VPNs Promise Privacy But Often Deliver the Opposite

Internet neutrality isn’t guaranteed by swapping one watchdog for another.

Lately, we’re all increasingly exposed to ads inviting us — or pushing us — to subscribe to a VPN. They use an almost coercive tone: “They’re watching you,” “Your IP isn’t safe,” “Browse with real privacy.” It’s often said that marketing doesn’t create needs, it discovers them. And maybe that’s true. As we solve many of our basic issues — food, clothing, shelter, health, education — our “self” evolves toward new concerns: we still want to live well, but now also without being watched. New fears arise, but also new desires. And with them, solutions appear… or at least, promises of solutions.

VPNs (Virtual Private Networks) are marketed as definitive tools to “evade censorship,” “protect privacy,” or “freely browse the Internet.” However, that perception is quite simplistic — and in many cases, outright dangerous. In contexts where net neutrality doesn’t exist, or where the state controls the very infrastructure of Internet access, VPNs don’t guarantee freedom from censorship or preservation of privacy. In fact, providers can be blocked, pressured, or directly forced to hand over user data to governments (we’ll look at precedents for this later). But even without state intervention, we’re already handing over our data to so-called “trusted” third parties — like the same companies that sell us the illusion of total privacy. We delegate our security without really knowing whom we’re trusting.

In this article, we’ll try to explore why VPNs are not a magic solution, why it’s not enough to simply “change hands” in who controls the network, and how this illusion of privacy can backfire. We’ll look at their technical and legal limitations, real-world cases where they’ve failed, and why perhaps it’s time to think beyond VPNs when we talk — truly — about digital freedom, the kind that might become the real freedom in a world increasingly embedded in the metaverse.

It’s not about who controls access, but that no one should control it.

Once upon a time, there was the non‑metaverse…

The metaverse isn’t about putting on a 3D headset and psychophysically connecting to a virtual world — we’re already living in a primitive metaverse. When conversations happen through messaging apps, when our lives are selectively displayed on social media, and when we increasingly acquire products and services through screens, we’re already inside. And those looking to profit from this new environment know it well — from corporations to governments. Ultimately, everything is transactional, and the digital world accelerates that. The battle to win votes or sell more is equally an invitation to the algorithm and to social metrics. “Everything’s being sold,” a friend once told me, after getting a text message (yes, an old‑school SMS) offering him a car — just a week after browsing prices on a competitor’s site.

Google, Apple, Amazon, Cisco… examples are everywhere. And all of these major corporations are already involved in the VPN business. But it’s not just companies gaining ground — many governments around the world are now actively shaping the design of Internet access, especially when it comes to net neutrality. In some cases, they’re directly dismantling it, undermining the principle of equal treatment for data traffic in order to impose priorities, controls, or restrictions.

Net neutrality, sometimes referred to as network neutrality, is the principle that Internet service providers (ISPs) must treat all Internet communications equally, offering users and online content providers consistent transfer rates regardless of content, website, platform, application, type of equipment, source address, destination address, or method of communication (i.e., without price discrimination).[4][5]

Source: Wikipedia

What’s most worrying is that most of society doesn’t even know this exists. When it does appear in public discourse, it’s usually hidden behind vague headlines or framed as a debate over whether the Internet should be considered an essential public service. But the real implications are rarely explained: What interests are at stake? Who benefits? Who gets left out? There’s no real public conversation — just an agenda driven by those with the most power — and the most infrastructure — to decide.

Digital privacy is no longer the exclusive domain of cybersecurity‑focused software: wherever there’s interest, there’s a transaction — and wherever there’s a transaction, there are actors seeking to extract value. What was once an ethical–philosophical (even marginal) frontier defended by early cypherpunks has now become territory conquered by the major players.

Phil Zimmermann’s great contribution — the creation of PGP (Pretty Good Privacy) in 1991, at the dawn of mass Internet adoption — now seems to dissolve into a new possible dystopia: one in which even the discourse around privacy is co‑opted by the very entities doing the surveillance.

