Virtual Private Networks or VPNs can protect the privacy of your browsing, cloaking your online activities and making it much harder for websites, internet providers, advertisers, and a hacker sitting behind you in a coffee shop to see what you’re doing. Generally speaking, VPNs are a Good Thing, and Google offers one for free if you’re paying for storage. So should you be using it?
Google’s VPN, known as VPN by Google One, is only available if you’re a Google One customer—that is, if you pay Google for cloud storage beyond the 15GB that everyone gets for free. You need to pay for 2TB ($10 a month) of storage or more, so users on the 100GB ($2 a month) and 200GB ($3 a month) don’t qualify for the VPN benefit.
At the higher end you can go all the way up to 30TB if you really want to, which will set you back a not inconsiderable $150 a month. However, as long as you’ve signed up to a plan that gets you 2TB of space or higher—what Google calls “premium” plans—you’ll have access to the Google One VPN on your phone.
Enabling the VPN couldn’t be much simpler. Open up the Google One app for Android or iOS, scroll down the options on the Home tab, and you should see an Enable VPN button somewhere among the benefits you’re entitled to. The next screen lets you toggle the VPN on or off, and specify certain apps that should be excluded from using it (in case any of them have problems connecting).
What you don’t get with the VPN by Google One is much in the way of settings: You can’t choose which servers to connect to, or pretend to be somewhere else in the world, because Google handles all of this automatically (when you appear online, sites will still see you as coming from the country that you’re currently in). If you need more flexibility, a more fully fledged VPN package might be better.
What’s more, the VPN tunnel you’re connecting to is maintained and operated by Google. Google promises to “never use the VPN connection to track, log, or sell your browsing activity”—in other words, your activities won’t be recorded, beyond all the recording that Google already does. If you want to know more about the technical details of Google’s VPN, the company published a white paper on the subject.
Using any VPN involves a degree of trust, because you’re essentially putting your browsing activities into the hands of the VPN operator. Most of them—Google included—will promise not to keep permanent records of this activity, but short of breaking into their data centers and having a look yourself, it’s hard to verify this.
It’s a question of whether or not you trust Google to be responsible with your browsing history (which may already be logged by Chrome and the other Google services you use). If you’re letting Google track what you watch on YouTube and what you search for in Chrome and where you go on Google Maps, using the Google VPN isn’t going to change that.
Last year Google commissioned an independent company called NCC Group to audit the security and privacy protections built into VPN by Google One. The report raised several concerns, but Google moved to fix the majority of them, and overall the Google VPN was given a thumbs up from a security and privacy perspective.
“NCC Group found the product to have a very robust security posture,” the report concludes. “The consulting team determined that the use of modern operating system libraries and strong, openly standardized cryptographic protocols enabled Google to provide a VPN which benefits its users with immediate security enhancements for their network traffic.”
It’s worth noting that no VPN is 100% safe from bad actors, particularly if those bad actors are also employees at the VPN company. The auditors acknowledged that the Google One VPN was the same as other VPNs in this respect, but that procedures were in place to “impede” malicious employees from accessing data without authorization.
“Ultimately, NCC Group determined that while the supplemental cryptographic privacy protections did not categorically eliminate the opportunity for Google to violate its privacy claims, they did provide a framework within which the application can provide authentication and authorization for users without sending identifying information to the VPN nodes,” the report stated.
Proton, the company responsible for ProtonMail and other technologies, raised another concern about Google’s VPN. ProtonMail founder Andy Yen has said that Google’s advertising and data profiling business are in conflict with the ethos of what a VPN is supposed to be, pointing out that “the very purpose of a VPN is to prevent the type of surveillance that Google engages in on a massive and unprecedented scale.”
Increasing use of VPNs is detrimental to Google, so the introduction of its own software could be seen as an attempt to try and grab hold of some of that data—even if Google won’t be able to track you as comprehensively as it would without any VPN at all. If people are using VPNs, Google execs perhaps have reasoned, they might as well be using Google’s.
Another argument against using any VPN, including Google’s, is the impact it has on the speed of your connection. Google promises that its “best-in-class network architecture” will keep your data flowing quickly, though you’ll have to try it out for yourself to determine whether or not there’s a noticeable impact on web browsing and app use. Using any VPN also uses up more battery life and data, and again this is something you’ll need to monitor on an ongoing basis.
Everything considered, deploying a VPN when you connect to the web is worth doing to protect your online privacy and security as much as possible. The next question is who you trust most not to peek at your data and to handle it in a responsible way—and whether you choose Google or any of the other VPN providers, we’d recommend doing as much research as possible on the company behind your encrypted connection to the web.