Is using a VPN safe? Most people never seriously ask that question — they just download an app because someone recommended it, because they read something alarming about public WiFi, or because they want more privacy online. What very few people do after installing it is actually understand what they have — what it protects, what it doesn't, and whether the specific app they chose is helping or quietly making things worse.
That last part is the one that matters most, and it's the part that rarely gets a straight answer.
This post covers three questions that come up constantly when people start thinking seriously about VPNs. Not surface-level answers, but the actual mechanics — because once you understand how a VPN works, what a free VPN's business model usually looks like, and exactly what "tracked" means in this context, the decisions become obvious.
Let's start at the beginning.
Part One: Is Using a VPN Safe?
The short answer is yes — with a condition attached that most VPN marketing deliberately glosses over.
What a VPN Is Actually Doing
When you connect to the internet without a VPN, your traffic flows through your internet service provider before reaching wherever it's going. Your ISP sees what you're connecting to, can record your DNS queries (the domain names you look up), and has a detailed picture of your online activity. The websites you visit see your real IP address, which reveals your approximate location and can be used to track you across sessions.
A VPN changes this flow. When you activate a VPN, your device establishes an encrypted connection — called a tunnel — to a server operated by the VPN provider. All your traffic travels through that tunnel first before going anywhere else. The result:
- Everything flowing through the tunnel is encrypted, so anyone who could intercept it — including your ISP — sees only scrambled data they cannot read
- The websites and services you connect to see the VPN server's IP address instead of yours, masking your real location and identity
- Your ISP sees that you're connected to a VPN server and exchanging data, but cannot see the content or the destinations beyond the VPN
This is the fundamental value of a VPN — encrypted traffic, masked IP, a layer of separation between you and the services that would otherwise see exactly who you are and what you're doing.
The Encryption That Actually Matters
Not all encryption is equal, and this is where a lot of consumer VPN marketing gets slippery. Terms like "military-grade" and "bank-level" get thrown around as if they mean something specific. They don't. What matters is the actual protocol and algorithm in use.
The current gold standard for consumer VPNs is WireGuard. It's a modern VPN protocol that's faster, leaner, and more thoroughly audited than older alternatives like OpenVPN or L2TP/IPsec. Under the hood, WireGuard uses two cryptographic algorithms: ChaCha20-Poly1305, which is particularly efficient on mobile processors that lack hardware acceleration for AES, and AES-256-GCM for environments where hardware AES support is available.
These aren't marketing claims — they're specific, well-understood cryptographic standards. ChaCha20-Poly1305 was designed by Daniel Bernstein, one of the most respected cryptographers working today. AES-256-GCM is used by governments to protect classified information. The point isn't to impress you with names; it's that when a VPN says it uses WireGuard with these algorithms, you can verify what that means through independent research. When a VPN says "military-grade," you cannot verify anything because it means nothing specific.
Older protocols worth being cautious about: PPTP is broken and should be avoided entirely. L2TP/IPsec is old but functional. IKEv2 is reasonable on mobile. OpenVPN is solid but slower. WireGuard is where most good providers have landed.
If a VPN doesn't tell you what protocol it uses, that's a signal worth paying attention to.
The Part That Marketing Doesn't Want You to Think About
Here is the thing that changes how you should think about VPN safety entirely: a VPN doesn't remove the question of who can see your data. It moves that question.
Without a VPN, your ISP has a complete view of your internet activity. With a VPN, your ISP loses that view — but your VPN provider gains it. You've moved your trust from one company (your ISP) to another (your VPN provider). Whether that trade makes sense depends entirely on which of those two companies is more trustworthy in your specific situation.
For many people, this trade is clearly worth making. ISPs have a history of selling browsing data to advertisers. ISPs work closely with government agencies in many countries. Your ISP is also the company billing you for internet access, which means they have your real name, address, and payment information already attached to your browsing profile.
A good VPN provider, by contrast, is specifically in the business of protecting your privacy. Their entire product is built around not being able to see your activity — or more precisely, seeing it technically while being architecturally designed not to retain or use any of it. This is what the no-logs policy is about, and it's the most important thing to understand about any VPN.
No-Logs: What It Means and What to Look For
A no-logs policy means the VPN provider does not record, store, or retain information that could link your identity to your online activity. Specifically, this means not storing: your real IP address, the IP addresses of websites you visit, your browsing history, DNS query data, connection timestamps, session duration, bandwidth used per session, or which VPN server you connected to.