This isn’t about demonizing states or large corporations; the point is not to lose focus — and that focus should be on decentralization. Cypherpunks didn’t invent the VPN, but they did lay the cultural and cryptographic foundations that power its current role as part of a broader ecosystem of digital sovereignty. Their legacy is more closely tied to Tor, decentralized networks, end‑to‑end encryption, and anonymity — while VPNs originally emerged from the corporate world.

How VPNs work — and what they actually do

A VPN creates an encrypted tunnel between the user’s device and a remote server, so the traffic between those two nodes is protected. It uses tunneling and cryptographic security protocols like OpenVPN, WireGuard, or IPSec, preventing intermediaries — such as the local Internet Service Provider (ISP) or surveillance agencies — from reading or modifying data in transit. While this function is essential, protecting the origin of the connection (i.e., the user) is just as — or even more — important. In fact, as mentioned earlier, many VPN services are marketed more for this second function than the first. The VPN replaces the user’s real IP address with that of the remote server, helping to hide their location, bypass geographic restrictions, or evade local censorship mechanisms.

To summarize, the main technical functions of a VPN are:

• Encrypting traffic to protect privacy.
• Hiding the user's real IP address and location.
• Bypassing region-based blocks by simulating a connection from another location.
• Allowing secure remote access, as is common in corporate environments when employees or users connect to an internal network.

These functions help explain why VPNs are associated with digital freedom and anonymity. However, they also have fundamental limitations that affect their ability to guarantee net neutrality or unrestricted access.

VPNs do not prevent censorship

In authoritarian regimes or countries where net neutrality is not guaranteed, the state often controls the main points of Internet access and has legal backing to require Internet Service Providers (ISPs) to assist in surveillance, censorship, or selective content blocking. But this can also extend to VPN providers.

While in most countries VPNs are not classified as ISPs — since they don’t provide direct Internet access but instead encrypt and redirect user traffic — in other jurisdictions with heavy state control over telecommunications, VPN services are treated functionally as such. In these cases:

• The state can detect and block the use of unauthorized VPNs.
• VPN providers can be forced to hand over user data.
• Using a VPN without state authorization can be illegal and punishable.
• Net neutrality is absent, meaning any type of traffic can be discriminated against.

In short, VPNs are just a technical tool — they cannot enforce freedom or neutrality where the legal framework and infrastructure actively prevent it.

From discourse to reality: VPNs in the real world

As mentioned earlier, VPNs weren’t born out of altruistic movements or as a philosophical response in defense of digital freedom. They were created and developed by corporations — primarily to ensure secure connections within geographically distributed business networks. It wasn’t until later — with the rise of mass surveillance after 2001 — that VPNs became popularized as “solutions” for individual privacy.

But what about those platforms or companies that offer free VPN services, often bundled with something else (like a web browser, a security suite, etc.)? There’s a simple answer: “If you’re not paying for the product, you’re probably the product.”

There’s no Mother Teresa of VPNs — and if there is, she’s one of a kind.

Let’s look at some of the reasons that help explain the “free” model behind these services:

• Data collection (connection times, IP addresses, usage patterns) that can later be sold to third parties or used to build highly monetizable digital profiles.
• Market testing, using the user base to experiment with new services, measure real-world behavior, and validate usability models.
• Brand loyalty and reputation: offering a free VPN can be used as a marketing tool, for positioning, or as part of a corporate social responsibility (CSR) strategy — especially when bundled with a paid product.
• Freemium models: limited-speed versions, restricted number of servers, or capped data allowances — all designed to convert free users into paying subscribers. (And perhaps the most troubling question: what exactly does a “limited VPN” mean? What kind of protection is actually being provided?)

The paradox in all this is that people install a VPN to do the exact opposite of what often ends up happening: we delegate our privacy, thinking we’re protecting it.

Now, beyond what VPN service providers may offer, these tools operate within specific legal and jurisdictional frameworks. Ultimately, the limitations are also political and legal. And this is where the actions — or inactions — of states come into play: many have realized that free access to anonymity tools poses a threat to their capacity for control. That’s why they legislate, restrict, block, or outright criminalize their use.

Let’s now take a look at how this phenomenon manifests in different contexts.

