20 VPN Myths Debunked
Dangerous misconceptions about VPN privacy lead people to make costly security mistakes. Here are the 20 most common VPN myths — and the truth behind them.
Dangerous misconceptions about VPN privacy lead people to make costly security mistakes. Here are the 20 most common VPN myths — and the truth behind them.
This is the single most dangerous VPN myth. VPNs hide your IP address and encrypt your traffic, but they don't erase your digital identity. Websites track you through browser cookies, device fingerprints, logged-in account sessions, and behavioural patterns. If you're signed into Google Chrome while It Protects and How to Use It">on Public WiFi: Why It's Essential in Hong Kong">Hong Kong?">using a VPN, Google knows exactly who you are — your VPN just means your ISP doesn't also know.
Truth: A VPN provides pseudonymity, not anonymity. It hides your IP and encrypts traffic, but browser cookies, account logins, and device fingerprinting still identify you. For genuine anonymity, combine a VPN with the Tor Browser and no account logins.
VPN users include journalists protecting sources, lawyers securing client communications, businesses protecting trade secrets, remote workers accessing company networks, travellers maintaining access to home services abroad, and ordinary people who simply value their privacy online. The cybersecurity community universally recommends VPN use as a basic security hygiene practice.
Truth: Over 1.5 billion people worldwide use VPNs, primarily for privacy, streaming, remote work, and security on public WiFi. They are recommended by cybersecurity professionals, governments, and enterprise IT departments as essential security infrastructure.
Free VPN providers must fund their infrastructure somehow. Studies — including a landmark 2019 CSIRO analysis of 283 free VPN apps — found that 38% contained malware, 82% requested access to sensitive personal data, and 18% didn't encrypt traffic at all. Many free VPNs monetise user data through third-party advertising networks and data broker sales.
Truth: Free VPNs typically monetise your browsing data — the very thing you're trying to protect. With limited exceptions (ProtonVPN Free, Windscribe Free), free VPNs provide significantly less security, lower speed, and greater privacy risk than paid alternatives costing HK$40–80/month.
This was true of older VPN protocols like OpenVPN on limited hardware. Modern protocols — especially WireGuard — add minimal overhead. Independent speed tests consistently show top VPNs like NordVPN (NordLynx) and ExpressVPN (Lightway) delivering 400–600 Mbps throughput from Hong Kong, which is far faster than most home internet connections.
Truth: Quality VPNs using WireGuard add only 5–15% speed overhead — imperceptible for streaming, browsing, and most downloads. On a 500 Mbps connection you'll realistically still get 400+ Mbps through a well-chosen VPN server.
When you use a VPN, you shift trust from your ISP to your VPN provider. The VPN server decrypts your traffic to forward it to the internet — technically, the VPN provider could log everything you do. This is why the no-logs policy and its verification through independent audits are so critical. Without a verified audit, a VPN's no-logs claim is just a marketing statement.
Truth: Your VPN provider can technically see your traffic. A verified no-logs policy (audited by firms like Cure53 or PwC) means the provider does not retain logs — but you are trusting the provider. Research ownership, jurisdiction, and audit history before subscribing.
VPN use for personal privacy and security is entirely legal in Hong Kong under current law. Hong Kong's legal framework differs significantly from mainland China, where VPN use is restricted to government-approved providers. Many businesses in HK rely on VPNs for legitimate remote access, and the technology itself is not prohibited by any Hong Kong legislation as of 2026.
Truth: VPN use is legal in Hong Kong. While HK's legal environment has evolved since 2020, no law prohibits personal VPN use. What remains illegal is using a VPN to commit crimes — the VPN doesn't create a legal shield for criminal activity.
A VPN encrypts your internet traffic — it doesn't scan files, block malicious downloads, or prevent malware from executing on your device. If you download an infected file while connected to a VPN, the VPN will happily transmit the malware to your device just as efficiently as without it. Only some VPNs include basic malware blocking (NordVPN's Threat Protection, for example), and even these are not substitutes for dedicated antivirus software.
Truth: A VPN is a privacy and encryption tool, not an antivirus. Use a reputable antivirus solution (Malwarebytes, Bitdefender) alongside your VPN — they serve different, complementary security functions.
Marketing materials for VPN providers often lead with server counts ("6,400+ servers in 111 countries") as a quality indicator. In reality, server quality — bandwidth capacity, hardware specifications, network peering, and uptime — matters far more than quantity. A provider with 500 well-maintained, high-capacity servers will consistently outperform one with 7,000 overloaded or virtual servers in the same locations.
Truth: Server count is a weak proxy for quality. Prioritise providers who publish server load statistics, use RAM-only hardware (no data retention), and have demonstrated fast speeds in independent tests from your specific region.
This argument misunderstands what privacy is for. Privacy isn't just about hiding wrongdoing — it's about maintaining control over personal information. Your browsing history reveals your health concerns, financial situation, relationship issues, political views, and personal interests. You wouldn't hand all this data to a stranger — why freely give it to your ISP to sell to advertisers and share with authorities upon request?
Truth: Privacy is a fundamental right, not evidence of wrongdoing. Your browsing data is commercially valuable and can be used against your interests. "Nothing to hide" implies accepting surveillance of all personal activities — a standard few would accept in physical spaces.
HTTPS encrypts the content of your communications with a website — but it doesn't hide which websites you're visiting. Your ISP can see every domain you connect to (through DNS queries and SNI headers) even when all traffic is HTTPS. HTTPS also provides no protection on unsecured networks where MITM attacks can strip it, and it doesn't prevent your ISP from building a detailed profile of your browsing habits.
