You are here

Shopping for a VPN app? Read this.

Share this page

You probably know by now that using your mobile device on the public Wi-Fi network of your local coffee shop or airport poses some risk. Public networks are not very secure – or, well, private – which makes it easy for others to intercept your data. So, what can you do to keep your mobile data private and secure while out and about? Some consumers have started using Virtual Private Network (VPN) apps to shield the information on their mobile devices from prying eyes on public networks. Before you download a VPN app, you should know that there are benefits and risks.  

VPN app basics

How do VPN apps work? When you use a VPN app, data sent from your phone – be it your browsing data or the apps you are using – is routed through servers located elsewhere. A VPN app can make traffic from your phone to a website you visit appear to come from a server operated by the VPN provider, rather than directly from your phone. Some VPN apps also encrypt the data sent between your phone and the VPN server. So, for example, say you are using a public Wi-Fi network that isn’t secure – such as a network that allows anyone to use it, even if they don’t have a password.  Other people on the same network can see your traffic.  But when you use a VPN app that encrypts the data, anyone monitoring your network connection only sees gibberish – even if the particular site you are visiting doesn’t itself employ encryption.

Why would someone use a VPN app? VPN apps tout a variety of uses. Not only do some VPN apps promise to keep your information secure on public networks, but some also claim they will keep your information private from advertisers and other third parties. And because VPN apps route your traffic through another network, they can make it appear as if your traffic is coming from somewhere else.  This is similar to how a company might use a VPN to allow employees to use their work computer as if they were on the company’s network, even while they’re on the road.

What are some privacy and data security concerns about using a VPN app? First, you should be aware that when you use a VPN app, you are giving the app permission to intercept all of your internet traffic. You don’t want to grant such permission lightly. Also, a group of technical researchers who studied almost 300 VPN apps found (link is external) potential privacy and security risks with some VPN apps. According to the study, for example, some VPN apps did not use encryption; some requested sensitive, and possibly unexpected, privileges; and some shared data with third parties for purposes such as injecting or serving ads, or analyzing the data to see how people are using a particular site or service.

Given these findings and the considerable trust you must place in a VPN app with your traffic, here are some things to consider before you download a VPN app.

Before you download a VPN app

  • Research the VPN app before you use it. You are trusting a VPN with potentially all of your traffic. Before you download a VPN app, learn as much about the app as you can. Look up outside reviews from sources you respect. You can also look at screenshots, the app’s description, its content rating, and user reviews, and can do some online research on the developer. The fact that an app promises security or privacy does not necessarily make it trustworthy.
  • Carefully review the permissions the app requests. Apps will present the permissions they request on their app store page, during installation, or at the time they use the permission. It’s useful information that tells you what types of information the app will access on your device in addition to your internet traffic. If an app requests particularly sensitive permissions (reading text messages, for example), consider whether the permission makes sense given the app’s purpose and whether you trust the app developer with that access.
  • Know that not all VPN apps actually encrypt your information. Some VPN apps use protocols that do not encrypt your traffic, or encrypt only some of your traffic. Outside reviews from sources you respect might provide more information about a particular app’s use of encryption.
  • A VPN app generally isn’t going to make you entirely anonymous. Instead, the app will typically obscure the content of your traffic from your internet service provider or public Wi-Fi provider, shifting trust from those networks to the VPN app provider. In addition, sites you visit may be able to determine that you are using a VPN app, and can still use any identifying information you directly share with them (for example, filling out a form with your email address) to track you.
  • VPN apps may share your information with third parties. Many VPN apps are free because they sell advertising within the app, or because they share your information with (or redirect your traffic through) third parties. If you are using the VPN app to keep your traffic private, make sure you review the VPN app’s terms and conditions and its privacy policy to determine if it shares information with third parties such as advertisers, and if so, what information it shares.


Can the FTC recommend one or more VPN providers that fulfill all of the FTC's recommended features? It would be much more efficient than having each reader do the research on their own.

Or you could put some effort into becoming more informed and rely less on the advice or opinions of others. There’s nothing wrong with knowledge, especially when you use that knowledge to secure your privacy online.

The FTC as a Federal Commission will never recommend any commercial service or product. The FTC may issue a bulletin warning of discovered security issues with a paricular type of network equipment, brand or model, with the intent that a patch or precaution be applied to mitigate the issue.

No. The FTC cannot recommend commercial products! That would be a severe violation of the public trust.

This blog is moderated. We review all comments before they are posted.  We won’t post sales pitches or promotions. Please see our  Comment Policy for more information.

