Privacy vs. Anonymity: What a VPN Actually Does
Most people use these terms interchangeably, but they mean different things when it comes to VPNs. A VPN gives you privacy: it hides your internet traffic from your ISP, your employer's network, and anyone monitoring the local network you're on. Your ISP cannot see what sites you visit or what you download. That is a real, meaningful protection for everyday use.
A VPN does not give you anonymity. The VPN provider knows your real IP address. You typically paid for the service with a credit card or PayPal, which links the account to your real identity. If the provider receives a court order, or if they secretly log data despite claiming not to, your identity is traceable. True anonymity requires either Tor (which removes the single point of trust) or a VPN where you've taken specific steps to delink payment from your identity.
Understanding this distinction shapes every decision below.
The Three VPNs That Actually Prioritize Privacy
Mullvad: The Gold Standard for Anonymity
Mullvad takes privacy further than any other mainstream provider. When you sign up, you get a random account number. No email address required. No name. You can fund the account by mailing cash or coins to their office in Gothenburg, Sweden. They also accept Monero (a privacy-focused cryptocurrency where transactions are untraceable) and Bitcoin.
Sweden is outside the Five Eyes intelligence alliance. Swedish law requires a court order before any data disclosure, and Mullvad's no-logs policy has been verified in practice: Swedish police raided their offices in 2023 and left with nothing, because there was nothing to take. Mullvad also underwent an independent security audit by Cure53 in 2020 and again in 2022, with results published publicly.
The trade-off: Mullvad's apps are functional but less polished than NordVPN or ExpressVPN. Server coverage is smaller (around 700 servers in 40+ countries). For users who need a specific streaming region or maximum server choice, Mullvad is not the right pick. For users who genuinely need privacy-first operation, it is the clearest choice on the market.
ProtonVPN: Swiss Law, Open Source, and Tor Integration
ProtonVPN is operated by Proton AG, the company behind ProtonMail. It is headquartered in Geneva, Switzerland, which sits outside both the Five Eyes and Fourteen Eyes intelligence alliances. Swiss privacy law is among the strongest in the world, and Proton has a track record of defending user privacy in Swiss courts.
The entire ProtonVPN codebase is open source. You can audit it yourself or review independent audits (Securitum performed an audit in 2022). ProtonVPN accepts Bitcoin as payment, which provides pseudonymous payment (not fully anonymous, but better than a credit card). For users who want to go further, ProtonVPN offers Tor nodes: traffic routes through the VPN first, then exits through Tor, adding an extra anonymity layer at the cost of speed.
ProtonVPN also offers a free tier that is genuinely private (not monetized through data) but with speed and server restrictions. For serious privacy use, the paid plan gives access to all features including Tor nodes and the Stealth protocol for bypassing VPN blocking.
IVPN: Privacy-Focused and Audited
IVPN is a smaller, independent provider that has positioned itself explicitly around privacy rather than marketing to the mainstream. Like Mullvad, it does not require an email address to sign up. Payment options include Bitcoin and Monero. The company is registered in Gibraltar, outside Five Eyes jurisdiction.
IVPN was audited by Cure53 in 2019 and 2022. Both audits are published in full on their website, including the findings and how they were addressed. This level of transparency is rare. IVPN's app has fewer features than larger providers but covers the essentials well: a kill switch, WireGuard and OpenVPN support, and multi-hop routing (sending traffic through two servers instead of one, so neither server alone can link your identity to your destination).
The No-Logs Claim: Who Has Actually Proven It
Nearly every VPN on the market claims a no-logs policy. Very few have been tested in practice. Two ways a no-logs claim gets verified:
- Court orders and law enforcement requests: PIA (Private Internet Access) had its no-logs policy confirmed twice in US court cases when subpoenas produced no usable data. Mullvad's 2023 police raid produced nothing. These are real-world verifications, not marketing.
- Independent audits: ProtonVPN, IVPN, Mullvad, and ExpressVPN have all undergone third-party audits of their logging infrastructure. The audit scope matters: some audits check only the apps, not the server configuration. Look for audits that include server-side infrastructure review.