China: censorship and VPN blocking

China has banned the use of unauthorized VPNs since 2017 and applies advanced techniques like Deep Packet Inspection (DPI), port blocking, and full IP blacklisting of VPN servers. The Ministry of Industry and Information Technology requires licenses to operate VPNs, forcing companies to rely on what are essentially “privacy simulators.”

• In October 2022, China carried out mass blocking of TLS VPN servers — shutting down ports, then full IP ranges when users tried to circumvent the block (TechCrunch, 2022).

• Users attempting to access unauthorized VPNs face fines and income confiscation, such as a case in 2023 where a developer was sanctioned (ChinaDigitalTimes, 2023).

• Major tech platforms have removed VPN apps from their stores within China, including Apple (BBC, 2017) and Amazon (Infosecurity Magazine, 2017).

  Tim Cook justified Apple’s move by stating that the company “would prefer not to remove the apps, but complies with local laws where it operates.”

Deep packet inspection (DPI) is a type of data processing that inspects in detail the data (packets) being sent over a computer network, and may take actions such as alerting, blocking, re-routing, or logging it accordingly. Deep packet inspection is often used for baselining application behavior, analyzing network usage, troubleshooting network performance, ensuring that data is in the correct format, checking for malicious code, eavesdropping, and internet censorship,[1] among other purposes.[2]

(Source: Wikipedia)

However, this technological tactic is part of a broader political strategy. According to recent reports, the crackdown on VPNs coincides with an intensification of the Chinese Communist Party’s propaganda apparatus, aimed at reinforcing the official narrative and minimizing access to alternative viewpoints or dissent (Talk N’ West TN, 2024).

Yet even if all this may seem limited to strict or distant regimes, the truth is we’ll later see more subtle masks hiding similar intentions.

Russia and Iran: strict regulation and state control

• Russia requires VPN providers to register their users and cooperate with state security. As a result, several providers have been fined or even shut down for non-compliance. To reinforce this effort, Russia passed laws that penalize the promotion of unauthorized VPNs (Investing, 2023).

• Apple removed 25 VPN apps from its App Store in Russia at the request of Roskomnadzor, the Federal Service for Supervision of Communications, Information Technology and Mass Media (Reuters, 2024).

• Iran, since 2024, mandates state licenses for VPNs, which includes systematic handover of user data to intelligence services. A resolution from Iran’s Supreme Council of Cyberspace imposes strict restrictions on Internet access, further reinforcing state control over tools that enable censorship circumvention (Rferl, 2024).

VPNs that have handed over user data — willingly or under pressure

In a hyperconnected yet legally fragmented world, VPNs don’t operate as isolated islands. They are vulnerable links in a global chain — and there have already been several precedent-setting cases:

• In a case between Finland and Germany (2019), Finnish police forced a VPN provider to hand over user logs for a German investigation — despite the provider’s “no logs” policy (TorrentFreak, 2020).

• Some free VPN services have been caught selling user data to third parties, undermining the very privacy they promised. In one incident alone, over 1.2 TB of data from seven different VPNs was leaked (NordVPN Blog, 2020).

• Jurisdictions under the Five Eyes alliance — a surveillance cooperation network between the U.S., U.K., Canada, Australia, and New Zealand — require service providers to cooperate with state surveillance efforts (NordVPN Blog, 2018).

  “No logs” is a policy declared by certain VPN providers stating that they do not store user activity records — such as visited websites, IP addresses, or connection duration. In theory, this means that even if a government were to request such information, there would be nothing to hand over.

  — Adapted from the Electronic Frontier Foundation (EFF) and standard VPN privacy policies

  The problem also lies in the fact that even where VPN use is prohibited or heavily restricted, many citizens still rely on alternative services to bypass censorship. However, when those VPNs come from unknown or untrustworthy sources, the risk doesn’t disappear — it simply changes hands. Surveillance, loss of privacy, or even identity theft may no longer come from the state, but from opaque operators with no name, no face, and no clear jurisdiction. The traffic is still being watched — just by someone else.

  And as we’ve suggested, this phenomenon isn’t limited to authoritarian regimes. It also occurs in contexts with strong democratic traditions.

Net neutrality in the United States: freedom?

