Why You Probably DON’T Need a VPN for Travel (Advice from a Cyber Security Expert)

So many blogs say you need a VPN for travel that I almost believed it. Then I talked to a tech expert about online security while traveling. Here are some snippets of that conversation, including something that’s much more important for your online security – a password manager.

I’ll admit that for five years of travel blogging, I haven’t written a lot of practical stuff about travel. I’ve written a lot of stories and anecdotes to help people understand other cultures (and my own culture). But I’ve done very little about logistics. I just always thought everyone knew the boring, logistical stuff about credit cards, insurance, password managers and VPNs for travel – because I spend so much time researching these things, I assumed everyone else did, too.

But lately, some conversations with people who aren’t travel bloggers have gotten me out of my bubble. It turns out I’ve accumulated not only anecdotes, but also some logistical expertise that people may actually find useful. It’s a nice thing to realize.

Here’s the short answer: You probably do not need a VPN for travel (or any other time). VPNs are useful in very few situations (for example, when traveling in China or other places with internet censorship). Otherwise, if you’re visiting https websites, a VPN won’t do anything for you.

But there still are those few situations when VPNs are needed, and I’m going to explain what those are here, along with some of my experience with censorship and using a VPN in China.

FYI: I’m using affiliate links for these recommendations, which let me earn a commission off any purchases made through the links. Buying products or services through my links supports my work, and subsidizes the funny anecdotes and cultural stuff.

A Caveat About Blogs, VPNs and Travel

I decided to start this usefulness blogging project with VPNs because I lived in China, where a VPN is crucial to stay connected to the outside world, so I have some experience on the topic. Plus, they’re widely recommended as being important for travel.

That being said, there’s a reason a lot of blogs write about “the best VPNs for travel.”

You can make money from those affiliate commissions, as I explained above. Obviously, there’s nothing wrong with getting paid for helping readers figure out a solution to a problem. But I suspect a lot of bloggers don’t know much about VPNs and didn’t consult an expert. This leads to an over-emphasis on what a VPN can actually do for your traveling cyber security because, hey, there’s money to be made.

So I did consult an expert! He confirmed some things for me, and set me straight on others. VPNs are not always necessary, but do have their place.

Using a VPN in China: Censorship, Privacy and Learning My Lesson

The existence of a thing called a Virtual Private Network first came on my radar back in 2014 when I moved to China and realized how lost I was without the internet, in a country I didn’t know the first thing about.

The Chinese government doesn’t allow access to the New York Times (too subversive), Facebook (too American..?) or a lot of other foreign sites (too much fun…?). What’s blocked and what’s not in China (and other countries) changes regularly. If you’re planning a trip to China – or just curious – you can use this site to check what’s currently blocked.

This censorship is known as the Great Firewall of China, and you do need a VPN to get around it. This works because VPNs can make your internet connection appear to be coming from a different country. (I’m not going into anything technical here, but that’s the end result.) The Great Firewall of China only works on computers and phones that are in China, so if yours appears to be in San Francisco or Singapore, your access won’t be blocked.

I tried a lot of free VPNs when I lived in China, and they all sucked. They were full of ads. Data was limited. The software would sometimes refuse to let me online. Other times it would disconnect after a random amount of time – of course while I was in the middle of something illegal, causing me to lose my half-written Facebook message or my place in a New York Times article.

This is another area where I’ve realized lately that trying to get something for free is just not worth my time anymore.

True Story:

Near the end of my year teaching in China, a Chinese journalist released an environmental documentary called “Under the Dome.” The film was hugely popular in China, but was soon blocked. I watched it with a VPN and talked to my students about it, then wrote a blog post that I probably should have waited until I left China to publish. Maybe a week after I put it online, I got a call from one of the administrators at the university where I taught. I’ll never forget part of what she said: “You have your rights… but not in China.”

So what if you’re not in China…?

When you’re anywhere else in the world, VPNs theoretically keep your credit card info and passwords hidden from hackers on public Wi-Fi. Post-China, this was the main reason I started using a VPN again.

I used to think that if I used a credit card on public Wi-Fi without a VPN, I was basically just hoping that my bank info wouldn’t be stolen. Of course I also used to think I didn’t need a VPN because I’m so organized that I’d obviously never use a credit card on coffee shop Wi-Fi.

But shit happens, especially when traveling.

Maybe you’re in Alaska in late September and you have no cell service. You were planning on camping, but then it got really cold, so you need to book a place to sleep tonight. But you don’t even have the option of using cellular because – in the entire state of Alaska – Verizon only works in Juneau. So you have to use public Wi-Fi.

This happened to me, and I wished I already had a VPN downloaded.

