I've been watching the VPN industry lie to consumers for over a decade, and I'm done being polite about it. Every YouTube sponsor segment, every podcast ad, every banner screaming "PROTECT YOUR PRIVACY" is selling you a fraction of the truth at premium markup. The average American now spends $120/year on a VPN they barely understand, based on a threat model that doesn't apply to 90% of users.

Let me be direct: a VPN is a tunnel, not a fortress. It encrypts the data traveling between your device and the VPN server. That's it. That's the entire product. Everything else — the "anonymous browsing," the "military-grade encryption," the "no-log promises" — is marketing copy designed to make you feel safer than you actually are.

The Three Things a VPN Actually Does

First, it hides your IP address from the websites you visit. Instead of your ISP's IP, sites see the VPN server's IP. This is real, and it's useful — if you're on public WiFi at a coffee shop, airport, or hotel. Without a VPN on public networks, anyone with basic packet-sniffing software can see what sites you're visiting. A VPN stops that. That alone is worth the price for frequent travelers.

Second, it prevents your ISP from seeing which specific sites you visit. They can still see you're connected to a VPN, but the actual URLs and services are hidden. This matters if you don't trust your ISP with your browsing history — and you shouldn't, since major ISPs like Comcast, AT&T, and Verizon have all been caught selling customer browsing data.

"

A VPN is a tunnel, not a fortress. It encrypts data in transit. It does not make you anonymous, it does not protect your passwords, and it absolutely does not make you "safe online."

Third, it lets you appear to be in a different geographic location. Want to watch a show only available in another country's streaming library? VPN. Need to access a service blocked in your region? VPN. This is the most honest use case in the entire industry, and ironically, it's the one they advertise the least.

That's the complete list. Three things. Everything else is either a secondary benefit, a half-truth, or an outright fabrication.

The Five Things a VPN Absolutely Does Not Do

A VPN does not make you anonymous. I'll say it again for the people in the back: a VPN does not make you anonymous. Your VPN provider can see every site you visit. You've simply moved your trust from your ISP to a company headquartered in a jurisdiction you've never researched. If that company keeps logs — and many do despite claiming otherwise — your browsing history is sitting on a server somewhere, one subpoena or hack away from exposure.

A VPN does not protect your passwords. It doesn't stop phishing emails. It doesn't prevent you from using "password123" on your bank account. It doesn't enable two-factor authentication. The vast majority of account compromises happen through credential stuffing, social engineering, and password reuse — none of which a VPN touches.

"

You've simply moved your trust from your ISP to a company headquartered in a jurisdiction you've never researched. That's not security — that's faith.

A VPN does not block malware or viruses. Some VPNs bundle basic DNS-level ad blocking, but that's not antivirus protection. If you download a malicious file, click a bad link, or install a compromised browser extension, your VPN sits there doing absolutely nothing. The NordVPN "Threat Protection" and Surfshark "CleanWeb" features are nice additions, but they're not replacements for actual endpoint security.

A VPN does not stop data brokers from selling your information. Your name, address, phone number, email, and purchase history are already on hundreds of data broker sites. A VPN hides your IP — it doesn't erase the terabytes of personal data already collected about you through apps, loyalty programs, credit card transactions, and public records.

A VPN does not protect you on social media. Facebook, Instagram, TikTok, and Google track you through account logins, device fingerprinting, cookies, and pixel tags. A VPN changes your IP address. These platforms identify you through a dozen other signals. You're still the product.

So What Should You Actually Buy?

After testing VPNs for years and watching this industry evolve, here's my honest assessment: most people should buy Mullvad VPN. It costs €5/month (no discounts, no tricks), accepts cash payments by mail, requires zero personal information to create an account, and has been independently audited multiple times. It's based in Sweden, which has strong privacy laws, and the company has a track record of transparency that makes the rest of the industry look like carnival barkers.

If you need something with more servers and better streaming unblocking, Proton VPN is the second choice. The free tier is genuinely useful — unlimited bandwidth, no ads, no data selling. The paid tier adds more servers and faster speeds. Proton is based in Switzerland, audited open-source, and run by the same team behind Proton Mail. They've earned trust over a decade.

"

Mullvad doesn't want your name, your email, or your credit card. They'll take cash in an envelope. That's how a privacy company should operate.

Avoid NordVPN, ExpressVPN, and Surfshark. Not because they don't work — they function fine as VPNs — but because their marketing is fundamentally dishonest. NordVPN's "military-grade encryption" is the same AES-256 that every reputable VPN uses. ExpressVPN's "TrustedServer technology" is a RAM-only server that still requires you to trust ExpressVPN. Surfshark's "unlimited devices" sounds great until you realize you're paying for a product that makes you feel secure without actually addressing your real vulnerabilities.

The biggest red flag? Any VPN that advertises on YouTube with a "get 83% off" promotion. Legitimate privacy tools don't need influencer partnerships and fake urgency. Mullvad has never offered a discount. That tells you everything.

What You Should Do Instead of Obsessing Over VPNs

If you actually want to protect your digital life, here's where your money and time should go: a password manager (Bitwarden is free and excellent), two-factor authentication on every account that supports it (use an authenticator app, not SMS), and a credit freeze at all three bureaus (free, takes 15 minutes, prevents identity theft more effectively than any VPN ever will).

Those three actions will eliminate roughly 90% of your actual digital risk. A VPN protects against a narrow set of threats — network-level eavesdropping and IP-based tracking — that matter primarily on untrusted networks. Your home WiFi, with a properly configured router, is already doing most of what a VPN provides.

I'm not anti-VPN. I use one every day — Mullvad, specifically. But I use it because I travel frequently, connect to hotel and airport networks regularly, and understand exactly what it does and doesn't do. If you're buying a VPN because you think it makes you "safe online," you've been marketed to, not educated.