Virtual Private Network (VPN) marketing has done an incredible job convincing people that a single subscription makes them anonymous, secure, and untouchable. "Military-grade encryption." "No logs." "Total privacy." The reality is far messier: a VPN is a useful tool for a narrow set of problems, but as a privacy solution it has structural weaknesses that no amount of marketing can fix.
This post walks through the real concerns: logging, jurisdiction, political pressure, ownership, and the fundamental trust problem at the heart of the whole model.
The core problem: you're just moving trust, not removing it
Without a VPN, your Internet Service Provider (ISP) can see which domains you connect to. With a VPN, your ISP sees only encrypted traffic to the VPN server — but now the VPN provider sees everything your ISP used to see. You haven't eliminated the observer. You've swapped one for another.
The question then becomes: do you trust a VPN company — often an opaque business registered in an offshore jurisdiction, owned by a holding company you've never heard of — more than your ISP? Sometimes the answer is genuinely yes (hostile networks, oppressive regimes, snooping ISPs that sell browsing data). But it's a trade-off, not an upgrade to anonymity.
"No logs" is a claim, not a guarantee
Every major VPN advertises a no-logs policy. Here's why that phrase deserves skepticism:
You cannot verify it. The server infrastructure is a black box. You have no way to inspect what a provider's servers actually record. The policy is a promise on a marketing page, enforced by nothing but the company's word.
Audits are snapshots. Some providers commission third-party audits, which is better than nothing. But an audit verifies a configuration at a point in time, on the servers the auditors were shown. It doesn't prove what happens tomorrow, or what happens on a server seized by police, or what a provider does under a gag order.
History is not encouraging. There are documented cases of "no-log" VPNs handing over logs that supposedly didn't exist. PureVPN provided connection logs to the Federal Bureau of Investigation (FBI) in a 2017 cyberstalking case despite advertising a zero-log policy. IPVanish did something similar in 2016, handing subscriber records to Homeland Security. In 2020, seven Hong Kong-based "no-log" VPNs (UFO VPN among them) leaked a shared database containing plaintext passwords and activity logs — logs they claimed not to keep. The pattern repeats often enough that the default assumption should be: logs may exist until proven otherwise, and proof is nearly impossible.
Even "connection metadata" is enough. Providers often draw a line between "activity logs" (what you browsed) and "connection logs" (timestamps, Internet Protocol (IP) addresses, bandwidth). The second category sounds harmless, but timestamps plus source IP addresses are exactly what's needed to correlate a user with an action. Metadata is not a lesser form of data; in investigations, it's frequently the more useful one.
Jurisdiction: laws beat policies, every time
A privacy policy is a document. A court order is a legal obligation. When they conflict, the court order wins.
Where a company is incorporated — and where its servers physically sit — shapes what can be forced out of it:
| Jurisdiction type | Examples | Privacy posture |
|---|---|---|
| Five / Nine / Fourteen Eyes members | United States (US), United Kingdom (UK), Australia | |
| Offshore "privacy havens" | Panama, British Virgin Islands | |
| Mandatory-logging regimes | Russia, India |
Where a company is incorporated matters. A VPN based in a Five Eyes / Nine Eyes / Fourteen Eyes country (the US, UK, Australia, and friends) operates under intelligence-sharing frameworks and can be compelled to cooperate — sometimes with gag orders that legally forbid them from telling you. National security letters in the US come with exactly this kind of silence requirement.
Offshore isn't a magic escape either. Providers in Panama or the British Virgin Islands advertise their jurisdiction as a feature, but their servers live in datacenters all over the world, each subject to local law. A server in a rack in Frankfurt is subject to German law and German police, regardless of where the parent company files its paperwork. Physical server seizures have happened repeatedly — and when they do, whatever is in memory or on disk at that moment is up for grabs.