Plus the internet is flooded with articles about how much personal info hackers can get from your computer just by being connected to the same Wi-Fi ­– even if you don’t use a credit card.

Then I talked to a real computer scientist.

The Truth About What VPNs Do (and Don’t Do)

I decided to check my online research with Peter Hansen, a cyber security researcher who’s also lived in China and studied specifically China’s Great Fire Wall. Suffice it to say, “an expert.” (My term, not his, because he’s humble.) And he sort of deflated my confidence in VPNs.

He told me that if you’re on a website that uses https instead of the older, non-secure http, then a VPN does not add any additional security. Any serious website (including this one!) is https. In Peter’s words:

“It doesn’t matter if it’s your social security number or a tweet, it doesn’t matter if you’re on your home Wi-Fi or a public Wi-Fi, it is simply not possible for anyone but you or the website you are connecting to to determine the contents of your communication. The only way for an attacker to get that information would be to infect your computer or the server with some kind of malware, but that is not something a VPN can protect you from.”

As long as the website is https – which about 90% of US websites are, including any legit financial site – then VPNs don’t help with security. (Websites based in some countries outside the US may be another question.)

Furthermore:

“On public Wi-Fi you are definitely at higher risk of attacks, however… they are not the types of attacks most people have to worry about. The attacker would have to be present on the same network as you, and sitting around in a coffee shop trying to infect everyday users is a very high-risk, low-reward venture for hackers. Being physically present at the scene of a crime puts them at high risk of arrest, and an individual credit card is only worth $10 to $20 to a hacker. They prefer to go after databases that hold 10’s of thousands of credit cards, from the safety of their homes.”

Okay, fine. Hacking me at the airport Starbucks is not very likely and not very smart. But it is possible, and people do dumb crimes all the time.

Other Good Reasons to Use a VPN:

So the security benefits of a VPN are not what they seemed, as long as you’re on a secure (https) site. But that’s not the only reason people use VPNs while traveling, just probably the most oversold reason. Some other uses:

• Privacy. Peter explained that if you’re talking to someone or submitting info on an https website, without a VPN, “Someone might be able to determine who you are talking to, but they will have no idea what was said.”

That’s sort of a relief, but maybe I don’t want someone to be able to determine who I’m talking to.

Plus, maybe you don’t want your ISP (internet service provider, which could include your university or your company, or your parents) to know what websites you’re on. Peter gave a good example: Maybe you’re a teenager questioning your sexuality, and your parents would not be cool with that, so you don’t want them to know you’re visiting websites about LGBT issues.

• Getting better prices on airlines tickets, for example, by appearing to be in the country where the airline is based. From what I’ve read on many blogs, this often works for domestic flights within a certain country, purchased from abroad.

I’m currently testing this and I’ll update this post when I’ve figured out how well it works.

• Streaming subscriptions like Netflix sometimes don’t work in other countries. So if you’re traveling in Turkey and want to watch Netflix, you might need a VPN – although sometimes Netflix won’t let you watch (regardless of where you are) if it detects that you’re using a VPN.

If you need a VPN for one of those reasons, or for avoiding censorship, here are the ones that made it to the top of my research (with more details – none very technical – further below):

The VPN I Recommend for Travel (& Other Choices)

So if you are traveling to a place like China, where you’ll need a VPN, or you decide to use one for one of the other reasons I explained above, here’s what I recommend:

1. TunnelBear: My favorite. Easiest to use, likely the most secure, and a good price. More info in my mini-review below. Click here to buy or to download the handy free version. (Click “pricing” at that link to access the free version.)

2. Private Internet Access: Cheapest of the technically good options – although I don’t love the company. Reasons why are below, or you can buy it here.

3. NordVPN: According to most reviews online, this is one of the better ones (along with TunnelBear). But it has one major security failure. Read my review below, or buy it here.

And one password manager: LastPass. (Reasons why are below.)

FYI: My Review Process

This is the first review I’ve published of anything! As you can probably see, I do an obsessive amount of research before buying almost anything, so I figured I might as well share it.

Whether it’s software companies, airlines, or whatever, I try to shop based on what the company stands for, not just prices and features. That’s for a couple of reasons:

1. What the company stands for is more interesting to me than what they make. I’m pretty bored by technology. I know it’s important, so I do my research. But I really couldn’t care less how VPNs work. How companies act often tells me more than a list of features.
2. I don’t just want a good product, I want a good company. I believe in the idea of voting with my dollar – it’s maybe the one thing that can make capitalism a force for good. This philosophy led me to get a master’s in sustainable business, and it’s why I spend hours researching sustainable clothing brands, airlines that pollute less, Greek islands that recycle all their plastic, and even the values espoused by VPN companies. If I’m going to give someone money, why not give it to someone who’s doing some good in the world?

