Skip to main content

You probably know by now that using your mobile device on the public Wi-Fi network of your local coffee shop or airport poses some risk. Public networks are not very secure – or, well, private – which makes it easy for others to intercept your data. So, what can you do to keep your mobile data private and secure while out and about? Some consumers have started using Virtual Private Network (VPN) apps to shield the information on their mobile devices from prying eyes on public networks. Before you download a VPN app, you should know that there are benefits and risks.  

VPN app basics

How do VPN apps work? When you use a VPN app, data sent from your phone – be it your browsing data or the apps you are using – is routed through servers located elsewhere. A VPN app can make traffic from your phone to a website you visit appear to come from a server operated by the VPN provider, rather than directly from your phone. Some VPN apps also encrypt the data sent between your phone and the VPN server. So, for example, say you are using a public Wi-Fi network that isn’t secure – such as a network that allows anyone to use it, even if they don’t have a password.  Other people on the same network can see your traffic.  But when you use a VPN app that encrypts the data, anyone monitoring your network connection only sees gibberish – even if the particular site you are visiting doesn’t itself employ encryption.

Why would someone use a VPN app? VPN apps tout a variety of uses. Not only do some VPN apps promise to keep your information secure on public networks, but some also claim they will keep your information private from advertisers and other third parties. And because VPN apps route your traffic through another network, they can make it appear as if your traffic is coming from somewhere else.  This is similar to how a company might use a VPN to allow employees to use their work computer as if they were on the company’s network, even while they’re on the road.

What are some privacy and data security concerns about using a VPN app? First, you should be aware that when you use a VPN app, you are giving the app permission to intercept all of your internet traffic. You don’t want to grant such permission lightly. Also, a group of technical researchers who studied almost 300 VPN apps found (link is external) potential privacy and security risks with some VPN apps. According to the study, for example, some VPN apps did not use encryption; some requested sensitive, and possibly unexpected, privileges; and some shared data with third parties for purposes such as injecting or serving ads, or analyzing the data to see how people are using a particular site or service.

Given these findings and the considerable trust you must place in a VPN app with your traffic, here are some things to consider before you download a VPN app.

Before you download a VPN app

  • Research the VPN app before you use it. You are trusting a VPN with potentially all of your traffic. Before you download a VPN app, learn as much about the app as you can. Look up outside reviews from sources you respect. You can also look at screenshots, the app’s description, its content rating, and user reviews, and can do some online research on the developer. The fact that an app promises security or privacy does not necessarily make it trustworthy.
  • Carefully review the permissions the app requests. Apps will present the permissions they request on their app store page, during installation, or at the time they use the permission. It’s useful information that tells you what types of information the app will access on your device in addition to your internet traffic. If an app requests particularly sensitive permissions (reading text messages, for example), consider whether the permission makes sense given the app’s purpose and whether you trust the app developer with that access.
  • Know that not all VPN apps actually encrypt your information. Some VPN apps use protocols that do not encrypt your traffic, or encrypt only some of your traffic. Outside reviews from sources you respect might provide more information about a particular app’s use of encryption.
  • A VPN app generally isn’t going to make you entirely anonymous. Instead, the app will typically obscure the content of your traffic from your internet service provider or public Wi-Fi provider, shifting trust from those networks to the VPN app provider. In addition, sites you visit may be able to determine that you are using a VPN app, and can still use any identifying information you directly share with them (for example, filling out a form with your email address) to track you.
  • VPN apps may share your information with third parties. Many VPN apps are free because they sell advertising within the app, or because they share your information with (or redirect your traffic through) third parties. If you are using the VPN app to keep your traffic private, make sure you review the VPN app’s terms and conditions and its privacy policy to determine if it shares information with third parties such as advertisers, and if so, what information it shares.

67 Comments


It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.

The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.

  • We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
  • We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
  • We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
  • We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to ReportFraud.ftc.gov.

We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.