Some countries compel logging outright. Russia and India, among others, have passed rules requiring VPN providers to retain user data or register with the state. The providers that refuse pull their servers out; the ones that stay are, by definition, logging. If your provider quietly operates servers in a mandatory-logging jurisdiction, their global "no-logs" claim has an asterisk they may not be advertising.
Political pressure and the quiet squeeze
Legal compulsion is only the visible part. There's a softer layer of pressure that never shows up in transparency reports:
- Gag orders mean a provider can be cooperating right now and be legally unable to say so. Warrant canaries (statements like "we have never received a secret order," removed when it stops being true) were invented for this — and their legal reliability is untested and shaky.
- Governments lean on infrastructure, not just companies. Datacenter operators, hosting providers, and network carriers can be pressured or tapped upstream of the VPN itself. Your provider can be perfectly honest and still be transparently observable to a capable adversary sitting at the right vantage point.
- Authoritarian markets create compromises. Providers that want to keep operating in restrictive countries face a choice between compliance and exit. Not all of them choose exit, and their choices aren't always public.
Who actually owns your VPN?
The VPN industry has quietly consolidated. Kape Technologies — a company that earlier in its life (as Crossrider) distributed ad-injection software — now owns ExpressVPN, CyberGhost, Private Internet Access, and ZenMate, plus a portfolio of VPN "review" sites that rank those same products favorably. Many of the top-ten lists you'll find when googling "best VPN" are owned by the companies being ranked.
Beyond consolidation, plenty of providers are shell companies with unclear ownership, sometimes traced to jurisdictions or actors you'd never knowingly hand your traffic to. And the free-VPN tier is worse: running servers costs real money, so free providers monetize the only asset they have — you. Selling bandwidth, injecting ads, or harvesting browsing data isn't a scandal in that segment; it's the business model. Facebook's Onavo VPN, which was explicitly used to surveil users' app activity for competitive intelligence, is the canonical example.
Technical realities the ads skip
Traffic correlation defeats the model. An adversary who can watch traffic entering a VPN server and leaving it (a state agency, or anyone with visibility at internet exchange points) can match flows by timing and volume without breaking any encryption. A single-hop VPN offers essentially no protection against this class of adversary. This is the entire reason Tor (The Onion Router) uses three hops across independently operated relays.
Leaks are common. Domain Name System (DNS) leaks, Internet Protocol version 6 (IPv6) leaks, Web Real-Time Communication (WebRTC) leaks, and traffic escaping during reconnection windows can expose your real IP address even with the VPN "on." Kill switches help but are themselves software that can fail.
You are not anonymous to the sites you use. Browser fingerprinting, cookies, and logged-in accounts identify you regardless of your IP address. Logging into Google over a VPN tells Google exactly who you are; the VPN changed nothing about that.
Most of the web is already encrypted. With Hypertext Transfer Protocol Secure (HTTPS) everywhere, your ISP sees domain names, not page contents, passwords, or messages. The "hackers on café Wi-Fi will steal your bank login" pitch describes the web of 2010. The marginal security a VPN adds on a modern HTTPS connection is small — its real effect is hiding domains from the local network and shifting that visibility to the provider.
The provider is a high-value target. Concentrating the traffic of millions of privacy-conscious users behind a handful of companies creates exactly the kind of chokepoint attackers and agencies love. NordVPN's 2018 server breach (disclosed in 2019) showed that even large, reputable providers can have compromised infrastructure without knowing it for months.
So what is a VPN actually good for?
To be fair to the tool: VPNs are legitimately useful for a specific set of jobs. What matters is separating those from the anonymity claims they get bundled with.
| Concern | Does a single-hop VPN help? |
|---|---|
| Snooping on a hostile local network (café Wi-Fi) | |
| Your ISP seeing which domains you visit | |
| ISP throttling or selling your browsing data | |
| Reaching geo-restricted or region-locked content | |
| Reaching an internal or corporate network | |
| Staying anonymous to the sites you log into | |
| A global adversary running traffic correlation | |
| Not having to trust anyone with your traffic |
Those first rows are real benefits — hiding traffic from a hostile local network, getting around ISP throttling or data-selling, accessing region-restricted content, and reaching internal networks (the original corporate use case).
