VPN Myths — What They Actually Do and Don't Protect You From


VPN companies spend enormous amounts on marketing. Sponsorships on YouTube alone run into hundreds of millions of dollars annually. The pitch is consistent: use our VPN and you’ll be invisible online, safe from hackers, protected from surveillance, and free to access anything from anywhere.

Most of these claims range from misleading to outright false. VPNs have legitimate uses, but the gap between what VPN marketing promises and what VPNs actually deliver is one of the largest in consumer technology.

Let me sort through what’s real.

What a VPN Actually Does

A VPN (Virtual Private Network) creates an encrypted tunnel between your device and the VPN provider’s server. Your internet traffic goes through this tunnel before reaching its destination. This does two concrete things:

Hides your IP address from websites. Instead of seeing your home IP address, websites see the VPN server’s IP address. This prevents websites from easily determining your physical location based on IP geolocation.

Encrypts traffic between you and the VPN server. Anyone monitoring the network between you and the VPN server — your ISP, someone on the same public WiFi, a network administrator — can see that you’re connected to a VPN server but can’t see the content of your traffic.

That’s it. That’s what a VPN does. Everything else in VPN marketing is either an extrapolation or a distortion of these two basic functions.

The Myths

“VPNs protect you from hackers”

This is the most common and most misleading claim. In 2026, the vast majority of web traffic is already encrypted via HTTPS. When you visit your bank’s website, submit a form, or log into any modern service, that connection is encrypted end-to-end regardless of whether you’re using a VPN. A VPN adds an additional encryption layer for the first hop, but it’s encrypting traffic that’s almost certainly already encrypted.

The types of attacks that VPNs protect against — someone on public WiFi intercepting your unencrypted traffic — were a genuine risk 10 years ago when many websites didn’t use HTTPS. Today, Let’s Encrypt has made free HTTPS certificates universally available, and over 95% of web traffic is encrypted at the application layer.

The types of attacks that actually get people — phishing emails, malware downloads, credential stuffing, social engineering — are completely unaffected by VPN usage. A VPN won’t stop you from clicking a phishing link, downloading a malicious attachment, or reusing passwords.

“VPNs make you anonymous online”

Your IP address is just one of many identifiers websites use to track you. Browser fingerprinting, cookies, logged-in accounts, device identifiers, and behavioural analysis all work regardless of VPN usage. If you’re logged into Google Chrome with your Google account and using a VPN, Google still knows exactly who you are and what you’re doing.

True online anonymity requires tools like the Tor network, which routes traffic through multiple independent relays. A VPN routes through a single company’s infrastructure — a company that has your payment details and knows your real IP address.

“No-log policies mean your data is private”

Most VPN companies claim they keep no logs of your activity. Some have been audited to verify this claim, which is a positive step. But fundamentally, you’re trusting a single company with all of your internet traffic. Instead of trusting your ISP (which is regulated and subject to Australian law), you’re trusting a VPN company that may be headquartered in Panama, the British Virgin Islands, or another jurisdiction specifically chosen to avoid regulatory oversight.

Several VPN companies have had data breaches or been caught logging user data despite claiming otherwise. The Register has reported on multiple instances of VPN providers whose “no-log” claims didn’t hold up under scrutiny. Trusting a VPN provider requires at least as much faith as trusting your ISP — arguably more, since ISPs face more regulatory accountability.

Where VPNs Are Actually Useful

Despite the overhyped marketing, there are legitimate reasons to use a VPN.

Accessing geo-restricted content. This is the most common real-world use case. Connecting to a VPN server in another country can let you access streaming content that’s not available in Australia. Netflix, Disney+, and other services try to detect and block VPN traffic, but it remains a cat-and-mouse game where VPN providers often stay ahead.

Privacy from your ISP. Your ISP can see which websites you visit (the domain names, not the content, since most traffic is HTTPS-encrypted). Under Australian law, ISPs are required to retain metadata for two years under the Telecommunications (Interception and Access) Act. A VPN prevents your ISP from seeing your browsing destinations, though the VPN provider can see them instead.

Public WiFi on genuinely untrusted networks. While most web traffic is encrypted via HTTPS, some apps and older services may still use unencrypted connections. On a public WiFi network you don’t trust — a hotel, airport, or conference — a VPN adds a meaningful layer of protection. Specialists in this space, like the team at Team400.ai, generally recommend VPNs as one component of a broader security approach rather than a standalone solution.

Bypassing network restrictions. If you’re on a corporate or institutional network that blocks certain services, a VPN can bypass those restrictions by tunnelling through the firewall. This is technically against most acceptable use policies, so be aware of the consequences.

Do You Need One?

For most Australians, a VPN is a nice-to-have rather than a necessity. If your primary interest is streaming geo-restricted content, a VPN is the standard solution. If you’re concerned about ISP metadata retention, a VPN addresses that specific issue.

But if you’re buying a VPN because you think it makes you safe from hackers or anonymous online, save your money. Good security habits — unique passwords with a password manager, two-factor authentication, keeping software updated, being cautious about phishing — will protect you from more real-world threats than any VPN.

And if your concern is genuine anonymity from state-level surveillance or serious privacy threats, a commercial VPN is insufficient. You need Tor, compartmentalised identities, and operational security practices that go far beyond consumer VPN software.

For everyone else, the $5-12/month a VPN costs is not a bad investment if you understand what you’re getting. Just don’t mistake it for a security silver bullet. It’s not.