US cybersecurity agency says to stop using personal VPNs


According to TechRadar, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued a direct warning telling iPhone and Android users to stop using personal VPN services. The agency’s guidance, published in a document dated November 24, 2025, argues that these VPNs simply shift privacy risks from your internet service provider to the VPN provider, often increasing your overall attack surface. CISA specifically highlights that many commercial VPNs have questionable security and privacy policies. This warning is part of a broader effort to combat advanced commercial spyware, with malicious VPN apps being a common Trojan horse for threat actors. The alert echoes recent Google security findings about fake VPN apps designed to steal browsing history and financial credentials.


A surprisingly blunt warning

Here’s the thing: this is a pretty dramatic statement from a federal agency. We’re used to them giving nuanced advice, like “choose carefully” or “look for these features.” But “do not use a personal VPN” is about as blanket as it gets. It basically throws a huge question mark over an entire multi-billion dollar industry that’s built on promises of privacy and security. And you have to wonder, what prompted this level of urgency now? The link to fighting commercial spyware is telling. It seems like state-sponsored hackers and other sophisticated groups are using fake or compromised VPN apps as a primary infection vector. That’s a serious escalation.

The real target is probably free VPNs

Now, CISA’s warning says “personal VPNs,” but let’s be real. They’re almost certainly aiming at the shady end of the market, especially the countless free VPN apps. I think we all know the old saying: if you’re not paying for the product, you are the product. Those services have to make money somehow, and data harvesting is a very lucrative model. Injecting ads, tracking your browsing to sell to data brokers, or even quietly installing malware—it’s all on the table. The agency’s point is that you’re trading a known entity (your ISP, which is regulated) for a complete unknown that might be outright malicious.

So, are *all* VPNs bad?

That’s the big question, right? CISA’s guidance doesn’t really make a distinction, which is frustrating. Because the core issue isn’t the technology itself; the encryption between your device and the VPN server works fine. The issue is who sits at the other end of that tunnel. The provider sees exactly the traffic your ISP used to see, so everything comes down to its business practices. A trustworthy VPN should have a few non-negotiable features. A strict, independently audited no-logs policy is number one: you need evidence, not just a promise, that they aren’t storing your data. Modern, openly specified protocols like WireGuard or OpenVPN are essential. And critical security features like a kill switch, which blocks all traffic outside the tunnel if the VPN connection drops, and DNS leak protection, which stops your lookups from quietly going to your ISP’s resolver, are absolute must-haves. Without these, you’re just playing security theater.
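To make those two features concrete, here is what a kill switch and DNS leak protection look like when you run the tunnel yourself rather than through a vendor app. This is an added example, not from the article or from CISA’s guidance: a WireGuard client configuration for wg-quick on Linux. The keys, the 10.8.0.x addresses and the endpoint vpn.example.net are placeholders; the PostUp/PreDown firewall rules follow the kill-switch pattern documented in the wg-quick(8) man page.

```ini
[Interface]
# Placeholder values: use your own key and the address your provider assigns.
PrivateKey = <client-private-key>
Address = 10.8.0.2/32
# DNS leak protection: wg-quick points the system resolver at this address,
# so lookups travel inside the tunnel instead of going to the ISP's resolver.
# 10.8.0.1 is an assumed in-tunnel resolver address.
DNS = 10.8.0.1
# Kill switch (pattern from wg-quick(8)): reject any outgoing packet that is not
# leaving through this interface (%i) and is not the already-encrypted traffic
# to the endpoint, which wg-quick marks with the interface's fwmark. Packets to
# local addresses are still allowed so the machine keeps working if the tunnel drops.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
# Placeholder public key and endpoint for the provider's server.
PublicKey = <server-public-key>
Endpoint = vpn.example.net:51820
# Full tunnel: route every destination, IPv4 and IPv6, through the peer.
# A narrower list here would let some traffic bypass the VPN entirely,
# and forgetting ::/0 is a classic way to leak over IPv6.
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```

After `wg-quick up <config>`, two quick checks tell you whether the features actually hold: `ip route get 1.1.1.1` should report the wg interface as the outgoing device, and `/etc/resolv.conf` (or `resolvectl status`) should list only the in-tunnel resolver. Pull the tunnel down without running PreDown and the REJECT rule should leave you with no connectivity at all, which is the point. On Android the vendor-independent equivalent is the system setting “Always-on VPN” with “Block connections without VPN” enabled. None of this addresses the article’s real concern, though: the configuration proves the tunnel does not leak, not that the provider at the far end is trustworthy.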

The impossible burden on users

And this is where the practical problem lies. CISA’s warning, while well-intentioned, puts the entire burden of verification on the user. How is an average person supposed to know if a VPN’s “no-logs” policy has been *truly* audited, or if that audit was any good? How can they verify the integrity of the encryption? It’s an asymmetric information problem. We’re told to avoid a whole category of tool because the market is flooded with dangerous counterfeits, but given no clear, official way to identify the safe ones. That leaves people with a tough choice: ignore the warning and risk a dodgy app, or follow it and lose a tool many use for legitimate privacy. Not a great set of options.
