TL;DR...watch this video.
This is an example of technology businesses using the general public's lack of understanding against it.
The first thing you need to understand, is that a lot of websites encrypt your data over the internet. Every time you sign into Google, Amazon, or your financial institution, your credentials, and everything you do on that site, are encrypted. In fact, if you look at the URL of any page you visit, and it begins with "http
s://", then everything you view from and send to that site is encrypted, so the only people who can see what you're doing are you, and that website. Email services are always encrypted, too, so that's a lie. Anytime you make a purchase online, your billing and shipping information is sent over an encrypted connection, so anyone trying to tap into your public wifi connection to see what data you're sending, is only going to see scrambled information.
Another common misconception is the notion that a VPN encrypts all your internet traffic, that's only half true. While everything you do on the internet is hidden from your ISP, and anyone else that might be peeking at your network traffic nearby, the VPN provider marks the end of the all-inclusive encrypted network. But the VPN doesn't host every website in the world, so the VPN sends your request to view a site into the world unencrypted. So your internet activity is hidden from monitors between you and the VPN server, but not between the VPN server and every website you goto. Think of it like a commute to work:
There are multiple routes you can take to get from home {your PC} to work {a website}, some slower or longer than others {the internet}, but ultimately you'll get to where you want to go. A VPN is like taking an underground tunnel to work: while you're underground {encrypted}, satellites {any other network device} can't see you (try using your GPS in an underground tunnel), but you have to come out of the tunnel {unencrypted} before you get to your destination, and that's where you're exposed.
The only way to be sure that anyone who might be watching your internet traffic can't see what your doing, is to make sure the URL begins with "http
s://" (the 's' stands for 'secure'). Any data exchanged from a website beginning with "http://" (no 's') is still visible to anyone between the VPN and the website. Also, a lot of VPN services use phrases like "protect your private data" to sell you a VPN subscription, but as long as you put your information out there, eg. phone numbers, email addresses, etc., it's not private, and companies like Google use ad services and analytical trackers on almost every website you visit, and once your data arrives at the website, every service on that page, whether you're aware of it or not, knows that you were there, and a VPN can't protect you from data collection by Google, Facebook, Microsoft, etc.
As for the location and IP address being exposed, most services are pretty far off from pinpointing your location. I blurred it in the screen shot above, but Avast said my IP address put me in East Andover, New Hampshire, which is incorrect. I used some IP locator sites to geolocate my "exposed" IP address, and the results varied wildly, and none of them got the right city.
Ultimately, a VPN is not an end-all solution to keeping your internet traffic a secret from everyone else in the world. It has its perks, for example, you can use a VPN server in another country to watch some Netflix content that isn't available to U.S. customers, but it's only a partial answer to security and privacy concerns. If you want to prevent companies from collecting data on you, get a VPN, install the uBlock Origin plugin for Firefox or Chrome to stop tracking services from tracking your internet activity, use your browser's incognito or in-private mode, and only enter your personal information on websites you trust, even then, only trusted websites with "http
s" at the beginning of the URL.
P.S. Most credit cards are stolen when a retailer's or credit bureau's database is hacked, not at the point of sale. If you use Paypal, Google Pay, or another online payment service for online purchases, your credit cards are much safer. However, a prepaid card for online purchases is the safest way to go, because even if Paypal or Google is compromised, the only thing the perpetrators will get from you is a disposable debit card with little-to-no value on it. But NEVER, EVER use your personal, bank issued debit card for online purchases.
P.P.S. I forgot to mention that any site with "https:" in the URL is only secure if the site's certificate is active, and you have a matching certificate installed on your device. If you visit an "https:" site where the certificate has expired, the browser will tell you it's not secure. Here's what to look for, depending on your browser:
Google Chrome*
Mozilla Firefox*
*
left: https /
center: http /
right: invalid certificate
