Are VPNs Still Safe?
Most VPN reviews answer the wrong question.
They test download speeds. They count server locations. They check whether Netflix unblocks. What they rarely do is tell you honestly what a VPN cannot protect you from — and in 2026, that gap between what VPNs promise and what they actually deliver has never been wider.
Are VPNs still safe? The honest answer is: safe for some things, dangerously misunderstood for others. The tool has not failed. The marketing around it has.
According to NIST's official guidance on IPsec VPNs, a VPN primarily secures traffic at the network transport layer — meaning it encrypts data moving between two points. What happens at either end of that connection, who owns the infrastructure in the middle, and what tracking methods operate above the network layer are entirely different questions.
This article covers what VPNs actually protect, where they structurally fail, and the questions that separate genuinely safe VPN services from the ones that create a false sense of security. The wider context sits inside our work on the future of digital privacy and security.
VPNs are still safe and valuable for specific, well-defined threats — encrypting traffic on public Wi-Fi, preventing ISP surveillance, and bypassing geographic restrictions. They are not safe substitutes for identity protection, they do not stop browser fingerprinting or account-level tracking, and their safety depends entirely on the provider's infrastructure, jurisdiction, and logging practices. A VPN is a transport security tool, not an anonymity shield.
Table of Contents
- What a VPN Actually Does — And Does Not Do
- The Threats Where VPNs Still Work Well
- The Hidden Risks Most VPN Reviews Skip
- India and the CERT-In Problem Nobody Explains
- The 5 Questions That Separate Safe VPNs From Risky Ones
- Does the VPN Prevent DNS Leaks?
- When a VPN Is Not Enough
- Key Takeaways
- Frequently Asked Questions
1. What a VPN Actually Does — And Does Not Do
A VPN creates an encrypted tunnel between your device and a server operated by the VPN provider. Traffic traveling through that tunnel is protected from interception by your internet service provider, public Wi-Fi operators, and network-level observers.
That is a meaningful and legitimate protection. It is also significantly less than what most people assume they are getting.
What a VPN Does Not Stop
- Browser fingerprinting β your device creates a unique identifier from GPU behaviour, screen resolution, installed fonts, and canvas rendering. This fingerprint follows you regardless of your IP address
- Account-level tracking β if you are logged into Google, Facebook, or any platform, that platform tracks you through your account credentials, not your IP
- Server-side tracking β data collection executed on the origin server itself, logging your API calls, requests, and behaviour before any response is sent back, completely invisible to browser extensions or client-side blocking tools
- Malware already on your device β a VPN encrypts traffic leaving your device but cannot remove software already operating on it
- The VPN provider itself β your traffic is visible to the VPN company whose server you connect through. This is why provider trust and logging policy matter more than any technical specification
2. The Threats Where VPNs Still Work Well
VPNs provide genuine, meaningful protection against a specific set of threats:
Public WiFi interception β cafes, airports, hotels, and shared networks create real attack surfaces. A VPN prevents other users on the same network from intercepting unencrypted traffic. This remains one of the strongest use cases.
ISP surveillance and throttling β in the US, UK, Canada, and Australia, internet service providers can legally monitor and sell browsing data. A VPN prevents ISP-level visibility into your traffic content and protects against bandwidth throttling based on traffic type.
Geographic restriction bypassing β streaming services, news sites, and certain platforms restrict content by location. VPNs legitimately and effectively bypass these restrictions.
Basic censorship circumvention β in markets with restrictive internet filtering, VPNs provide access to blocked content, provided the VPN itself is not blocked.
For these specific purposes, a quality VPN with independently audited infrastructure remains a valid and effective tool. NordVPN offers an independently audited no-logs policy and RAM-only servers — a strong option for public WiFi and ISP protection.
3. The Hidden Risks Most VPN Reviews Skip
The Corporate Consolidation Problem
Multiple major consumer VPN brands are owned by the same parent companies. Kape Technologies owns ExpressVPN, Private Internet Access, CyberGhost, and Zenmate. Ziff Davis owns IPVanish and StrongVPN. When a review site recommends five "independent" VPNs and three share an owner, the diversity of infrastructure and governance is significantly less than it appears.
This matters because centralized ownership means centralized legal exposure. A single court order to one parent company can potentially affect multiple branded services simultaneously.
Patching Lag Is a Real Risk
Enterprise VPN appliances — the hardware gateways organizations use for remote access — have a documented patching problem. Zscaler's ThreatLabz report found that 54% of organizations take over a week to patch critical gateway vulnerabilities. Consumer VPN apps update more frequently, but the underlying principle holds: any VPN client running outdated software is an attack surface rather than a security tool. Check that your VPN app has auto-update enabled.
Encrypted Traffic Can Still Carry Threats
Research published on arXiv demonstrates that VPN traffic can be analyzed and classified even when fully encrypted — using packet sizes, timing, flow patterns, and behavioural signatures. The content remains protected, but behavioural patterns can reveal what type of activity is occurring. This is the same dynamic that drives modern AI traffic analysis threats.
The Free VPN Business Model
If a VPN service charges nothing, the business model is almost certainly the data of its users. Free VPN providers have been documented selling browsing histories, injecting tracking cookies, and redirecting DNS queries to monetize traffic. According to IBM's 2024 breach data, 46% of breaches involve customer personal data — and free VPN users are contributing to data pools they cannot audit or control.
Mullvad offers an anonymous sign-up process, accepts cash payment, and publishes regular infrastructure audits — the strongest privacy-first option.
4. India and the CERT-In Problem Nobody Explains
Most global VPN articles say VPNs are "legal and safe in India" and leave it there. That is incomplete and potentially misleading.
India's CERT-In (Indian Computer Emergency Response Team) directive requires VPN providers operating physical servers inside India to log and retain user data β including names, email addresses, IP addresses, and usage records β for a minimum of five years.
Several major VPN providers responded by removing their physical servers from India entirely and switching to virtual server locations that appear Indian to websites but route through servers physically located elsewhere — typically Singapore or the Netherlands.
What this means practically:
- If your VPN provider still shows Indian servers in their app, check whether they are physical or virtual servers
- Providers that removed Indian servers (Mullvad, ExpressVPN, Surfshark) maintained their no-logs policies by exiting Indian infrastructure
- Providers that complied with CERT-In and kept physical servers in India are now legally required to log your activity
For Indian users asking "are VPNs still safe", the answer depends entirely on whether your provider is using physical or virtual Indian servers — a distinction almost no mainstream guide explains.
5. The 5 Questions That Separate Safe VPNs From Risky Ones
A VPN is only as trustworthy as the infrastructure and governance behind it. Before choosing or continuing with a provider, ask these five questions:
| # | Question | What to Look For |
|---|---|---|
| 1 | Does the provider use RAM-only servers? | Diskless infrastructure stores no persistent data — only verifiable form of no-logs |
| 2 | Has the no-logs policy been independently audited in the last 12 months? | Court-tested audits from Cure53 or KPMG — not marketing claims |
| 3 | Is the provider based outside Five/Nine/Fourteen Eyes alliances? | Switzerland, Iceland, Panama are common privacy-friendly jurisdictions |
| 4 | Does the provider have a system-level kill switch? | Operates at the OS network stack level — not just inside the app |
| 5 | Who owns the company? | Transparent corporate ownership — not hidden under a parent owning multiple competing brands |
Surfshark offers RAM-only servers, independent audits, and unlimited device connections — strong value for families and multi-device users.
6. Does the VPN Prevent DNS Leaks?
Most users assume a VPN automatically encrypts DNS queries — the requests your device sends to look up website addresses. It does not unless the client forces DNS through the encrypted tunnel.
A DNS leak means your device is sending lookup requests to your ISP's DNS server outside the VPN tunnel, revealing every site you visit to your ISP even when the VPN is active.
Test this at dnsleaktest.com or ipleak.net with your VPN connected. If the test shows your ISP's DNS servers, your VPN is leaking. A trustworthy provider routes all DNS through their own encrypted resolvers by default.
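A local complement to the web-based tests above, as an added example that is not part of the original article: it reads the resolvers from resolv.conf-style text and applies a longest-prefix match over `ip route show` output to tell whether each resolver is reached through the tunnel. The sample inputs are constructed, and the tunnel interface name prefixes and the Linux main-routing-table view (no policy routing rules) are assumptions.

```python
import ipaddress

# Constructed sample inputs (not captured from a real host).
RESOLV_CONF = "nameserver 192.168.1.1\nnameserver 10.8.0.1\nnameserver 127.0.0.53\n"
# Constructed `ip route show` output: OpenVPN-style split default via tun0,
# plus a LAN route that is more specific than the tunnel routes.
IP_ROUTE = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""
TUNNEL_PREFIXES = ("tun", "wg", "ppp")  # assumed tunnel interface names

def parse_resolvers(text):
    """Return nameserver IPs from resolv.conf-style text, ignoring comments."""
    fields = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [ipaddress.ip_address(f[1]) for f in fields if len(f) >= 2 and f[0] == "nameserver"]

def parse_routes(text):
    """Return (network, device) pairs from `ip route show` output."""
    routes = []
    for tok in (line.split() for line in text.splitlines()):
        if "dev" in tok[1:-1]:  # skip lines with no egress device
            dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
            routes.append((ipaddress.ip_network(dest), tok[tok.index("dev") + 1]))
    return routes

def egress_device(ip, routes):
    """Longest-prefix match: the most specific route containing ip wins."""
    hits = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(hits)[1] if hits else None

def check_dns_paths(resolv_text, route_text):
    """Map each resolver to 'tunnel', 'leak' or 'local-stub'."""
    routes, result = parse_routes(route_text), {}
    for ip in parse_resolvers(resolv_text):
        dev = egress_device(ip, routes) or ""
        if ip.is_loopback:  # stub resolver; its upstream servers are set elsewhere
            result[str(ip)] = "local-stub"
        else:
            result[str(ip)] = "tunnel" if dev.startswith(TUNNEL_PREFIXES) else "leak"
    return result

if __name__ == "__main__":
    print(check_dns_paths(RESOLV_CONF, IP_ROUTE))
```

In the constructed data the home router at 192.168.1.1 is flagged as a leak because the /24 LAN route is more specific than the two /1 tunnel routes, so queries to it never enter the tunnel. A "local-stub" result means the upstream servers have to be checked in the stub resolver's own configuration.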
7. When a VPN Is Not Enough
A VPN is one layer of a multi-layered privacy and security architecture. It is not a complete solution on its own.
Use a VPN alongside β not instead of β these tools:
- Privacy browser (Brave or Firefox with uBlock Origin) to address fingerprinting and tracker scripts that operate above the network layer
- Passkeys or hardware security keys for account protection that a VPN has no role in β covered in detail in our guide to passwordless authentication
- Encrypted messaging (Signal) for communication privacy β note that metadata remains visible even with E2E encryption
- Regular permission audits β camera, microphone, and location access on mobile devices create data exposure that VPN routing does not address
On mobile specifically, documented vulnerabilities in iOS and Android can cause system-level services to route traffic outside the active VPN tunnel. This means a VPN app running on a phone may not be encrypting all device traffic simultaneously β a critical limitation for users who rely on mobile VPN protection for sensitive work.
For the broader identity layer that sits above the network, see digital identity protection.
Key Takeaways
- A VPN encrypts transport-layer traffic β it does not stop fingerprinting, account tracking, or server-side data collection
- 54% of organizations take over a week to patch VPN vulnerabilities β unpatched VPNs are attack surfaces, not security tools
- Free VPNs monetize your data β if there is no subscription revenue, your browsing behaviour is the product
- India's CERT-In directive requires VPN providers with physical Indian servers to log user data β check whether your provider uses physical or virtual servers
- Corporate consolidation means multiple branded VPNs share parent company ownership β research governance before trusting infrastructure
- RAM-only servers, independent audits, and kill switches are the three technical requirements that separate genuinely safe providers from marketed ones
- Mobile OS vulnerabilities can route traffic outside active VPN tunnels β phone VPN protection is not absolute
Frequently Asked Questions
Are VPNs still safe to use in 2026?
Yes, for specific and well-defined purposes. VPNs remain effective for encrypting traffic on public Wi-Fi, preventing ISP-level surveillance, and bypassing geographic restrictions. They are not effective anonymity tools, they do not prevent browser fingerprinting or account-level tracking, and their safety depends entirely on the provider's infrastructure, jurisdiction, and independently verified logging practices.
Are VPNs legal in India and are they safe to use there?
VPNs are legal to use in India. However, India's CERT-In directive requires VPN providers operating physical servers inside India to log user data for a minimum of five years. Providers that removed their physical Indian servers and switched to virtual server locations maintained their no-logs policies. Before using a VPN from India, confirm whether your provider uses physical or virtual Indian servers — this distinction determines whether your activity is being logged by law.
Is a free VPN safe?
Most free VPNs monetize user data to cover infrastructure costs. Documented practices include selling browsing histories, injecting tracking cookies, and redirecting DNS queries. Limited free tiers from transparent providers — Proton VPN and Mullvad — are exceptions because their revenue model is subscription-based and the free tier is a conversion tool, not a data extraction operation.
Can police or ISPs track you through a VPN?
A VPN prevents your ISP from seeing the content of your traffic. It does not make you invisible to law enforcement. VPN providers operating in jurisdictions with data retention laws can be compelled to provide logs if they exist. This is why jurisdiction, RAM-only infrastructure, and independently audited no-logs policies matter. Note that some no-logs providers still retain connection timestamps or bandwidth totals. What matters is what specific data is retained and whether that data can identify you.
What should I look for in a safe VPN?
Five criteria separate trustworthy VPN infrastructure from marketed claims: RAM-only servers that retain no persistent data, an independently audited no-logs policy verified within the last 12 months, a system-level kill switch operating at the OS network stack, a jurisdiction outside major surveillance alliances, and transparent corporate ownership without hidden consolidation under a parent company owning multiple competing brands.
Does a VPN prevent DNS leaks?
Only if the client forces DNS queries through the encrypted tunnel. Most users assume VPNs automatically encrypt DNS lookups — they do not by default. Test at dnsleaktest.com with your VPN connected. If you see your ISP's DNS servers, your VPN is leaking. Trustworthy providers route all DNS through their own encrypted resolvers automatically.
The Techurz Take
The question "are VPNs still safe" is the wrong question because it assumes a VPN was ever designed to do what most users expect it to do.
A VPN is a transport security tool. It encrypts traffic between two points. It was never designed to make you anonymous, and the tracking infrastructure that dominates digital advertising in 2026 operates at layers where VPN tunnels are irrelevant.
The providers who built honest businesses around this understanding — publishing real audits, removing servers from legally hostile jurisdictions, running RAM-only infrastructure — are doing something genuinely useful. The providers who promise "military-grade privacy" in exchange for your data are doing something else entirely.
Using a VPN is a reasonable choice. Trusting it to be your complete privacy strategy is not.

