
Consumer VPNs promise privacy with one click. Some deliver. Many don’t. A few have even spied on their own users. Here’s a straight-talking guide to what VPNs are, when they’re useful, and a practical checklist to separate reputable providers from the pretenders.
What a VPN really does (and doesn’t)
A Virtual Private Network (VPN) creates an encrypted tunnel from your device to a VPN server. Everyone on the outside (your ISP, the coffee-shop Wi-Fi owner, hotel, etc.) sees only an encrypted connection to that server, not the sites you visit. Good uses:
- Securing traffic on untrusted/public Wi-Fi
- Reducing what your ISP can log about your browsing
- Getting a stable IP in hostile networks or shifting location for content/testing
A VPN does not make you invincible or fully anonymous. You’re trading who you trust with your traffic—from your ISP to the VPN operator. If the provider is shady, you’ve just handed them the keys. (EFF’s plain-English explainer is excellent. (Electronic Frontier Foundation))
Why caution is warranted
The consumer VPN market is a magnet for hype, affiliates, and a few outright abuses. A quick history:
- Facebook’s “Onavo Protect” was marketed as a free privacy VPN while feeding app-usage data back to Facebook; Apple later forced its removal from the App Store. (Ars Technica, Wikipedia)
- Hola VPN turned users into exit nodes and sold that bandwidth; researchers linked it to DDoS/botnet activity. (Ars Technica, CSO Online)
- PureVPN touted “no logs,” yet connection logs helped the FBI in a 2017 case—proof that “no activity logs” can still mean some logs. (TorrentFreak, BetaNews)
These are not one-off rumors; they’re documented incidents. (A recent video deep-dive offers a good non-technical overview of how the VPN business works and the tricks some providers use. (YouTube))
The flip side: some providers have evidence they’re doing it right. Example: in 2023 Swedish police showed up at Mullvad’s offices and left with nothing because there were no logs to seize. That’s what real “no-logs” looks like. (TechCrunch)
When you should use a public VPN
- Travel & public Wi-Fi: airports, hotels, conferences
- Hostile or nosy networks: landlords, campuses, or ISPs with aggressive logging
- Testing & geolocation needs: QA, ad checks, region-locking edge cases
- Censorship/workarounds: where lawful and appropriate
When a VPN is not the answer: protecting accounts from phishing, hiding from the platforms you log into, or replacing endpoint security. Pair it with MFA, a password manager, and good device hygiene.
A quick way to weed out bad VPNs
Use this Red-Flag Filter before you even read the pricing page:
- “Free & unlimited.” If you’re not paying, you are the product.
- Vague or absolute claims. “Military-grade,” “complete anonymity,” “zero-log*” footnotes—run. (The FTC has been prodding the industry over deceptive claims.) (cognitivemetropolis.com, Federal Trade Commission)
- No independent audits or transparency reports. Reputable VPNs publish 3rd-party audits (ideally recurring) and detail ownership/changes. (EFF recommends public audits.) (Electronic Frontier Foundation)
- Shady mobile apps. Check the app with Exodus Privacy to see if it’s packed with trackers. If your “privacy” app includes ad/analytics SDKs, hard pass. (Exodus Privacy Reports)
- Ownership shell games. If you can’t quickly learn who owns it and where it’s legally based, stop.
What to look for instead
1) Verifiable “no-logs” posture
Look for: repeat independent audits; real-world tests (e.g., warrants/raids yielding nothing); RAM-only servers; minimal operational telemetry. Example: Mullvad’s no-log posture held up under a police visit. (TechCrunch)
2) Clear, narrow data collection
Read the privacy notice. Mozilla VPN (which rides on Mullvad’s infrastructure) explicitly describes what it collects—and what it doesn’t. That’s what clarity looks like. (Mozilla Accounts, Mozilla)
3) Modern protocols & security
Prefer WireGuard or well-configured OpenVPN; kill switch; DNS leak protection; first-party or audited DNS.
4) Independent evaluations
Consumer Reports tested major VPNs for privacy/security practices; Mullvad, IVPN, and Mozilla VPN ranked at the top for transparency and security posture. (Consumer Reports)
5) Sensible jurisdiction & ownership
Jurisdiction alone isn’t everything, but it affects secrecy laws and gag orders. A company that is proud of its governance will explain it plainly (and often publish warrant canaries and transparency reports).