DBH
February 22, 2018
Can the FTC recommend one or more VPN providers that fulfill all of the FTC's recommended features? It would be much more efficient than having each reader do the research on their own.
Anon878
February 22, 2018

In reply to by DBH

Or you could put some effort into becoming more informed and rely less on the advice or opinions of others. There’s nothing wrong with knowledge, especially when you use that knowledge to secure your privacy online.
Pssst3
February 23, 2018

In reply to by DBH

The FTC as a Federal Commission will never recommend any commercial service or product. The FTC may issue a bulletin warning of discovered security issues with a paricular type of network equipment, brand or model, with the intent that a patch or precaution be applied to mitigate the issue.
Engineer
February 23, 2018

In reply to by DBH

No. The FTC cannot recommend commercial products! That would be a severe violation of the public trust.
FTC Staff
February 23, 2018

In reply to by Engineer

This blog is moderated. We review all comments before they are posted.  We won’t post sales pitches or promotions. Please see our  Comment Policy for more information.

DA
February 23, 2018

In reply to by DBH

Really???? How lame is that look up the intel your self and expand your knowledge. No way is the job of a government agency to say what a citizen should use. Perhaps you need to read 1984???
RH
February 23, 2018

In reply to by DBH

I'm sorry you're getting attacked for asking a question. Too many high and mighty commenters on here. The FTC should not give a recommendation on a VPN product. It would be like having the President recommending that everyone buy a Ford automobile or an HP PC/Laptop. That's something you'll have to research on your own through Google, IT websites, or ask people that work with these types of products. I hope you find the VPN product that fits your needs.
Madred1031
February 22, 2018
Are there any that are recommended by the FTC?
Pam0061
February 22, 2018
Thanks for the information. It would have been helpful to know who currently rating VPNs based on privacy, encryption, safety and so on.
buggy
February 22, 2018
Me too;I would like to know your recommended safe VPN apps,you could name several tried and trusted VPNs that a reputable security company would use. Not for advertisement but for consumer information and safety.We have the right to know and it's hard to know which ones to trust.
Chappy226
February 22, 2018
Agree, like other software there must be a list of how some of these rated somewhere, yes?
slb
February 22, 2018
Thank you for the valuable information
10glory
February 22, 2018
I agree with the above statements are you able to recommend a list?
Shar01010
February 22, 2018
Since the FTC probably cannot make recommendations, what VPN providers are being or have been investigated and found to be deceptive, misleading, or untrustworthy?
MK
February 22, 2018
I doubt the FTC would list any company names of who to use or who to stay away from, especially in just an Info Article about what VPNs are and what they do. Doing so would open them up to all sorts of possible legal liability issues.
meep
February 22, 2018
Which VPN provider does Ajit Pai use to communicate with his Telco lobbyist friends? That's the one I want to use.
anon
February 22, 2018
Very helpful. Thank you
North Wonders
February 22, 2018
FTC won't recommend a product, but try googling 'top vpn software'. PCMag and CNET (as well as many other orgs) publish their ratings.
JusticeLost
February 22, 2018
On Thursday, 2/21/18 Wow. Dear FTC: For you to send this is highly misleading, veiled, incomplete and disrespectful to all consumers. You know what I am referring to but I will make a few notes in fairness to commenters posting in response to your helpful announcement: (Reader of course it is somewhat simplified) 1. What you write can be true and we should do our best to be informed prior to any action. However. 2. No proper notice was provided to any users before corporations mined our personal data years ago, and every day since, for their surveillance and business model 3. No notice was given to consumers that corporations will trade, sell, gift, to themselves AND secreted unnamed third and fourth, and so on parties, our information. 4. No compensation was made to consumers for our very valuable personal information taken daily 4a No taxes have been paid by these parties for the hundreds of millions of dollars that is being made from our data and the value of the phantom income to them by swiping it from all our devices 5. No notice has been provided to consumers that so called “Privacy” Policys attached to the millions of sites we access do the same as corporations and clauses are opaque ambiguous, demanding, comfortably presumptuous, arrogant, more forced arbitration, taking the names of our Facebook friends & phone contacts and making the tracking of those people, and the approval to do so, our responsibility simply by accessing the site. DONT LIMIT YOURSELF TO AMAZON! 6. The former protection that persons or Businesses will not be allowed to take any identifying sensitive information including credit card numbers, medical records if it is not actually relevant to their business - that disappeared. 7. No notice has been given that our data can be viewed beyond the U.S. 8. No notice was given to consumers that off shore employees, temporary contractors, transient workers simply have to be trusted and sign a form that they will not divulge our information. 9. No notice the information they take and use is not limited to name or financial information. That the technology now exists to know exactly what you eat and when, where your child went all week from the time she got out of bed and went fr Classroom to classroom, or went to the Wawa after school, or got in the car with a boy and when she made it back home; mothers and fathers don’t know this is done 10. That much of the breaches and hacks are accomplished by very smart people to do harm but they also happen Because our data, which is used by all these players is thrown out into the digital world when some of their software is still inferior. 11. There is so much more. When you go out to read up on that VPN, make sure everybody, you also read a dozen privacy policies and all kinds of opinions about big data, personal data, Google, Facebook and even Charlie’s at the mall Oh, and yes, thought it was interesting they did not sipply the names of risky VPNs that came out of a study I dont know if FTC will load this. Hope so. .
CinCin57
February 22, 2018
There are some real serious scammers on the net and we need to have a good vpn that could also tell us where these calls are actually from. I think that these hackers are bright enough to still get to us! We need a way to be able to tell if these messages are coming from so we can protect ourselves. Some of them end up to be dangerous. So always be careful.
BoltmanLives
February 22, 2018
VPNs are a placebo gov'ts and others can infiltrate them and you are sharing your data specifically with Bob. There is NO PRIVACY on the public Internet
cybertweak
March 01, 2018

