Imagine you're sitting at a coffee shop. You open your laptop, connect to their Wi-Fi, and hit the big button on your VPN app. It turns green. Connected. Protected. You can now browse the web without worrying about bad guys or the government. So you take a bite out of your croissant and take a sip of your latte. In the time it took you to do that, your VPN dropped connection and never bothered to tell you.

I know this because I studied it. As part of my MSc in Information Security at UCL, I conducted independent research evaluating how NordVPN and ProtonVPN communicate security state to their users, combining a heuristic evaluation, a cognitive walkthrough, and a qualitative analysis of 150 real user reports. What I found was that 31% of users in my sample had browsed without protection while their interface still showed "connected".

Before getting into the failures, it's worth being clear about what a VPN actually does. A VPN creates an encrypted tunnel between your device and a private server. That's it. It was originally built so employees could securely access company networks from home. Somewhere along the way it got rebranded as a personal privacy tool, which it was never really designed to be. All a VPN actually does is move the question of who you trust. Before, your ISP could see your traffic. Now your VPN provider can. That's not necessarily more secure, yet VPN companies have aggressively marketed themselves as privacy shields and the gap between what people think they have and what they actually have has become a security problem in itself.

The root cause of that gap is something I'm calling the False Trust Anchor. As a species we are hardwired to rely on our senses to make sense of the world. When we can't see how a system works under the hood, we look for visual shortcuts to fill in the gaps. The human brain takes shortcuts. When you see a green light or a padlock icon, you don't consciously evaluate your security state; you feel safe and move on. Cognitive scientists call this System 1 thinking: fast, automatic, based on pattern recognition rather than analysis. VPN interfaces are built around this. One icon turning one colour. The problem is that the icon doesn't explicitly represent the state of security underneath it. Your brain stays anchored to the last clear signal it received. You feel protected because you remember connecting, not because you are connected. It is not a failure of the user. It is a property of specific design choices.

A concrete example. ProtonVPN ships with the kill switch off by default. The kill switch is the feature that cuts your internet connection if the VPN drops, preventing your real IP from being exposed. A novice user doesn't know this feature exists, doesn't get a tutorial, and has no way of knowing they need to turn it on to actually be protected. The interface shows connected. The user feels safe. The kill switch is sitting there disabled.

NordVPN has a different version of the same problem. It uses a padlock icon as its primary trust symbol, and research consistently shows that users interpret padlocks as a signal of overall safety, 74% of them according to one study. Reasonable enough. But during the connection handshake, the window where your device is negotiating the encrypted tunnel and you are most exposed, NordVPN replaces the padlock with a country flag. The trust symbol disappears at exactly the moment it is most relevant. Does your grandma know she's connected now? Does she know that the flag means safe and the padlock meant something different? ProtonVPN's version of this is using purple as its connected-state colour. In almost every cultural and design context green means safe and red means danger. Purple means nothing to most people. It forces users out of automatic pattern recognition and into conscious interpretation, a small friction that matters when people are making fast decisions about whether they are protected.

The finding I keep coming back to is the NordVPN disconnect menu. When you want to disconnect, you click on the app and see a list of options. At the top: Pause for 5 minutes. Below that: Pause for 15 minutes. Then 30 minutes, 60 minutes, 24 hours. Then, at the bottom: Disconnect. This is a nudge: a deliberate ordering of choices designed to keep you in their ecosystem rather than give you clear control over your security state. Suppose you're in a rush and you meant to hit Disconnect but accidentally hit Pause for 24 hours. Your traffic is now unencrypted for the rest of the day. The interface doesn't warn you. There is no confirmation. You won't know until something goes wrong.

There is also what I'm calling the double-click trap. NordVPN replaces the Connect button with Cancel at the exact same spatial coordinates during the connection handshake. If you click fast, or your mouse has a double-click issue, you could cancel the connection and minimize the app without ever realizing you never connected. There is no auditory alert, no notification, no confirmation that the action you just took was successful. At least ProtonVPN mitigates this with a non-interactive pop-up that forces the user to acknowledge the state change before proceeding. That is the right instinct.

What strikes me about all of these failures is that none of them are technically hard to fix. A default kill switch is a configuration change. Consistent colour semantics is a design decision. Separating disconnect from pause is a menu reorder. Moving cancel out of the connect button's coordinates takes an afternoon. An auditory alert when the VPN drops is a single system call. These are not engineering challenges. They are product priority decisions. And right now, the product priority is clearly the user's perceived security state, not their actual security state. For a tool people are trusting with their privacy, I feel that difference matters.
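To make the gap between displayed state and actual state concrete, here is an added example in Python. It is not code from NordVPN, ProtonVPN or the paper; it is a small watchdog run over a constructed timeline of app-state samples, where each sample records what the window shows, whether the tunnel is actually up, and whether a fail-closed kill switch is in place. The `Sample` format, the `ui_state` values and the timeline itself are assumptions for illustration; a real watchdog would read tunnel state from the operating system rather than from a list. The point it demonstrates is the one above: the kill switch removes the exposure, the alert removes the silence, and neither requires anything technically hard.

```python
"""Tunnel-state watchdog (added example; assumptions are labelled in comments)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Sample:
    t: int             # seconds since the app was opened (constructed timeline)
    ui_state: str      # what the window shows (assumed values): "handshaking", "connected", "paused", "disconnected"
    tunnel_up: bool    # ground truth: is the encrypted tunnel actually carrying traffic?
    kill_switch: bool  # is a fail-closed firewall rule blocking traffic outside the tunnel?


def is_exposed(s: Sample) -> bool:
    """Traffic leaves the device in the clear: the tunnel is down and nothing blocks it.
    This is true during the handshake as well as after a silent drop."""
    return not s.tunnel_up and not s.kill_switch


def ui_misleads(s: Sample) -> bool:
    """The False Trust Anchor case: the window says connected while the tunnel is down."""
    return s.ui_state == "connected" and not s.tunnel_up


def analyze(samples: List[Sample]) -> Dict[str, object]:
    """Walk the timeline and total up exposure, silent-drop time, and the alerts
    a well-behaved client should have raised. Each sample counts until the next one."""
    exposed_seconds = 0
    silent_drop_seconds = 0
    alerts: List[Tuple[int, str]] = []
    previously_misleading = False
    for cur, nxt in zip(samples, samples[1:]):
        duration = nxt.t - cur.t
        if is_exposed(cur):
            exposed_seconds += duration
        misleading = ui_misleads(cur)
        if misleading:
            silent_drop_seconds += duration
        # Alert once, at the moment the displayed state stops matching reality.
        if misleading and not previously_misleading:
            alerts.append((cur.t, "tunnel down but UI still shows connected"))
        previously_misleading = misleading
    return {
        "exposed_seconds": exposed_seconds,
        "silent_drop_seconds": silent_drop_seconds,
        "alerts": alerts,
    }


def with_kill_switch(samples: List[Sample]) -> List[Sample]:
    """The same timeline with a kill switch enabled by default (the configuration change)."""
    return [replace(s, kill_switch=True) for s in samples]


# Constructed timeline, one sample per minute: handshake, two minutes connected,
# a silent drop the UI never reflects, then an honest disconnect.
SAMPLE_LOG = [
    Sample(0,   "handshaking",  False, False),
    Sample(60,  "connected",    True,  False),
    Sample(120, "connected",    True,  False),
    Sample(180, "connected",    False, False),   # tunnel dropped, icon still green
    Sample(240, "connected",    False, False),
    Sample(300, "disconnected", False, False),
    Sample(360, "disconnected", False, False),
]

if __name__ == "__main__":
    print("as shipped:        ", analyze(SAMPLE_LOG))
    print("kill switch on:    ", analyze(with_kill_switch(SAMPLE_LOG)))
```

On the constructed timeline the shipped configuration leaves four minutes of cleartext traffic, two of them behind a window that says connected; enabling the kill switch drops the exposure to zero while the alert still fires at the moment of the drop, because a fail-closed rule fixes the traffic but not the lie on screen.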

I do think consumer VPNs have done something genuinely valuable: they brought encryption to hundreds of millions of people who would never have configured it themselves. But the interface has become a liability. For a lot of people these may feel like niche criticisms, but therein lies the paradox of security. The more people feel safe, the less they think about whether they actually are.

This post is based on independent research I conducted evaluating NordVPN and ProtonVPN's desktop interfaces through heuristic evaluation, cognitive walkthrough, and qualitative analysis of 150 public user reports. If you want the full methodology and findings, the paper is available here.