A buyer's guide to VPNs

Tunnel into the Internet with a VPN for greater privacy.

You can't always trust your Internet connection, but virtual private networks (VPNs) give you some protection and privacy on the Web. Find out why you may want a VPN, what to look for when choosing a service, and whether it's worth paying for one.

Why use a VPN?

Virtual private networks used to be chiefly a workplace tool, so employees could connect securely to the company server. VPNs have evolved into a tool for personal anonymity online -- provided that you find the right service and follow certain best practices.

First, a lot of wireless networks are insecure. If you connect your laptop or mobile phone to Wi-Fi in airports, hotels, coffee shops, and other public places, you're probably on poorly protected or unprotected networks where people could snoop on your Web activity. Even if your network is secure, your service or your government might have a data-retention policy that tracks and logs your browsing. In cases like these and many others, a private, encrypted tunnel between you and the Internet can provide some peace of mind.

But personal VPNs are an emerging phenomenon with an evolving set of features and potential legal entanglements. To help you navigate the options, we've tested a number of VPNs and have outlined what to look for if you're thinking of signing up.

What is a VPN?

A virtual private network is like a local area network (LAN) that operates remotely. A remote network connects a number of devices to the Internet through a router. With that setup, the websites that you connect to see only the IP address of the router, instead of that of the device that you're using on the network. So it is with a VPN. Your device's IP remains hidden, and a VPN usually adds strong encryption. If someone breaks into the VPN server facility, they won't get far, because most VPNs use full-disk encryption -- it would be extremely difficult to pull information off those servers and figure out who was connecting to which websites. This gives the VPN's customers a high degree of privacy and anonymity.

When you're on public Wi-Fi at a coffee shop or library, its password is shared and sometimes easy to crack anyway. Anyone on the network can see which websites you're connecting to and even your data packets, if your connection to the website is not encrypted. Since a VPN creates a highly encrypted tunnel between your device and the VPN servers, no one on the public network can track what you're doing. The only IP address they can see you connecting to is that of the VPN itself.

If you believe that your Internet service provider is monitoring you without your consent, a VPN tunnel will prevent the ISP from tracking and logging your activities. A number of VPN providers also use an open-source client called OpenVPN to connect you to their service. Open-source code is available for public inspection, making it difficult to hide suspicious behavior in the software.

IVPN created this diagram to explain what VPNs do.

What a VPN is not

A VPN won't make you invisible. Someone can monitor the traffic coming out of the VPN server location, determine that it's a VPN, and potentially shut it down. Websites that detect a VPN server as your point of origin can refuse your connection.

Also, the connection between the VPN and the websites that you visit while using it is not necessarily encrypted. The VPN has no control over that. Your bank website presumably uses its own encryption, but shopping on Amazon, for example, will still be wide open. A person or agency can sit between you and an unencrypted website and record things, like every link that you click and how long you stay on each page. (To see if the site's encrypted, look in your browser's address bar for a padlock or "https" in the URL.)

No padlock icon next to the Internet address? Then the connection between the website and your VPN can still be snooped on.

Finally, many VPN services block peer-to-peer traffic to protect themselves from piracy lawsuits. So there may be limitations on the kind of Web activities you can engage in.

Using a VPN requires a leap of faith, even if you trust your computer and the software that you're running on it. There's always a possibility that the VPN service is not as anonymous or as private as it claims. These companies rely on trust, and spying on users would lose them customers. But it's a possibility that you have to keep in mind, especially if you live in a country with limited human rights. In that scenario, a VPN alone may not be enough to protect you when the political situation gets volatile. You may need to combine a VPN with Tor (see below) or another privacy tool to protect yourself.

Legal issues

Countries (and groups of countries like the European Union) have varying laws on what they allow companies operating on the Internet to do. EU laws require companies to retain certain customer data for six months, which is a problem for a VPN service that's trying to advertise privacy and anonymity. Specifically, the EU laws require them to keep a record of IP addresses, which law enforcement uses to identify specific users.

There are potential problems with this, such as the data being stolen or accidentally disclosed, and the difficulty of proving in court that a specific person is linked to the activity log of a specific IP address. An unauthorized individual may have been using the IP address without the legitimate owner's knowledge. The German legal system determined in 2010 that this law is unconstitutional. Romania and the Czech Republic have also rejected the law, and it appears that the EU will not compel them to follow it.