In reply to by BoltmanLives

That is 100% true. The Government and Google can access anything they want and no software will keep you private, For browser is good but I have read that the NSA may be able to exploit that also.
GB
February 22, 2018
Folks, the FTC is a government agency, and thus will not recommend a specific product or products. You'll have to do your own research.
Security Dude
February 22, 2018
An attorney wasted time writing this? No real new info here. Of course you should do your homework before selecting.... anything. And yes I’m on a vpn.
M
February 24, 2018

In reply to by Security Dude

I thought this was a very informative article and I am glad an FTC attorney spent the time to share it with me.
SES21
February 22, 2018
How about just providing a link to the VPN study you reference? In the vein of transparency, that's a reasonable expectation & I'm frankly surprised you didn't already include it in the article!
FTC Staff
February 23, 2018

In reply to by SES21

The link is available now: "Also, a group of technical researchers who studied almost 300 VPN apps found (link is external) potential privacy and security risks with some VPN apps."

Anon1900
September 16, 2019

In reply to by FTC Staff

Thank you for updating the list, making it available.
Sadler
February 22, 2018
I have a feeling VPN recommendations (like mine) are being blocked because of FTC's comment policy about "sales pitches or promotions". That said, there are several very large antivirus companies that offer VPN service for around $30 a year. How secure are they? I have no idea. I trust them with my phone and computer security so I have faith they'll protect me on VPN as well.
FTC Staff
February 23, 2018

In reply to by Sadler

Sadler, This blog is moderated. We review all comments before they are posted.  We won’t post sales pitches or promotions. Please see our  Comment Policy for more information.

