VPN for Journalists and People at Risk
Key points
- For high-risk users, a VPN is one layer and not a complete protection plan.
- Tor is built for stronger anonymity, while a VPN trusts one provider.
- Start with a clear threat model: who you are protecting against and how.
- A VPN does not stop phishing, device compromise, or account-level identification.
On this page
- Start With a Threat Model
- What a VPN Honestly Does
- What a VPN Does Not Do
- VPN and Tor: Different Goals
- Choosing a Provider Carefully
- Layers, Not a Single Tool
- Protecting Sources and Communications
- When a VPN Is the Wrong Tool
- Where a VPN Is Not Enough, and How to Think About Your Threat Model
- Summary
- Frequently asked questions
This guide is different from our others, because the stakes are higher. For journalists, activists, and people facing real risk, getting privacy advice wrong can have serious consequences. So we will be careful and honest, and we will not oversell what a VPN can do. A VPN is one layer of protection. It is not a silver bullet, and for high-risk work it is rarely enough on its own.
If you are in genuine danger, treat this as a starting point and seek guidance from organizations that specialize in protecting people at risk. Our goal here is to be honest about where a VPN fits and where it falls short. For the basics of the tool, see our introduction to VPNs.
Start With a Threat Model
The single most important idea is the threat model. Before choosing any tool, get clear on three questions. Who are you protecting against? What can they actually do, technically and legally? And what exactly do you need to keep safe, your identity, your sources, your location, or your communications?
The answers change everything. A VPN that fits a journalist worried about a local network may be the wrong tool for someone facing a powerful adversary with legal reach. There is no single right tool, only the right tool for a specific threat. Skipping this step is the most common and most dangerous mistake.
What a VPN Honestly Does
Within a threat model, a VPN does a few specific things. It encrypts your traffic so the local network and your internet provider cannot see which sites you visit. It hides your IP address from the sites you reach, replacing it with a shared server address. On an untrusted network, that is genuine protection, the same kind we describe in our guide to using a VPN on public Wi-Fi.
That is the honest extent of it. A VPN narrows what the network and your provider can observe. It does not make you anonymous, and our VPN privacy guide explains why "you move trust, you do not remove it" is the accurate way to describe it. For at-risk users, that single shift, from your provider to the VPN company, is itself part of the threat model.
What a VPN Does Not Do
This section matters most for people at risk, so we will be blunt. A VPN does not protect a device that has already been compromised. If spyware is on your phone, encryption of your traffic does not help. It does not stop phishing, which is a common way targeted individuals are reached. And it does not hide you from services you log in to, because your account is your identity regardless of your IP.
It also concentrates trust in one provider that can see your connection metadata. For a casual user that trade is fine. For someone facing a serious adversary, a single trusted party is a real consideration. These gaps are why a VPN cannot stand alone in a high-risk plan, and why thinking it can is dangerous.
Tip: if your safety depends on staying unidentified, do not rely on a VPN alone. Consult a digital security organization that works with journalists and at-risk people, and build a plan around your specific threat.
VPN and Tor: Different Goals
Tor comes up constantly in this context, and the comparison is worth understanding. Tor routes your traffic through several volunteer relays, so no single relay sees both who you are and where you are going. That layered design aims for stronger anonymity than a VPN, at the cost of speed. A VPN sends your traffic through one provider, which is faster but means trusting that one party. Our full comparison of a VPN and Tor goes deeper.
| Factor | VPN | Tor |
|---|---|---|
| Trust model | One provider sees your connection | No single relay sees both ends |
| Speed | Fast, good for daily use | Slower by design |
| Anonymity goal | Reduces network-level exposure | Built for stronger anonymity |
| Best fit | Privacy on untrusted networks | High-risk anonymity needs |
For the most sensitive work, Tor or purpose-built tools are often more appropriate than a VPN. For protecting daily traffic on networks you do not control, a VPN is reasonable. Many people at moderate risk use both, for different jobs.