What a VPN is not is an anonymity system. If your threat model includes governments, sophisticated adversaries, or anyone with legal leverage over companies, a commercial VPN is a thin shield. For genuine anonymity needs, Tor — with all its own trade-offs — is designed for the problem in a way a single trusted intermediary never can be.
How to mitigate the risks
You can't eliminate the trust problem, but you can shrink it considerably. Start by deciding who you're actually hiding from — every choice after this depends on that answer.
Start with a threat model, not a product. Ask: who am I hiding from, and what happens if I fail? Hiding from café Wi-Fi is trivial. Hiding from your ISP is easy. Hiding from a government with legal reach is a different sport entirely, and no consumer VPN plays it. Every recommendation below only makes sense relative to an actual adversary.
Pick providers that minimize what they can know. The strongest logging policy is not being able to log in the first place. Look for:
- Random Access Memory (RAM)-only (diskless) servers. Everything lives in volatile memory; a reboot or a seizure wipes it. Mullvad, ExpressVPN's TrustedServer, and others run this way. It doesn't stop live interception, but it makes a seized server worthless.
- No account required. Mullvad's model — a randomly generated account number, no email, no name — means there's no identity to hand over even under compulsion. That's a structural guarantee, not a policy one.
- Anonymous payment. Cash by mail or cryptocurrency (ideally Monero, since Bitcoin is fully traceable on-chain) breaks the link between the subscription and your identity. Paying for a "private" VPN with your personal credit card undoes a lot of the point.
- Recurring independent audits and real transparency reports. Still snapshots, but a provider that submits to audits yearly, publishes infrastructure details, and reports the legal requests it receives is at least betting its reputation on the claims.
- Open-source clients and a track record. How a provider behaved during its last breach or subpoena tells you more than its landing page ever will.
Harden the client side. Enable the kill switch and verify it actually works (drop your network mid-session and watch what happens). Test for DNS, IPv6, and WebRTC leaks — sites like Mullvad's own check or dnsleaktest.com make this a two-minute job. Disable IPv6 if your provider doesn't tunnel it. Prefer WireGuard where offered: a drastically smaller codebase than OpenVPN means a drastically smaller attack surface.
Layer defenses instead of relying on one. Multi-hop configurations route through two servers, ideally in different jurisdictions, so no single node sees both who you are and where you're going. For serious anonymity, Tor remains the reference design — three hops across independently operated relays, built specifically to resist the correlation attacks that defeat single-hop VPNs. Some people combine them (VPN before Tor hides Tor usage from the ISP; Tor before VPN is almost never what you want), but understand each layer's purpose before stacking them.
Fix the application layer, or the network layer won't matter. A VPN cannot save you from yourself. Log out of Google, use a fingerprint-resistant browser (Tor Browser, or Firefox with resistFingerprinting), block third-party cookies, and compartmentalize identities — separate browsers or profiles for separate contexts. Encrypted DNS — DNS over HTTPS (DoH) or DNS over Transport Layer Security (DoT) — with a resolver you choose keeps your queries from silently falling back to your ISP. Most real-world deanonymization happens here, not through broken encryption.
Consider self-hosting — but know what it trades away. Spinning up WireGuard on a cheap Virtual Private Server (VPS) gives you full control and certainty about logging on your end. But the VPS provider can see your traffic and logs your identity at signup, and a personal server means the exit IP address is used by exactly one person: you. Self-hosting is great for securing hostile Wi-Fi and reaching your home network; it's actively worse than a shared commercial VPN for anonymity, where blending into a crowd is the entire mechanism.
Extra concepts worth knowing
A few ideas that round out the picture and come up constantly in this space:
Crowd size is a privacy feature. Your traffic on a shared VPN exit is mixed with thousands of other users — that's the anonymity set. It's why a popular server can hide you better than a private one, and why niche providers with tiny user bases offer weaker cover than the math of encryption suggests.
