Do You Use It? VPN Use Is Widespread

Originally published at: Do You Use It? VPN Use Is Widespread - TidBITS

Prompted by the latest revelations about common VPNs being owned by Chinese companies that may share data with their government, our latest Do You Use It? poll explored how TidBITS readers use VPNs. As someone who has never used a VPN, I was surprised by their popularity—84% of respondents use one at least some of the time. As always, the results of this poll reflect the audience and shouldn’t be interpreted to imply anything more broadly.

Before we start, let’s make sure we’re all on the same page. A VPN, or virtual private network, is low-level software that enhances your privacy and security by routing your Internet traffic through an encrypted tunnel to a remote server, hiding it from potential attackers on your local network or between you and the destination. Many people also use VPNs to circumvent location- and IP-based restrictions that support geographic content licensing and the desires of organizations to block certain types of content.

When Do You Use a VPN?

We started the poll by asking when people use a VPN to assess the overall level of VPN usage. The distribution of responses was fascinating, with the all-or-nothing answers bookending the results at 16% each. In the middle, 26% of participants indicated they often use a VPN, while 42% rely on one only when necessary.

Only 16% of respondents never use a VPN, which may reflect the technical aptitude and security-mindedness of TidBITS readers. I can’t speak for others, but I’ve never found the need to use a VPN because I work from home nearly all the time. Most of my traffic is already encrypted with HTTPS, I don’t download torrents or engage in activities where I’m concerned about protecting my privacy from my ISP, and I don’t watch videos or do other things that run afoul of geo-restrictions.

The 16% of respondents who use a VPN all the time seemed to fall into two categories: those who are required to do so by their employer (and see no reason to turn the VPN off for personal work) and those who are willing to endure a bit of inconvenience for complete privacy protection.

That inconvenience seems to be what causes 26% of respondents to turn off their VPNs occasionally. People mainly reported performance issues and difficulties with websites not loading or functioning properly when accessed via a VPN. These issues undoubtedly influence why 42% of respondents say they use a VPN only when necessary. In other words, VPNs don’t just work for everyone.

Why Do You Use a VPN?

Our next question attempted to discern what those who do use VPNs aim to achieve.

The answers require some unpacking:

• Security (69%): The most common reason people use a VPN is to ensure security—they want a guarantee that no one can eavesdrop on their connection and read data. Organizations care deeply about confidential information, which is one reason employers often mandate VPN usage. The risk of an attacker connected to the same public Wi-Fi network being able to see unencrypted traffic also drives many people to use VPNs when working outside the home or office. While added security is generally beneficial, it’s important to remember that most Internet traffic is now encrypted by default. Nearly all Web pages use HTTPS, most email over IMAP and SMTP employs TLS encryption, everything transmitted via iMessage is encrypted, and so on. The primary unencrypted traffic for most individuals consists of DNS lookups, which reveal which websites you are visiting, even if the actual data transferred remains encrypted.
• Privacy (57%): The next most common issue is privacy, or controlling who sees what you do, which directly relates to the fact that most DNS traffic isn’t encrypted. When you use a VPN, neither your ISP nor an attacker on the same local network can determine where you’re going and thus infer what you’re doing. However, the VPN provider can see that information and may log it, potentially allowing it to be exposed, at least to law enforcement. Remote websites see an IP address, but it’s that of the VPN server, not your ISP or device, which may also enhance your privacy.
• Access (52%): Another major reason TidBITS readers use a VPN is to bypass access restrictions. Streaming services may have licenses to show content in some countries but not in others, sports teams may have streaming blackouts in their local markets, and so on. With a VPN, you can make your traffic appear to originate from an allowed location. Given the ease and popularity of circumventing these arbitrary restrictions, one would hope they will diminish over time. VPNs also assist people in working around organizational restrictions, such as schools blocking games or employers limiting access to adult sites.
• Anonymity (42%): This answer was higher than I expected, which may have been due to people conflating it with privacy and voting for both. I was trying to tease out VPN use triggered by the desire to be completely anonymous—to make it difficult or impossible to connect your online activity back to who you are. A VPN contributes to that—selecting one that doesn’t log traffic is crucial—but you must also limit your actions to avoid leaving clues about who you are.
• Control (27%): The least common reason for using a VPN was control, by which I meant remote network access. Two prominent examples include accessing network resources on an employer’s network—such as file servers and printers—and connecting to your home network while traveling. Several people mentioned using Tailscale to access their home networks, as Glenn Fleishman described in “Tailscale Gives You Remote Access to Your LAN from Anywhere” (24 February 2025).

What Type of VPN Do You Use?

