Are VPN Ads Overselling Your Safety?

VPN marketing versus reality - new study finds half the hype has holes

At the CHI ’25 conference, four Ruhr University Bochum researchers - Felix Reichmann, Jens Christian Opdenbusch, Karola Marky, and Marco Gutfleisch - unveiled the most wide-ranging audit yet of consumer-VPN promises. They began where real buyers do: Google. From 300 participants in five English-speaking countries on four continents (Australia, Canada, South Africa, the United Kingdom, and the United States) they collected 1,749 search terms that people would type when hunting for the best VPN security.

Using the top five Google hits for each query, the team pulled down 8,741 webpages, clustered near-duplicates, and hand-filtered until they had 302 unique pages representing 78 VPN brands. Every privacy or security statement on those sites was then coded for what it claimed to protect (“assets”) and from whom (“threat agents”).

Promises outpace technical reality

The verdict is stark: misleading VPN claims were abundant. Many of the statements were partially or outright false. Furthermore, only 157 pages - about 52 percent - mentioned any threat agent at all. Many sites, for instance, pledge total anonymity from Internet service providers (ISPs). They do this even though an ISP must still see the customer’s source IP and traffic volume to route packets, which was fuel for persistent VPN privacy myths.

Threats are named and then forgotten

Across the dataset the authors logged 60 distinct threat agents, yet more than half the pages never named one. ISPs topped the list, cited on 96 pages, followed by vague stand-ins such as “hackers” or “third parties.” Concrete actors like employers and mobile carriers barely registered.

Providers were far more eager to trumpet what they guard. The study counts 34 asset categories and finds that 80 percent of pages mention at least one. Generic phrases like “your privacy,” “your data,” or even “you/yourself” were common. But some pages went further, warning that ISPs could read end-to-end encrypted WhatsApp messages or steal passwords outright. These claims clash with observable VPN advertising facts.

Why vague marketing matters

Over-promising is not just academic hair-splitting. Inflated claims cement faulty mental models, leading readers to wonder are VPNs safe while they browse on public WiFi under a false sense of invincibility, the authors warn. Misplaced trust, in turn, erodes confidence in legitimate privacy tech.

What should change?

Because every country in the study already bans deceptive ads, the paper argues regulators should enforce VPN consumer protection rules already on the books rather than draft new ones. The ten most visible VPN providers generate 81 percent of the pages users encounter when they search for a VPN. Therefore, prioritizing these would yield the biggest immediate impact.

The authors also suggest that platform owners could help: an operating-system-level certification badge or pop-up explaining a VPN’s limits would give buyers instant context before installation.

What actions you can take with your VPN

Before you pick a provider, take a minute to map the real threats you face. A journalist working under censorship, for example, needs far more robust guarantees than someone mainly worried about their ISP reselling browsing data. Match those risks to the protections a VPN can verifiably deliver, and remember that no single tool is a silver bullet.

Look for specificity. Trustworthy sites name both the adversary (e.g., ISP metadata logging) and the limitation (doesn’t stop cookie tracking).
Demand proof. Independent audits, open-source clients, and reputable leak-test results outweigh “military-grade encryption” slogans.
Check jurisdiction. Where a company is incorporated determines how easily governments can compel logs.
Layer your defenses. Pair a VPN with HTTPS, secure messaging, and strong, unique passwords—especially for high-risk work like investigative reporting.

The bottom line is that VPNs remain useful, but this study shows the industry’s glossy sales pages often trade on myth more than math. Until clearer labels or tougher enforcement arrive, consumers—and reporters—must read the fine print behind the dragon-breath promises.

Written and Edited by Lizzy Schinkel & WhatIsMyIP.com® Editorial Contributors

Lizzy is a tech writer for WhatIsMyIP.com®, where she simplifies complex tech topics for readers of all levels. A Grove City College graduate with a bachelor’s degree in English, she’s been crafting clear and engaging content since 2020. When she’s not writing about IP addresses and online privacy, you’ll likely find her with a good book or exploring the latest tech trends.