VPNs in 2026: Useful Tool or Overhyped Security

I had Norton Internet Security on my first real PC. Paid for it, renewed it annually, watched it slow my machine to a crawl, and slept soundly knowing I was protected. The padlock icon. The little shield in the system tray. The annual renewal email that said something like "Your digital life is at risk — renew now to stay safe." I was, as the kids now say, a mark.

The VPN industry has been running that same playbook for about a decade. Sponsor every YouTube channel with a pulse. Show the hooded cartoon hacker. Promise that one subscription stands between you and digital annihilation. The marketing is so omnipresent that NetworkChuck — a well-regarded networking educator — opens his latest VPN explainer by acknowledging his own conflict of interest with genuine self-awareness: he's been paid by NordVPN to make this video, which means, as he puts it, he has to be "extra harsh to have any shred of dignity left." He invites viewers to grade him from 1 to 10, with a 1 meaning "I'm a trash goblin that sold out."

I appreciate the framing. The question is whether the content earns the posture.

What a VPN actually does (and doesn't)

The core technical argument NetworkChuck makes is solid and worth laying out plainly. A VPN doesn't encrypt your web traffic — HTTPS already does that, and the vast majority of the web runs HTTPS. What a VPN does do is hide the metadata layer that HTTPS leaves exposed: which sites you visited, how often, and when. Your ISP and anyone else in a position to sniff your traffic can still see that you went to a specific domain even if they can't read what you sent there. The site names, the frequency, the timing — that's the profile that ends up in an advertising data broker's warehouse.

To demonstrate this, NetworkChuck runs a live Wireshark packet capture in Kali Linux — showing DNS lookups visible in plaintext traffic even with DNS-over-HTTPS enabled, because the Server Name Indication (SNI) field in the TLS handshake leaks the destination domain. He credits networking educator David Bombal for surfacing this in an earlier video, and it's a legitimate point that security-minded users often gloss over. Even reasonably hardened browsing configurations leave fingerprints. A VPN wraps all of that in WireGuard encryption and substitutes the VPN provider's IP for yours, so what the sniffer sees is nothing useful.

That's the real value proposition. Not "protection from hackers." Not anonymity. Metadata hygiene.

The trust problem, and why Norton's ghost haunts it

Here's where the Norton analogy stops being cute and starts doing actual analytical work. The old all-in-one security suites sold you protection and delivered something considerably more modest — virus definitions that were perpetually a step behind, bloated system overhead, and the comforting illusion of safety that sometimes made users less careful because they felt covered. The VPN industry inherited that same structure: sell a feeling, deliver a partial reality, renew annually.

NetworkChuck takes the trust objection seriously, and it's the sharpest part of his video. In 2017, PureVPN — which marketed itself aggressively on a "no-logs" promise — provided user logs to law enforcement during a cyberstalking investigation. The logs that didn't exist, existed. He quotes the scenario accurately: "their logs that don't exist helped unmask a netstalker." The "no-logs" claim, it turns out, was marketing language rather than a technical architecture.

His answer to this is a three-part checklist for evaluating a VPN provider: RAM-only server infrastructure (no persistent storage to hand over), multiple independent audits from third parties rather than self-certification, and jurisdiction in a country without mandatory data retention laws. He uses NordVPN as his example, noting the company's Panama-based registration under its parent entity Tefincom, and claims it has passed multiple independent no-logs audits. Both points are broadly accurate, though worth treating with appropriate skepticism: the jurisdiction argument is a standard piece of VPN marketing that depends on that jurisdiction remaining stable and the company remaining there, and audit claims should ideally come with specifics about who conducted them and when. Take "Panama means you're safe" with a modest grain of salt.

But his underlying logic holds: if you're going to be on the internet, you're going to trust someone with your traffic. The question is whether you'd rather that be your ISP — which has direct regulatory exposure and demonstrable motivation to monetize your browsing data — or a VPN provider you've evaluated against reasonable criteria. That's not a settled argument in favor of VPNs. It's a genuine tradeoff, and NetworkChuck presents it as one.

