A good VPN can protect your data online—overall, they’re great tools for staying safer and protecting your privacy. But can VPNs also introduce security or privacy risks? Are some VPNs safer than others? And when’s the right time to use one?
In this short guide, we’ll try to answer these questions, and help you gain a better understanding of how a VPN can fit into your plan for a safer Internet experience.
What are some situations where a VPN could improve safety?
Accessing censored content
Some countries censor the Internet content available to their citizens. A VPN can help you circumvent a censor’s firewalls and access prohibited content. By encrypting your content request, a VPN shields this information from your Internet service provider (ISP) and any other entities that might try to read it. A VPN can also mask your IP address, so you can’t be identified by the website you’re visiting.
However, note that in some cases a VPN will be illegal in the very countries that censor Internet access; in these cases, using a VPN might create its own dangers. While the ISP (or others) might not see your specific activity or know if you’re accessing prohibited content, they’ll be able to infer that a VPN is in use. In cases like this, a VPN should be used with caution.
Avoiding surveillance
Surveillance occurs more often than outright censoring. Governments can require ISPs to provide any tracked information about users’ activity when they request it. By encrypting your activity, a VPN ensures the ISP has no browsing history to report (other than the simple fact you use a VPN).
However, note that avoiding surveillance or tracking by your ISP doesn’t necessarily mean you’re immune from surveillance. While a VPN can block your ISP from obtaining details on your browsing activity, the VPN provider may still have access to this information. That’s why it’s important to use a VPN provider with a strong, proven no-logs policy.
Public Wi-Fi networks
With the increasing adoption of HTTPS, the safety of public Wi-Fi has improved. With HTTPS you don’t need to worry about exposing your browsing data to a snooper on that coffee shop Wi-Fi—most of your data is encrypted before it even reaches the cafe’s router. However, in at least one way a VPN can help even with HTTPS in use: by masking the URL of the website you want to visit. Using a VPN in public spaces protects your browsing activity from being spied on by others on the same public network. A VPN can also fill any coverage gaps with HTTPS, such as if a website has poor application of HTTPS, or if you’re loading a non-HTTPS site.
Mobile apps, on the other hand, don’t always benefit from the protection of HTTPS. Some apps may have encryption built in, but this can vary from app to app and there’s no easy way for a user to confirm this. A mobile VPN can encrypt all data traffic on your device, including any data handled by apps.
Why does a VPN’s privacy policy matter?
A VPN’s privacy policy is often (though not always) centered on how (or if) they log user data; a no-logs policy is always a good criterion when selecting a VPN provider. Most VPN providers say they have a no-logs policy, but it’s important to look at the fine print to understand what their policies really are regarding your data. A true no-logs policy is one where no user activity is ever stored for any length of time. If a VPN provider stores your activity history even for just a short period for internal purposes (like assessing system performance), your data is exposed to the possibility of ending up in someone else’s hands.
With free VPNs, or those based in certain jurisdictions that require providers to store activity details, you should approach claims of a no-logs policy with skepticism. Conversely, when a company with a reputation for strong privacy protections (such as Brave) states they have a strict no-logs policy—and their privacy policy backs this up—it’s probably a safe bet.
What to look for in a VPN’s privacy policy
The best place to find accurate information on user data handling is the VPN provider’s privacy policy. A privacy policy will detail what user data is collected and stored, for what purpose, and for how long. This disclosure should also declare if the provider is required to adhere to any government-dictated data retention requirements, and any other third parties they might share your data with. A clear no-logs declaration in the privacy policy is a strong indicator the VPN provider takes data privacy seriously.
How independent audits validate VPN security
VPN providers will point to independent audits as proof of a legitimate no-logs policy. Audits are good-faith indicators that a company is doing what they claim—in this case not logging user activity—but they’re still theoretically fallible. It’s feasible that a company could stop logging user activity, conduct an audit, and then resume logging after the audit completes.
An additional, if uncommon, gauge of a true no-logs policy is one that has stood up to legal or judicial challenge. Some VPN providers have had their logs subpoenaed in court, and were unable to produce them because they don’t exist.
Are there other risks with using VPNs?
A big reason for using a VPN is to avoid data collection efforts by ISPs and other entities. As we’ve seen, it’s important to have reasonable trust that your VPN provider won’t take advantage of their access and collect your data themselves. However, there are a few other concerns to consider in addition to data collection.
Free VPNs
As we mentioned above, free VPNs frequently track users and sell their data. This is how they’re able to provide a free service while building and maintaining a VPN network. Having your data collected and sold to third parties undoes everything you’re trying to accomplish by using a VPN. A free VPN may also cap your data usage and generally provide a poorer performing service.
Dropped connections
You may occasionally lose your connection to the VPN server. This can often be the result of spotty service on a cellular network or trying to switch between Wi-Fi networks. Whatever the cause, when this happens, your traffic automatically defaults back to using the ISP to handle your browsing activity, which means your ISP can again see your browsing activity.
You can limit the risks of dropped connections in a couple of ways:
- Select a VPN provider with many servers, so that you have many reliable options in the event one or two servers go down. This can result in less time where the VPN service is unavailable or slow.
- Find a VPN provider with a killswitch. A killswitch recognizes when connection to the VPN server has been lost and instantly stops all Internet traffic, rather than allowing a handoff to the ISP.
DNS leaks
A DNS leak happens when a Domain Name System (DNS) request that’s supposed to go to your VPN server instead gets passed to your ISP, the very thing you’re trying to prevent by using a VPN. There are several reasons a DNS leak might occur, most of which have their root cause in poor VPN service. In these cases, the best defense against DNS leaks is to select a different (and more reputable) VPN provider.
Note that a DNS leak often occurs when the VPN provider experiences a dropped connection, so the two are closely related.
DNS leaks can also happen if certain features are enabled. One feature known to cause DNS leaks is Windows Smart Multi-Home Name Resolution. Be sure to turn this feature off to get the best protection. If you’re using Brave Firewall + VPN you will be automatically protected in the browser, but could still be affected by traffic sent from other apps or services.
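One way to check for the leak described above, as an added example (not Brave's code): it works out which interface each configured DNS resolver's queries would leave on and flags any that bypass the tunnel. The `ip route` and `resolv.conf` text is constructed sample data for a Linux-style host, the tunnel name `tun0` is an assumption, and only IPv4 is handled.

```python
import ipaddress

# Constructed sample data (not from a real host): `ip route` output while a
# VPN tunnel (tun0, an assumed name) is up, plus two resolv.conf variants.
ROUTES = """\
default via 192.168.1.1 dev wlan0 metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 scope link
192.168.1.0/24 dev wlan0 scope link
"""
RESOLV_LEAKY = "nameserver 192.168.1.1\nnameserver 10.8.0.1\n"
RESOLV_OK = "nameserver 10.8.0.1\n"


def parse_routes(text):
    """Return [(network, device)] parsed from `ip route`-style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes


def egress_device(routes, addr):
    """Longest-prefix match: the interface a packet to addr leaves on."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(matches)[1] if matches else None


def leaking_resolvers(resolv_conf, routes, tunnel="tun0"):
    """Nameservers whose queries would bypass the tunnel interface."""
    servers = [line.split()[1] for line in resolv_conf.splitlines()
               if line.startswith("nameserver") and len(line.split()) > 1]
    return [s for s in servers if egress_device(routes, s) != tunnel]


if __name__ == "__main__":
    table = parse_routes(ROUTES)
    print("leaky config :", leaking_resolvers(RESOLV_LEAKY, table))
    print("clean config :", leaking_resolvers(RESOLV_OK, table))
```

In the leaky sample, the local router's resolver sits on the directly connected Wi-Fi subnet, so the more specific local route wins over the VPN's routes and those queries never enter the tunnel.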
Malware
It’s important to remember that, while VPNs can do a very good job at protecting some aspects of your privacy and security while online, they don’t protect against everything. For example, a VPN doesn’t protect against accidental downloading of malware. You still need to use other security tools to block these kinds of online threats. Brave Firewall + VPN pairs its VPN service with a robust firewall that blocks known malicious sites and malware downloads that have been detected by security researchers.
Are mobile VPNs as secure as desktop ones?
A mobile VPN for your phone or tablet should offer the same protections you’d find on a desktop/laptop computer VPN. A mobile VPN should hide your IP address, encrypt your transmitted data (including the website URL), and help you navigate restrictions associated with censorship or geographic limitations.
With mobile devices, however, there’s a greater possibility of a dropped connection due to an unreliable Internet connection. This risk is mitigated by choosing a provider that has an effective killswitch.
Check out our guide on selecting a VPN service for mobile devices.
Just like any software, a VPN service will have its pluses and minuses. Whether a VPN can contribute to your online security and privacy, or will create more problems than it solves, depends in large part on the VPN provider. Choosing the right provider is crucial for a safe, worry-free experience.
We encourage you to invest a bit of time comparing potential VPN providers, and reading their fine print. Look beyond the sales pitch and read the privacy policy to find out if your data will really be safe. Look into the provider’s track record for reliable service and reputation for putting the customer first. And resist the temptation to use a free VPN—these usually end up doing more harm than good.
The Brave browser and its built-in Firewall + VPN tick all the boxes for safety, security, reliability, and, of course, privacy. We’re confident it will make anyone’s short list for best VPN for their needs. And remember: A VPN doesn’t protect against cookies, trackers, malware and phishing. To be as safe as possible online, you’ll still need additional tools to protect against these threats. Fortunately, Brave has you covered there, too, with protections built right into the browser.