ExpressVPN has audits and a no-logs claim, but it was acquired by Kape Technologies in 2021, a company with a controversial history in adware. Some privacy researchers have flagged this as a concern. It does not mean ExpressVPN logs data now, but the ownership change is worth knowing before you choose it for serious privacy work.
Threat Model: Who Are You Hiding From?
Privacy tools should match the actual threat. Three levels:
- ISP and commercial tracking: Any reputable no-logs VPN solves this. NordVPN, Surfshark, ProtonVPN, Mullvad all work. This covers the majority of users.
- Employer network monitoring, public Wi-Fi: A VPN on your personal device routes around your employer's network filter. This is legal in most jurisdictions for personal devices on personal networks (not company devices on company networks). Any of the above providers handle this well.
- Targeted government surveillance or legal proceedings: This requires Mullvad-level operational security (anonymous sign-up, Monero payment, no email account) or Tor. A VPN alone is insufficient if a government can compel the provider. Jurisdiction and payment anonymity become critical.
Five Eyes, Nine Eyes, Fourteen Eyes: Why Jurisdiction Matters
Intelligence-sharing alliances affect which VPN providers can be legally compelled to hand over data. The Five Eyes (United States, United Kingdom, Canada, Australia, New Zealand) have the broadest mutual intelligence sharing. Nine Eyes adds Denmark, France, Netherlands, and Norway. Fourteen Eyes adds Germany, Belgium, Italy, Spain, and Sweden.
Switzerland, Panama, and Gibraltar are outside all three alliances. This is why ProtonVPN (Switzerland), IVPN (Gibraltar), and NordVPN (Panama) choose those jurisdictions. It does not make them immune to legal pressure, but it means requests must go through local courts with stronger privacy protections than US or UK subpoenas.
Payment Privacy: Why This Often Gets Ignored
Most users pick a VPN, pay with a credit card, and consider the privacy box checked. Credit card payment creates a direct link between your real name, your bank account, and your VPN subscription. If that subscription is ever linked to an IP address in a legal proceeding, your identity is established instantly.
Options ranked by privacy:
- Cash by mail (Mullvad): No digital trail. Best option for maximum anonymity.
- Monero: Transactions are private by design. Wallet addresses are not publicly traceable. Accepted by Mullvad and IVPN.
- Bitcoin: Pseudonymous, not anonymous. Bitcoin transactions are public on the blockchain. With enough analysis, payments can be traced to exchanges where KYC (Know Your Customer) was required. Accepted by Mullvad, ProtonVPN, IVPN.
- Credit card or PayPal: Fully traceable to your identity. Fine for most use cases. Wrong choice if anonymity from the VPN provider itself is the goal.
VPN Plus Tor: When to Combine Both
ProtonVPN's Tor nodes route your traffic through the VPN first, then exit through the Tor network. This adds a layer of protection: the Tor entry node sees the VPN server's IP, not your real IP. If the Tor entry guard is compromised, it still cannot identify you because the VPN sits in front of it.
The practical cost is significant. Tor adds several hundred milliseconds of latency and reduces bandwidth substantially. Streaming is not practical. Browsing becomes noticeably slower. This setup is appropriate for high-stakes use cases: journalists communicating with sources, activists in countries with active surveillance, or anyone for whom a single compromised point of the network creates unacceptable risk.
For everyday privacy from ISP tracking or commercial data collection, VPN alone is sufficient. The added complexity of VPN over Tor is not worth it for general use.
The Bottom Line
For most users who want strong privacy without complexity: ProtonVPN is the clearest recommendation. Swiss jurisdiction, open source, audited, Bitcoin payment, free tier available, Tor integration if needed.
For users who need maximum operational anonymity, including hiding their identity from the VPN provider itself: Mullvad. Random account number, cash payment, verified no-logs by police raid, outside Five Eyes.
For users who want an audited independent alternative with multi-hop support: IVPN.
The big-name providers (NordVPN, ExpressVPN, Surfshark) are fine for everyday privacy from ISPs and commercial tracking. They are not the right choice if you are seriously concerned about provider-level trust.