|When to Use a VPN—and When It Won’t Protect Your Data|
Internet service providers, hackers and others can collect a treasure trove of user data. VPNs can offer more privacy…sometimes.
Virtual private networks, better known as VPNs, are shrouded in mystery. These software tools are meant to hide the data coming in and out of your phone or PC, to make web browsing and other activity more private. But it isn’t always that simple.
Let’s start with why you might want a VPN. For one thing, when you’re online, your internet service provider can see a lot of the data that passes through your devices. It knows where you are, what apps you download, which websites you browse and how long you spend on a site. ISPs can use that information to improve their products, but they also can sell it to marketers.
“In most places in the U.S., ISPs can look, process and sell whatever information they see,” says Paul Ohm, a professor of law at the Georgetown University Law Center who specializes in information privacy. “VPNs address a lot of those threats.” VPNs also can protect you from hackers when you’re on a public Wi-Fi network.
To use a VPN, you just download an app and fire it up. The app creates a private channel over the open web. It encrypts your data, turning it into an incoherent string of code, and routes it through the VPN provider’s own servers. The process associates your web surfing with the VPN server’s IP address, masking your online activity from your ISP. Websites and apps might think you’re logging on far from your actual location, and they shouldn’t be able to see what you’re doing when the VPN is activated.
But what happens next can vary, cybersecurity experts and industry researchers say. Sometimes, you’re getting precisely what you expect: an online experience masked from prying eyes. Other times, you’re not only the customer, you’re also the product. Some VPN providers that log your internet traffic can share your data with other companies without your knowledge.
Here, we explain three common VPN use cases, and explore how effective they are at keeping your data secure.
Keeping safe on public Wi-FiScenario: You’re connecting to a public Wi-Fi network at your hotel, the airport or a local restaurant. What are the dangers?
If you log onto a public Wi-Fi network, a hacker could intercept any unencrypted information you enter on the web—say, your credit-card number or other personal information. You might even be connecting to a rogue Wi-Fi hot spot that looks like it’s run by a legitimate business but isn’t.
SHARE YOUR THOUGHTSWhen do you use VPNs? Join the conversation below.
The threats associated with legitimate public Wi-Fi networks have diminished somewhat, because most websites use secure connections (that “https” text or padlock icon at the top of your browser), keeping your information private. However, the risk of personal information being intercepted is the most common reason people turn to VPNs, says Roya Ensafi, a University of Michigan assistant professor of computer science who led an extensive study of VPN providers last year.
VPNs can protect your data when you’re using a public network because they obscure all the data coming to and from your device, says Michael Horowitz, a New York-based security researcher and independent computer consultant. In the event you’re using websites or services that don’t have encryption of their own, a VPN will make that communication appear as gibberish to any snooping party.
VPNs don’t always deliver an online experience masked from prying eyes. Sometimes, you’re not only the customer, you’re also the product.Illustration: Beth Goody
“VPNs are designed to make sure that no one else connected to the network in the coffee shop can see what you’re doing,” Mr. Horowitz says. “That includes the owner, other coffee drinkers, even the person who set up the router.”
Still, while your data is safe from outsiders, it runs the risk of being accessed by the VPN provider itself. To offer more security, many VPNs—but not all—have a “no logs” policy, which means they don’t “log” or save information about where you go online. Some VPNs, such as NordVPN and Proton VPN, submit their technology to independent analysts for a privacy and security audit, and publish the results.
If your VPN connection drops, or when you switch between VPN servers (more on that below), your data may not be encrypted. VPNs with a so-called kill switch, such as Norton’s Secure VPN, can address that, security experts say. Some “system level” kill switches won’t let you browse the internet until your VPN connection is established.
Watching Netflix and other streaming sitesScenario: You want to watch movies on Netflix while traveling abroad, but some aren’t available because your profile is linked to the country where you established the account. Or you’re a big fan of “Love Island” and want to tune in live as it plays in the U.K.—except that’s not where you live.
While nearly all of Netflix’s original content is globally available, other releases are regional and may not be available for you to stream beyond U.S. borders. Other services, such as Hulu, don’t operate overseas.