Buster
February 22, 2018
Use the built in VPN app most newer smartphones provide
bawii2
February 22, 2018
Without recommending a vendor or app, maybe you can recommend article or paper that has the research on strengths and weaknesses.
FTC Staff
February 23, 2018

In reply to by bawii2

You may want to read the article mentioned in the blog:

"Also, a group of technical researchers who studied almost 300 VPN apps found (link is external) potential privacy and security risks with some VPN apps."

grendal-prime
February 23, 2018
I think a more important fact to bring to light here is the use of your own vpn server (or concentrator for lack of a better phrase). Like a corporate endpoint. I see this more than anything else and in fact find that is what most people want vpn technology for. This would be a situation where you have road warriors that need information from headquarters, or connecting two office locations together over broadband cable. If you don't know for sure where the server is, you really don't know where your data is being decrypted. There are a few opensource solutions for this that are very good, very cheep, deployable with full mobile app support.
Busyguy
February 23, 2018

I absolutely love you guys, The communication and awareness you provide. This is an article I wish was out there years ago! I am so thankful it is now! Youngins, Parents and Grandparents subscribe. People come together on this workforce to provide consumers, " which every walk on the planet is" with the best information for you ! The article hurt a bit personally but God bless you for the truth.

touloutracy
February 23, 2018
Thanks for the information.
Father Bob
February 23, 2018
Maybe this is something Consumer Reports can evaluate? Just a thought...
HoosierIU
February 23, 2018
I am aware of most of these issues with VPN's. I recently tried to pick one based on them. It is a daunting task for the consumer. I still haven't decided because they all have shortcomings.
RMM
February 23, 2018
I doubt the FTC could or would recommend any particular vendors/VPN solutions, regardless if the FTC surveyed them or not. A vendor/solution can change any component at any point. Plus, many factors are likely related to the end users configuration and usage of the products. Hence, each user needs to evaluate, configure and use appropriately.
Meeeeee
February 23, 2018
Since Ajit Pai is reportedly now under investigation, you might not want to use that one. Here's the answer for which ones not to use: The free ones. Companies need to make money to stay in existence. If you are not paying for their product, then your personal information is the product they are selling to make money. That will all be in the license agreement you just click "Agree" to and never read even if you could understand it.
DontUseYourEma…
February 23, 2018
It's typically a good practice to cite your references. For example, you cite a study, but don't provide links to the study. That would be helpful. Also, "VPN" implies encryption, because the only way to achieve privacy is through encryption. So, those "VPN" products that do not encrypt would not technically be VPN's. Although, I don't know what you would call them, other than scams.
FTC Staff
February 23, 2018

In reply to by DontUseYourEma…

We corrected the problem with the link: " Also, a group of technical researchers who studied almost 300 VPN apps found (link is external) potential privacy and security risks with some VPN apps."

Special Sauce
February 23, 2018
This article was next to useless without whitepapers and links to the studies performed. I know the fed govt. will not endorse any private data apps, but a link to the study that showed what the various VPN apps do would have been a nice way for consumers to choose the right VPN for them. Now I have Google the study and find the whitepapers. Good advice, but next time include more links/whitepapers.
FTC Staff
February 23, 2018

In reply to by Special Sauce

We corrected the problem with the link: " Also, a group of technical researchers who studied almost 300 VPN apps found (link is external) potential privacy and security risks with some VPN apps."

idsmaster
February 23, 2018
In this case the only way we can trust a VPN will be to build one ourselves! Does anyone know a way to build one on cloud like AWS from scratch by open source products? This way we own our traffics, contents, and encryption.
MPM
February 23, 2018
There is also nothing to stop the less than totally scrupulous and honest to give misleading information. Granted the person asked may not know positively but, in such cases some people tend to say what they think would be the correct answer rather than a "IDK".
DoCitations
February 23, 2018

“Also, a group of technical researchers who studied almost 300 VPN apps found potential privacy and security risks with some VPN apps. According to the study, for example, some VPN apps did not use encryption; ” What group? What study? Citations. Otherwise you’re making it up.

FTC Staff
February 23, 2018

In reply to by DoCitations

Here is the link: "Also, a group of technical researchers who studied almost 300 VPN apps found (link is external) potential privacy and security risks with some VPN apps."