A genuine no-logs system means that even if someone compelled the VPN provider to hand over data about you — through a court order, government pressure, or legal demand — there would be nothing useful to hand over. The data simply doesn't exist.
The challenge is that "no logs" has become a marketing phrase as much as a technical commitment. Every VPN claims it. Many don't deliver it. The difference shows up in two places: the actual privacy policy (not the marketing page), and the provider's track record when put under real legal pressure.
On reading the privacy policy:A real no-logs policy reads like a specific legal commitment. It names exactly what is not collected — IP address, browsing history, traffic data, DNS queries, timestamps, session data. A privacy policy that says "we value your privacy" and "we don't keep logs of your activity" without specifics is not a no-logs policy; it's marketing copy written to sound like one. Read the actual policy document. Look for specifics about what is not retained.
On track record:A handful of VPN providers have been subpoenaed, had servers seized, or faced government legal pressure and were genuinely unable to provide user data because none existed. This is the most concrete possible evidence that a no-logs policy is real rather than aspirational. No such test is dispositive — policies change, new infrastructure might log things old infrastructure didn't — but a provider that has been through this test and demonstrated having nothing to hand over is far more credible than one that has never been tested.
Features That Make a VPN Meaningfully Safer
Beyond the protocol and the no-logs policy, a handful of features determine whether a VPN is doing its job reliably rather than just most of the time.
- Kill switch. A VPN connection is not perfectly stable. On mobile, it drops when you move between networks, when your device sleeps, when signal quality changes. Every time the VPN connection drops without a kill switch, your real IP address is exposed for the duration of the reconnection. A kill switch prevents this by blocking all internet traffic the moment the VPN connection drops, restoring it only when the VPN is back up. On mobile specifically, this is an essential feature rather than a nice-to-have.
- DNS leak protection. DNS lookups happen constantly as you browse — every domain name you visit requires a lookup that translates the name to an IP address. Without DNS leak protection, these lookups can bypass your VPN tunnel and go to your ISP's DNS servers, giving your ISP a detailed view of which domains you're visiting even while your traffic is encrypted. DNS leak protection ensures these queries travel through the tunnel with everything else.
- Auto-connect on unfamiliar networks. The moment you most need a VPN — connecting to an unfamiliar WiFi network — is also the moment you're most likely to forget to turn it on. An auto-connect feature that activates the VPN whenever you join a network outside your trusted list solves this problem by making the protection automatic.
- Ad blocking and tracker blocking. Some VPN apps include network-level blocking of known advertising and tracking domains. This operates at a lower level than browser-based ad blockers and blocks tracking attempts from within apps, not just browsers. It's a meaningful additional privacy layer when it's well-implemented.
- Malware and phishing protection. Similarly, some apps block connections to known malicious domains before they load — useful protection against phishing sites and malware distribution networks that change domains frequently enough to evade browser-based protection.
AtmosVPN, for example, includes all of the above in a single app — kill switch, DNS leak protection, auto WiFi shield, ad and tracker blocking, and phishing/malware protection — alongside a zero-logs policy and WireGuard encryption. It's available free on Google Play with no hard data cap and no credit card required.
Part Two: Is a Free VPN Risky?
The honest answer here is: it depends on the specific app, and the deciding factor is almost always the business model.
The Fundamental Problem With "Free"
VPN infrastructure is not cheap. Maintaining servers across dozens of countries, with the bandwidth capacity to serve potentially millions of users, requires significant ongoing investment. The engineers who build and maintain the systems get paid. The server costs are real. None of this disappears because an app is free.
Which means: if you're not paying, something or someone else is. What that something is tells you most of what you need to know about whether the app is actually protecting you.
Business Models That Fund Free VPNs
- Advertising within the app. The app is free; you see ads. The ad revenue covers costs. This is the most benign free-VPN business model — your privacy isn't directly compromised by it, though ad injection at the network level (inserting ads into web pages you visit) can expose you to lower-quality ad networks and occasionally to malicious ads. It also means the app itself is filled with ads, which affects the user experience.
- A freemium model with a premium paid tier. The provider offers a free version to attract users who will hopefully upgrade to a paid plan. In this model, free users are future customers — treating them poorly would undermine the whole strategy. The free tier typically includes the same core privacy protections as the paid plan, with limitations on server access, speed, or features rather than on privacy. This is the model under which a free VPN can be genuinely trustworthy.
