Start with Your Threat Model
A VPN is one tool in a security stack, not a complete solution. Before choosing tools, define your threat model: Who are you protecting against? A VPN protects against ISP surveillance and network-level monitoring. It does not protect against an adversary with legal access to your VPN provider's logs, malware on your device, or social engineering. Journalists working on sensitive investigations and activists in authoritarian countries have different threat profiles than users who simply want privacy from their ISP.
VPN Choice Matters More for High-Risk Users
For general users, most reputable paid VPNs are adequate. For high-risk users (journalists covering organized crime, activists in countries with authoritarian governments, whistleblowers), the provider's jurisdiction, no-logs policy audits, and ownership structure matter significantly. Avoid VPNs owned by companies in 14-Eyes countries for high-sensitivity use cases. Mullvad (Sweden, accepts anonymous payment) and ProtonVPN (Switzerland, audited no-logs) are the top choices for high-risk users.
What a VPN Cannot Do
A VPN does not anonymize you from a determined adversary with legal authority. If a government subpoenas your VPN provider, the logs (if any exist) are accessible. A VPN does not protect against a compromised device. If your device has malware, all traffic can be monitored before it reaches the VPN tunnel. A VPN does not protect your metadata in all contexts -- cell tower location data, for example, is independent of your internet VPN.
Tools That Complement VPNs for High-Risk Users
Tor Browser: provides multiple layers of routing and is much harder to trace than a VPN alone, at the cost of speed. Tails OS: a live operating system that leaves no trace on the device you run it from. Signal: end-to-end encrypted messaging with disappearing messages. Qubes OS: compartmentalized computing where each application runs in an isolated virtual machine. For journalists working with sensitive sources, the Freedom of the Press Foundation's resources (freedom.press) provide detailed operational security guidance beyond what any single tool can offer.