VPN Reality Check: Who Actually Logs, Who Actually Protects
VPN marketing claims "military-grade encryption" and "complete anonymity." The reality is much narrower. A ranked breakdown of audited providers (Mullvad, Proton, IVPN, OVPN), providers caught lying in court, sketchy parent companies, and what a VPN can and cannot protect against in your actual threat model.
The VPN lies and the small truth
VPN companies spend half a billion dollars a year on advertising. The marketing is universally the same — hackers in hoodies, "military-grade encryption," "complete anonymity online," sponsor codes on every tech YouTuber's video. The reality is considerably narrower than the ads suggest.
This post is the honest map. What a VPN actually does. What it doesn't. Which providers have been caught lying. Which have been audited. Which are worth the subscription. Which are malware.
What a VPN actually does
A VPN routes your internet traffic through an encrypted tunnel to a server operated by the VPN provider. That server then forwards your traffic to the destination. From the destination's perspective, you appear to be coming from the VPN server's IP address.
What you gain.
- Your ISP stops seeing which domains you visit (they still see VPN provider IP + timing + byte counts).
- Public Wi-Fi operators stop seeing domains in DNS (if you trust your VPN provider not to log DNS).
- Your real IP is hidden from the sites you visit.
- Geofenced content from the country your VPN server is in becomes accessible.
What you do NOT gain.
- Anonymity. You are anonymous to the destination website, not to the VPN provider.
- Protection against malware.
- Protection against phishing.
- Protection against tracking cookies and browser fingerprinting.
- Protection against data the apps on your phone already exfiltrate.
- Protection against your logged-in Google account.
- Immunity from law enforcement. Law enforcement subpoenas VPN providers.
The threat model VPNs actually address.
- Hiding browsing activity from your ISP.
- Hiding your origin IP from destination sites.
- Bypassing geofencing.
- Adding one layer of indirection in a threat chain.
The threat model they do NOT address.
- State adversaries with legal authority over your VPN provider.
- Traffic correlation attacks (timing analysis of encrypted tunnel).
- Browser fingerprinting, cookie tracking, logged-in account tracking.
- Your phone's ad ID being broadcast by apps.
- DNS leaks when the VPN client misbehaves.
- WebRTC IP leaks.
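The last two items are the ones you can test yourself. The following is an added example, not code from the original post or from any provider: it takes the three things a leak-test page reports back (the public IP a remote site saw, the resolvers that actually fetched a unique test hostname, and the browser's WebRTC ICE candidate lines) and flags a tunnel failure, a DNS leak, or a WebRTC leak. The provider values and all addresses are hypothetical, drawn from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Hypothetical provider values (documentation-range addresses, not a real VPN).
VPN_EXIT_IP = "203.0.113.10"       # address the provider says remote sites should see
VPN_RESOLVERS = {"203.0.113.53"}   # resolver the provider says answers tunnel DNS
# Address ranges that are never a leak when they show up in a WebRTC candidate.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

@dataclass
class Observation:
    public_ip: str              # what a "what is my IP" site reported back
    dns_resolver_ips: Set[str]  # resolvers that actually fetched a unique test name
    ice_candidates: List[str]   # SDP candidate lines the browser generated

def is_public(addr: str) -> bool:
    """True for a routable address; mDNS '.local' names and private ranges are not."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # e.g. an 'xxxx.local' mDNS candidate, which hides the real address
    return not any(ip in net for net in NON_PUBLIC)

def ice_candidate_address(line: str) -> Optional[str]:
    """Address field of 'candidate:<f> <comp> <proto> <prio> <addr> <port> typ <type> ...'."""
    parts = line.split()
    if len(parts) < 8 or not parts[0].startswith("candidate:") or parts[6] != "typ":
        return None
    return parts[4]

def find_leaks(obs: Observation) -> Dict[str, object]:
    leaks: Dict[str, object] = {}                # empty dict means every check passed
    if obs.public_ip != VPN_EXIT_IP:             # tunnel down, or no kill switch
        leaks["tunnel"] = obs.public_ip
    outside = sorted(r for r in obs.dns_resolver_ips if r not in VPN_RESOLVERS)
    if outside:                                  # DNS queries went around the tunnel
        leaks["dns"] = outside
    exposed = {a for a in map(ice_candidate_address, obs.ice_candidates)
               if a and is_public(a) and a != VPN_EXIT_IP}
    if exposed:                                  # WebRTC revealed a real address
        leaks["webrtc"] = sorted(exposed)
    return leaks

# Constructed sample: tunnel is up, but DNS leaked to the ISP resolver and WebRTC exposed the real IP.
LEAKY = Observation("203.0.113.10", {"203.0.113.53", "198.51.100.53"}, [
    "candidate:1 1 udp 2122260223 192.168.1.20 51000 typ host",
    "candidate:2 1 udp 1686052607 198.51.100.7 51000 typ srflx raddr 192.168.1.20 rport 51000"])
```

A host candidate with an RFC 1918 address or an mDNS `.local` name is not reported, because neither reveals anything beyond the local network; only a routable address that differs from the VPN exit counts.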
Providers caught lying about logging
Private Internet Access (PIA). Claimed "no logs." In 2016 and again in 2017, complied with FBI subpoenas by producing IP connection records that matched user activity to real identities. Two federal court cases. Their "no logs" claim survives in marketing despite repeated proof to the contrary.
HideMyAss. 2011 case. Claimed no logs. Produced logs identifying LulzSec member Cody Kretsinger. Arrest followed. Company continued advertising "no logs."
IPVanish. 2017 case. Claimed no logs. Produced subscriber logs including IP, timestamp, and connection info tying a user to child abuse material. Arrest followed. Company had been publicly claiming "zero logs."
PureVPN. 2017. Claimed no logs. Complied with FBI subpoena in a cyberstalking case by producing timestamps and real IPs tying a user to a stalker's accounts. Subsequently changed policies but the prior claim had been a lie.
Pattern recognition. "No logs" is a marketing claim, not a technical guarantee. Any VPN provider can be compelled to start logging a specific user under certain jurisdictions.
Providers that have actually been audited
These providers have commissioned independent third-party audits of their no-logging claims:
Mullvad. Sweden-based. Multiple audits since 2018 by Cure53, Assured AB. Does not require email for signup — you get a random account number. Payment accepted via Bitcoin, Monero, or cash by mail. In April 2023, Swedish police attempted a physical raid on Mullvad's office. Mullvad demonstrated to the police that no customer data existed to seize because none was stored. Police left empty-handed. Extensively documented.
Proton VPN. Switzerland-based. Multiple audits by SEC Consult and others. Run by the same team as ProtonMail. Strong jurisdiction (Swiss no-log regulations). Open-source clients.
IVPN. Gibraltar-based. Audited in 2019 by Cure53. Has a public warrant canary. Accepts cash and cryptocurrency payments.
OVPN. Sweden-based. Runs all servers from RAM (no persistent storage). Fires up a custom Linux distribution on each boot. Swedish court seizure in 2020 found nothing. Audited.
Providers owned by sketchy entities
ExpressVPN. Acquired by Kape Technologies in 2021. Kape (formerly Crossrider) is a company with a documented history of distributing adware through its Crossrider ad injection platform in the 2010s. Some of the adware campaigns Kape published and profited from distributed actual malware. Kape renamed, pivoted to privacy, and now owns ExpressVPN, Private Internet Access (the one caught logging), CyberGhost, and Intego. That's most of the consumer VPN market under one parent company with an unclean history.
NordVPN. Ownership structure is opaque. Headquartered in Panama but operated from Lithuania. Suffered a 2018 server compromise in Finland that NordVPN disclosed only after an outside researcher found the breach in 2019. The compromise involved a TLS key that could have enabled man-in-the-middle attacks against customers.
Hola VPN. Peer-to-peer VPN. Routes other users' traffic through your connection. In 2015, researchers demonstrated that Hola users had been rented out as a botnet, with their bandwidth sold to a DDoS-for-hire service. Never use Hola.
Hotspot Shield. 2017 FTC complaint. Hotspot Shield was caught injecting ads and redirecting users to affiliate URLs. Collected data and sold it to advertisers despite "privacy" marketing.
Free VPNs are malware
Onavo Protect (Facebook). Facebook bought Onavo in 2013 specifically to use it as a surveillance tool. Onavo was marketed as a free VPN. Facebook used the traffic data to identify competitors (they discovered WhatsApp's growth this way before they bought it) and track user behavior across apps. Apple kicked Onavo out of the App Store in 2018. Facebook relaunched the surveillance tool as "Facebook Research" paying teenagers $20/month to install a root certificate that MITM'd all their traffic. Apple kicked that out too.
Free VPN apps on mobile app stores. A 2019 VPNPro analysis found that 86% of free VPN apps on the Google Play Store shared data with third parties. Many contained actual tracking libraries. Some contained malware.
The unavoidable math. Running a VPN service costs money. Servers, bandwidth, and engineering. If you're not paying for the service, someone else is — and that someone is the advertiser buying your data.
Protocol matters
WireGuard. Modern, audited, minimal codebase. Fast. Secure. The default for Mullvad, Proton VPN, IVPN. If your VPN offers WireGuard, use it.
OpenVPN. Older, more configurable, slower. Still secure. Works through most firewalls.
IKEv2 / IPsec. Built into iOS and macOS. Fast. Reasonably secure.
PPTP. Broken. Never use. Some providers still offer it.
Custom protocols (like ExpressVPN's Lightway). Check whether they've been independently audited. Most are not.
What about "double VPN" and "onion over VPN"?
Double VPN. Routes through two VPN servers. The first server sees your real IP but not your destination. The second server sees your destination but not your real IP. Adds latency. Useful if you don't fully trust your provider and want to split trust across jurisdictions.
Onion over VPN. Routing your VPN traffic onward through Tor. Mostly redundant. Tor already does what a VPN does, better, for the anonymity use case. Using both often makes you more identifiable (rare traffic pattern) rather than less.
Bottom line. For most users, a single good provider beats double VPN.
What a VPN can't hide from law enforcement
Law enforcement does not need to break VPN encryption. They use traffic correlation.
Timing correlation. Your ISP (or the VPN provider's upstream network) logs your connection to the VPN server at time T1. The destination site logs a connection from the VPN server's IP at time T1 + small delta. Those correlate. An attacker with visibility into both sides of the VPN tunnel reconstructs the real traffic without touching the encryption.
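Why this works, and when it does not, is easier to see on data. The following is an added illustration, not part of the original post: two constructed logs (one from the user's side of the tunnel, one from the destination) are joined on a timing window, and each destination event is mapped to the real addresses that could explain it. One candidate means the tunnel hid nothing from an observer who sees both ends; several candidates means the user is covered only by other users who connected through the same exit at the same moment. Addresses and times are hypothetical.

```python
from typing import Dict, List, Tuple

# Constructed logs (hypothetical; documentation-range addresses, times in seconds).
# User side: an observer at the ISP sees (real_ip, time the tunnel connection started).
ISP_SIDE: List[Tuple[str, float]] = [
    ("198.51.100.7", 100.0),   # user A connects to the VPN server
    ("198.51.100.8", 100.1),   # user B connects almost at the same moment
    ("198.51.100.7", 250.0),   # user A again, alone this time
]
# Destination side: the site logs connections arriving from the VPN exit address.
DEST_SIDE: List[float] = [100.2, 250.1]

def candidates(isp_side, dest_time: float, window: float) -> List[str]:
    """Real IPs whose tunnel connection began within `window` seconds before dest_time."""
    return sorted({ip for ip, t in isp_side if 0.0 <= dest_time - t <= window})

def correlate(isp_side, dest_side, window: float = 0.5) -> Dict[float, List[str]]:
    """For each destination event, the real IPs that could explain it.
    One candidate: the tunnel gave no anonymity against this observer.
    Several: the user hides only in the crowd active at the same instant."""
    return {t: candidates(isp_side, t, window) for t in dest_side}

def uniquely_attributed(result: Dict[float, List[str]]) -> List[float]:
    """Destination events that resolve to exactly one real IP."""
    return [t for t, ips in result.items() if len(ips) == 1]

if __name__ == "__main__":
    for t, ips in correlate(ISP_SIDE, DEST_SIDE).items():
        print(f"destination event at {t}: {ips or 'no match'}")
```

The second event (250.1) is attributed unambiguously; the first is not, which is the whole argument for a busy shared exit address over a dedicated one.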
Metadata on the local side. Your phone still has carrier-visible patterns — which apps made network requests, how often, at what times. Pattern matching to specific apps works.
Payment records. If you paid with a credit card, the VPN provider has your identity regardless of their no-log claim.
Endpoint vulnerabilities. If your machine is compromised before VPN traffic starts, the compromise is inside the tunnel. VPN doesn't help.
The recommendations
For general privacy from your ISP: Mullvad or Proton VPN. Both audited. Both reasonable jurisdictions. Both support WireGuard. $5-10/month.
For maximum anonymity from provider: Mullvad. No email needed. Cash by mail accepted. Multi-hop option. Audited.
For streaming geofenced content: Doesn't matter much. Pick any of the audited providers. Netflix, BBC iPlayer and the rest actively block most VPN IPs; it is an ongoing cat-and-mouse game.
For use from China, Iran, Russia, or other censored environments: Proton VPN (has obfuscated protocols). Also evaluate Psiphon (non-VPN, designed for censorship circumvention).
For corporate remote work: Use what your IT provides. Your employer has telemetry on your device regardless.
For torrenting: Any audited provider with port forwarding and an explicit "allow P2P" policy. Mullvad and Proton VPN both support it.
Never use: Hola, ExpressVPN (Kape ownership), NordVPN (opaque ownership, history), any VPN that shows up as sponsored content on YouTube without proof of audit, any "free" VPN.
What actually helps more than a VPN
For most people's real threat model, these are higher-impact:
- uBlock Origin + Firefox. Blocks the trackers your VPN doesn't.
- DNS-level blocking (NextDNS, Pi-hole). Blocks tracking in apps where extensions can't reach.
- Signal for messaging. Protects content regardless of VPN status.
- Proton Mail / Tuta. Encrypts email at rest and limits provider access.
- iCloud Advanced Data Protection. Encrypts backups.
- Hardware 2FA keys. Stops account takeover, which most VPNs don't help with.
A VPN is one layer. It is not anonymity. It is not privacy. It is a targeted tool for a narrow set of threat models.
Sources
- [Mullvad Audit Reports](https://mullvad.net/en/help/audit-reports/)
- [Proton VPN Audit, SEC Consult](https://protonvpn.com/blog/open-source/)
- [IVPN Security Audit by Cure53, 2019](https://www.ivpn.net/blog/ivpn-apps-audited-by-cure53-security-research/)
- [Mullvad Sweden Police Raid, April 2023](https://mullvad.net/en/blog/2023/4/20/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised/)
- [PIA 2017 Subpoena Case](https://torrentfreak.com/private-internet-access-zero-logs-claim-proven-again-170823/)
- [IPVanish 2017 Logging Incident](https://torrentfreak.com/ipvanish-no-logging-vpn-led-homeland-security-criminal-170605/)
- [Kape Technologies Acquires ExpressVPN](https://www.vpnmentor.com/news/kape-technologies-acquires-expressvpn/)
- [Hola Botnet Investigation, 2015](https://adios-hola.org/)
- [VPNPro Analysis of Free VPN Apps, 2019](https://vpnpro.com/blog/top-10-vpn-apps-sharing-your-data/)
- [FTC Complaint Against Hotspot Shield, 2017](https://www.cdt.org/insights/ftc-complaint-hotspot-shield/)
