Privacy Ranker

What Makes a VPN Actually Private? 5 Things to Check

Not all VPNs protect your privacy equally. These five factors separate the ones that work from the ones that just claim to.

By Editorial · 7 min read

The VPN market is full of products that claim to protect your privacy. Most of them do, in the narrow sense that they encrypt your traffic and hide your IP. But privacy protection varies enormously depending on how the product is designed, where it’s based, and what the provider logs.

Here are five things that actually determine whether a VPN protects your privacy.

1. Has the No-Log Claim Been Audited?

Every VPN claims not to log your activity. This claim is trivially easy to make and difficult to verify. The only meaningful check is a third-party audit.

A good no-log audit looks at the provider’s actual server infrastructure and logging configuration, not just its policy documentation. It’s conducted by an independent firm with no financial interest in the outcome.

Look for:

Bonus points: has the provider been subjected to a real-world test, like a server seizure or law enforcement request that yielded nothing? That’s the most credible evidence possible.

If a VPN has no published audits, treat their no-log claim as unverified marketing. Many otherwise decent VPNs fall into this category.

2. Where Is the Provider Incorporated?

Jurisdiction determines what laws apply to the VPN provider. This matters for two reasons: mandatory data retention laws and law enforcement access.

Some countries require companies to store user data for defined periods and hand it over on request. A VPN based in such a country is operating in a structurally hostile environment for privacy, regardless of what their policy says.

The other factor is intelligence sharing. The Five Eyes (US, UK, Canada, Australia, New Zealand), Nine Eyes, and Fourteen Eyes are groups of countries that share intelligence. A VPN based in a Five Eyes country is more likely to be subject to intelligence requests than one based in Switzerland or Panama.

Jurisdiction matters less if the provider has no logs to hand over. But strong jurisdiction plus no logs is better than weak jurisdiction plus no logs.

3. What Happens If Your Connection Drops?

A kill switch is a feature that cuts your internet connection if the VPN drops unexpectedly. Without one, a momentary VPN disconnection exposes your real IP to whatever you’re connected to.

Not all kill switches are equal:

OS-level kill switches (sometimes called network lock) operate at the firewall level. If the VPN process dies for any reason, no traffic passes. These are the most reliable.

App-level kill switches work within the VPN client. They’re more vulnerable to edge cases where the client process itself crashes or is killed.

The other thing to check: is the kill switch on by default? Many providers include the feature but leave it off by default, meaning users who don’t know to enable it don’t get the protection.

4. Do DNS Queries Go Through the VPN?

When you visit a website, your device first makes a DNS query to look up the site’s IP address. If that query doesn’t go through the VPN, it’s visible to your ISP and anyone else watching your network, even if your browsing traffic is encrypted.

DNS leaks are a common failure mode. They can happen if the VPN doesn’t properly handle DNS routing, if your system falls back to the OS DNS settings, or if IPv6 DNS isn’t covered.

You can test this yourself: connect to a VPN, then visit a DNS leak test tool. It will show you which DNS servers handled your queries. If you see your ISP’s DNS servers, you have a leak.

Reputable VPNs route DNS through their own servers and test their products for leaks. Look for providers that explicitly mention DNS leak protection and test it yourself before relying on the VPN for anything sensitive.
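
A local complement to the online leak test, added here as an example and not part of the original guide: it reads the resolvers a Linux-style system is configured to use and applies longest-prefix routing to see which interface each one is reached through. The resolv.conf text, the routing table, the addresses and the tunnel name `tun0` are constructed assumptions. It checks configuration only, not the queries actually sent.

```python
import ipaddress

RESOLV_CONF = """\
# constructed sample, not captured from a real host
nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver 2001:db8:53::1
"""

ROUTES = [  # constructed routing table: (destination prefix, egress interface)
    ("0.0.0.0/1", "tun0"),       # VPN "split default": two /1 routes that
    ("128.0.0.0/1", "tun0"),     # together cover all of IPv4
    ("0.0.0.0/0", "eth0"),       # original default route, now less specific
    ("192.168.1.0/24", "eth0"),  # local LAN stays on the physical NIC
    ("::/0", "eth0"),            # IPv6 default never moved into the tunnel
]


def parse_nameservers(resolv_text):
    """Return the resolver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            # Drop an IPv6 zone suffix such as "%eth0" before parsing.
            servers.append(ipaddress.ip_address(fields[1].split("%", 1)[0]))
    return servers


def egress_interface(ip, routes):
    """Longest-prefix match: which interface would carry traffic to ip?"""
    if ip.is_loopback:
        return "lo"  # local stub resolver; its upstreams need checking
    best_len, best_iface = -1, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.version == ip.version and ip in net and net.prefixlen > best_len:
            best_len, best_iface = net.prefixlen, iface
    return best_iface


def find_dns_leaks(resolv_text, routes, tunnel_iface="tun0"):
    """List (resolver, interface) pairs whose queries bypass the tunnel."""
    pairs = [(str(ip), egress_interface(ip, routes))
             for ip in parse_nameservers(resolv_text)]
    return [(ip, iface) for ip, iface in pairs if iface != tunnel_iface]


if __name__ == "__main__":
    print(find_dns_leaks(RESOLV_CONF, ROUTES))
```

In the sample, the LAN router's resolver and the IPv6 resolver are both reached over `eth0`, which corresponds to the OS-fallback and IPv6 cases described above. A result of `lo` means a local stub resolver is in use, so the same check has to be applied to the upstream servers that stub forwards to.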

5. Who Actually Owns the VPN?

The VPN industry has a significant private equity and consolidation problem. Many VPNs that appear independent are owned by the same parent company, sometimes one with a history of data collection or privacy violations.

Kape Technologies, for example, acquired multiple well-known VPN brands. Some VPN brands are owned by data analytics companies. The corporate parent’s business model may be in direct conflict with user privacy.

Checking ownership is straightforward: look up the company in a business registry, check Crunchbase for acquisition history, and search for news coverage of the brand’s ownership. This takes five minutes and can save you from accidentally giving your traffic to a company whose business model depends on analyzing it.

The Short Version

A trustworthy VPN has been audited by an independent firm, is incorporated in a privacy-friendly jurisdiction, has a functioning kill switch enabled by default, prevents DNS leaks, and is owned by a company whose business model is consistent with privacy.

Providers that check all five boxes exist. Do the research before trusting a VPN with your traffic.
