Too many people think just running a VPN will solve all privacy, security, malware, etc. problems. A VPN only really does two or three things:
- Gets you an IP address that is somewhere else and not associated with your ISP or carrier-provided address.
- Cuts out any snooping by your carrier or ISP, as well as any person-in-the-middle attacks, e.g. at a public Wi-Fi area.
- Can bypass any traffic throttling an ISP may have for specific protocols, for example on torrent traffic, or a specific website such as Netflix. But this also means losing any potential data-free allocations, such as for some gov or educational websites.
But it is probably important to note all the things it is not protecting you against:
- Visiting suspect sites that may install a key logger or other malware – both ends of a VPN are open.
- Clicking on links in e-mails that install malware, Trojans, etc. that sniff your passwords or infect your device.
- The information you provide to every website you visit. Your browser fingerprint still ties that browser to where you use it across different sites.
- Most free/basic VPNs will also not unlock geographic blocks for many entertainment streaming services, and they may not be doing aggressive ad blocking either.
- They can be overall slower than not using a VPN as there is an overhead to encrypting all traffic.
- You can’t bypass your ISP or carrier’s data cap restrictions as all traffic still counts as data usage.
- It may not be usable from inside some organisations where VPN traffic is being blocked, and it can be a giveaway in some countries such as China or Russia where the use of VPNs may be banned.
- Many VPN providers do not log activity, but a lot of the free ones may be recording and logging what you do (or inserting ads into your traffic).
So, it really depends on why you'd want to use a VPN, e.g. to bypass geo-blocking for media streaming, bypass country censorship, be more secure on a public Wi-Fi network, etc. For example, for country censorship, Tor browser and Signal messenger have toggles you can activate which use special servers and can make the traffic look more like normal web traffic.
So, whilst a VPN may help hide activity from your carrier and ISP, it is only one part of a privacy and security solution, as you need to secure your device itself, as well as your browser and extensions, your DNS provider, and be careful of what information you provide to websites. Unique passwords and proper 2FA (not via mobile phone number) are also essential.
Privacy and security are not really about protecting you from your own government, as they should already know who you are, where you work, what health conditions you have, how much you get paid, where you live, and much more. It is more about those who want to sell your behaviour analytics to advertisers and data brokers, and even worse, those who want the information for identity theft purposes.
The human is still the weakest link in most cybersecurity threat chains, and it is not always about your personal finances, but often a way to leverage into an organisation, which is way more attractive to threat actors.
See https://www.howtogeek.com/do-vpns-hide-data-usage-from-isps-or-cellular-carriers/