One of the complications of this poll is that precisely what constitutes a VPN is somewhat unclear. The initial trigger for the poll was to warn people about potentially problematic Chinese VPNs and seek recommendations for alternatives, but that didn’t account for enterprise-grade VPNs used by large organizations or individuals hosting their own VPNs. As I delved deeper into the topic, I discovered that there are also browser-level VPNs that protect only Web traffic, along with secure proxy browser extensions that provide much the same functionality through other protocols. Some browser-based VPNs are actually secure proxies as well. It’s quite a mess, so the next question asked what type of VPN you use.

The answers offered some clarity:

• System-level VPN (86%): Most respondents rely on a system-level VPN that protects all the traffic leaving the computer. To my mind, that aligns closely with what most people consider a VPN to be—an encrypted tunnel for everything.
• Employer’s VPN (15%): I suspect that most of those who use their employer’s VPN also voted for the system-level VPN, as enterprise VPNs manage all traffic. This figure also aligns fairly well with the 16% of respondents who use a VPN all the time.
• Browser-based VPNs (10%): These VPNs are relatively new, which may explain the low ranking for this answer. Opera introduced the concept in 2016 with a secure proxy, but the full-fledged Brave VPN (based on Guardian) only launched in 2020, and the similarly functional Proton VPN for Vivaldi came out this year.
• Self-hosted VPN (9%): It’s too much work for most people to host their own VPN. I suspect that many people responding with this answer were referring to Tailscale, although there are certainly approaches using dedicated software or hardware.
• Secure proxy browser extension (3%): Very few people use these browser extensions, which I think is generally a good thing because many of those I looked at seemed a little sketchy.

Which VPN Do You Use?

Our final question aimed to identify the most popular VPNs among TidBITS readers. While some readers suggested alternatives in the comments—our polls max out at 20 answers—I doubt any would have received significant votes. Therefore, anyone looking for a VPN should consider the top-rated choices below.

While I can’t provide personal recommendations, a few notes are warranted for the responses garnering more than 5% of the votes:

• NordVPN (26%): The most popular choice was NordVPN, which features a welcome option to disable itself on trusted networks. However, a reader reported encountering difficulties while traveling in China, although he didn’t specify whether he attempted different VPN protocols, some of which are more easily detected and blocked. Several users noted receiving poor tech support, with one individual unable to get it to function on his iPhone. Prices range from $3.39 to $12.99 per month, depending on the plan and length of subscription.
• Proton VPN (21%): Proton VPN was almost as popular. No one had anything negative to say about the service, although there were questions about whether it was worth the price, which seems comparable to others. There appears to be a 70% off deal right now, causing prices to range from $2.99 to $9.99 per month.
• Mullvad/Mozilla VPN (11%): I combined these products into one answer because Mozilla VPN uses Mullvad’s servers. Several people noted that Mullvad also integrates with Tailscale, allowing you to route Internet-bound traffic through Mullvad’s servers while keeping local traffic within the Tailscale network. Mullvad charges a flat rate of €5 per month, regardless of how long you subscribe—that’s currently $5.69 in US dollars. In contrast, Mozilla VPN costs $4.99 or $9.99 per month, depending on billing frequency.
• ExpressVPN (10%): While one user said he had found ExpressVPN to be the best for bypassing geo-restrictions (the streaming services try to block VPN connections for obvious reasons), others raised concerns about the company’s ownership. ExpressVPN was acquired in 2021 by Kape Technologies, a British holding company that also owns Private Internet Access (next) and CyberGhost (1%), along with the antivirus company Intego and a review site that ranks Kape’s companies highly. Kape was previously known as Crossrider and was associated with adware. ExpressVPN’s monthly prices range from $4.99 to $12.95.
• Private Internet Access (9%): As with ExpressVPN, only one person mentioned using Private Internet Access, presumably successfully. Again, Private Internet Access is owned by Kape Technologies, which some may consider a negative. Its prices range from $2.03 to $11.95 per month.
• TunnelBear (8%): Several respondents expressed their fondness for TunnelBear, mentioning that it is operated by Plucky Canadians™ and complimenting its Web login screen of a cartoon bear covering its eyes with its paws while a password is being typed in. One individual remarked that he had found it slow several years ago. TunnelBear’s pricing ranges from $3.33 to $9.99 per month.
• Surfshark (7%): While it continues to operate independently, Surfshark merged with Nord Security, the company behind NordVPN, in 2022. No one commented about it, and its monthly pricing ranges from $1.99 to $15.45.

While I still find the VPN space overwhelming, if I needed to use a VPN, I would start by investigating NordVPN, Proton VPN, Mullvad, TunnelBear, and Surfshark. I find Mullvad’s flat-rate pricing attractive for short-term usage, although in that case, I would probably also consider whether Brave VPN or Proton VPN for Vivaldi would meet my needs. But that’s just me. If you’re trying to compare these or other VPNs, Randy Singer shared a link to the CyberInsider site, which has reviewed and compared many of the VPNs. Wirecutter recommends Mullvad, TunnelBear, and Proton VPN.