Truth: HTTPS and VPN are complementary, not alternatives. HTTPS encrypts content between your browser and the website; a VPN encrypts all traffic (including the metadata of which sites you visit) from your device to the VPN server, hiding your activity from your ISP and network.
Netflix does attempt to block VPN IP addresses, but this is an ongoing technical arms race rather than a total blockade. Premium VPN providers invest continuously in refreshing their server infrastructure to stay ahead of Netflix's detection. ExpressVPN, NordVPN, and Surfshark have maintained reliable Netflix unblocking for years, with dedicated teams monitoring and updating streaming servers regularly.
Truth: Most free and many cheaper VPNs are blocked by Netflix. Premium providers maintain Netflix access by continuously updating IP addresses. If one server is blocked, switching to another in the same country typically resolves the issue immediately.
A VPN hides your IP address but doesn't make you immune to law enforcement. VPN providers cooperate with legal requests in some jurisdictions, payment records link your subscription to your identity, and sophisticated attribution techniques (including traffic analysis and timing attacks) can correlate VPN users with online activities in high-resource investigations. VPNs are privacy tools, not criminal shields.
Truth: A VPN reduces your digital footprint but doesn't guarantee immunity from legal consequences. Many VPN providers — particularly those outside strong privacy jurisdictions — have cooperated with law enforcement when faced with valid legal compulsion.
Modern VPN apps from providers like ExpressVPN, NordVPN, and Surfshark are designed for non-technical users. Installation takes 2–3 minutes; connecting to a server requires a single tap or click. The days of manually configuring OpenVPN config files are long gone for consumer users. VPN apps work like any other smartphone app — download, subscribe, and tap Connect.
Truth: Consumer VPN apps are now among the simplest security tools available. If you can use a streaming app, you can use a VPN app. Most offer single-tap "Smart Location" features that automatically select the best server for your needs.
While mobile carrier networks are more secure than public WiFi — using SIM-based authentication and carrier-level encryption — they are still visible to your mobile carrier. Your carrier can see all your unencrypted browsing data and is subject to the same regulatory data retention requirements as fixed-line ISPs. A VPN on mobile protects you from carrier surveillance just as effectively as it protects against ISP surveillance on fixed broadband.
Truth: Mobile carriers can see your unencrypted browsing data and DNS queries, and are subject to data retention laws. A VPN protects your mobile data from carrier surveillance — particularly important for sensitive browsing on 4G/5G.
"No-logs" is one of the most misused marketing terms in the VPN industry. Dozens of providers claim no-logs policies that have been contradicted by their actual behaviour when confronted with legal requests or security breaches. A no-logs claim is only credible when backed by an independent third-party audit, a proven track record of resisting government data requests, and transparent ownership.
Truth: "No-logs" without independent verification is a marketing claim. Seek providers with audits from reputable firms (Cure53, PwC, Deloitte), transparent annual transparency reports, and a jurisdiction that limits forced data disclosure.
Browser VPN extensions (including those marketed by legitimate VPN providers) only proxy traffic from your browser — they are technically HTTPS proxies, not full VPNs. All other apps on your device continue connecting to the internet without any VPN protection. Your email client, torrent client, games, and background system processes all bypass the browser extension entirely.
Truth: Browser VPN extensions only protect browser traffic. Only a full VPN application (installed at the system level) creates a true encrypted tunnel covering all apps and connections on your device.
Double VPN (routing through two VPN servers sequentially) adds a layer of IP obfuscation but introduces trade-offs: speed drops significantly (often 40–60% slower than single-hop), and the security benefit for most users is marginal. The main use case is high-risk individuals (journalists in authoritarian states, activists) who need to ensure even the VPN provider's servers can't link inbound and outbound traffic.
Truth: Double VPN is a specialist feature for high-risk users — it adds meaningful security only in specific threat models. For everyday privacy use, a single well-chosen VPN with a verified no-logs policy provides all the security the vast majority of users require.
A VPN doesn't need to be always on to be useful. You can enable it selectively for high-risk situations: when using public WiFi, when accessing sensitive accounts, when you don't want your ISP to see your browsing, or when accessing geo-restricted content. That said, leaving a VPN running continuously is perfectly fine with modern implementations — WireGuard is efficient enough that always-on VPN has minimal impact on battery and performance.
Truth: Use your VPN as much or as little as your threat model requires. For maximum privacy, always-on is ideal. For users who primarily care about public WiFi protection, connecting only on untrusted networks is a perfectly reasonable approach.
Feature bloat in VPN apps can actually indicate poor priorities. Many providers add flashy extras — password managers, cloud storage, dark web monitoring, browser extensions, ad blockers — as bundled extras to justify pricing, while neglecting core VPN quality: speed, reliability, and genuinely verified privacy. A VPN that does its core job perfectly is preferable to one with 15 half-baked extras.
Truth: The essential VPN features are: strong encryption, verified no-logs policy, kill switch, DNS leak protection, and WireGuard support. Everything else is optional. Prioritise core quality over feature count when evaluating providers.
Your ISP can still observe that you're connected to a VPN — the connection to the VPN server's IP address is visible. In some countries, the mere fact of using a VPN is logged. What the ISP cannot see is the content or destination of your traffic beyond the VPN server. Timing analysis can sometimes reveal correlation between VPN connections and suspected activities, which is why high-risk users combine VPNs with additional tools like Tor.
Truth: Your ISP can see you're connected to a VPN server — but cannot see what you're doing through it. Obfuscated VPN protocols (Shadowsocks, NordVPN obfuscated servers) can disguise VPN usage as regular HTTPS traffic if ISP-level VPN detection is a concern.