- Selling user data. The provider covers its costs by collecting data about user behavior — browsing patterns, app usage, location data — and selling it to data brokers, advertisers, or market research firms. The data is typically described as "anonymized," but the practical value of anonymization is frequently overstated; device identifiers, browsing patterns, and location data can often be re-identified when combined with other available datasets. In this model, the VPN app is not a privacy tool. It's a data collection tool with a privacy label on it.
- Monetizing bandwidth. Some free VPN providers have been found to route other users' traffic through free subscribers' devices, effectively turning their users' internet connections into residential proxies that pay for the service. Users agreed to this in terms of service they didn't read, and typically have no idea their device is being used as a relay.
The problem for users is that these business models are not always clearly disclosed. An app that appears to be a free privacy tool may, in its terms of service, reserve the right to collect and share data in ways that directly contradict the stated purpose.
The Security Risks Beyond Business Model
- Malware bundled into free VPN apps. Security researchers have found cases — both in third-party app stores and, in some historical cases, within official app stores — where free VPN apps contained malware bundled into the application itself. The app installs something that looks like a VPN while simultaneously installing malicious code that operates in the background. This is most common with unofficial APKs downloaded outside Google Play or the App Store, but not exclusive to them.
- Excessive permissions. During installation, apps request permissions to access device features and data. A VPN needs network access — that's it for the core function. Some free VPN apps request access to contacts, call history, device storage, camera, microphone, or precise location. These permissions serve no legitimate VPN purpose and exist to collect data for purposes that aren't privacy protection. Checking the permissions an app requests before installing it is a quick and useful filter.
- Weak or undisclosed encryption. Some free VPN apps use outdated protocols with known vulnerabilities, or simply don't disclose what they use. PPTP, an old VPN protocol, has been cryptographically broken — traffic encrypted with PPTP can be decrypted. An app that uses PPTP while marketing itself as "secure" is providing security theater rather than actual protection. An app that doesn't disclose its protocol at all gives you no way to evaluate what you're getting.
- Hard data caps that drive risky behavior. Many free VPNs impose monthly data caps that make them functionally unusable for regular browsing — 500MB, 1GB, or 2GB covers a few hours of actual use. Users who hit the cap often respond by cycling through multiple free VPN apps, installing new ones as the previous one runs out. Each new installation is a new trust decision being made under pressure, without proper evaluation.
What Separates a Safe Free VPN From an Unsafe One
The dividing line is whether the provider's revenue model is compatible with genuine privacy protection. A freemium VPN funded by premium subscriptions can credibly offer real privacy on the free tier. A VPN funded by data sales cannot, by definition, offer real privacy — the product is the data.
Practical things to look for:
- A privacy policy that specifically lists what is not collected (IP address, browsing history, DNS queries, traffic data, timestamps)
- A disclosed encryption protocol that's current and reputable
- App permissions limited to what a VPN actually needs
- Available on official app stores (Google Play, App Store)
- A clear explanation of how the provider makes money
- No hard data cap that makes the app impractical
- Evidence of independent security audits
AtmosVPN's free plan is an example of the freemium model done honestly — no data cap, no credit card, the same WireGuard encryption and no-logs policy as the paid plan, with the free tier funded by ads rather than user data. You can check its privacy policy directly at atmosvpn.com/privacy.
Part Three: Can a VPN Be Tracked?
Yes — in specific and limited ways. Understanding exactly what "tracked" means here is important because the popular understanding often doesn't match the technical reality.
The Accurate Picture of What a VPN Hides
- From websites and online services: Your real IP address is replaced by the VPN server's IP. The site sees where the VPN server is located, not where you are. Your approximate location, your ISP, and your device's network identity are all hidden.
- From your ISP: The content of your traffic — which sites you visit, what you do there, what data you send and receive — is encrypted and invisible. DNS queries (which reveal the domains you're looking up) are also encrypted if your VPN includes DNS leak protection. Your ISP can see that you're connected to a VPN server and the volume of data you're exchanging, but nothing beyond that.
- From other users on shared networks: Public WiFi is a shared network. Other users on the same network could use freely available tools to monitor unencrypted traffic. A VPN encrypts everything at the network level, making this interception useless — encrypted data without the key is just noise.