I remain comfortable not using a VPN, but I wouldn’t judge anyone who did.

I travelled from Norway to Montana in October some years ago to fish. I was leaving Rock Creek and heading to Clark Canyon Reservoir. My goal was to fish in the Beaverhead River. As I was driving on Interstate 15, a snow-storm (this is what we call it in Norway, maybe it is called something else in US?) met me. I saw big trailers and cars that had turned over and lay by the side of the road.
Large signs declared that Monida Pass was closed. I wasn’t sure if this affected me, so I stopped to check. Googling “Montana traffic reports” led me to https://www.mdt.mt.gov/travinfo/detailed.aspx
I was met with this.

It was a strange sort of message, and it took me a few minutes to realize I was blocked. Fortunately, I had a VPN app on my iPhone, and I soon discovered the road was closed at Barretts. Barretts lies beside the Beaverhead River, about 30 minutes from Clark Canyon Reservoir. That proved helpful–when I was stopped at Barretts, I was ready and asked if I could park at Barretts Park Campground, and he let me through.

One interesting thing is that this is becoming less important over time, thanks to so many corporate services being provided as cloud services.

At my first few jobs, my employers ran all their servers. If I wanted to access anything from home, there was no choice but to go in via a VPN. Or in the oldest case, dial-up login to a corporate modem pool.

But my current employer uses a lot of cloud-based services from a variety of vendors. Access requires authentication by corporate servers (which are also cloud-accessible), so most of what I need to do can be done without a VPN - I just need to have the required credentials (passwords, certificates, 2FA hardware) to log in. So although I still have and occasionally use VPN access, it’s not nearly as much as was the case 20 years ago.

I suspect this is going to be common for a lot of large corporations, since moving IT resources off-site to cloud services has been popular for quite some time now.

I use a vpn when I use someone else’s internet access to read my email.
Are you saying that that is not necessary if my email addresses are smtp protected?

It depends on how you’re reading it.

• If you’re reading mail via the mail provider’s web interface, then it is encrypted if it is using HTTPS URLs.
• If you’re reading mail via an app on your own computer/device, you need to make sure the IMAP/SMTP/POP connections are configured to use SSL/TLS. If not, then they will not be encrypted, which is bad, even on your own personal Internet access.
• If you’re reading mail on someone else’s computer, then that has potential problems beyond the network’s encryption, including:
  • If you create an account on the computer’s mail app, you need to be able to completely delete it when you’re done. If the computer has an automatic backup system (e.g. Time Machine), that may be easier said than done.
  • There may be malware present, which could record screens and keystrokes.

Without knowing the specific details, it’s impossible to be certain, but if your network connections (web, IMAP, POP, SMTP) are all using encrypted transports (HTTPS, SSL/TLS, etc.) then it is unlikely that a VPN will give you any additional security.

But if your network connections are not encrypted (which is always bad, no matter whose network it may be), then a good VPN will provide a layer of encryption, protecting the data moving between you and the VPN server.

But it won’t (and can’t) protect data moving between the VPN provider’s network and the destination server. Which could also be snooped, and could expose critical data if your apps are not using encrypted transports (like HTTPS and SSL/TLS) in addition to the VPN.

Oddly, we have several SaaS applications where we’ve implemented restrictions that they can only be used from trusted egress IP addresses (i.e., from one of our on-prem locations, or on the employer VPN). This is more to avoid the potential for threat actors to actively attack these systems, as traffic not matching a known source address is immediately dropped.
So, it’s “fun” for me - I’ll be working and all of a sudden realize I can’t get to something, and it’s because I didn’t enable the VPN that morning.

My work VPN is Global Protect. But personally, I was using ExpressVPN until Kape took over, then I switched to NordVPN (as there was a deal at the time).
One thing about the top four listed here (NordVPN, Proton, Express, Mullvad and also Surfshark) are they are trusted zero log vpn providers. This means they’ve been researched and checked against court cases that they have no logs of your browsing, connections or amount of data transmitted/received. I know it sounds nefarious, but in light of current political climate, leaving no traces for DHS, PRC and others is considered wise.

There are only 2 reasons to use a VPN:

a) Location shifting. You want to pretend to be located in a different country so you can access country specify restricted web services (such as streaming some BBC shows, watching your favorite sports team, or similar).

b) You work for a company that requires VPN access in order to access the company’s internal network. In this case the company will specify and provide the VPN client, along with connection details.

Don’t use VPN services:

I’m surprised iCloud Private Relay doesn’t even get a mention - esp in this audience, I’d wager it is included in a service you’re already paying for (iCloud subscription) and offers unique privacy guarantees ‘by design’ - Neither Apple nor the 3rd party access proxy can see the entire tunnel to connect the dots on who’s connecting where.

