You Don't Need A VPN
How the VPN industry uses marketing and fear to sell unnecessary subscriptions to millions, and what actually protects your privacy online.
If you've consumed any tech content in the last five years, you've heard the pitch. Every YouTube creator you watch, every podcast you listen to seems to suddenly care deeply about your online privacy. The script is always the same: "Hackers are lurking on your Wi-Fi," "Your ISP is selling your data," "Protect yourself with [VPN Name]."
The transition is seamless. One moment your favorite creator is discussing a technical topic, the next they're telling you that NordVPN, ExpressVPN, Surfshark, CyberGhost, or Private Internet Access (some combination of these brands) is absolutely essential for your security. They make their case, drop a promo code, and slide right back into the content.
Most of it is fearmongering designed to extract $10-15 from your wallet every month.
The Industry That Sells Fear
VPN companies have built a multi-billion dollar industry on exaggerated risks and outdated security assumptions. They operate in jurisdictions like Panama and the British Virgin Islands with minimal consumer protections. The barrier to entry is low. Set up a few servers, resell bandwidth with a markup, make big promises, and watch the money roll in from affiliate commissions.
These companies spend millions on marketing because their actual value proposition is questionable. If VPNs were genuinely as essential as they claim, they wouldn't need to sponsor every tech creator on the platform. You don't see security experts at major tech companies doing YouTube sponsorships for two-factor authentication apps, because people understand why they need those.
According to the Open Technology Fund's 2025 VPN Transparency Report, many VPN providers obscure their true ownership through complex corporate structures, operate sketchy practices around data collection, and in some cases, are directly controlled by state actors. Yet they continue to receive millions of downloads because the marketing is so effective.
The Problem That Doesn't Exist: Public Wi-Fi
The cornerstone of every VPN marketing campaign is public Wi-Fi danger. "You're at a coffee shop. A hacker is nearby. They intercept your banking password. Your life is ruined." The imagery is compelling. The narrative is terrifying.
The problem: this scenario is essentially extinct.
Over 95% of web traffic is now encrypted with HTTPS. That little lock icon in your browser? It means your connection is encrypted end-to-end, whether you're on your home Wi-Fi, a coffee shop's network, or an airport's public hotspot. The hacker sitting next to you can see that you're visiting a website, but they can't see your login credentials, messages, or the content you're viewing.
This transformation happened largely because of Let's Encrypt, a nonprofit that started offering free HTTPS certificates in 2015. Before that, SSL/TLS certificates cost hundreds of dollars per year, creating a financial barrier for small websites. Today, over 90% of web pages loaded in Firefox use HTTPS (according to Mozilla telemetry data), and similar rates are seen in Chrome. Google prioritizes HTTPS sites in search rankings. Modern browsers display frightening warnings when you visit unencrypted sites.
When you check your bank account, send an encrypted message, or access your email on public Wi-Fi, that data is already protected by the same strong encryption that would protect it on your home network. A VPN adds another layer of encryption, but it's redundant for the activities that actually matter.
The ISP Snooping Narrative: Trading Devils
VPN companies love to claim that your ISP is spying on you and selling your browsing history to the highest bidder. This isn't entirely false. ISPs can see which domains you visit through DNS queries. But the solution VPN providers offer introduces an equally problematic dynamic.
When you use a VPN, you're moving your trust from your ISP to your VPN provider. Everything your ISP could theoretically see (your visited domains, your connection patterns, your metadata), your VPN provider can see even more clearly. They can see every byte that passes through their servers.
But here's what the marketing won't tell you: VPN providers have been caught lying about their logging practices. HideMyAss famously claimed not to log user data, then handed over user information that led to arrests. PureVPN has admitted to cooperating with law enforcement. TorGuard has been implicated in copyright enforcement. Yet they all continue operating and collecting new customers.
Here's the uncomfortable truth. Your $10/month subscription doesn't fund a team of lawyers willing to protect you from government pressure. If law enforcement or intelligence agencies knock on your VPN provider's door with a subpoena, the company will cooperate. Your "privacy" is only as strong as the company's willingness to go to court, and most VPN startups can't afford lawyers for a sustained legal battle.
Even if a VPN claims they don't log your data, there's no way for you to verify this claim from the outside. You can't audit their servers. You can't inspect their infrastructure. A malicious VPN provider would make the exact same promises as an honest one. This fundamental problem (the impossibility of independent verification) means that trusting a VPN's "no-logging policy" is ultimately an act of faith, not security.
Some VPN providers have been caught using sketchy security practices. Certain services install self-signed root certificates on your device, which allows them to intercept and decrypt your HTTPS traffic. They're literally doing the thing they claim to protect you from.