This was the most satisfying thing to hear an expert confirm for me: Yeah, he said (and I’m paraphrasing), they all use basically the same technology, so what matters is how much they care about keeping your info safe. 

In other words, beyond what each company stand for, the products they offer are pretty much the same.

These are the features every VPN on this list has:

• They all use AES-256 bit encryption. I don’t know what it means, but they all brag about being the best because of it. (I’m kidding! I looked it up. It’s important.)
• They all give you unlimited data with a paid plan.
• You can use all of them on multiple devices at the same time. (TunnelBear and Express allow 5. Nord allows 6. Private Internet Access allows 10.)
• All of these companies say that they never log or record any of your browsing, so they couldn’t turn it over to anyone else (or any government) even if they wanted to.

Review of a Few VPNs For Travel: Slightly More Detail

After trying a few myself and reading lots of in-depth reviews from both travelers and tech people, I was going to suggest three VPNs for travel, with caveats for two of them. Then I talked to Peter and he made the caveat for one a lot more important:

• NordVPN gets some of the most consistent good reviews from tech magazines, but Peter pointed out a big problem.

I had read about one of Nord’s servers being hacked earlier this year. It’s been fixed, and I figured this could happen to any company. PCMag said they downgraded Nord’s rating from 5 to 4 stars because of it. (But previously, it was the only one with 5 stars, and did remain an “editors’ choice” there and at other reviewers.)

Then Peter told me that, yes, any company could get hacked. The problem was that this company hid it. In his words:  

“A hack of some kind can happen to anyone, even the best run companies. The problem with Nord was how it responded. They apparently knew about the hack for months without telling anyone and only admitted fault when someone else revealed it. A responsible company would inform their users of a potential threat to their privacy as soon as they are aware of it.”

On the other hand, what I liked about Nord was that they say they support civil liberties organizations including Amnesty International, and provide free or discounted VPNs to journalists and activists. (It’s possible other do the same, but I didn’t find any communications about it.) I can get behind those things, but not if they slack on basic security or are otherwise untrustworthy.

Most sources still call Nord a good choice, but maybe it’s better to stay skeptical on this one. Plus, at $84 for one year or $12 a month, it’s not cheap. It is however the only paid VPN I’ve seen with a student discount.

(All VPNs offer better prices per month if you commit to a longer subscription – often with plans up to 3 years. I’ll usually just mention the one-month and one-year prices.)

• TunnelBear is the only VPN I haven’t found a reason not to like. I find it easy to use to the point of being foolproof, and I think it offers the best product at the best price. One year is $60, one single month is $10.

It’s also reviewed as being one of the fastest and having the best privacy policy of any VPN (including being the only one to have an independent security audit done and publish the results). While it offers fewer countries to connect from (23) than other VPNs, that doesn’t matter to most people. And it does offer Italy, which means you can buy domestic Italian flights or train tickets in my former expat home and possibly get a better deal by appearing like you’re physically there. (Here’s the site I recommend for buying Italian train tickets.)

It also has free version that gives you 500mb of data per month. Most VPNs offer a money-back guarantee, but no free-forever version. (You can try Nord or Express for 30 days and get your money back if you don’t like them. Private Internet Access only gives you seven days.)

You don’t really need to understand what you can do with 500mb of free data (but the answer is not much), because the amount of data remaining is clearly displayed in the app. And even the free version doesn’t have ads.

• Private Internet Access is the cheapest of the well-rated VPNs I’ve seen (about $40 for a year, or $7 for a month). So that’s one selling point… but honestly I just don’t like it. The first way this company annoyed me was with their tacky slogan “Always Use Protection.” Really? Is the internet still run by bros?

The second, more objective thing that bothered me: They prominently display this quote on their site from the well-known tech review site PCMag: “Private Internet Access out-performs and out-features the competition.” I thought that was odd when I read it, because I had just finished reading PCMag’s latest VPN review. The article did say the product was good, but definitely did not say it was the best or that it “out-performed the competition.” So I scrolled down and found in tiny letters at the bottom of the page that the quote was from 2012 (AKA one internet-century ago).

To me, this kind of advertising is just sleezy and deceptive – and it makes me wonder what else this company is sleezy about. But hey, if you’re looking for something super cheap and apparently well performing, it could do the trick, although I haven’t tried it.

Wildcard VPNs – Especially for China

I haven’t tested these, but wanted to mention what I’ve learned about them.

