To start with, the obligatory explanation of how VPN works.
VPNs are a subject of marketing and suffer from the same issues. In the wild there are bullshit claims, exaggerated or misleading statements, and the truth, in various proportions. The first kind is something I rarely see. Much more common is the second: claims that may be deceiving to the general population.
VPN removes the LAN and the ISP from the equation. This is nothing more than shifting the issue elsewhere. While both cases are identical from a technical perspective, the privacy and security implications are not necessarily the same. In the most basic scenario you must choose between two entities: the ISP and the VPN. The VPN provider may be more trustworthy (1) than the ISP, depending on one’s situation. Putting that in a game theory perspective, we are dealing with two variables, each being a probabilistic distribution. (2) If the ISP variable is already degraded to a single, unacceptable value, choosing the unknown case is likely to be the better choice. If that wasn’t enough, the local network may be malicious, and VPNs do protect against this. (3) Of course the problem is that most of the advertising audience will never use the VPN in such circumstances. This is why it is an exaggerated claim. But not strictly false.
Some other statements are so exaggerated that they are on the edge of being false (but still strictly not false). They usually appeal to unreasonable fears. Fears that are not completely wrong, but are greatly inflated. For example: falling victim to a DDoS, a retaliatory attack, or being harmed in meatspace. This does in fact happen, and VPNs do provide protection against it. The catch? Not only is the threat orders of magnitude less likely than people expect it to be, not only do people themselves subvert the protection, but they also fail to recognize that random campaigns are more likely to hit them than targeted attacks.
My primary concern is VPNs that claim to be “free”. There is no way they are honest, yet people fall into that trap. They turn the victim’s computer into an open relay to proxy traffic from other “free” tier users, they force the user into a paid plan by artificially handicapping the service quality, or the “free” service is a temporary offer to attract victims. To people advertising “free” VPNs I have one message: the one between the index and the ring finger.
(1) For any definition of “trustworthiness” you choose. I leave it imprecise here, not making too many assumptions.
(2) Here I assume the distributions are similar. This is not necessarily the case in all real-world examples. That may be a subject of debate, but the discussion would be about deviations from this central assumption.
(3) Pushing for HTTPS made the practice practically obsolete, but some risks remain.