TechEngage®

Technology Reviews, Guides & Analysis

TechEngage » Security & Privacy

How does a VPN protect user privacy and anonymity?

Avatar for Ali Raza Updated: May 16, 2026

A smartphone with VPN activated
PinLinkedInPrint

The VPN industry has a marketing problem: it sells privacy as a binary thing — install our app, become anonymous — when the actual privacy gain in 2026 is narrower than the ad copy suggests. HTTPS now covers 95%+ of web traffic. DNS over HTTPS (DoH) has been on by default in Firefox since 2020 and in Chrome since 2022. Apple’s iCloud Private Relay does much of what a VPN does for Safari traffic on the iPhone. The “VPN-or-no-privacy” framing that defined the 2018–2022 era has aged into something more nuanced: VPNs still do specific useful jobs, but the jobs are smaller than the ads claim, and the cases where you actually need one are more specific than “anytime you go online.”

This guide explains what a VPN really protects you against in 2026, where the original 2023 framing of “VPN protects everything” overreached, and the specific situations where running one is still genuinely worth it.

Contents

What a VPN actually does

Strip the marketing away and a VPN does exactly two things:

  1. Encrypts the network traffic between your device and the VPN server. Anything observing the link between you and the VPN server (your ISP, your office network, the coffee-shop Wi-Fi router) sees only encrypted gibberish.
  2. Substitutes the VPN server’s IP address for yours. Anything observing traffic after it leaves the VPN server (the website you visit, ad trackers, analytics tools) sees the VPN server’s IP, not yours, and the VPN server’s geographic region, not yours.

That’s it. Everything else a VPN is marketed for — security, anonymity, privacy, fraud protection — is a downstream consequence of these two facts. The clear-eyed version of each marketing claim:

  • “Encrypts your traffic” — true, between you and the VPN server. After the server, it’s the same web protocols (HTTPS, TLS, QUIC) protecting your traffic as without the VPN.
  • “Hides your IP from websites” — true. The site sees the VPN’s IP, not yours.
  • “Stops your ISP from seeing your browsing history” — true. The ISP sees only that you connected to a VPN provider; not which sites you visited via the tunnel.
  • “Lets you watch geo-restricted content” — partially true and increasingly contested by streaming services. See our roundup of VPNs for smart TVs for which providers still work for Netflix, Disney+, and BBC iPlayer.
  • “Protects you on public Wi-Fi” — true, but the real risk on public Wi-Fi in 2026 is much smaller than it was in 2017 because of HTTPS adoption.

What a VPN does NOT do

The list of things VPNs are marketed for but do not actually deliver is longer than most providers admit:

  • It does not make you anonymous. Anonymity requires no account, no cookies, no fingerprintable behaviour. A VPN handles the IP address; you log into Google two minutes later and the IP is irrelevant. The EFF’s analysis of VPNs and online anonymity covers this in clear detail.
  • It does not stop tracking by Google, Meta, or any signed-in service. If you are logged in, the company knows it’s you regardless of IP.
  • It does not stop browser fingerprinting. Canvas fingerprinting, WebGL fingerprinting, and font enumeration all work through a VPN.
  • It does not protect you from malware. Some VPN providers bundle a malware blocker (NordVPN’s Threat Protection, Surfshark’s CleanWeb) which works, but the VPN tunnel itself does nothing against a malicious download.
  • It does not stop your ISP from knowing you use a VPN. The destination IP and the data volume are visible; the ISP sees “this customer is sending encrypted traffic to a known VPN provider’s IP range.” That visibility is what enables some governments to block VPN use.
  • It does not help with HTTPS sites. A site you visit over HTTPS is already encrypted end-to-end from your browser to the site. The VPN adds a second encryption layer, but for HTTPS-only traffic (which is now most of the web), this is belt-and-suspenders, not the difference between safe and unsafe.

VPN protocols in 2026

The 2023 version of this article recommended OpenVPN as “the best balance between speed and security.” That was true at the time. By 2026, OpenVPN has largely been displaced by WireGuard for consumer VPN use.

ProtocolStatus in 2026SpeedWhere it’s used
WireGuardDominant for new connectionsFastestNordVPN (NordLynx), Mullvad, Proton VPN, IVPN, almost every Linux router
OpenVPNStill widely supported, slower than WireGuardMediumLegacy enterprise deployments, business VPNs, fallback option in most consumer apps
IKEv2Used for fast handoff between WiFi/cellular, especially on iOSFastMost providers as a secondary option, native Windows/macOS/iOS
LightwayExpressVPN proprietary, based on wolfSSLFastest after WireGuardExpressVPN only
L2TP/IPsecDeprecated; security weaknessesSlowAvoid in 2026 unless required by legacy hardware
PPTPInsecure, deprecatedFastAvoid entirely

The short version for 2026: use WireGuard (or your provider’s WireGuard-based variant like NordLynx). Use IKEv2 if WireGuard is blocked on your network. Use OpenVPN only if neither is available. Do not use PPTP or L2TP/IPsec.