Will VPNs solve this? It depends on which VPN you use and how often it updates its software to get around a streaming service’s VPN restrictions.
“Streaming services try to detect circumvention of their security features, and VPN vendors try to avoid that detection,” says David Walkiewicz, director of test research at AV-Test, an independent IT-security research firm based in Germany. “So one day they might work, another they might not.”
But if your VPN skirts detection, you’ll be able to watch content available in other countries. During our test, NordVPN on MacOS bypassed Netflix’s geoblocking software. The app lets users select their server location, and switching it to the U.K. allowed “Rick and Morty” to play in the U.S., where it’s currently streamed by Netflix’s competitor, Hulu.
Other VPNs, such as Kaspersky, Avira and Avast, have worked in the past, Mr. Walkiewicz says.
“It’s a cat-and-mouse game,” he says.
Working undercoverScenario: You don’t want your home internet service provider to have so much data on you—and also want to limit what other companies, government entities and others can see.
Will a VPN solve this? It should. VPNs are often used in countries with oppressive censorship, helping people browse anonymously without government interference, experts say.
A VPN doesn’t block all information, though. Your ISP can see that you’re using a VPN, and it can see the VPN server’s IP address, experts say. Even when the VPN is turned on, your ISP will know what time you connected to the internet and have access to the amount of data you’re sending and receiving. But while the data is encrypted by a VPN, the ISP can’t see what websites you’re visiting, what words you’re searching or the amount of time you spend on a webpage.
If you’re in a country with strict censorship, the government may attempt to block VPNs to regulate internet traffic. In that case, you may have to try several.
“Users have to shop around to find a VPN which works, and sometimes this may change,” Mr. Walkiewicz says. “They might work one day and stop working the next day and vice versa.”
Beyond VPNsIf you’re not sure a VPN is right for you, there are other ways to make your online browsing more private.
Apple’s Private Relay is available as beta software for iCloud+ subscribers—those who pay 99 cents or more monthly for extra iCloud storage. It works like a VPN, hiding a user’s web traffic from Apple itself, ISPs and advertisers. Apple will also let you change your IP address so that websites can provide local content.
But unlike a VPN, it doesn’t work on all browsers, just Apple’s own Safari. It also won’t let you get around geolocation blocks, so no Netflix U.K.
To turn it on, go to your iPhone settings, tap your name at the top, then iCloud, and tap the toggle next to Private Relay (Beta) to turn it green. On a Mac, choose the Apple menu > System Preferences, then click Apple ID. Select iCloud > Private Relay.
The software, launched by Apple in 2021, remains in beta, but the company says it’s robust and secure enough to use.
Both iPhone and Android users looking for an extra layer of protection can sign up for a Google One subscription, which includes a VPN “to encrypt your phone’s online traffic—no matter what app or browser you’re using,” according to Google’s website.
Google’s VPN is included with 2-terabyte data plans for $9.99 monthly. To turn it on, you must be logged in to your Google account. On Android devices, open the Google One app, tap Benefits at the bottom of the page, find the VPN benefit and tap View details. Turn on Enable VPN. On iOS, sign into your Google account on the Google One app, tap Home at the bottom, then tap Enable VPN.
Bottom line: Experts say virtually any VPN should protect you from being spied on by outsiders. But if you’re not willing to pay for service, you should lower your expectations. The companies that don’t charge you still need to make money somehow. It might be from your data.
What to Look for in a VPNPrice: Often, paid VPNs are more secure choices than free VPNs. Companies offering free VPNs may make money selling ads, but also by selling their users’ data.
Compatibility: Some VPNs aren’t available on all platforms. Check for cross-platform compatibility if you plan to use a VPN on multiple devices, or both at home and when you’re away. Make sure the VPN you choose works with whichever operating system your device uses.
Servers: Find out how many servers the VPN provider lists on its website, and where those servers are located. If you’re looking to get around regional-streaming restrictions, make sure the provider has servers in the countries where you want to access content.
Mr. Brown is a reporter for The Wall Street Journal in New York. He can be reached at email@example.com. For more WSJ Technology analysis, reviews, advice and headlines, sign up for our weekly newsletter.