The Real Privacy Gap: DNS and How to Fix It (Without a VPN)
VPN companies aren't entirely wrong about one thing: DNS privacy is a legitimate privacy concern. When you type a website address into your browser, your device queries a DNS server asking, "What's the IP address for this domain?" Traditionally, these requests were sent in plain text, meaning your ISP could log every domain you visited.
But you don't need a VPN to solve this problem. Modern encryption technologies have made VPNs obsolete for this specific use case.
DNS over HTTPS (DoH)
Your browser can now encrypt DNS requests and send them through HTTPS, just like regular web traffic. This is the default in Firefox and can be enabled in Chrome, Edge, and Brave. It's completely free and requires zero configuration beyond flipping a browser setting. Your ISP can no longer read your DNS queries to see which domains you're looking up.
DNS over TLS (DoT)
Similar to DoH but uses a different protocol. It's supported by most modern operating systems and routers.
Encrypted Client Hello (ECH)
A newer technology that encrypts even more information about your TLS connections. It hides which specific website you're visiting from network observers by encrypting the SNI (Server Name Indication) data, which otherwise travels in cleartext at the start of every TLS connection. This is gradually being deployed across the web.
Setup guides coming soon on our guides page. In the meantime, encrypted DNS services like Cloudflare's 1.1.1.1 and Google's DNS provide free encrypted DNS queries. These solutions accomplish what VPNs claim to do for DNS without requiring you to route all your traffic through a third party.
IP Addresses Don't Matter Anymore
VPN marketing loves to emphasize how they "hide your IP address" from trackers and advertisers. This sells the illusion of anonymity. It also happens to be increasingly irrelevant.
Modern tracking systems have moved far beyond IP addresses. Advertisers use browser fingerprinting. They analyze your user agent, installed fonts, screen resolution, timezone, browser extensions, and even how you move your mouse. Google's advertising network can correlate your browsing across millions of sites without seeing your IP address. Facebook tracks you regardless of your IP.
With CGNAT (Carrier-Grade Network Address Translation) becoming more common, multiple devices share the same IP address anyway. IP-based targeting is unreliable. Marketing companies know this, which is why they stopped relying on it years ago.
You can hide your IP through a VPN while advertisers still track you perfectly using cross-site cookies, advertising IDs, and sophisticated fingerprinting. It's like changing your jacket while keeping your name tag visible.
Free VPNs: The Worst Option
If paid VPNs are problematic, free VPNs are actively dangerous.
A free service has to make money somehow. If you're not paying, you're either the product or the bandwidth is being monetized. Free VPN providers have been caught:
- Selling user data to advertisers
- Injecting malware and adware
- Collecting location data despite claiming not to
- Using outdated or broken encryption protocols
- Renting server capacity to other services
The Open Technology Fund's comprehensive study found that apps like Turbo VPN, VPN Proxy Master, and 3X VPN, each with over 100 million downloads, contained critical security flaws. Some used cryptographic protocols not designed for confidentiality. Hard-coded passwords in the apps allowed attackers to decrypt all user traffic.
The study concluded that millions of users believe they're protected by services that actually compromise their security. If you absolutely must use a VPN, paid services with reputational incentives are marginally better than free ones.
When a VPN Actually Makes Sense
For all the criticism, VPNs aren't useless. They're just vastly overmarketed to people who don't need them. There are legitimate use cases. They're just not "I watched a YouTube video and got scared."
Government Censorship and Internet Blocking
This is the strongest legitimate use case. In countries like China, Russia, Iran, and North Korea, governments actively censor the internet. China's "Great Firewall" blocks Google, Facebook, Wikipedia, news organizations, and thousands of other sites. Russia has dramatically escalated censorship, especially since 2022.
After Russia's invasion of Ukraine in 2022, VPN downloads in Russia surged as citizens sought to bypass government blocks and access independent news. In Turkey and Iran, VPN usage spikes during periods of political unrest. These are genuine scenarios where a VPN provides meaningful protection.
Even here, the technology is increasingly compromised. China aggressively blocks VPN services. Russia has banned many VPNs and requires those operating legally to connect to government censorship systems. The VPN that works today might be blocked next week.
If you're in a country with heavy censorship, you need a specialized VPN with strong obfuscation technology, not a cheap consumer service.
Streaming Services and Geo-Restrictions
The classic pitch: "Watch Netflix from any country!" This used to work. It no longer reliably does.
Netflix actively blocks VPN users and will display an error message if one is detected. BBC iPlayer is even more aggressive. They've blocked entire data center IP ranges. HBO Max blocks VPNs. Disney+ blocks VPNs.