Really???? How lame is that look up the intel your self and expand your knowledge. No way is the job of a government agency to say what a citizen should use. Perhaps you need to read 1984???

I'm sorry you're getting attacked for asking a question. Too many high and mighty commenters on here. The FTC should not give a recommendation on a VPN product. It would be like having the President recommending that everyone buy a Ford automobile or an HP PC/Laptop. That's something you'll have to research on your own through Google, IT websites, or ask people that work with these types of products. I hope you find the VPN product that fits your needs.

Are there any that are recommended by the FTC?

Thanks for the information. It would have been helpful to know who currently rating VPNs based on privacy, encryption, safety and so on.

Me too;I would like to know your recommended safe VPN apps,you could name several tried and trusted VPNs that a reputable security company would use. Not for advertisement but for consumer information and safety.We have the right to know and it's hard to know which ones to trust.

Agree, like other software there must be a list of how some of these rated somewhere, yes?

Thank you for the valuable information

I agree with the above statements are you able to recommend a list?

Since the FTC probably cannot make recommendations, what VPN providers are being or have been investigated and found to be deceptive, misleading, or untrustworthy?

I doubt the FTC would list any company names of who to use or who to stay away from, especially in just an Info Article about what VPNs are and what they do. Doing so would open them up to all sorts of possible legal liability issues.

Which VPN provider does Ajit Pai use to communicate with his Telco lobbyist friends? That's the one I want to use.

Very helpful. Thank you


FTC won't recommend a product, but try googling 'top vpn software'. PCMag and CNET (as well as many other orgs) publish their ratings.

On Thursday, 2/21/18
Wow. Dear FTC: For you to send this is highly misleading, veiled, incomplete and disrespectful to all consumers. You know what I am referring to but I will make a few notes in fairness to commenters posting in response to your helpful announcement: (Reader of course it is somewhat simplified)
1. What you write can be true and we should do our best to be informed prior to any action. However.
2. No proper notice was provided to any users before corporations mined our personal data years ago, and every day since, for their surveillance and business model
3. No notice was given to consumers that corporations will trade, sell, gift, to themselves AND secreted unnamed third and fourth, and so on parties, our information.
4. No compensation was made to consumers for our very valuable personal information taken daily
4a No taxes have been paid by these parties for the hundreds of millions of dollars that is being made from our data and the value of the phantom income to them by swiping it from all our devices
5. No notice has been provided to consumers that so called “Privacy” Policys attached to the millions of sites we access do the same as corporations and clauses are opaque ambiguous, demanding, comfortably presumptuous, arrogant, more forced arbitration, taking the names of our Facebook friends & phone contacts and making the tracking of those people, and the approval to do so, our responsibility simply by accessing the site. DONT LIMIT YOURSELF TO AMAZON!
6. The former protection that persons or Businesses will not be allowed to take any identifying sensitive information including credit card numbers, medical records if it is not actually relevant to their business - that disappeared.
7. No notice has been given that our data can be viewed beyond the U.S.
8. No notice was given to consumers that off shore employees, temporary contractors, transient workers simply have to be trusted and sign a form that they will not divulge our information.
9. No notice the information they take and use is not limited to name or financial information. That the technology now exists to know exactly what you eat and when, where your child went all week from the time she got out of bed and went fr Classroom to classroom, or went to the Wawa after school, or got in the car with a boy and when she made it back home; mothers and fathers don’t know this is done
10. That much of the breaches and hacks are accomplished by very smart people to do harm but they also happen Because our data, which is used by all these players is thrown out into the digital world when some of their software is still inferior.
11. There is so much more. When you go out to read up on that VPN, make sure everybody, you also read a dozen privacy policies and all kinds of opinions about big data, personal data, Google, Facebook and even Charlie’s at the mall
Oh, and yes, thought it was interesting they did not sipply the names of risky VPNs that came out of a study
I dont know if FTC will load this. Hope so.


There are some real serious scammers on the net and we need to have a good vpn that could also tell us where these calls are actually from. I think that these hackers are bright enough to still get to us! We need a way to be able to tell if these messages are coming from so we can protect ourselves. Some of them end up to be dangerous. So always be careful.

VPNs are a placebo gov'ts and others can infiltrate them and you are sharing your data specifically with Bob. There is NO PRIVACY on the public Internet

That is 100% true. The Government and Google can access anything they want and no software will keep you private, For browser is good but I have read that the NSA may be able to exploit that also.

Folks, the FTC is a government agency, and thus will not recommend a specific product or products. You'll have to do your own research.