What a VPN Doesn't Hide
- That you're using a VPN. Your ISP can see that your device is connecting to an IP address associated with a VPN server. The content is hidden; the fact of VPN usage is not. In most countries and situations, this is irrelevant — VPN use is legal and common. But the idea that VPN usage itself is invisible is incorrect.
- Your identity if you're logged into accounts. This is the most important limitation to understand. A VPN masks your IP address. It does not create a new identity. If you're logged into your Google account, Google knows who you are regardless of which IP address you're connecting from. The same applies to any service where you have an account. Account-based tracking operates on credentials, not network identity — and a VPN doesn't touch your credentials.
- Browser and device fingerprinting. Websites can identify users through signals entirely unrelated to IP address: browser version, installed fonts, screen resolution, time zone, language settings, installed browser extensions, hardware performance characteristics, and many other data points. Combined, these signals create a fingerprint that's often unique to a specific browser on a specific device. A VPN changes your IP; it doesn't change your fingerprint.
- Cookies placed before the VPN was active. If a website placed tracking cookies in your browser in a previous session when you weren't using a VPN, those cookies still exist and still identify you to that website in your current session, regardless of VPN status.
- Traffic fingerprinting in specialized environments. Deep packet inspection — network analysis that examines packet sizes, timing, and flow characteristics — can in some cases identify VPN traffic patterns even when the content is encrypted. This requires specialized equipment and deliberate implementation. It's relevant in corporate networks that prohibit VPN use, in countries that actively restrict VPN access, and in very high-security threat models. For everyday users in most countries, it's not a practical concern.
- Your VPN provider's logs, if any exist. If your VPN provider retains logs linking your account to your activity, those logs can be accessed. This is the reason the no-logs policy matters so much — a provider that retains no usable logs removes themselves from the equation entirely.
The Kill Switch Detail That Most People Skip
VPN connections are not always stable, especially on mobile. Network handoffs when you move between WiFi and cellular, device sleep states, signal quality variations, and server-side issues can all cause brief disconnections. During these gaps — which may last only seconds — your device falls back to your regular, unencrypted connection with your real IP visible.
For casual browsing, brief disconnections are usually inconsequential. For situations where consistent IP masking actually matters, a kill switch that blocks all traffic during the reconnection period is essential. It's worth confirming not just that a kill switch exists but that it's actually working — some implementations are more reliable than others.
Understanding the Real Threat Model
One reason VPN questions are hard to answer cleanly is that "is a VPN safe" means very different things depending on who's asking and what they're worried about.
For typical privacy-conscious users— people who don't want their ISP building a browsing profile, who want to use public WiFi without worrying, or who simply don't feel their internet activity is anyone else's business — a VPN with a genuine no-logs policy, WireGuard or equivalent encryption, a kill switch, and DNS leak protection addresses their needs effectively. The limitations around account-based tracking and browser fingerprinting don't affect the core protection they're looking for.
For users with higher security needs — journalists, activists, legal professionals, anyone whose browsing activity could have serious consequences if exposed — a VPN is part of a larger privacy practice rather than the whole solution. Browser fingerprint mitigation, compartmentalizing accounts, using privacy-focused browsers, and understanding the limitations of any single tool all become relevant.
For users on public WiFi — this is the use case where a VPN delivers the most immediate, clear-cut protection regardless of other factors. Encrypting traffic on an untrusted shared network is unambiguously useful, and the attack surface it eliminates is real.
Understanding which of these situations applies to you helps you evaluate what a VPN needs to deliver rather than trying to evaluate whether it's "safe" in the abstract.
The Questions to Ask Before Downloading Any VPN
After everything above, these are the specific things worth finding out about any VPN before installing it:
- What protocol does it use? WireGuard is the current standard. OpenVPN is solid. Anything that doesn't disclose this deserves skepticism.
- What does the privacy policy actually say about data collection? Look for specific lists of what is not collected. Vague language about "respecting privacy" is not a no-logs policy.
- How does the provider make money? Premium tiers and advertising within the app are compatible with real privacy. Revenue from user data is not.
- Has it been independently audited? Third-party audits of no-logs claims and infrastructure provide meaningful evidence beyond self-reporting.
- What has happened when it's been put under legal pressure? Providers that have demonstrated they had nothing to hand over under subpoena have the most credible no-logs claims.
- Does it include a kill switch and DNS leak protection? These are essential features, not optional add-ons.
- What permissions does it request? Network access is what a VPN needs. Anything beyond that deserves scrutiny.