The fingerprinting thing, which would have sounded unhinged in 1998

There's a section in the video where NetworkChuck walks through browser fingerprinting — the technique by which advertisers and trackers identify you not by your IP address but by the composite signature of your browser configuration: screen resolution, installed fonts, active extensions, timezone, language settings. He runs the EFF's "Cover Your Tracks" tool live and confirms he's "not protected."

He moves through this fairly briskly, but I want to dwell on it for a second, because this is where the entire framing of "VPN = privacy" collapses most visibly. In 1998, if you'd described a system in which corporations maintain a persistent identity for you based on your monitor's pixel dimensions and the fonts your operating system happens to have installed, a reasonable person would have called the FBI. Now it's just Tuesday. Your VPN hides your IP. Your IP is, per NetworkChuck's own estimate, about 5% of how you get tracked. If you're still logged into Google, if cookies are still following you around, if your browser fingerprint is stable — and it almost certainly is — your VPN is doing metadata hygiene on one narrow channel while the rest of the tracking apparatus operates unimpeded.

This doesn't make VPNs useless. It makes the marketing around them almost comically overblown. The cartoon hacker can't see your DNS queries. LinkedIn can still profile you from your browser extensions. Progress.

When the tool actually earns its subscription

The cases where a VPN provides meaningful, concrete value are narrower than the industry admits but more interesting than the dismissive "just use HTTPS" crowd allows.

Public Wi-Fi is the obvious one — hotel networks, airport lounges, coffee shops — where you have no idea who's operating the network or what they're logging. A VPN on sketchy hotel Wi-Fi is reasonable hygiene, not paranoia.

The anti-harassment angle is underrated. If your IP address resolves to a neighborhood-level location — which it often does — a VPN is a meaningful defense against targeted harassment, swatting attempts, or DDoS attacks from people who've gotten hold of your address. For streamers, security researchers, journalists operating in hostile environments, or really anyone with an online presence who'd prefer not to be physically locatable, that's a real use case.

The geo-unblocking utility is modest but genuine. Shared IP addresses get flagged and blocked by streaming services constantly, which is why dedicated IP options (where you're assigned a stable IP tied to your account) are worth considering if that's your use case — though NetworkChuck correctly notes that a dedicated IP reintroduces a degree of traceability, since it's linked to your account credentials.

And then there's the event-driven scenario: the UK's Online Safety Act has pushed toward age verification requirements for certain online content, though the implementation timeline has been complicated and is still evolving. Laws change. What was freely accessible last year sometimes isn't this year, and not always for reasons most people find compelling. VPN demand spikes when regulations tighten, and that's not an accident.

The bundling problem, which I'll just say plainly

NordVPN has, in the video's telling, evolved from a VPN into something closer to a full security suite: malware blocking, phishing protection, dark web monitoring for stolen session cookies, URL cleaning, email protection. NetworkChuck's framing is that this is a feature — "trick your family and friends into using a VPN that actually protects them."

I'd put that differently. Bundling a metadata-hygiene tool with antivirus features, dark web alerts, and a crypto wallet address checker is exactly what Norton did in 2003. It's how you justify the price point, expand the addressable market, and blur the product category until users can't evaluate what they're actually buying or whether any individual feature works. The dark web cookie monitoring is genuinely interesting — session cookie theft is a real and underappreciated attack vector — but it belongs in a standalone product where it can be evaluated on its merits, not buried in a subscription marketed primarily on VPN brand recognition.

That's not an argument against using NordVPN. It's an argument for knowing what you're paying for and why, rather than letting the suite's complexity make you feel comprehensively covered. That feeling is the product Norton sold too. It didn't always correspond to the coverage.

NetworkChuck earns a better-than-average grade on the conflict-of-interest transparency. The technical content is accurate and well-demonstrated. The trust framework is honest about its own limits — "can I prove any of that? No," he says about the Panama jurisdiction argument, which is more candor than most sponsored content manages.

What the video can't fully escape, because the sponsor relationship makes it structurally impossible, is the question of whether the average person paying $5–$15 a month for a VPN subscription is buying meaningful security improvements or buying the system tray shield. The answer, as with most consumer security products, is: it depends entirely on your threat model, your usage patterns, and how much you trust the provider's infrastructure claims. Which is a much less satisfying answer than the cartoon hacker would suggest — but it's the one that's actually true.

Mike Sullivan covers the technology industry for BuzzRAG.