The use of Virtual Private Networks (VPNs) has experienced explosive growth over the last few years. One study showed that 785 million people downloaded VPN apps in 2021, up from 277 million in 2020, and the number of users is expected to continue to rise over the next several years. 

Unfortunately, the privacy and security advantages that are a selling point for are not always what they’re cracked up to be.

What is a VPN?

A VPN is a means of rerouting internet traffic from one device through an external server. A VPN can be used to bypass internet restrictions in certain countries, such as the Russian government’s recent blocking of Facebook and Instagram. It can be used to get access to licensed content in other regions. A VPN can also be used to sidestep companies that collect and monetize information based on internet activity.

The Risk of Using a VPN

Using a VPN ultimately requires a leap of faith: By rerouting your internet activity through a third party, you’re providing potentially sensitive data that you don’t want to share with an internet service provider or government to a private organization, and hoping for the best. The potential for abuse is high, especially with “free” VPN services, where they make their money selling information about their users.

Many VPN providers also overstate their security benefits. Routing internet activity through a VPN doesn’t block incoming malware, malicious attachments or phishing emails, although they can help prevent MiTM (man in the middle) attacks where internet traffic is intercepted and either manipulated or collected. 

Human error and security lapses also happen. In 2021, Ukrainian authorities seized servers operated by Windscribe, a Canadian VPN provider. They were unencrypted and were running on outdated and obsolete software, which would make it theoretically possible for outside parties to have a look at the traffic supposedly protected by the service. 

VPN providers aren’t always upfront about the nature of their services. Most providers say they don’t log user data, but many will admit to collecting and gathering data in their fine print. A “no-logs” provider may not gather usage data, but will store user data, including IP addresses, connection times and other diagnostic information that could be used to trace internet activity to de-anonymize users. 

Others mis-state their logging activities outright. UFO VPN, a Hong Kong-based VPN provider was found to store user account credentials, IP addresses and other identifying information on an unprotected and publicly accessible server despite claiming to not log any such data. 

VPNs have important, practical uses. They’re commonly used to secure connections to corporate networks, protect the identities and information of journalists and dissidents and more. It should serve to highlight the need to thoroughly vet a provider, and to confirm that they have a solid track record of protecting users’ privacy and state any information stored on their servers explicitly and clearly.