An attorney wasted time writing this? No real new info here. Of course you should do your homework before selecting.... anything. And yes I’m on a vpn.

I thought this was a very informative article and I am glad an FTC attorney spent the time to share it with me.

How about just providing a link to the VPN study you reference? In the vein of transparency, that's a reasonable expectation & I'm frankly surprised you didn't already include it in the article!

The link is available now: "Also, a group of technical researchers who studied almost 300 VPN apps found (link is external) potential privacy and security risks with some VPN apps."

Thank you for updating the list, making it available.

I have a feeling VPN recommendations (like mine) are being blocked because of FTC's comment policy about "sales pitches or promotions".
That said, there are several very large antivirus companies that offer VPN service for around $30 a year. How secure are they? I have no idea. I trust them with my phone and computer security so I have faith they'll protect me on VPN as well.

Sadler, This blog is moderated. We review all comments before they are posted.  We won’t post sales pitches or promotions. Please see our  Comment Policy for more information.

Use the built in VPN app most newer smartphones provide

Without recommending a vendor or app, maybe you can recommend article or paper that has the research on strengths and weaknesses.

You may want to read the article mentioned in the blog:

"Also, a group of technical researchers who studied almost 300 VPN apps found (link is external) potential privacy and security risks with some VPN apps."

I think a more important fact to bring to light here is the use of your own vpn server (or concentrator for lack of a better phrase). Like a corporate endpoint. I see this more than anything else and in fact find that is what most people want vpn technology for. This would be a situation where you have road warriors that need information from headquarters, or connecting two office locations together over broadband cable. If you don't know for sure where the server is, you really don't know where your data is being decrypted. There are a few opensource solutions for this that are very good, very cheep, deployable with full mobile app support.

I absolutely love you guys, The communication and awareness you provide. This is an article I wish was out there years ago! I am so thankful it is now! Youngins, Parents and Grandparents subscribe. People come together on this workforce to provide consumers, " which every walk on the planet is" with the best information for you ! The article hurt a bit personally but God bless you for the truth.

Thanks for the information.

Maybe this is something Consumer Reports can evaluate? Just a thought...

I am aware of most of these issues with VPN's. I recently tried to pick one based on them. It is a daunting task for the consumer. I still haven't decided because they all have shortcomings.

I doubt the FTC could or would recommend any particular vendors/VPN solutions, regardless if the FTC surveyed them or not. A vendor/solution can change any component at any point. Plus, many factors are likely related to the end users configuration and usage of the products. Hence, each user needs to evaluate, configure and use appropriately.

Since Ajit Pai is reportedly now under investigation, you might not want to use that one. Here's the answer for which ones not to use: The free ones. Companies need to make money to stay in existence. If you are not paying for their product, then your personal information is the product they are selling to make money. That will all be in the license agreement you just click "Agree" to and never read even if you could understand it.

It's typically a good practice to cite your references. For example, you cite a study, but don't provide links to the study. That would be helpful. Also, "VPN" implies encryption, because the only way to achieve privacy is through encryption. So, those "VPN" products that do not encrypt would not technically be VPN's. Although, I don't know what you would call them, other than scams.

We corrected the problem with the link: " Also, a group of technical researchers who studied almost 300 VPN apps found (link is external) potential privacy and security risks with some VPN apps."

This article was next to useless without whitepapers and links to the studies performed. I know the fed govt. will not endorse any private data apps, but a link to the study that showed what the various VPN apps do would have been a nice way for consumers to choose the right VPN for them. Now I have Google the study and find the whitepapers. Good advice, but next time include more links/whitepapers.

We corrected the problem with the link: " Also, a group of technical researchers who studied almost 300 VPN apps found (link is external) potential privacy and security risks with some VPN apps."

Thank you for providing the link!

In this case the only way we can trust a VPN will be to build one ourselves! Does anyone know a way to build one on cloud like AWS from scratch by open source products? This way we own our traffics, contents, and encryption.

There is also nothing to stop the less than totally scrupulous and honest to give misleading information. Granted the person asked may not know positively but, in such cases some people tend to say what they think would be the correct answer rather than a "IDK".

“Also, a group of technical researchers who studied almost 300 VPN apps found potential privacy and security risks with some VPN apps. According to the study, for example, some VPN apps did not use encryption; ” What group? What study? Citations. Otherwise you’re making it up.

Here is the link: "Also, a group of technical researchers who studied almost 300 VPN apps found (link is external) potential privacy and security risks with some VPN apps."


Leave a Comment