When a well-lobbied Congress eliminated consumer privacy protections for broadband back in 2017, many folks understandably rushed to VPNs for some additional privacy and protection. And indeed, many ISPs justified their lobbying assault on the rules by stating that users didn't need privacy protections, since they could simply use a VPN to fully protect their online activity. But we've noted repeatedly that VPNs are not some kind of panacea, and in many instances you're simply shifting the potential for abuse from your ISP to a VPN provider that may not actually offer the privacy it claims.
Top10VPN, for example, recently took a closer look at 150 VPN apps being offered in the Android marketplace and found that 90% of them violated consumer privacy in some fashion, either by the inclusion of DNS leaks, a failure to adequately secure and store user data, or by embedding malware:
"Simon Migliano, the head of this research, reports that at over 38 VPN apps tested positive for DNS leaks, exposing private data to hundreds of insecure links. Also, over 27 VPN apps were flagged as potential sources of malware when tested by VirusTotal.
Apart from this, the research also found intrusive permissions in over 99 apps. These permissions included user location, device information, use of the microphone, camera access and more."
Again, you'll see a lot of folks argue that we don't need meaningful privacy rules of the road because users can simply use a VPN to dodge the prying eyes of what has become all-pervasive marketing-driven surveillance online. When ISPs were busy lobbying to have the FCC's privacy rules killed, for example, their funded proxy organizations were quick to insist that killing consumer broadband privacy protections isn't that big of a deal -- because consumers could just protect themselves by using encryption and a VPN.
But as outlets like Wired have pointed out, a VPN won't help you if your wireless carrier is installing snoopvertising locally on your phone (remember CarrierIQ?). Nor is it a bulletproof solution for ISPs like Verizon that have creatively started modifying user packets to covertly track subscribers around the internet. Nor does it prevent you from an ISP charging you more to opt out of data collection (something AT&T and Comcast have both flirted with). A VPN also won't protect you from companies that have flirted with providing worse customer service based on your credit score.
So yeah, while a good VPN is a helpful privacy tool, a VPN in general still isn't some magic silver bullet for our growing privacy shitstorm. And in more than a few instances, a poor choice can leave you less secure than if you used no VPN at all.