- Is it available on official app stores? This reduces but doesn't eliminate malware risk.
Final Thoughts
Three questions, three real answers.
Is using a VPN safe?Yes — when the provider is genuine about its no-logs policy, uses current encryption, and includes the features that make the protection reliable rather than intermittent. The technology is sound. The variable is who you're trusting with it.
Is a free VPN risky? Sometimes significantly, sometimes not at all — and the difference is the business model. A free tier funded by premium subscriptions can be genuinely private. A free VPN that covers its costs by collecting and selling user data is the opposite of a privacy tool. Reading the privacy policy and understanding how the provider makes money takes five minutes and tells you almost everything you need to know.
Can a VPN be tracked?In limited ways, yes. Your ISP can see you're using one. Account-based services still know who you are. Browser fingerprinting still works. But for the things a VPN is actually designed to protect — encrypting traffic on shared networks, masking your IP from the services you connect to, keeping your browsing private from your internet provider — a well-built VPN does exactly what it says.
A VPN is a specific tool with specific strengths and specific limits. Understanding both makes you a better judge of which VPN to trust and what to realistically expect from it.
VPN Safety Across Different Devices
The same VPN provider behaves somewhat differently across device types, and understanding these differences helps you use whatever you've installed more effectively.
VPNs on Android
Android is the most open of the major mobile platforms, which creates both advantages and risks in the VPN context. The advantage is that Android allows VPN apps deep system-level access, meaning a well-implemented VPN on Android can encrypt all traffic from all apps on the device — not just browser traffic. The risk is that the same openness means third-party app stores and sideloaded APKs are common, and some of these contain VPN apps that are not what they appear to be.
- Always install VPN apps from Google Play rather than third-party sources. Google's review process isn't perfect, but it provides meaningful filtering that independent APK sites don't.
- Check whether the VPN app uses Android's VpnService API — this is the legitimate system interface for VPN apps. Apps that implement VPN functionality through other means may be doing something other than what's described.
- Android's "Always-on VPN" setting, available in network settings, can force all traffic through the VPN at the system level regardless of which app is running. Combined with a kill switch at the app level, this provides strong coverage.
- Battery and performance are real considerations on Android. WireGuard is significantly more efficient than older protocols on mobile hardware, which is one reason it's become the standard for mobile VPN apps.
VPNs on iOS
iOS is a more locked-down platform than Android, which has privacy implications in both directions. Apple's app review process is stricter, which reduces (though doesn't eliminate) the risk of malicious VPN apps in the App Store. On the other hand, iOS's sandboxing model means VPN apps operate within tighter constraints.
One iOS-specific consideration: Apple's iCloud Private Relay is sometimes confused with a VPN. It's not a VPN. Private Relay encrypts Safari traffic and routes it through two relays to mask your IP from websites, but it only applies to Safari and doesn't cover in-app traffic or other browsers. It's a useful privacy feature for iCloud+ subscribers but not a replacement for a full VPN.
iOS also has a persistent VPN limitation worth knowing: iOS can terminate background VPN connections to preserve battery life, particularly when the device is in a low-power state. A VPN with a well-implemented kill switch handles this by blocking traffic when the VPN isn't active rather than falling back to an unencrypted connection.
VPNs on Desktop
On desktop — Windows, macOS, Linux — VPNs generally work more reliably and with more flexibility than on mobile, simply because the power and connection stability constraints are less severe. Desktop VPN clients typically offer more configuration options, more reliable kill switches, and better performance under sustained load.
One desktop-specific consideration: split tunneling, a feature offered by some VPN apps, lets you route some traffic through the VPN while leaving other traffic on your regular connection. This is useful if you want to VPN your browser traffic while keeping local network access (printers, network drives) available. It requires careful configuration to avoid accidentally routing sensitive traffic outside the tunnel.
The Regulatory Context: What Governments Know About Your VPN Use
One area that gets less attention than it deserves is the regulatory environment that VPN providers operate in — because this affects what protections are actually available to you regardless of what the privacy policy says.
Data Retention Laws
Many countries have data retention laws that require internet service providers and telecommunications companies to retain records of user activity for specified periods. VPN providers that operate servers in these countries may be subject to these requirements, depending on how local law defines "telecommunications provider."