Surprisingly — or perhaps not — in a country as technologically influential as the United States, net neutrality is far from being a fixed, unquestioned principle. The concept has gone through significant ups and downs, driven by decisions from the FCC (Federal Communications Commission) and key court rulings.

One of the most notable cases occurred in 2014, when Internet provider Comcast was caught throttling Netflix traffic, applying network management practices that directly affected content quality and speed. The case triggered strong public and political backlash, exposing how ISPs could interfere with access to certain services — harming both competition and online freedom.

In response, in 2015, under the Obama administration, the FCC reclassified Internet access as a telecommunications service under Title II, imposing rules that prohibited blocking, throttling, and paid prioritization of traffic.

However, in 2017, during Trump’s presidency and under FCC Chairman Ajit Pai, these rules were repealed through administrative order, claiming they were excessive regulations that stifled innovation and private investment.

With the 2021 change in administration, President Biden and the FCC reignited the push for net neutrality. In 2024, they introduced the “Safeguarding Order”, reinstating many of the original protections and granting recourse mechanisms to consumers and small businesses.

Yet once again, with another shift in political leadership — following Donald Trump’s return to office — the tide turned. On January 2, 2025, the Sixth Circuit Court of Appeals (covering states like Ohio, Kentucky, Michigan, and Tennessee) ruled in Ohio Telecom Association v. FCC that the FCC lacked statutory authority to impose the order. The decision struck down the Safeguarding Order by judicial ruling before it could even take effect in those states.

Nature of the decision (January 2, 2025):

• It was a judicial ruling by the Sixth Circuit Court of Appeals, not a new FCC order.

• It struck down the 2024 restored rule, reverting the legal framework in that jurisdiction back to the previous standard (transparency regulation without Title II).

• The decision can be appealed to the U.S. Supreme Court, which will decide whether to review the case.

Full ruling: https://law.justia.com/cases/federal/appellate-courts/ca6/24-3497/24-3497-2025-01-02.html

But what’s the current situation, then? We can summarize it this way: At the federal level, there is currently no full net neutrality rule in effect following the court’s decision. Only a few state-level laws (such as those in California, New York, and Washington) maintain their own protections. The Sixth Circuit’s ruling is immediately enforceable — unless appealed and overturned by the Supreme Court. Until that happens, or until Congress enacts new legislation, there will be no uniform federal framework.

This fragmented landscape leaves consumers in a position where equal treatment of Internet traffic depends entirely on state law — and on future decisions from the Supreme Court or legislative action from Congress.

The justification behind this controversial move is the usual one: promote deregulation to encourage investment and competition in telecommunications. The argument claims that previous regulations were excessive and held back economic growth. In practice, however, deregulation often ends up favoring large corporations at the expense of digital rights.

For example, multiple reports and complaints have shown that certain telecom providers have granted privileges to their own services or to commercial allies, to the detriment of platforms like Facebook or Google — undermining the principle of fair and neutral competition. Telecom companies backed by streaming services may feel free to act aggressively, using practices such as usage caps and the creation of fast lanes for preferred content (The Verge, 2017).

Case studies and legislation in Europe, Latin America, and Africa

Europe: Balancing Privacy and Security with Emerging Challenges to Net Neutrality

In the European Union, while VPN use is not prohibited, concerns are growing over upcoming initiatives like ProtectEU and Chat Control, which could significantly impact user privacy by potentially requiring the installation of backdoors or the logging of metadata. These measures are driven by a legitimate and urgent need to investigate and combat online child sexual abuse material (CSAM), and they represent an important step toward protecting minors and ensuring digital safety.

However, the focus of the debate must also include the broader consequences for encryption integrity and net neutrality. Weakening these pillars could jeopardize the privacy of all users and open the door to greater abuses and vulnerabilities.

At the same time, Europe has been a firm defender of net neutrality. The Open Internet Regulation (EU 2015/2120) ensures that ISPs treat all data traffic equally — without discrimination, restriction, or interference — regardless of sender, receiver, content, application, or service. Its aim is to safeguard end users’ ability to access and share information freely, and to use and provide services and applications of their choice.