• Astrill is currently the best VPN for China, according to several friends I checked with who live in China. Which VPN works best in China can change regularly, but Peter confirmed that avoiding censorship is really what Astrill focuses on. (Although that doesn’t mean it’s perfect. In China, you’ll still have to deal with the disconnections and slowness I mentioned above.) It costs about $100 a year or $16 for a single month, making it the most expensive of all the top VPNs I’ve looked at. So unless you’re going to China (or another country where government firewalls are the main battle) and want what the expats use, I don’t see why it would be worth the price.

• ExpressVPN: I just wanted to mention this one because it’s recommended specifically for travelers by a lot of blogs – although I’m not sure why. At about $100 a year, or $13 for a month, it’s among the most expensive. The reviews say it’s good, but my research didn’t convince me it’s the best or worth the price. The only benefit I could find is that it lets you choose from servers in 94 countries (more than any other option I’ve seen). But unless you have a specific reason you want to connect from a certain country, that won’t matter.

• ShadowsocksR is what Peter called, “one of the most reliable ways to dodge the Great Firewall in China, but… it does require a little more than just downloading a program.” If a computer scientist says that, I assume it’ll get the job done – if I can ever figure how to set it up. But if you’re looking for something specifically for China, this is expert recommended. Here’s info on how to download and install it.

Summary (What I Did)

My advice after all this research is to download the free version of TunnelBear on your phone and computer right now. Even if you’re not planning to always use a VPN, it’s a good tool to have just in case. And even if VPNs aren’t necessary for financial security, the privacy factor is still worth some thought.

This is doubly true when you travel. Maybe you’re in a strange country and have to submit a reservation request on a hostel’s website that isn’t https. Even if you don’t have to give credit card data, you probably don’t want the person next to you, or your anyone else, to be able to see your travel plans. 

The next time I’m abroad and realize OH SHIT I FORGOT TO PAY MY CREDIT CARD BILL, I’ll know it’s not quite as big of a deal as I’d thought. But still… do I want a stranger next to me in a coffeeshop to know my name, the websites I’m visiting, or anything else about me without me knowing that he knows? It’s just creepy.

So if you’re worried about privacy or have any other use for a good VPN, I’d still go with TunnelBear, which is what I’ve been using. If you just want a VPN for one short trip, the one-month, no-commitment price is $10 with unlimited data – a little less than many competitors.

What’s More Useful Than a VPN for Travel?

One thing that’s more useful than a VPN for travel security (and at home) is a password manager. I’ve been using LastPass for years and I’m happy with it. While Peter helped me understand why most people don’t need a VPN for security, he confirmed that most people do need a password manager, and that LastPass is a good option.

It does what it should, is pretty easy to use on desktop and mobile, has good customer support, and costs less than other equally well-rated options.

This is how it works: Password managers let you always use long, uncrackable passwords without ever writing them down anywhere. You create a single strong password and use it to login to the software where all your other passwords are stored. The program also creates tough passwords automatically when you create a new account on any website, and automatically fills them when you login.

Doesn’t that put all my eggs in one basket?

Yes, but as Peter confirmed, the type of attack where a hacker gets into one of your accounts (because it has a weak password), then uses that to get into other accounts (because they share the same weak password, username, or both) is very, very common.

Here’s a terrifying thought from Peter:

“This is so common that if you have been using one password many times for a good period of time, it has probably already been compromised one or more times.”

You can use this website to check whether your passwords have already been stolen.

On the other hand, a hacker getting your single, very tough-to-crack password and getting into your password manager is much less likely:

“The drawback of these managers is that you have a single point of failure. If your single password is discovered then attackers will have access to all of your accounts. These types of attacks, however, are extremely rare, while shared-password attacks are extremely common, so immunizing yourself from the common attack at the expense of a more serious problem in very rare cases is a wise trade-off to make.”

I used the free version of LastPass for a couple years and only upgraded to a “Families” subscription because it allows my husband and me to have separate accounts, but share individual passwords – without sharing all of them. We wouldn’t be able to do that with two separate free accounts. It costs $4 a month and I think it’s well worth it for the convenience.

Or, if you want the same simple interface for everything, TunnelBear also makes a password manager called RememBear. I haven’t used it but if you try it, let me know what you think.

One More Cyber Security Tip

Don’t use public USB charging stations! Those ports are a much more appealing target for hackers than sitting around waiting for someone to do something interesting on public Wi-Fi. (Probably because the attacker doesn’t have to be there to get away with it. As Peter said, “An attacker can set that up and walk away from it, so they don’t have to be sitting around suspiciously.”)

What other logistical travel things you want to know about? Let me know below in the comments or drop me an email.

Help more people find this article! Share on: