VPN Myths vs. Reality: What a VPN Actually Protects
VPNs hide your traffic from your ISP — not from your VPN provider, not from Google. Here's exactly what a VPN does and does not protect.
VPNs are one of the most heavily marketed privacy products on the internet, and one of the most widely misunderstood. The gap between what VPN advertising claims and what VPN technology actually does is significant. This article explains the mechanics honestly — what a VPN genuinely helps with, where it falls short, and what to use instead for the threats a VPN cannot address.
Myth 1: "A VPN makes you anonymous"
A VPN replaces your IP address as seen by websites with the IP address of the VPN server. This is a meaningful privacy improvement for some purposes — it prevents websites from directly identifying your ISP and approximate location. But it does not make you anonymous.
The VPN provider now sees all of your traffic. You have shifted trust from your ISP to the VPN operator. If the VPN provider keeps logs — regardless of what their marketing says — they can identify you. If they don't keep logs but can be compelled by courts to start doing so, future traffic can be captured. Your real IP address is known to the VPN provider, and that relationship exists in their billing records even if traffic logs don't.
Meanwhile, your ISP knows you are using a VPN, even if they cannot see what you are doing through it. A VPN connection is detectable by its traffic patterns, the port it uses, and the destination IP. This is not necessarily a problem, but "my ISP can't see me" is not the same as "no one can see me."
Myth 2: "VPNs protect against hackers"
VPNs encrypt traffic between your device and the VPN server. This is useful on untrusted networks — coffee shop Wi-Fi, hotel networks, conference networks — where someone on the same network could otherwise intercept unencrypted traffic or conduct man-in-the-middle attacks.
What it does not do: protect against malware already on your device, protect against phishing, protect against attacks on services you connect to (the traffic is decrypted at the VPN server and then travels in the clear to its destination unless the destination also uses HTTPS), or protect against any attack that doesn't involve intercepting your network traffic.
If you have malware installed on your device, it can exfiltrate data directly before it ever reaches the VPN tunnel. A VPN offers no protection in this scenario.
Myth 3: "No-log VPNs are provably private"
"No-log" is a policy claim, not a technical guarantee. A provider's claim that it keeps no logs cannot be verified in real time — you are trusting their word and, in the better cases, the results of a third-party audit. Audits are point-in-time snapshots; they verify that logging was not occurring at the time of the audit, not that it never will be.
Several VPN providers that marketed themselves as no-log have been shown to have logs when compelled by law enforcement — either because the claim was false or because their infrastructure allowed reconstruction of activity without traditional logs. The no-log claim is a useful signal, but it is not a cryptographic guarantee. Treat it as one factor among several, not as proof of privacy.
Myth 4: "A VPN hides you from Google and Facebook"
If you are logged into a Google account, Google knows who you are regardless of your IP address. The same applies to any service where you are authenticated. Browser fingerprinting — which uses your browser version, fonts, screen resolution, plugin list, and dozens of other signals — can identify you with high accuracy across different IP addresses and even across different sessions.
Cookies, if not properly managed, persist across VPN connections. Third-party tracking scripts (present on the majority of websites) correlate your behaviour across sites regardless of IP. A VPN does nothing to address any of these mechanisms. Protecting yourself from pervasive tracking by large platforms requires a different toolkit: a privacy-hardened browser, aggressive cookie management, and in serious cases, a de-Googled phone.
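Why changing IP address does not unlink sessions, as an added example that is not part of the original article: sessions are clustered by browser fingerprint or cookie, and the IP address is never consulted. The function names, the sample signal values and the use of FNV-1a as the hash are assumptions made for the illustration.

```javascript
// Added example with constructed data; not code from any real tracker.
// FNV-1a (32-bit) is a stand-in hash chosen so the block needs no imports.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Canonicalise the signals the article names (order-independent), then hash.
function fingerprint(s) {
  const sorted = (a) => [...a].sort().join(",");
  return fnv1a([s.browserVersion, sorted(s.fonts), s.screen, sorted(s.plugins)].join("|"));
}

// Union-find clustering: two sessions join the same cluster when they share
// a fingerprint or a cookie. Returns one cluster id per session.
function linkSessions(sessions) {
  const parent = sessions.map((_, i) => i);
  const find = (i) => (parent[i] === i ? i : (parent[i] = find(parent[i])));
  const seen = new Map();
  sessions.forEach((s, i) => {
    const keys = ["fp:" + fingerprint(s.signals)];
    if (s.cookie) keys.push("ck:" + s.cookie);
    for (const k of keys) {
      if (seen.has(k)) parent[find(i)] = find(seen.get(k));
      else seen.set(k, i);
    }
  });
  return sessions.map((_, i) => find(i));
}

const laptop = { browserVersion: "Firefox 128", fonts: ["Arial", "Noto Sans"], screen: "2560x1440", plugins: ["pdf-viewer"] };
const laptopNewFont = { ...laptop, fonts: [...laptop.fonts, "Fira Code"] };
const other = { browserVersion: "Chrome 126", fonts: ["Arial"], screen: "1920x1080", plugins: [] };

// Constructed sessions; IPs come from the RFC 5737 documentation ranges.
const sessions = [
  { ip: "198.51.100.7", cookie: "abc123", signals: laptop },        // home ISP, no VPN
  { ip: "203.0.113.50", cookie: null,     signals: laptop },        // VPN exit, cookies cleared
  { ip: "203.0.113.50", cookie: null,     signals: other },         // another user, same VPN exit
  { ip: "192.0.2.9",    cookie: "abc123", signals: laptopNewFont }, // new exit, cookie kept
];

console.log(linkSessions(sessions));
```

Sessions 0, 1 and 3 land in one cluster despite three different IP addresses, while session 2 stays separate even though it shares a VPN exit IP with session 1.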
Myth 5: "Free VPNs are fine"
Operating a VPN network at scale has real costs: servers, bandwidth, staff, legal compliance. A free VPN must cover these costs somehow. In many documented cases, the mechanism is data collection and sale — your browsing activity is exactly what some free VPN operators are selling to advertisers and data brokers. This is a direct inversion of the product's stated purpose.
A number of free VPN apps have been identified as outright malware: they install themselves, collect data including keystrokes and banking information, and forward it to third parties. Several were removed from app stores after investigation. The cost of a reputable paid VPN is low enough that using a free alternative to save that money is a poor trade for most threat models.
What VPNs genuinely help with
Despite the above, VPNs are genuinely useful for specific purposes:
- ISP traffic analysis: Your ISP cannot see which services you are using, only that you are using a VPN. This prevents ISP-level data collection and sale of your browsing behaviour.
- Untrusted Wi-Fi: Encrypting your traffic on a network you don't control prevents local network interception.
- Geo-restriction bypass: Accessing content or services that are region-locked is a legitimate and widely used function.
- CGNAT and port forwarding: For users on carrier-grade NAT, a VPN with port forwarding can enable services that wouldn't otherwise work.
Router-level VPN: why it matters
Installing a VPN app on a single device protects only that device. Every other device on your network — smart TVs, IoT devices, consoles, work laptops without VPN configured — connects unprotected. Running a VPN at the router level routes all traffic from all devices through the tunnel with a single configuration. This is particularly valuable for devices that cannot run VPN apps at all.
For anonymity rather than just traffic encryption, Tor provides stronger guarantees than any VPN — at the cost of speed. For tracking protection, a de-Googled phone addresses the surveillance infrastructure that no VPN can touch. A VPN is one layer in a privacy stack, not a complete solution on its own.
For comprehensive network-level VPN that protects every device in your home, see Norypt encrypted routers. For the device-level protection that addresses what VPNs cannot, Norypt GrapheneOS phones remove the tracking infrastructure at the OS level.