However, the growing pressure for increased surveillance and data access — as seen with ProtectEU and Chat Control — could create tensions with these principles. If ISPs are required to inspect or filter traffic, even for narrowly defined purposes, it could set a precedent that undermines the open internet ideal that net neutrality is meant to protect. The real debate should center on whether security imperatives can be balanced with the fundamental right to privacy and an open internet — one that includes the uninterrupted use of VPNs (or their future alternatives) as a core component of that openness.

Latin America: Freedom within Regulatory Frameworks and Net Neutrality as a Pillar

In most Latin American countries, VPN use remains legal, and its coexistence with net neutrality and data protection frameworks is key. The region generally leans toward protecting online freedoms, with net neutrality playing an important role in that focus. Let’s look at some relevant examples:

• Brazil: The Marco Civil da Internet (Brazil’s Civil Rights Framework for the Internet) is a landmark piece of legislation that explicitly protects net neutrality. It ensures that ISPs cannot discriminate in how data packets are handled, guaranteeing a level playing field for online services and applications — including those accessed through VPNs. It’s true that ISPs are required to retain traffic logs for up to 12 months for judicial purposes (which reflects a balance between freedom and oversight), but the commitment to net neutrality remains firm. A clear example: an ISP cannot offer a data plan that speeds up access to one streaming platform while throttling others — that would violate the core principle.
• Argentina and Uruguay: Both countries have received an adequacy decision under the EU’s General Data Protection Regulation (GDPR). This facilitates cross-border VPN operations without imposing additional obligations, which is a positive step for the free flow of data and services. As for net neutrality, while their laws are not as explicit as Brazil’s, both regulatory frameworks generally support non-discrimination in traffic. In Argentina, the Law on Audiovisual Communication Services (Law 26.522) has in some interpretations been seen as indirectly supporting neutrality. In Uruguay, regulation and policy tend to favor non-discriminatory access to the Internet, although there is no specific net neutrality law.
• Chile: The 2024 reform of the Data Protection Law established a Data Protection Agency and reinforced users’ digital rights. While it doesn’t directly limit or restrict VPN use, this advancement in personal data protection is important for the broader digital ecosystem. Chile was the first country in Latin America to pass a net neutrality law — Law 20.453 (2010) — which prohibits ISPs from blocking, interfering with, discriminating against, or otherwise restricting any user’s right to use, send, receive, or offer any legal content, application, or service over the Internet.

Africa: Direct Restrictions and Content Control with Challenges to Net Neutrality

In some African countries, direct VPN restrictions are framed as efforts to control “illegal content,” a definition often left vague. This typically overlaps with weaker or nonexistent net neutrality frameworks. While countries like Egypt, Morocco, South Africa, and Nigeria have more flexible or structured approaches to VPN use — with specific limitations — others maintain much stricter policies.

• Tanzania (2020 regulation, effective since 2023): The country prohibits the use of VPNs without prior approval from the regulator. Noncompliance can result in fines or even prison sentences if the service is not registered. This is one of the most restrictive VPN regulations globally. The lack of strong net neutrality legislation in Tanzania allows ISPs more freedom to manage traffic, which can include throttling or blocking services — particularly those deemed problematic by the government. This creates an environment in which both VPN use and access to content are restricted.
• Malabo Convention (in effect since June 2023): This African Union–wide cybersecurity and data protection framework may lay the foundation for tighter national-level regulation. While it aims to strengthen cybersecurity, it could also pave the way for increased restrictions on tools like VPNs — especially if not accompanied by robust net neutrality protections. Notably, the Convention itself does not explicitly address net neutrality, which means national implementations may lack clear safeguards against traffic discrimination.

It’s worth adding that Egypt, Morocco, South Africa, and Nigeria stand out as key players on the continent due to their more developed digital markets and better-defined regulatory frameworks — and that’s why they’re mentioned specifically. However, there are important differences: Egypt applies strict penalties for VPN use aimed at circumventing blocks, backed by deep packet inspection techniques; Morocco regulates the import of cryptographic technologies and exercises a certain degree of control over critical content; South Africa generally allows widespread VPN use but restricts it when it comes to bypassing copyright protections; and Nigeria, while having less specific regulation, promotes dynamic digital growth with a focus on expanding access and improving infrastructure. Despite these differences, all four countries offer a relatively more open environment and greater expectations for progress on net neutrality and digital rights compared to other African nations.