When a VPN still makes sense

Given the narrower honest claims, when is a VPN genuinely worth running in 2026? Six scenarios where the answer is unambiguously yes:

  1. You are on public Wi-Fi in a hostile environment. Coffee-shop Wi-Fi in most countries is fine. Public Wi-Fi at a major airport in a country with sophisticated state-level traffic interception (China, Iran, UAE, some others) is not. A VPN here is a meaningful upgrade.
  2. You’re a journalist, researcher, or activist in a restrictive jurisdiction. A VPN combined with Tor and operational security is part of the standard toolkit. PrivacyGuides maintains a current set of recommendations for this case.
  3. You want to access content that’s blocked in your region. Geo-shifting works for many streaming catalogues (with the streaming-detection caveats above) and for sites blocked by your government.
  4. Your ISP throttles specific traffic types. Some ISPs throttle video, gaming, or torrent traffic. A VPN routes that traffic through the encrypted tunnel where the ISP cannot classify it.
  5. You torrent, legally or otherwise. Torrenting exposes your IP to every peer in the swarm by design. A VPN puts the VPN provider’s IP in front of yours instead.
  6. You want a basic privacy hygiene layer. Even with the narrower technical claims, paying a small monthly fee to keep your ISP and your local network out of your browsing history is a defensible privacy choice — analogous to choosing an encrypted messenger over SMS.

For the picks themselves, see our roundup of the 8 best paid VPNs and the best free VPNs. The paid list is shorter for a reason — free VPNs that don’t bundle malware are rare, and the few legitimate ones (Proton VPN Free, Mullvad’s free tier on some plans) are heavily rate-limited.

The no-logs question and how to assess it

Almost every VPN provider claims a “no-logs policy.” The claim is meaningful only if it’s verifiable. Three signals to look for in 2026:

  • Independent third-party audits. Big-four accounting firms (KPMG, Deloitte, PwC) and dedicated security firms (Cure53) regularly audit major VPN providers. ExpressVPN, NordVPN, Proton VPN, Surfshark, and CyberGhost all have multiple audits since 2022. Mullvad publishes its source code and infrastructure scope.
  • RAM-only servers. NordVPN and Surfshark moved to RAM-only colocation in 2020–2021. Servers that hold no persistent disk cannot be seized for their disk contents — when the server reboots, all state is gone.
  • Real-world court-record evidence. When law enforcement has subpoenaed VPN providers, the responses are public record. Providers with a clean record (Mullvad, IVPN, Proton VPN have all had public legal disputes where they demonstrated they had no user logs to hand over) earn more trust than providers with no such track record.

The reverse signal — providers to be cautious of — includes ownership structures that obscure the actual entity, providers based in jurisdictions with mandatory data retention (the so-called Fourteen Eyes countries for sensitive use), and providers with prior unresolved logging controversies. The Fourteen Eyes intelligence-sharing list is a useful reference but not a strict disqualifier — many trustworthy providers operate from member countries, the legal regime matters more than the country tag.

FAQ

Does a VPN make me anonymous online?

No. A VPN substitutes the VPN server’s IP address for yours, which is a useful privacy step but not anonymity. The companies you log into (Google, Facebook, banking apps) still know it’s you. Browser fingerprinting still identifies your device. For real anonymity, you need a combination of Tor, no logged-in accounts, no cookies, and behavioural discipline — a VPN alone is one piece of that, not the whole answer.

Are VPNs still worth using in 2026 with HTTPS everywhere?

For specific scenarios, yes. Public Wi-Fi in hostile environments, geo-shifted streaming, ISP-throttling avoidance, torrent IP protection, and keeping your ISP out of your browsing history are all real benefits that HTTPS alone does not provide. The case for a VPN as a universal always-on privacy layer has weakened. The case for a VPN as a tool used for specific situations has held up.

WireGuard or OpenVPN — which protocol should I use?

WireGuard for almost every consumer use case. It’s faster, has a smaller code base (easier to audit), and has better battery life on mobile because it handles network changes more gracefully. OpenVPN remains useful where WireGuard is blocked (some restrictive networks), in enterprise deployments that have invested in OpenVPN infrastructure, or as a fallback option in your VPN app. Avoid PPTP and L2TP/IPsec entirely.

Are free VPNs safe?

Mostly no. A few free VPN tiers from reputable paid providers (Proton VPN Free, Windscribe Free) are safe but heavily rate-limited. Most free-tier-only VPNs monetize through one of: selling user browsing data to third parties, injecting ads into pages, or using the free user as exit-node infrastructure for the paid product. The 2019 Hola VPN incident is the canonical example of what can go wrong. If your threat model includes ISP surveillance, paying $3-$5 per month for a reputable provider is the right call.

Is using a VPN illegal?

In most countries, no — using a VPN is legal even though some specific uses (accessing geo-restricted streaming content, bypassing local content laws) may violate platform terms of service or local laws. Countries that restrict VPN use include China, Russia, Iran, UAE, Turkmenistan, North Korea, and Belarus. Check your local jurisdiction; in most Western countries the VPN itself is unambiguously legal.

Related reading

Filed Under: Security & Privacy Tagged With: , ,

Related Stories

PinLinkedInPrint
Avatar for Ali Raza

Business & Cybersecurity Analyst

Ali Raza is a Business and Cybersecurity Analyst at TechEngage with nearly 170 published pieces covering enterprise technology, internet security, cryptocurrency markets, and software tools. His reporting connects the dots between business strategy and the technology that drives it, helping readers make informed decisions in a fast-changing landscape.

Joined March 2009

Reader Interactions

Share Your Thoughts

Please read our comment policy before submitting your comment. Your email address will not be used or published anywhere. You will only receive comment notifications if you opt to subscribe below.