We mentioned earlier that everyone's threat model is different, and they may have different expectations of what they want the personal VPN to do. There are some common reasons to use a personal VPN, but personal VPNs may not be the best way to address those concerns. Know what you want to do before evaluating the right personal VPN for you.
Threat Model Concern 1: Insecure Networks
This is a common concern, and taps into why corporate VPNs came about. You want to communicate on the Internet and you don't trust the network (such as a public Wi-Fi network in coffee shops and restaurants, hotels, airports, car dealerships) you are on. Many places offer Wi-Fi networks just because their competitors do. Even dentist waiting rooms (yes, experienced firsthand). Yes, there are dangers from other people who are physically there with their own laptops attacking, sniffing, injecting and whatnot. The other danger is that the network itself was set up in an insecure manner so that a remote attacker can redirect traffic and carry out other activities. I mean, do you really expect your dentist to know how to set up Wi-Fi securely?
Even so, the dangers posed from public Wi-Fi networks are, in fact, low. When traffic wasn't encrypted in the old days, it was easier to do Man-In-The-Middle (MITM) attacks, and the devices that would make up the infrastructure (Wi-Fi access points aka WAPs, routers, etc) were usually a mess.
This was why a lot of companies had those corporate VPNs to begin with - the road warriors with their laptops wanted to access work resources from anywhere, and their IT departments wanted to protect those users.
Today, most traffic is encrypted, and done so in a way that is resistant to MITM attacks (e.g. certificate pinning). There are still dangers, but due to the sheer volume of users, traffic, and access points one could say the haystack has grown exponentially with a zillion more needles in that haystack. Your chances of attack from public Wi-Fi are in fact low.
With some good laptop hygiene (patches up to date, multi-factor authentication turned on, firewalling features enabled, etc) you are pretty rock solid, but a personal VPN does provide extra protection.
Threat Model Concern 2: Prevent Tracking.
Most non-technical people complain about how they do not want to be tracked but they don't always understand what that means. These people may use personal VPNs because they heard that VPNs prevent tracking, not realizing that personal VPNs can thwart some types of tracking, but not all.
If you want to avoid getting tracked while browsing the web and cookies are used, a personal VPN won't help. All the VPN does is ensure the cookies are delivered encrypted via a different route than normal. There are better tools for tracking via web browser, such as browser extensions or privacy-oriented web browsers.
Another form of tracking relies on the IP address to pinpoing your physical location and what service you are communicating with. Depending on your situation, you might want to restrict that information, so a personal VPN is a good choice for that.
Then there is data collection from the Internet service itself. If you are on ShopBecauseYouAreVerySadInside.biz and you don't want the service to collect information on where you are physically, a personal VPN will work. If you are trying to prevent the service from “harvesting” data about your actions while you are using the service and “using” them to make recommendations, we’re back in cookie territory and personal VPNs won't help.
Threat Model Concern 3: Bypassing the ISP or Geographical Limitations
If you are concerned your ISP is watching your traffic, a personal VPN might be of some help. You want to grab some torrents but your ISP restricts the access to torrent sites? That's something to check, since some personal VPNs support torrents and some don’t. If you are trying to avoid a repressive government who blocks access to and from different sources of information on the Internet, a personal VPN can work well in this case (with some caveats we’ll cover later). A personal VPN is often not well-suited for things like trying to get around specific geographical limitations associated with a particular online service, such as trying to access a video streaming site in another country. These services often can recognize the traffic is anonymized via a VPN or network proxy of some sort and will still deny the traffic.
Why Use a Personal VPN, Then?
Personal VPNs have a lot of expectations, and they aren't suited for all of them. But there are some scenarios that are ideal for personal VPNs.
Intended Usage 1: Laptop on a public network.
Let’s say you’re on a trip for a conference and have your personal laptop with you. You want to get online to check your email and social media calendar so you can attend the best parties, so you hop on the conference Wi-Fi network. Sure, you’d done a few basics like patch up before you left and turn on the firewall features on the laptop, but you are concerned because someone sniffing the traffic could see your laptop check for operating system updates. That would reveal what OS you have, your patch level, and other software information that attackers are looking for when preparing targeted attacks.
Any time you put in a website to visit into the browser, a DNS query looks up the iP address of the server you are looking for. This happens in plaintext, so someone sniffing that network may not be able to see what information you are viewing (thank you HTTPS) but they can certainly see what websites you are going to. Just the names of the sites could say a lot about you personally - a website dedicated to supporting people with AIDS, an adoption site, dating and porn sites, gaming sites, and so on. This information could be used against you in any number of ways, including fuel for phishing attacks if the person is able to determine who you are.
In our scenario, you are wearing your conference badge which may have your name on it, a QR code with more personal information, and of course there is the sacred business card exchange between people having conversations at a conference. If your would-be attacker is able to figure out your email address, they could send you a phishing email pretending to be one of those websites you frequent.
Reality check: is this scenario likely to happen? No, it is certainly not likely. Odds are you are not a high level target being chased down like Jason Bourne. If you are, great - a personal VPN might be one item amongst many to consider (also you should use an alias and maybe a disguise when attending conferences, or just watch the conference videos online later and not attend).
Intended Usage 1: Human rights volunteers
You are a human rights volunteer, and you travel a lot. You help people organize, you lead protests and marches, and you are probably on a lot of government lists. You want to make sure you are not being tracked while online. You may not need to hide your identity, but the people you are helping may not want their identity revealed. You also want to ensure that you can get online to get the word out and coordinate various events, so you need to bypass any blocked web services. This is a classic personal VPN scenario, and while you might not be a human rights volunteer this could be a scenario that sounds familiar enough to adapt to your needs.
Intended Usage 1: Questionable behavior
While I would never advocate criminal behavior, there is a class of online “behavior” that could come off as somewhat questionable. For this scenario, you are an investigative reporter, and you want to not only protect your sources, but you want to protect yourself to a large degree as well.
As an investigative reporter you need to be able to get information from informants which might be providing extremely sensitive material. As a result you might be targeted simply because of who you talk to, including having your communications being monitored by foreign governments while traveling. In this case you will have a number of tools in your arsenal, but a personal VPN would be one of them as it is needed to help protect you while accessing resources online while doing your job, especially while taking your laptop outside your office or home networks.