Choosing a Provider Carefully
If a VPN is part of your plan, provider choice carries more weight than usual. Because the provider can see your connection metadata, you want one with clear policies, independent audits, named ownership, and a record of how it responds to legal requests. We publish our own practices on our transparency page so you can evaluate rather than trust blindly. Avoid free-only apps with unclear funding, since the cost of getting this wrong is far higher for you than for an average user.
Layers, Not a Single Tool
The honest conclusion is that safety for at-risk people comes from layers, not one product. A VPN can be one layer for network privacy. Around it you need careful device hygiene, strong account security with two-factor authentication, caution against phishing, and tools matched to your specific threat. Our guide to VPN account security covers part of that, but for serious risk, expert guidance tailored to your situation matters more than any single article.
Protecting Sources and Communications
For journalists, the threat often centers on sources, and that raises questions a VPN alone cannot answer. A VPN protects the network path of your traffic, but it does not encrypt the contents of a message end to end, and it does not hide who you communicate with from the services you use. If protecting a source is the goal, the tools that matter most are encrypted messaging built for that purpose and careful habits about metadata.
Think about the whole chain, not just one link. Where are your notes stored? Who can access your devices? What does a service learn simply from the fact that two accounts talked? A VPN can reduce what a network observer sees, which is useful, but the sensitive parts of source protection live in choices a VPN does not touch. This is exactly why the threat model comes first.
When a VPN Is the Wrong Tool
It is worth naming the cases where a VPN can give false comfort. If your adversary can compromise your device directly, the encryption of your traffic does not matter, because they are reading from inside. If your adversary can compel the VPN provider to hand over connection records, a single trusted party becomes a single point of pressure. And if your goal is true anonymity rather than network privacy, a VPN aims lower than that by design.
In those situations, leaning on a VPN as your main shield is a mistake that can put you or your sources at risk. The safer move is to recognize the limit, step back to your threat model, and choose tools built for the specific danger you face, ideally with help from people who do this work professionally.
Where a VPN Is Not Enough, and How to Think About Your Threat Model
A VPN does real work. It hides your IP address from the sites you visit, and it protects your traffic when you are on a network you do not control, like a hotel or cafe. But if you are a journalist or someone facing a serious adversary, it helps to be clear about what a VPN does not do. The first step is to build a threat model. Ask who might want your data, what they can do, and what happens if they get it. Your answers should shape your tools, not the other way around.
Here are the honest limits to keep in mind:
- A VPN provider, including vpn.now, can in principle see connection metadata such as the times you connect. A provider is a point of trust, and it can be reached by legal process. This is not the same as anonymity.
- If you need strong anonymity, Tor is built for that purpose, and some people run Tor over a VPN. A single commercial VPN is not a substitute for it.
- The device matters more than the network for a targeted person. Malware, a compromised phone, or someone with physical access can defeat any VPN, because the problem is no longer the connection.
- Protecting a source needs more than a VPN. Think about secure-drop style tools, separate devices kept for one task, and careful habits around the metadata you leave behind.
None of this means a VPN is pointless. It is one useful layer, and for everyday safety on untrusted networks it does its job well. The point is balance. If you are at genuine risk, treat the VPN as part of a plan, not the whole plan, and match each tool to the threat you actually face. Calm, careful habits protect you more than any single product can.
Summary
- For high-risk users, a VPN is one layer of protection, not a complete plan.
- Start with a threat model: who you face, what they can do, and what you must protect.
- A VPN encrypts traffic and hides your IP, but it moves trust to the provider.
- It does not stop phishing, protect a compromised device, or hide logged-in accounts.
- Tor aims for stronger anonymity by routing through several relays; a VPN trusts one party.
- Safety comes from layered tools and, for serious risk, expert guidance tailored to you.
If a VPN fits one layer of your plan, our plans and pricing page explains exactly what each option does and does not do.
