The Online Safety Act has done something its architects may not have anticipated: it has driven record numbers of British internet users toward virtual private networks, tools once confined largely to corporate IT departments. The rush to protect personal data from broadband providers, government oversight, advertisers, and cybercriminals has been swift - but it has also created a hunting ground for the very criminals people are trying to escape.
Why Britons Are Reaching for VPNs
A VPN works by encrypting all internet traffic before it leaves a device, routing it through a remote server so that the user's real IP address, location, and browsing activity are hidden from outside observers. That includes internet service providers, who in the UK have legal obligations to retain certain browsing data, as well as advertisers who build detailed behavioural profiles from unprotected traffic. For remote workers, VPNs have long been standard practice - protecting corporate networks from interception when employees connect via public or home broadband. The same logic now applies to millions of private individuals who have concluded, not unreasonably, that their personal data deserves equal protection.
The Online Safety Act introduced a regulatory framework that, among other provisions, requires platforms to verify users' ages and content, raising legitimate concerns about what data is collected in that process and who holds it. That anxiety, combined with a broader post-pandemic awareness of digital vulnerability, has pushed VPN adoption well beyond its traditional early-adopter base.
The Free VPN Trap: Convenience With a Concealed Cost
Where demand rises sharply, opportunists follow. The promise of a free VPN is a powerful lure - especially for users who are new to the technology and unclear on how it works. The problem is structural. Running a VPN service requires real infrastructure: servers in multiple countries, bandwidth, security engineering, and ongoing maintenance. A legitimate provider covers those costs through subscriptions. A provider that charges nothing must recover costs some other way - and frequently, that means the user's data is the product being sold.
Many free VPN services log browsing history, IP addresses, and location data, then sell that information to advertisers and data brokers. This is not hypothetical; it is a well-documented pattern across the industry. The irony is stark: a tool designed to prevent data harvesting becomes one of the most efficient data harvesting instruments available, given that a VPN, by design, sees everything passing through it.
The threat does not stop at data sales. Cybersecurity researchers have identified malicious applications that impersonate legitimate VPN services entirely. Google issued a public caution in late 2025 about fraudulent VPN apps actively stealing data from devices they claimed to protect. These apps spread across multiple platforms and targeted users at scale. According to the company, the operators behind them impersonate well-known VPN brands or use social engineering - including sexually suggestive advertising or content tied to geopolitical events - to reach users who are actively seeking security tools.
Malware Bundled Inside Fake Security Apps
One of the more alarming recent discoveries was Klopatra, a Remote Access Trojan found embedded within an application called "Mobdro Pro IP TV + VPN." Once installed on an Android device, Klopatra granted attackers full remote control - the ability to monitor the screen, record keystrokes, simulate taps, and operate the device as if they were the legitimate owner. Banking credentials, passwords, and account details become accessible without the victim ever knowing the compromise has occurred.
Patricia Egger, Head of Security at Proton VPN, described the discovery to GB News as evidence of how far mobile malware has evolved. "An unethical VPN is one of the most effective data harvesting tools imaginable, with visibility into almost everything a person does online," she said. Her advice: download VPNs only from verified, trusted sources; scrutinise the permissions any app requests before granting them; and when evaluating a provider, examine whether they publish independent security audits, operate an open-source codebase, or run a bug bounty programme - all markers of genuine accountability.
What to Look For in a Trustworthy VPN
Not every free plan is malicious. Some reputable providers offer limited free tiers as a genuine entry point - ProtonVPN, for instance, offers a free option with a restricted server selection. The distinction lies in transparency: legitimate providers are explicit about what data they collect, publish audited no-logs policies, and do not depend on selling user data to sustain the service.
For users who want full functionality without risk, paid services represent better value than the cost suggests. Premium providers typically offer:
- Strong encryption protocols, including proprietary options optimised for speed and reliability
- Large server networks spanning dozens of countries, enabling access to geo-restricted content
- Coverage across multiple devices simultaneously, including smart TVs and streaming hardware
- Verified no-logs policies backed by independent audits
- Responsive customer support
The broader lesson from Britain's VPN surge is not that the tools are dangerous - they are not. Used correctly, from a reputable provider, a VPN meaningfully improves online privacy. The danger lies in choosing one carelessly, drawn in by the appeal of a free service from an unknown source. In a market where trust is the entire product, the question of who is asking for that trust - and why - matters enormously.