics-computers/vpn-services/mullvad-ivpn-mozilla-vpn-top-consumer-reports-vpn-testing-a9588707317/
Google. (2024). HTTPS encryption on the web. Google Transparency Report. https://transparencyreport.google.com/https/overview
Ikram, M., Vallina-Rodriguez, N., Seneviratne, S., Kaafar, M. A., & Paxson, V. (2016). An analysis of the privacy and security risks of Android VPN permission-enabled apps. In Proceedings of the 2016 Internet Measurement Conference (pp. 349–364). ACM. https://doi.org/10.1145/2987443.2987471
Let's Encrypt. (2025, December 9). 10 years of Let's Encrypt certificates. https://letsencrypt.org/2025/12/09/10-years
Leyden, J. (2011, September 26). HideMyAss defends role in LulzSec hack arrest. The Register. https://www.theregister.com/2011/09/26/hidemyass_lulzsec_controversy/
Lomas, N. (2017, March 28). Congress just voted to let internet providers sell your browsing history. TechCrunch. https://techcrunch.com/2017/03/28/house-vote-sj-34-isp-regulations-fcc/
Mullvad. (n.d.-a). Mullvad VPN: Privacy is a universal right. https://mullvad.net/
Mullvad. (n.d.-b). Audits. https://mullvad.net/en/blog/tag/audits
Mullvad. (2023, April 20). Mullvad VPN was subject to a search warrant. Customer data not compromised. https://mullvad.net/en/blog/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised
Mullvad. (2024). DAITA: Defense against AI-guided traffic analysis. https://mullvad.net/en/blog/
Privacy Guides. (2024). Private VPN service recommendations. https://www.privacyguides.org/en/vpn/
Schneier, B. (2014, March 17). How the NSA exploits VPN and VoIP traffic. Schneier on Security. https://www.schneier.com/blog/archives/2014/03/how_the_nsa_exp.html
Tor Project. (n.d.). Can I use a VPN with Tor? Tor Project Support. https://support.torproject.org/faq/faq-5/
Tor Project. (2023, April 3). The Tor Project and Mullvad release the Mullvad Browser. https://blog.torproject.org/
Van der Sar, E. (2017, October 9). PureVPN logs helped FBI net alleged cyberstalker. TorrentFreak. https://torrentfreak.com/purevpn-logs-helped-fbi-net-alleged-cyberstalker-171009/