In the United States, data retention is a complicated issue. Currently, there is no law compelling mandatory data retention, but there are indications that US law enforcement has vast resources and legal powers to monitor you without your knowledge. Therefore, a VPN provider based in the United States may be confronted with these agencies without its customers being aware. A number of VPN providers are deliberately headquartered outside the jurisdiction of the United States and the European Union to avoid these complications, and they usually mention this in their marketing materials.

Paying for VPN access

Let's assume you've found a VPN you trust that appears to be free of laws that could compromise your privacy. If you haven't, we did some research and came up with interesting choices, such as IVPN. In our opinion, a paid VPN is the way to go.

We don't recommend using free VPNs. Their advantage is that there's no financial transaction that can be tracked. But the flip side is that when the service is free, the customer is the product. Free VPNs may inject ads into your Web browser, or they may sell your data -- the websites you visit, when you visit, how many times a week you visit, and so on. In the case of Hola VPN, it resells your unused bandwidth as a premium service, and you have no way of knowing how that bandwidth will be used -- the buyer might be using it for illegal activity. Or the buyers might consume vast amounts of data, which is a problem if you have a monthly data cap.

With a free VPN, your connection speed and the variety of geographical locations you can connect to may also be limited. When you pay for VPN access, your download speed is usually unrestricted, there usually isn't a data cap, and you have the full range of server locations to connect to.

Most paid VPNs have monthly and annual options. The more time you pay for at once, the less you pay on a monthly basis. Some services allow you to pay in three-month or six-month blocks as well, or they add a two-year option. Often you can try the service for seven days and get a full refund if you change your mind. Then there's Privatetunnel.com, which charges for gigabytes used rather than a time frame. You can start with 500MB for free, then buy 50GB for $12, 100GB for $20, or 500GB for $50. The more data you buy at once, the less you pay per gigabyte.

If privacy is a big concern, you won't want to use your personal credit or debit card to sign up. You can buy a gift card with the MasterCard or Visa logo, using cash, if you're willing to accept activation fees and potentially monthly service fees. But these stored-value cards usually require you to activate them online, using a physical address, name, phone number, and even a Social Security Number. Also, some services that offer a monthly subscription will not accept a gift card or reloadable card as payment, since these can eventually be depleted. These cards are also frequently limited to use within US borders. So if the website's payment processor is based in Europe or Canada, for example, your card may be declined, even if you have sufficient funds. Lastly, if a stored-value card gets lost or stolen, you lose all the funds stored on it.

If the VPN service has a PayPal option, that can give you a wider range of stored-value options, depending on which country you're in. You may also be able to use Bitcoin, which can be purchased without giving away your personal information. Your local laws may conflict with such payment methods, though, so you'll have to research that on a case-by-case basis.

Bonus considerations

Do you trust your operating system? If you really need a secure computing environment, Linux might be a better option. Like OpenVPN, most Linux distributions are open source. There's a lot more programming code in an OS than there is in a VPN client, so there's a greater chance for suspect code or bugs that threaten your security, even when the code is publicly reviewable. But Linux may be a better choice when privacy is paramount. If you're on a business trip overseas with a company laptop, your employer may even require it.

There are also options to mask the fact that your traffic is exiting from a VPN. The most popular option is Tor, which is short for The Onion Router. Tor reroutes your traffic through a network of encrypted relays operated by volunteers around the world. Your point of access is a version of the Mozilla Firefox browser that the Tor Project has customized to access its network and to increase general Internet security. This can make it difficult for a spy to figure out who you are or where you are. Still, Tor is theoretically vulnerable to a few technical exploits, one of which can be triggered when you use BitTorrent. Websites can also recognize that your traffic is being routed through Tor, and block you. Wikipedia is one example. You can counter that by using a Tor bridge (detailed on the Tor Project's website). Lastly, the Tor network is a relatively slow one. You won't be able to use it to stream HD videos, for example.

The Tor Browser can help protect you from being tracked.

There is a kind of arms race going on between those who want to have privacy on the Internet and those who want to track you. The mere act of choosing one side can put you on the radar of the other. For example, the National Security Agency is known to use a system called XKeyscore to monitor the Tor network. The NSA says that XKeyscore is intended to gather information about "legitimate foreign intelligence targets," a broad classification that can include a variety of individuals, from terrorists to local politicians. That's all the more reason to use tools like Tor and VPNs for personal privacy.

About Tom McNamara

Tom is the senior editor covering Windows at Download.com.