20 VPN Facts Everyone Should Know

From global usage statistics to the mathematics of AES-256 — these are the verified facts that reveal the true state of VPN technology and online privacy.

1
Fact

Over 1.5 billion people use VPNs globally

According to GlobalWebIndex and Statista data, approximately 31% of global internet users — over 1.5 billion people — used a VPN in 2024–2025. This represents extraordinary growth from under 200 million users a decade ago, driven by increasing privacy awareness, remote work adoption, and streaming geo-unblocking demand. Indonesia, India, and Saudi Arabia have the highest VPN adoption rates relative to internet population.

2
Fact

AES-256 would take longer than the age of the universe to crack by brute force

AES-256 has 2²⁵⁶ possible key combinations — approximately 1.15 × 10⁷⁷. Even if every atom in the observable universe were a computer performing one billion operations per second, brute-forcing AES-256 would take approximately 10⁵² years — many orders of magnitude longer than the current age of the universe (13.8 billion years). This is why AES-256 is considered computationally unbreakable with any foreseeable technology.

3
Fact

WireGuard has a codebase 17x smaller than OpenVPN

WireGuard's complete implementation is approximately 4,000 lines of code, compared to OpenVPN's roughly 70,000 lines. This isn't just an engineering preference — it has direct security implications. Every line of code is a potential vulnerability; fewer lines means fewer places for bugs to hide, and a smaller surface area for security researchers to audit. WireGuard's lean codebase has been reviewed and verified more thoroughly than any previous VPN protocol.

4
Fact

38% of free VPN apps on Android contained malware

A 2019 CSIRO study — one of the most comprehensive academic analyses of free VPN apps — tested 283 free VPN applications available on the Google Play Store. The results were alarming: 38% contained malware, 82% requested permissions to access sensitive user data including contacts and messages, and 18% didn't encrypt user traffic at all despite claiming to be VPNs. The study's findings underpin security professionals' universal recommendation against free VPNs for sensitive use.

5
Fact

The VPN market is projected to reach US$350 billion by 2032

The global VPN market was valued at approximately US$45 billion in 2023 and is projected to reach US$350 billion by 2032, growing at a CAGR of approximately 17% annually. The growth is driven by enterprise remote access adoption, increasing cybersecurity awareness among consumers, expanding digital surveillance legislation, and growing streaming geo-unblocking demand particularly in Asia-Pacific markets including Hong Kong.

6
Fact

Hong Kong internet users are among Asia's most VPN-aware

Survey data from Statista and GlobalWebIndex consistently places Hong Kong in the top tier of VPN awareness among Asian internet users, with VPN usage significantly higher than the global average. This is driven by Hong Kong's historically open internet culture, high awareness of digital privacy, a large proportion of international business users who require secure remote access, and the city's proximity to mainland China where VPN usage is essential for many cross-border workers.

7
Fact

A DNS leak can expose your browsing history even with an active VPN

DNS (Domain Name System) leaks are one of the most underappreciated VPN vulnerabilities. They occur when a device sends DNS resolution requests — essentially lookups of which websites you're visiting — through the ISP's DNS servers rather than through the VPN tunnel. This means an ISP can log every domain you visit even while your VPN is connected, completely undermining the privacy protection. Test at dnsleaktest.com after connecting to ensure your DNS is routed through the VPN server.
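
A local check for the leak described above, as an added example that is not part of the original article: it reads the configured resolvers and works out, by longest-prefix match, which interface each DNS query would leave by. The routing table, the interface names (tun0, eth0) and the resolv.conf contents are constructed samples.

```python
import ipaddress

# Constructed routing table for a host with the VPN up: two /1 routes over the
# tunnel (the pattern OpenVPN's redirect-gateway def1 installs) plus the LAN.
ROUTES = [
    ("0.0.0.0/0", "eth0"),
    ("0.0.0.0/1", "tun0"),
    ("128.0.0.0/1", "tun0"),
    ("192.168.1.0/24", "eth0"),
]

def egress_interface(dest, routes):
    """Longest-prefix match: return the interface a packet to dest leaves by."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def parse_nameservers(resolv_conf):
    """Extract resolver addresses from resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def find_dns_leaks(resolv_conf, routes, tunnel_dev):
    """Return (resolver, interface) pairs whose queries bypass the tunnel."""
    leaks = []
    for server in parse_nameservers(resolv_conf):
        dev = egress_interface(server, routes)
        if dev != tunnel_dev:
            leaks.append((server, dev))
    return leaks

# Constructed resolv.conf: the DHCP-assigned router resolver was left in place.
SAMPLE_RESOLV_CONF = """\
# generated by DHCP client (constructed sample)
nameserver 192.168.1.1
nameserver 10.8.0.1
"""

if __name__ == "__main__":
    for server, dev in find_dns_leaks(SAMPLE_RESOLV_CONF, ROUTES, "tun0"):
        print(f"LEAK: {server} is reached via {dev}, not tun0")
```

The router resolver at 192.168.1.1 matches the more specific LAN route, so its queries leave over eth0 even though all other traffic is tunnelled.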

8
Fact

VPNs are used by over 95% of Fortune 500 companies

Enterprise VPN usage is near-universal among large corporations globally. Corporate VPNs — typically deployed on solutions like Cisco AnyConnect, Palo Alto GlobalProtect, or Zscaler Private Access — provide secure remote access for employees, connect branch offices, and protect the transmission of sensitive business data. The COVID-19 pandemic dramatically accelerated enterprise VPN adoption, with VPN connection volumes rising over 600% in March 2020 alone.

9
Fact

Netflix has over 2,600 titles in the US library not available in Hong Kong

Content licensing varies enormously by country. US Netflix carries approximately 5,800 titles as of 2026, while Hong Kong Netflix carries around 3,200. The gap — over 2,600 titles — represents content licensed exclusively to US Netflix due to territorial rights agreements. This disparity is the primary driver of streaming VPN use, with subscribers paying identical monthly fees receiving dramatically different content libraries based purely on their geographic location.

10
Fact

The Five Eyes alliance shares intelligence data between five countries

The Five Eyes (FVEY) intelligence alliance — comprising the US, UK, Canada, Australia, and New Zealand — shares signals intelligence data under the UKUSA Agreement. VPN providers headquartered in these countries can be compelled to provide user data to intelligence agencies. The alliance extends to Nine Eyes (+ France, Netherlands, Denmark, Norway) and Fourteen Eyes (+ Germany, Belgium, Italy, Sweden, Spain). VPN providers in jurisdictions outside these alliances — Panama, Switzerland, British Virgin Islands — have stronger legal protections against forced data disclosure.

11
Fact

Perfect Forward Secrecy means past sessions are safe even if keys are stolen

Perfect Forward Secrecy (PFS) generates a unique session encryption key for every VPN connection, derived using an ephemeral Diffie-Hellman exchange. When the session ends, the key is destroyed and never stored. This means that even if an attacker later steals a VPN server's private keys (through seizure or a security breach), they cannot decrypt previously recorded VPN sessions — because the session keys were never stored anywhere. PFS is now standard in all reputable VPN implementations.
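
The difference between a session key tied to the long-term key and one derived from an ephemeral Diffie-Hellman exchange, as an added example that is not from the original article or any VPN product. The group (a Mersenne prime with generator 3), the HMAC used in place of a server signature and all function names are assumptions chosen so the code runs on the standard library alone.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration (assumption): P is the Mersenne prime 2^521 - 1.
# Real VPN handshakes use vetted groups or curves such as X25519.
P, G = 2**521 - 1, 3

def kdf(*parts):
    """SHA-256 over fixed-width encodings of ints and raw bytes."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part.to_bytes(66, "big") if isinstance(part, int) else part)
    return h.digest()

def static_session(long_term_key):
    """No forward secrecy: the key is a function of the long-term key and
    nonces that cross the wire in the clear."""
    c_nonce, s_nonce = secrets.token_bytes(32), secrets.token_bytes(32)
    key = kdf(long_term_key, c_nonce, s_nonce)
    return key, {"client": c_nonce, "server": s_nonce}

def ephemeral_session(long_term_key):
    """Forward secrecy: the key comes from per-session DH secrets, which
    go out of scope (are never stored) when this function returns."""
    c_priv = secrets.randbelow(P - 2) + 1
    s_priv = secrets.randbelow(P - 2) + 1
    c_pub, s_pub = pow(G, c_priv, P), pow(G, s_priv, P)
    key = kdf(pow(s_pub, c_priv, P), c_pub, s_pub)          # client side
    assert key == kdf(pow(c_pub, s_priv, P), c_pub, s_pub)  # server side
    # The long-term key only authenticates the handshake (HMAC stands in
    # for the server's signature); it is not an input to the session key.
    tag = hmac.new(long_term_key, kdf(c_pub, s_pub), hashlib.sha256).digest()
    return key, {"client": c_pub, "server": s_pub, "auth_tag": tag}

def recompute_from_capture(stolen_key, transcript):
    """What a holder of the stolen long-term key can derive from a recorded
    handshake without solving the Diffie-Hellman problem."""
    return kdf(stolen_key, transcript["client"], transcript["server"])

if __name__ == "__main__":
    ltk = secrets.token_bytes(32)
    for name, handshake in (("static", static_session), ("ephemeral", ephemeral_session)):
        key, seen = handshake(ltk)
        print(name, "recovered:", recompute_from_capture(ltk, seen) == key)
```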

12
Fact

China's Great Firewall uses deep packet inspection to detect VPN traffic

China's Great Firewall employs sophisticated Deep Packet Inspection (DPI) technology to analyse internet traffic in real time and identify patterns characteristic of VPN protocols. Standard VPN protocols (including basic WireGuard and OpenVPN) have identifiable traffic signatures that DPI systems can detect and block. VPN providers that work reliably in China invest in obfuscation technologies that disguise VPN traffic as ordinary HTTPS browsing, making it indistinguishable from normal web traffic to DPI inspection.

13
Fact

RAM-only VPN servers cannot retain user data even if physically seized

An increasing number of premium VPN providers (including ExpressVPN, NordVPN, Mullvad, and others) run their server infrastructure entirely in RAM (Random Access Memory) rather than on hard drives or SSDs. RAM loses all data the instant power is removed. This means that even if authorities seize VPN servers, there is no persistent storage to forensically examine — user data, connection logs, and encryption keys simply cease to exist when the server is powered off. ExpressVPN's RAM-only architecture was put to the test when Turkish authorities seized their servers in 2017, finding no user data.

14
Fact

Your ISP can sell your browsing history in many countries

In the United States, a 2017 Congressional Review Act resolution eliminated FCC rules that would have required ISPs to obtain opt-in consent before selling customers' browsing history and app usage data. US ISPs including AT&T, Comcast, and Verizon have sold aggregated browsing data to advertisers. In Hong Kong, while direct selling of individual browsing data is more constrained, ISPs are subject to data retention requirements and can be compelled to share data with authorities through legal processes.

15
Fact

WireGuard is now built directly into the Linux kernel

WireGuard was merged into the Linux kernel mainline (version 5.6) in March 2020 — an extraordinary milestone for a VPN protocol. This means WireGuard is available natively on all modern Linux systems (including Android, which is Linux-based) without additional software installation. Kernel-level integration provides performance advantages (no context switching between user space and kernel space) and security benefits (reviewed by the Linux kernel security team as part of the mainline codebase).

16
Fact

VPN kill switches work at two different levels in the operating system

VPN kill switches come in two fundamentally different implementations: application-level (soft) kill switches, which only block traffic from the VPN app itself when the connection drops; and system-level (hard) kill switches, which use OS-level firewall rules (Windows Firewall, iptables, pf) to block all internet traffic from any application on the device. System-level kill switches are significantly more reliable and cannot be bypassed by any application — they're essential for torrenting, streaming, and any use case where even momentary IP exposure is unacceptable.
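
One way to confirm that a Linux host really has the system-level variant, as an added example that is not part of the original article: the function audits iptables-save text and reports anything in the filter OUTPUT chain that lets traffic out other than via loopback, the tunnel interface or the VPN endpoint. The interface name wg0, the endpoint 203.0.113.10 and both rulesets are constructed placeholders.

```python
import shlex

def option(tokens, flag):
    """Value following flag in a rule, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def audit_killswitch(ruleset, tunnel_dev, endpoint):
    """Audit iptables-save text. Returns findings; an empty list means the
    filter OUTPUT chain permits only loopback, the tunnel and the endpoint.
    Jumps into user-defined chains are not followed."""
    findings, table, policy = [], None, None
    for line in ruleset.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[0].startswith("*"):
            table = tok[0][1:]          # e.g. "*filter" opens the filter table
        elif table != "filter":
            continue                    # nat/mangle policies are not the kill switch
        elif tok[0] == ":OUTPUT":
            policy = tok[1]
        elif tok[:2] == ["-A", "OUTPUT"] and option(tok, "-j") == "ACCEPT":
            if "!" in tok:
                findings.append("negated match, review by hand: " + line)
            elif (option(tok, "-o") not in ("lo", tunnel_dev)
                  and option(tok, "-d") not in (endpoint, endpoint + "/32")):
                findings.append("egress allowed outside tunnel: " + line)
    if policy != "DROP":
        findings.append(f"filter OUTPUT policy is {policy}, not DROP")
    return findings

# Constructed iptables-save sample of a default-deny (hard) kill switch.
HARD = """\
*nat
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wg0 -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -p udp -m udp --dport 51820 -j ACCEPT
COMMIT
"""
# Same ruleset with DNS allowed out of any interface, which bypasses the tunnel.
LEAKY = HARD.replace("-A OUTPUT -o wg0",
                     "-A OUTPUT -p udp --dport 53 -j ACCEPT\n-A OUTPUT -o wg0")
```

iptables-save covers IPv4 only; run the same audit over ip6tables-save output, since an unfiltered IPv6 path leaves traffic outside the tunnel.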

17
Fact

The average data breach costs organisations US$4.45 million globally

IBM's 2023 Cost of a Data Breach Report found that the global average cost of a data breach reached US$4.45 million — a 15% increase over 3 years. The report found that organisations with comprehensive security controls including encrypted VPN connections for remote access experienced significantly lower breach costs. In the context of enterprise security, VPN costs represent a tiny fraction of the potential financial and reputational exposure from a breach caused by unencrypted remote access.

18
Fact

Split tunnelling can improve VPN performance by 40–60% for typical users

Split tunnelling — routing only selected apps or domains through the VPN while others connect directly — reduces the load on both the VPN server and your device. For a user who routes only privacy-sensitive browsing through the VPN while streaming Netflix directly (without VPN overhead), the effective performance improvement for the non-VPN traffic is 100% (no overhead). For overall system performance, users report 40–60% improvement in perceived browsing speed when streaming and gaming traffic bypasses the VPN.

19
Fact

Browser fingerprinting can identify you even without cookies or IP addresses

Browser fingerprinting creates a unique identifier from your browser's configuration — including your OS version, browser version, installed fonts, screen resolution, GPU model, time zone, language preferences, and dozens of other parameters. The Electronic Frontier Foundation's Panopticlick project found that most browsers are unique or nearly unique among the millions tested. This means that even with a VPN masking your IP and cookies cleared, websites can re-identify you through your browser fingerprint — underscoring why VPN alone is insufficient for complete anonymity.

20
Fact

Mullvad VPN accepts anonymous cash payments — no account required

Mullvad VPN's privacy model is unique in the industry: subscribers can pay with physical cash (mailed to their Swedish headquarters), cryptocurrency, or bank transfer — with no email address, username, or personal information required to create an account. Accounts are identified only by a randomly generated 16-digit number. This design means Mullvad has no personally identifiable information to surrender even if compelled by legal order — a genuine implementation of privacy-by-design rather than a marketing claim.