Shortlist from public research
We’re not affiliated with any VPN. Based on third-party reporting and audits:
- Mullvad – strong privacy culture, anonymous accounts, proven “no logs.” (TechCrunch)
- IVPN – detailed policy, open communication, regular audits. (See Consumer Reports’ findings.) (Consumer Reports)
- Mozilla VPN – runs on Mullvad infrastructure with a clear privacy notice and published audits. (Mozilla Accounts, TechRadar)
- Proton VPN & TunnelBear – solid transparency and audits; worth evaluating for your needs. (Referenced in CR’s test set.) (Innovation at Consumer Reports)
This is not a guarantee—do your own due diligence—but it’s a safer starting point than ad-driven “top 10” lists.
Step-by-step: vet a VPN in 20 minutes
- Ownership check: Who owns it? Any acquisitions or shell companies?
- Audit trail: Search “[provider] audit pdf” and look for reputable firms (Cure53, Deloitte, etc.) and recent dates. (NordVPN)
- History check: Any scandals (e.g., Onavo/Hola/PureVPN-style incidents)? (Ars Technica, BetaNews)
- Privacy notice: Is data collection specific and minimal? Does it forbid ads/trackers? (Mozilla Accounts)
- Mobile trackers: Scan the Android app with Exodus Privacy. If you see ad/analytics SDKs, reconsider. (Exodus Privacy Reports)
- Security features: Kill switch, DNS leak protection, modern protocols, IPv6 handling, multi-hop optional.
- Payment/identity: Can you pay without linking more data than necessary?
- Support & transparency: Do they publish transparency reports/canaries?
- Independent reviews: Prioritize labs and orgs that test privacy not just speed. (Consumer Reports’ research is a good reference point.) (Consumer Reports)
- Trial & test: After signup, run leak tests and try different networks; make sure the kill switch really kills.
Setup tips once you’ve picked one
- Enable auto-connect on untrusted Wi-Fi and the kill switch.
- Use split tunneling thoughtfully (keep banking and email inside the tunnel).
- Lock down the account with a password manager and 2FA.
- Test for leaks (DNS/WebRTC) after major updates or travel.
- Don’t stack VPNs; one well-configured tunnel is usually best.
For businesses
A public VPN is not a substitute for Zero Trust Network Access (ZTNA), SASE, or a proper remote-access design. For employee privacy on travel, a vetted consumer VPN can help—but corporate data should live behind identity-aware controls, device checks, and least-privilege access.
Wendego + Perimeter 81 (Check Point SASE)
Wendego has partnered with Perimeter 81 (now part of Check Point SASE) to help customers implement modern ZTNA and SASE—the right way. In plain English: users authenticate with your identity provider, their device posture is checked (encrypted disk, AV present, etc.), and they’re granted only the specific app access they need—no flat network, no VPN hairpins, no implicit trust. The platform consolidates ZTNA, Secure Web Gateway (SWG), Cloud Firewall/FWaaS, and centralized policy in a single cloud service, with support for Azure AD/Entra, Google, SAML IdPs, and more. (Check Point SASE, Perimeter 81)
Why we like it for ZTNA/SASE:
- Identity- and app-level access (not network-level), with continuous verification. (Check Point SASE)
- Device Posture Check to block unmanaged/unsafe endpoints. (Perimeter 81 Support, Perimeter 81)
- Built-in SWG & Cloud Firewall for URL/category filtering and east-west control. (Perimeter 81 Support, Check Point SASE)
- Tight IdP integrations for quick rollouts and SSO. (Check Point SASE)
As a partner, Wendego can assess your current remote access, map apps/users to least-privilege policies, pilot Perimeter 81, and roll it out with minimal disruption. Want a quick design session or pilot? Contact us—we’ll recommend the right approach for your environment.
Bottom line
A VPN can meaningfully improve privacy on hostile networks—but only if the provider earns your trust. Look for verifiable no-logs, public audits, clear privacy notices, and a history without skeletons. Avoid free VPNs and ad-tech tie-ins. If a claim sounds too good to be true, it probably is.
If you’d like us to sanity-check a provider or design a travel-safe configuration for your team, we’re happy to help.
Sources & further reading
- EFF: Choosing the VPN That’s Right for You. (Electronic Frontier Foundation)
- Consumer Reports: many VPNs over-promise; Mullvad/IVPN/Mozilla among the most trustworthy in testing. (Consumer Reports)
- Mullvad “no logs” confirmed when police left empty-handed. (TechCrunch)
- Onavo (Facebook) privacy controversy & App Store removal. (Ars Technica, Wikipedia)
- Hola VPN abuse of users’ bandwidth. (Ars Technica)
- PureVPN logs used in FBI case. (BetaNews)
- Check mobile-app trackers with Exodus Privacy. (Exodus Privacy Reports)
- Overview of industry issues (video explainer). (YouTube)