What a VPN actually does technically
When you browse without a VPN, your data travels directly from your device, through your internet service provider (ISP), to the website you're visiting. Your ISP can see every domain you visit. The website sees your real IP address. Ad networks, trackers and nosy network operators on public Wi-Fi can all listen in.
A VPN inserts an encrypted tunnel between your device and a VPN server. All your traffic is encrypted and sent to that server, which then forwards it in its own name.
The result: your ISP only sees that you're connected to a VPN server — not which websites you visit. The website sees the VPN server's IP address, not yours. The catch: the VPN provider itself sees everything. You are shifting your trust from your ISP to the VPN provider.
A VPN does not make your traffic invisible. It shifts the question "who can see my traffic?" from your internet provider to your VPN provider. That is why choosing the right VPN provider is the single most important decision.
What VPN adverts promise — and what's true
A VPN hides your IP address from websites. But websites also identify you via cookies, logged-in accounts (Google, Facebook), browser fingerprinting and behaviour patterns. Anyone logged into Google whilst using a VPN is still fully identifiable to Google. True anonymity online requires considerably more than a VPN.
A VPN encrypts the connection between your device and the VPN server. It does not scan files, detect malware or protect against phishing attacks — that's what antivirus software is for. Some VPN providers offer DNS-based malware blocking as an add-on, but it's not a comprehensive replacement.
A VPN protects your network traffic. It does not protect against surveillance on your own device (e.g. spyware), surveillance at the destination website, intelligence agencies targeting the VPN provider directly, or metadata analysis (when you're online, for how long, how much traffic).
This holds true for unencrypted connections (HTTP). But modern websites use HTTPS almost exclusively — your traffic is already protected by TLS encryption before a VPN even comes into play. A VPN on public Wi-Fi is still worthwhile though: it prevents DNS leaks, hides which domains you visit, and protects against certain network-level attacks.
Correct. Without a VPN, your internet provider can see exactly which domains you visit and when. With a VPN, it only sees that you're connected to a VPN server. In many countries, ISPs are required to hand over traffic data to authorities on request. A VPN with a foreign jurisdiction makes that considerably more complicated.
Yes. By connecting to a VPN server in another country, streaming services, news sites and other websites see an IP address from that country. This enables access to geo-restricted content. Streaming services actively try to block known VPN IPs — not all VPNs work reliably with Netflix, Disney+ etc.
When a VPN makes sense
Public Wi-Fi — airports, hotels, cafés. Even with HTTPS widespread: a VPN prevents DNS leaks and network-level attacks.
Avoiding ISP tracking — in many countries, ISPs can be compelled to hand over traffic data. A VPN with a no-log policy and foreign jurisdiction makes that considerably harder.
Bypassing geo-blocking — accessing content that isn't available in your country.
Protection from mass surveillance — if you don't want your browsing systematically recorded and analysed, a VPN can minimise the data your ISP holds.
Travelling in countries with internet censorship — Iran, Russia, UAE etc. A VPN with obfuscation (disguised connection) can be critical here.
If you're logged in everywhere — Google, Facebook and other platforms identify you via your account, not your IP. A VPN changes nothing about that.
As a replacement for antivirus software — a VPN does not protect against malware, viruses or phishing.
If you don't trust the provider — a cheap or free VPN that sells your data is worse than no VPN at all. Trust in the provider is everything.
No-log, audits and jurisdiction — what does it mean?
No-log policy
Almost every VPN provider claims to keep no logs. This means they don't record which websites you visited or when. What matters is exactly what isn't stored. There's a hierarchy:
- Traffic logs — what you browse. Reputable providers never store these.
- Connection logs — when you were connected, for how long, to which server. Some providers store this briefly for technical purposes.
- Account data — email address, payment method. All providers that require an account store this. The only exception: providers like Mullvad and IVPN that work without an email account.
Independent audits
A no-log claim is only as valuable as the verification behind it. Reputable providers have their infrastructure regularly audited by independent security firms — for example Cure53Cure53 is an independent German IT security firm that has conducted penetration tests and code audits for companies worldwide since 2007. They are considered one of the most respected providers in VPN auditing., Deloitte, or Assured. An audit checks whether the servers are actually configured such that no logs can be created. Important: audits are snapshots in time. A 2022 audit says nothing about what's happening today. Current, annual audits are the minimum requirement.
Jurisdiction
The country where a VPN provider is based determines which laws it is subject to. Two key questions: does that country have mandatory data retention laws for VPN providers? And is the country a member of an intelligence-sharing alliance that exchanges data internationally?
RAM-only servers
Modern privacy-focused VPNs run their servers exclusively in RAM, without a physical hard drive. When the server restarts, everything is wiped — there is literally nothing to hand over, even if a server is physically seized. Mullvad proved this in practice in 2023, when a police raid produced no results. (Source: TechRadar)
5/9/14-Eyes explained
Following the Snowden revelations in 2013, it became known that several Western states maintain a formal agreement for mutual intelligence cooperation. This means: if one state wants data about you, it can ask an ally with less strict data protection laws — or exchange data directly. Relevant for VPN users because a VPN in an Eyes country may under certain circumstances be obliged to cooperate with foreign intelligence services. Source: Our detailed 5/9/14-Eyes article
A VPN provider based in Switzerland, Panama or Gibraltar is not subject to any Eyes-alliance obligation to share data. That doesn't make government cooperation impossible, but considerably more cumbersome. Mullvad (Sweden, 14-Eyes) has demonstrated that good technical infrastructure can still protect users even in an Eyes country — if there is simply no data available to hand over.
How many people use VPNs?
At the same time, the VPN market is a textbook example of opaque marketing: many of the most-used services belong to the same two or three conglomerates, and the review portals recommending them earn a commission on every sale.
9 providers, all the facts — data disclosure history, jurisdiction, audits, ownership and pricing. With a clear editorial verdict. No affiliate links.
→ View the 2026 VPN comparison