A layer issue: where does the real power lie?

When we connect to the Internet, we do so through a stack of protocols that go from the physical to the logical, from what transmits the data to what gives meaning to that transmission. Technically, we talk about layers such as:

• Network interface (physical layer),
• Internet (IP layer),
• Transport (TCP/UDP),
• Application (what we use: social networks, streaming, services, etc.).

The real dispute happens mostly between the transport and application layers. While the transport layer should be neutral—that is, allowing all data to flow without discrimination—the application layer has become the center of power where a few companies concentrate the design, monetization, and control of the digital experience.

The conflict between the application layer and the transport layer is not merely technical: it’s a fight for control over the layer that “adds value,” not necessarily the value that truly matters to users. In other words, it’s about who intermediates, who captures attention and data, who defines the rules of the digital experience. But in that struggle, the essential often gets lost: the real utility that people need or want. The layer that bills the most (or exerts the greatest political control) isn’t always the one that contributes the most. Meanwhile, the user remains trapped between competing layers, with none truly guaranteeing sovereignty, privacy, or real freedom.

Ultimately, we must ask ourselves: who intermediates and who is marginalized, who captures the data (and thus attention and decisions), and who sets the boundaries of the digital experience.

The solution? A decentralized network infrastructure.

The real long-term solution to ensure neutrality, privacy, and censorship resistance is a decentralized Internet infrastructure, collectively managed and maintained.

Among the most promising approaches are:

• Mesh and community networks: each node is an active participant that both provides and receives access. Projects like Althea or LibreMesh show how communities can self-organize to build local connectivity meshes without relying on large operators.
• Blockchain-based protocols for connectivity incentives: platforms like Helium or SpaceCoin use tokens to coordinate and reward nodes that provide coverage and bandwidth. Moreover, the success of Bitcoin and other cryptoassets has demonstrated the effectiveness of distributed incentive mechanisms in challenging and reshaping established power structures, confirming that blockchain-based models can be a real engine of change in the telecommunications ecosystem.
• Cooperatives and civil organizations: cooperative models like Guifi.net in Catalonia or neighborhood association initiatives that manage fiber optic or radio link infrastructure, avoiding dependency on centralized companies or governments.
• Hybrid P2P–blockchain systems: platforms that combine direct peer-to-peer data exchange with distributed ledger registration, allowing for both packet transmission and traceability of who provides which resources.

These solutions eliminate single points of failure and control, raise the cost of censorship, and democratize access to the Internet. By distributing both the transport and application layers among multiple participants (users, validators, etc.), they promote a de facto neutrality capable of resisting both economic and political pressures.

Conclusion (necessary)

When we talk about neutrality, privacy, and censorship resistance, it’s not enough to design decentralized protocols—we need a technologically aware and politically active citizenry.

When the blockchain world comes up, I often recall classes on Bitcoin (and its strong ties to network neutrality), where it’s said that if Internet access were restricted by a country or provider, using a “magic” VPN would be enough to bypass blocks. The reality, as we’ve seen, is quite different: everything depends on the country, the specific application, the provider’s policies, and the level of trust we place in each service. Not all VPNs are secure, not all apps allow circumvention of geolocation, and using software from unknown sources brings its own risks.

This apparent ease—this digital comfort—creates the illusion of freedom while reinforcing submission: we delegate our sovereignty to opaque actors in exchange for everything “just working” without effort. That’s why the real battle isn’t just fought at the transport or application layers, nor solely in the code of a mesh network or smart contract—it’s fought in people’s minds.

Only through digital education with civic awareness—where we don’t just learn how to use hardware or software, but also understand who controls the infrastructure, what values underlie each design, and how we can organize to transform it—can we become critical citizens capable of demanding real guarantees of neutrality and privacy. Without that foundation, any decentralized network risks becoming a “soft” surveillance system, as imperceptible as it is irreversible.

What good is a neutral system if the path to reach it is controlled?

And here lies the paradox: the only way to preserve online freedom is to renounce passive comfort and embrace technological civics.