Some VPN providers have responded to problematic data retention environments by removing physical servers from those jurisdictions entirely, offering virtual servers that appear to be in a given country but are physically hosted elsewhere. Others have moved to RAM-only servers — infrastructure where data is stored in volatile memory that's wiped every time the server restarts, making retention of historical data technically impossible. These approaches vary in effectiveness and honesty; a RAM-only server is a meaningful technical commitment, while a virtual server simply moves which government's laws apply.
Legal Requests and Compelled Disclosure
Even providers committed to no-logs policies operate within legal systems that can compel disclosure. A court order, national security letter, or equivalent legal instrument can require a provider to begin collecting data about specific users going forward — even if historical data doesn't exist. Providers operating under the laws of countries with strong rule-of-law protection typically cannot be compelled to log data without a court order, and can often notify users or challenge such orders.
Providers operating under authoritarian legal systems may have fewer options. Jurisdiction — where the provider is incorporated and where its key personnel and infrastructure are located — remains relevant for this reason, even though it's not a complete answer.
The Transparency Report as a Signal
Some providers publish regular transparency reports detailing the number of legal requests received, the types of requests, and the provider's responses. A history of reporting zero data provided — because no responsive data existed — is meaningful evidence that the no-logs infrastructure is functioning as described. The absence of a transparency report isn't automatically disqualifying, but its presence is a positive signal.
Why the VPN Market Is Confusing (And How to Cut Through It)
One reason people struggle to evaluate VPNs is that the market is genuinely confusing — saturated with providers making nearly identical claims, flooded with review sites that are compensated based on which products they recommend, and full of marketing language that sounds specific but isn't.
Review Sites and Affiliate Economics
A significant portion of VPN review sites operate on affiliate models — they earn commissions when readers click through and purchase a VPN. This creates structural incentives to rank providers that offer larger commissions, frame reviews around what makes a product sound good rather than what makes it genuinely good, and avoid recommending free options that generate no commission.
This doesn't mean all VPN reviews are compromised, but it means the source of a recommendation matters. Reviews from security researchers, independent journalists who cover privacy, and academic security institutions tend to reflect different incentives than reviews from sites whose primary revenue comes from VPN affiliate commissions.
Marketing Language to Discount
A few phrases appear constantly in VPN marketing and mean very little:
- "Military-grade encryption" — this phrase has no technical definition. It's applied to everything from genuinely strong encryption to products that are much weaker. What matters is the specific algorithm and implementation, not the adjective.
- "No logs" (without specifics) — as discussed above, this has become a marketing claim as much as a technical commitment. The privacy policy is what matters.
- "Fastest VPN" — speed depends on server proximity, current server load, your own connection, and what you're doing. No single VPN is fastest in all situations. Speed comparisons are context-dependent and change over time.
- "Most secure VPN" — security is multi-dimensional. A VPN can use strong encryption while having a poor no-logs policy. A provider can have excellent infrastructure security while being subject to problematic data retention laws. "Most secure" without specifying what dimension is being compared is meaningless.
The Signals That Actually Correlate With Quality
Across the noise, a few signals have consistently correlated with VPN providers that are actually doing what they claim:
Specific, detailed privacy policies that name what is not collected. Independent security audits with published results. A business model that makes sense without relying on user data. Transparency reports with historical track records. A reputation within the security research community as opposed to just consumer review sites. Technical choices — protocol disclosure, RAM-only servers, independently verifiable architecture decisions — that demonstrate commitment to privacy rather than just claiming it.
None of these guarantees anything. But they're the signals worth seeking when the marketing language from every provider sounds essentially the same.
Making a Decision
If you've read this far, you have everything you need to make a well-informed decision about any specific VPN — free or paid.
The framework is simple:
- Start with the privacy policy. Read the actual document, look for specific commitments about what data is not retained, and verify that what the policy says is compatible with the provider's business model.
- Check the technical basics. What protocol? What encryption? Kill switch? DNS leak protection?
- Understand the business model. Free plus premium tier works. Data sales don't. When in doubt, follow the money.
- Look for external validation. Independent audits, track record under legal pressure, transparency reports. Not because self-reported claims are always false, but because external validation provides evidence that self-reporting can't.
- Consider your specific use case. Public WiFi security, ISP privacy, IP masking, gaming latency — the features that matter most vary depending on why you're using a VPN.
The result of this process is a confident, informed choice rather than a guess based on app store star ratings or a recommendation from a review site that's paid to make recommendations.
A VPN is a useful tool. Like any tool, it works when you choose the right one for the job and understand what it actually does.