Privacy in Public Wi-Fi: Beyond VPNs

Public Wi-Fi is convenient but deeply insecure. This article explains why VPNs alone cannot protect you and offers a practical, modern checklist for safeguarding your privacy on shared networks.


Public Wi-Fi is inherently insecure because network owners and nearby attackers can observe or manipulate unencrypted traffic. A VPN helps, but it is not enough to fully protect your privacy or data.




Why isn’t a VPN enough to stay private on public Wi-Fi?

A VPN encrypts your traffic between you and the provider, but it cannot fix local network attacks, malicious access points, browser fingerprinting, or data collection by the websites you visit. Public Wi-Fi leaks metadata such as MAC addresses, device names, and connection histories, and attackers use techniques such as ARP spoofing and Evil Twin networks to trick devices into connecting. A VPN protects only the traffic in transit to the provider, not the many other vectors that expose your identity or behavior.


What threats should you expect on today’s public Wi-Fi networks?

Public Wi-Fi environments typically involve:

  • Evil Twin hotspots: Fake access points impersonating legitimate networks.
  • Intercept and inject attacks: Local attackers modify traffic on unsecured sites.
  • Captive portal tracking: Login pages often embed analytics, adtech, or device-fingerprinting scripts.
  • Lateral movement: Other devices on the network may probe your laptop or phone for open services.
  • Metadata exposure: Even encrypted sessions still reveal domains, traffic size, and timing patterns.

To ground this in current reality, researchers continue to uncover flaws in Wi-Fi chipsets and protocols. For example, recent reporting from Ars Technica highlights ongoing Wi-Fi driver vulnerabilities impacting major platforms: https://arstechnica.com/security/. Meanwhile, the Electronic Frontier Foundation maintains documentation tracking common surveillance vectors in public networks: https://www.eff.org/issues/privacy. For broader industry guidance, CISA’s wireless security advisories provide up-to-date recommendations: https://www.cisa.gov/topics/cybersecurity-best-practices.


What should you do instead of relying solely on a VPN?

  1. Enable system-level firewall rules to block all inbound connections on public networks.
  2. Use HTTPS-only browsing by enabling HTTPS-Only Mode in Firefox, or the equivalent setting or extension that succeeded HTTPS Everywhere in other browsers.
  3. Disable auto-join for open networks to prevent silent connections to malicious clones.
  4. Use DNS over HTTPS (DoH) or DNS over TLS (DoT) to shield DNS metadata from local observers.
  5. Restrict background network activity by disabling unnecessary cloud sync or app auto-updates while on public Wi-Fi.
  6. Use privacy-respecting browsers or containers that reduce fingerprintability.
  7. Prefer mobile hotspots when handling sensitive information.
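
One way to check step 3 on a Linux laptop that uses NetworkManager, together with whether each saved profile sets MAC randomization. This is an added example, not part of the original article; the profile contents and SSIDs are constructed samples in NetworkManager's keyfile format.

```python
import configparser

# Constructed sample profiles (NetworkManager keyfile format); SSIDs are made up.
SAMPLE_PROFILES = {
    "cafe.nmconnection": """
[connection]
type=wifi
[wifi]
ssid=CafeGuest
""",
    "home.nmconnection": """
[connection]
type=wifi
[wifi]
ssid=HomeNet
cloned-mac-address=stable
[wifi-security]
key-mgmt=wpa-psk
""",
    "airport.nmconnection": """
[connection]
type=wifi
autoconnect=false
[wifi]
ssid=Airport_Free
cloned-mac-address=random
""",
}

def audit_profile(text):
    """Return a list of findings for one saved Wi-Fi profile."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    if cfg.get("connection", "type", fallback="") != "wifi":
        return []
    findings = []
    # An open network has no [wifi-security] section; auto-join defaults to on.
    is_open = not cfg.has_section("wifi-security")
    if is_open and cfg.getboolean("connection", "autoconnect", fallback=True):
        findings.append("open network with auto-join enabled")
    # Without random/stable here, NetworkManager's global default applies.
    if cfg.get("wifi", "cloned-mac-address", fallback="") not in ("random", "stable"):
        findings.append("MAC randomization not set in profile")
    return findings

for name, text in SAMPLE_PROFILES.items():
    print(name, "->", audit_profile(text) or "ok")
```

On a real system the same function can be run over the files in /etc/NetworkManager/system-connections/, which are readable only by root.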

Which tools and services genuinely strengthen privacy on public Wi-Fi?

When selecting privacy tools, prioritize transparency, security track records, and independent audits. Here are three reputable examples mentioned frequently in the privacy community:

These are not silver bullets but components of a larger privacy strategy.


How can you evaluate the safety of a public Wi-Fi network quickly?

Look for these indicators before connecting:

  • Does the network require a password, or is it truly open?
  • Does the captive portal request personal information?
  • Is the network name suspiciously similar to another nearby SSID?
  • Is the venue a high-risk location such as airports or conferences?
  • Do you see certificate errors when visiting HTTPS sites?

When in doubt, switch to your phone’s hotspot.
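
The SSID check from the list above, sketched as a heuristic over a scan list. This is an added example, not part of the original article; the scan entries, SSIDs and BSSIDs are constructed, and the two rules (mixed security modes under one name, and names that collide after normalization) are assumptions about what deserves a second look, not proof of a rogue access point.

```python
import unicodedata
from collections import defaultdict

# Constructed scan results: (SSID, BSSID, security). All values are made up.
SCAN = [
    ("CoffeeHouse_WiFi", "02:00:00:00:00:01", "WPA2"),
    ("CoffeeHouse_WiFi", "02:00:00:00:00:02", "WPA2"),   # second AP, normal
    ("CoffeeHouse_WiFi", "02:00:00:00:00:03", "OPEN"),   # same name, no encryption
    ("Coffee House WiFi", "02:00:00:00:00:04", "OPEN"),  # look-alike name
    ("Library", "02:00:00:00:00:05", "WPA2"),
]

def normalize(ssid):
    """Fold case, compatibility forms and separators so look-alikes collide."""
    folded = unicodedata.normalize("NFKC", ssid).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def suspicious_ssids(scan):
    """Return {ssid: [reasons]} for names worth a second look before joining."""
    security_by_ssid = defaultdict(set)
    names_by_key = defaultdict(set)
    for ssid, _bssid, security in scan:
        security_by_ssid[ssid].add(security)
        names_by_key[normalize(ssid)].add(ssid)
    reasons = defaultdict(list)
    for ssid, modes in security_by_ssid.items():
        # Several BSSIDs under one SSID is normal; differing security is not.
        if len(modes) > 1:
            reasons[ssid].append("advertised with mixed security: "
                                 + ", ".join(sorted(modes)))
    for names in names_by_key.values():
        if len(names) > 1:
            for ssid in names:
                others = sorted(names - {ssid})
                reasons[ssid].append("look-alike of: " + ", ".join(others))
    return dict(reasons)

for ssid, why in suspicious_ssids(SCAN).items():
    print(ssid, "->", "; ".join(why))
```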


What key facts should you know before connecting?

Fact | Why it matters
Open Wi-Fi is unencrypted | Anyone nearby can observe unencrypted traffic.
VPNs don’t hide device metadata | MAC addresses and probe requests remain exposed.
HTTPS protects content, not identity | Domain names and timing still leak.
Captive portals track users | Many embed analytics and fingerprinting scripts.
Device isolation varies by venue | Not all public networks block device-to-device access.

FAQs

Is it safe to log into my bank account over public Wi-Fi?
Yes, if your browser shows a valid HTTPS connection, but using a personal hotspot is still safer.

Can a VPN stop Evil Twin attacks?
No. A VPN doesn’t prevent your device from connecting to a malicious access point.

Do browsers protect me from all tracking on Wi-Fi?
No. Browser protections help, but network metadata and device fingerprints still leak.

Should I randomize my MAC address?
Yes. Modern systems support MAC randomization, which reduces persistent tracking across hotspots.

Is mobile data always safer than public Wi-Fi?
Generally yes, because cellular networks offer authenticated, encrypted radio links by default.


What to do next

Audit your device’s public-network settings today and implement the seven steps above before your next trip.


*This article was written or edited with the assistance of AI tools and reviewed by a human editor before publication.