Some premium VPN services still work, but it's a constant arms race. The service that worked last month might be blocked today. Streaming providers are winning this battle because they have much stronger financial incentives than VPN providers. They make billions enforcing licenses.
Also note: Bypassing geo-restrictions violates the terms of service of every streaming platform. The content isn't licensed for your region for legal reasons. While streaming services usually won't ban your account, they can.
If circumventing geo-restrictions is your goal and you understand these limitations, a VPN is probably the most straightforward solution. Just recognize what you're doing and accept the impermanence of the workaround.
Corporate and Remote Access
VPNs were originally designed for this purpose: securely connecting to corporate networks remotely. If your employer requires a VPN to access internal systems, you should use it, but you should be using the company's VPN, not a consumer service.
High-Risk Individuals
Journalists, activists, whistleblowers, and others with elevated threat models (people actually targeted by sophisticated adversaries) may benefit from VPNs as part of a comprehensive security strategy. But if you're in this category, you shouldn't be taking security advice from YouTube sponsorships. You need expert guidance from organizations like Freedom of the Press Foundation or Committee to Protect Journalists.
Torrenting and P2P Applications
If you download copyrighted material, your ISP can see this activity and may send you angry letters. A VPN can prevent your ISP from seeing torrenting. We don't endorse piracy, but this is a real use case for some people.
Avoiding Targeted Price Discrimination
Some services charge different prices based on location. A VPN can help you see if you're being charged a premium. This is probably the most consumer-friendly legitimate use case for average people.
What Actually Protects Your Privacy Online
Instead of spending $120-180 per year on a VPN you probably don't need, focus on security measures that actually matter:
Use a Password Manager
Use strong, unique passwords everywhere and enable two-factor authentication. This single step prevents more security breaches than any VPN ever could. Recommendations: Bitwarden, 1Password, or KeePassXC.
Keep Your Software Updated
Most security breaches exploit known vulnerabilities in outdated software. Keep your OS, browser, and applications current. This is more important than any VPN.
Use a Privacy-Focused Browser
Firefox with Enhanced Tracking Protection or Brave offer better privacy than standard browsers. Neither requires a subscription.
Install an Ad Blocker
uBlock Origin is free and effective. Online advertising is a massive privacy and security risk. The NSA and CIA use ad blockers because online advertising poses such a serious security threat.
Use Encrypted DNS
Enable DNS over HTTPS in your browser or operating system. Cloudflare 1.1.1.1 and Google Public DNS provide free encrypted DNS with setup guides. This solves the DNS privacy issue that VPNs claim to address without routing all your traffic through a third party.
Review Browser Privacy Settings
Modern browsers let you block third-party cookies, prevent fingerprinting, enable HTTPS-only mode, and more. These settings cost nothing and provide meaningful privacy improvements.
Consider Tor Browser for Strong Anonymity
If you need strong anonymity for legitimate reasons, Tor Browser is a free option. It's significantly slower than regular browsing and designed for anonymity rather than general use, so it's not for everyone. But it's a legitimate tool if you have specific privacy needs.
These steps will protect your privacy far more effectively than any VPN subscription. And they're all free or cost significantly less.
The Uncomfortable Questions VPN Marketing Avoids
Before you subscribe to any VPN service, ask yourself these questions. If you can't answer them honestly, you probably don't need a VPN:
- What specific threat am I protecting against? Vague fears about "hackers" don't count. Do you have a concrete security concern?
- Do I trust this VPN provider more than my ISP? Can I verify their no-logging claims? Have they been independently audited?
- Is this the best solution for my specific problem? For DNS privacy, there are encrypted DNS services. For anonymity, there's Tor. For censorship evasion, you need specialized obfuscation.
- Am I paying for security theater? Or am I actually solving a real problem that affects me?
The Bottom Line
The internet in 2025 is fundamentally different from the internet of 2010. HTTPS is ubiquitous. DNS can be encrypted without a VPN. Browsers have sophisticated built-in protections. The scariest threats aren't the ones VPNs protect against. They're data breaches, weak passwords, outdated software, and social engineering attacks.
VPNs are a tool with specific use cases. They're not a magic security blanket that makes you "safe" online. The VPN industry thrives on misunderstanding how modern internet security actually works. They've convinced millions of people that the internet is more dangerous than it is, and that their particular solution is the remedy.
Don't let marketing convince you that you're unsafe without their product. Don't assume that because your favorite YouTuber recommends a service, it's actually useful for you. And definitely don't pay $15 per month for peace of mind that free browser settings and common sense already provide.
Ask yourself: Why do these companies need to pay millions in sponsorships to convince people to use them? If a VPN were genuinely essential for security, you wouldn't need a promotional code to care about it.
"If you have to ask whether you need a VPN, you probably don't. And that's okay."