Perhaps still under-appreciated, its a technical marvel: About iCloud Private Relay - Apple Support

I only use 1.1.1.1 and iCloud Private Relay. Used to use Mullvad which is stable and fast.

Talking about Mullvad, they have many ads on bus and billboard in the UK and I wonder why they can spend a lot on ad.

3. Your ISP requires you to use their DNS, so they can inject targeted ads based on the sites you visit.

Is this still going on? I read about ad-injecting DNS years ago, when it was apparently the way some “free” dial-up services paid their bills, but I haven’t read anything about it since then.

FWIW, I’ve used Comcast and Verizon and they have no such restrictions. I have manually configured my systems for third-party DNS servers for many years. Today, I run my own on a Raspberry Pi, which resolves everything, starting from the IANA root servers and working down from there.

Ach, just forgot. iCloud Private Relay isn’t a VPN, but it provides some similar privacy protection through its double-relay approach. And it works only in Safari.

Egad, I had Comcast Business Internet from about 2021-2024 and so many things kept breaking. I finally discovered that Comcast were silently redirecting all TCP and UDP traffic to port 53 (DNS) to their own miserable DNS servers “because… SECURITY!” and that this feature could not be disabled. The redirection actually happened in the cable modem, so it was extremely difficult to route around it. This was still happening as late as August 2024 when I was finally able to say goodbye and good-riddance to Comcast.

At some point, they finally (after being threatened with violations of California’s net neutrality law) issued a modem firmware update that enabled a well-hidden switch to turn off their “Security Edge” antifeature which was the root of the problem, but it would still silently turn back on from time to time (presumably with modem firmware updates).

Interesting. I’ve had Comcast/XFinity residential service, in Northern Virginia, since 2014 and it has mostly just worked.

Of note:

• I am using my own cable modem and router. I stopped renting theirs after the first month, after I was certain that the line was working.

  Today, I’m using an Arris SB6190 cable modem, a Linksys MR8300 router and a few VHW01v1 Velop mesh nodes. I didn’t have any problem setting up any of it for use with my Comcast service.

• I have had no problem setting my hosts to Google DNS, back when that was of interest to me. Today, my Raspberry Pi running Bind provides my DNS, and has no problem accessing the root servers or any other server it needs to access in order to resolve names.

  I did encounter all kinds of poor DNS performance before I switched away, but I never encountered any roadblock when switching.

• In addition to DNS, that Raspberry Pi also acts as a DHCP server for my LAN, so my devices are all given my own DNS address and not Comcast’s.

I wonder if this is a difference between residential and business service. Or a regional thing. Or maybe a “feature” of leasing equipment.

When I saw NordVPN coming in high on the list it struck me as odd as it seemed I’d associated it with having been hacked and wondered why the (far more advanced than I) TBTalkers would favor it.
But I searched online for ‘nordvpn hacked’ and only came up with something from 2018-19 in which the company indicated it was a rather minimal event ie no credentials taken, traffic monitored etc.
Was there a more recent hack and/or are NordVPNers satisfied it’s safe to use?

Not that this is a terribly important distinction, but this didn’t sound right, so I checked. As it turns out, iCloud Private Relay also works in apps for non-encrypted traffic. I imagine, though, that most app traffic is encrypted. Well, it should be, anyway.

As a result, Private Relay protects all web browsing in Safari and unencrypted activity in apps, adding both privacy and security benefits.

Allison Sheridan of Podfeet/Nosillcast fame did a deep-dive analysis on this a while ago for her decision, as most sites that do “best VPN” lists are typically unreliable paid placements:

She (and I) chose PIA, for what it’s worth. It seems to work fine, and offers most features wanted/expected including split-tunnelling which is useful.

Have things changed with PIA since May 2022 to change our decision, I wonder? It’s very affordable at just $79 for 40-months ($1.975/mth) I recently renewed at.

That explains this:

If you turn it back on here (Settings, Apple Account, iCloud, Private Relay), then you can’t turn it back off here. To turn it off for Safari, you do so here (Safari, Settings, Privacy Tab):

The Transparency Project reports: TTP - Apple Offers Apps With Ties to Chinese Military":

"Millions of Americans [presumably even more non-Americans—MLS] have downloaded apps that secretly route their internet traffic through Chinese companies, according to an investigation by the Tech Transparency Project (TTP), including several that were recently owned by a sanctioned firm with links to China’s military.

“TTP’s investigation found that one in five of the top 100 free virtual private networks in the U.S. App Store during 2024 were surreptitiously owned by Chinese companies, which are obliged to hand over their users’ browsing data to the Chinese government under the country’s national security laws. Several of the apps traced back to Qihoo 360, a firm declared by the Defense Department to be a “Chinese Military Company.” Qihoo did not respond to questions about its app-related holdings."