Correlation beats decryption. Modern adversaries rarely break encryption; they match patterns. Timing, packet sizes, and volume entering and leaving a server are enough to link flows. This is also the idea behind website fingerprinting, where encrypted traffic patterns alone can reveal which site you're visiting. Encryption hides content, not behavior.
"Harvest now, decrypt later." Agencies are widely assumed to be storing encrypted traffic today in anticipation of future cryptographic breaks (including quantum ones). Long-lived secrets deserve stronger protection than a VPN tunnel; this is why post-quantum key exchange is starting to appear in protocols like WireGuard-based implementations.
Decentralized VPNs (dVPNs) like Mysterium or Orchid route traffic through peer-operated nodes rather than company servers, removing the central operator. The trade: your exit node is now a random stranger's machine, and you may be the exit for their traffic — with the legal exposure that implies. Different trust problem, not a solved one.
Multi-party relays are the more interesting recent development. Apple's iCloud Private Relay and similar two-hop designs split knowledge between two separate companies: one sees your IP address but not your destination, the other sees your destination but not your IP address. Neither party alone can profile you — a structural improvement over the single-operator VPN model, though you're still trusting that the two parties don't collude.
Port forwarding and static IP addresses erode anonymity. Features that make you reachable or consistent (dedicated IP addresses, forwarded ports) also make you linkable across sessions. Convenient for torrenting and hosting; costly for privacy.
VPN blocking and obfuscation. Networks and governments increasingly detect and block VPN protocols outright. Obfuscation transports (obfs4, Shadowsocks, stunnel-wrapped traffic) disguise VPN traffic as ordinary HTTPS. If your VPN "just works" in a censored country, obfuscation is why — and it's an arms race, not a guarantee.
The endpoint is the real perimeter. Malware, a malicious browser extension, or a compromised device sees everything before it's encrypted. No network-layer tool protects a machine that's already lost. Keep the Operating System (OS) patched, audit your extensions, and treat the VPN as one layer in a stack — never the stack itself.
Putting the trust models side by side makes the differences concrete:
| Model | Sees your real IP address | Sees your destination | One party sees both |
|---|---|---|---|
| Single-hop commercial VPN | The provider | The provider | |
| Multi-hop (one provider) | Entry server | Exit server | |
| Tor (three hops) | Guard relay | Exit relay | |
| Apple iCloud Private Relay | Apple relay | Third-party relay | |
| Decentralized VPN (dVPN) | A peer node | A peer node | |
| Self-hosted (your own VPS) | The VPS host | The VPS host |
For genuine anonymity, the ranking runs from a single trusted company at the weak end to independently operated hops at the strong end:
The takeaway
A VPN doesn't make you private. It makes you private from some parties by making you completely transparent to one party — a company whose honesty you can't verify, whose logs you can't inspect, whose ownership may be opaque, and whose promises dissolve on contact with a court order or a determined government.
Use one where the trade-off makes sense. Just don't confuse a subscription with anonymity, and don't let a marketing page do your threat modeling for you.
References
- PureVPN logs helped the FBI catch a cyberstalker (BetaNews, 2017)
- IPVanish "no-logging" VPN led Homeland Security to a Comcast user (TorrentFreak, 2018)
- Seven "no-log" VPN providers leaked 1.2TB of user logs (The Register, 2020)
- "Zero logs" UFO VPN exposed millions of logs including passwords (Comparitech, 2020)
- Kape Technologies (formerly Crossrider) — ownership and VPN portfolio (Wikipedia)
- Onavo — Facebook's surveillance VPN (Wikipedia)
- NordVPN admits to an "isolated" server breach in Finland (Engadget, 2019)
- About iCloud Private Relay (Apple Support)
- The Tor Project
- WireGuard
- Mullvad VPN
