Tor vs VPN: which is actually more private in 2026?

"Should I use Tor or a VPN?" is the most common question we get, and most of the answers floating around the internet are some flavour of "depends on your threat model" — which is true but useless if you don't already know what a threat model is. This article gives you the actual answer for several specific use cases, with the trade-offs, the technical reasons, and the points where privacyscore.dev's score will reward each choice.

The thirty-second version

Tor and VPNs solve different problems and are usually compared badly. A VPN moves your visible IP to one location and protects you from your own ISP and your local network operator. Tor moves your visible IP repeatedly across three independently-operated relays so that no single party knows both who you are and what you're doing.

If you summarise the difference in one sentence: a VPN is "trust this one company instead of your ISP"; Tor is "trust nobody, including the project itself, by design".

If you want a quick recommendation:

  • Whistleblowing, dissent, journalism, accessing the dark web, anything that's illegal-where-you-live-but-legal-where-you're-from → Tor.
  • Bypassing geo-blocks, hiding your IP from ad networks, public-WiFi privacy, accessing your home country's bank from abroad → VPN.
  • Just don't want your ISP knowing what you read → either works; VPN has better usability.
  • Avoiding browser fingerprinting → neither on its own; Tor's browser is what defends, not the network. (More on this below.)

What each one actually does

How a VPN works

You install a client. The client opens an encrypted tunnel to a single VPN server somewhere — Switzerland, Romania, the US, wherever the company has a presence. All your traffic flows through that tunnel. Websites see the VPN server's IP address, not yours. Your ISP sees encrypted traffic going to a single endpoint and can't read its contents.

The trust model is: the VPN company can see everything you do — they're the new ISP, basically — and they promise via marketing copy and (sometimes) audits that they don't log it. Some companies have been audited (Mullvad, IVPN, ProtonVPN), some have been caught lying (PureVPN, IPVanish historically), most have never been independently checked.

What a VPN gives you:

  • Public-IP location laundering — sites see Switzerland, you're actually in Brazil.
  • Protection from local network adversaries — coffee-shop WiFi snoopers, your ISP, the cell carrier.
  • Geo-block bypass — Netflix US from Croatia, BBC iPlayer from anywhere.
  • A single point of failure — if the VPN is compromised, lies, or gets subpoenaed, every visit you made through it is traceable to you.

How Tor works

You install Tor Browser. When you load a page, the browser builds a circuit through three Tor relays:

  1. The guard relay knows who you are (your IP) but only knows you connected to a Tor relay, not what you wanted.
  2. The middle relay sees only encrypted traffic from one Tor relay to another.
  3. The exit relay knows what you wanted (it's the one talking to the website) but doesn't know who you are.

The three relays are operated by different volunteers in different jurisdictions. The math behind onion routing means no single party — guard, middle, or exit — has both the source IP and the destination URL. Even if a global adversary watched all relays simultaneously, they'd have to do statistical correlation across encrypted traffic to deanonymise you, which is hard.

What Tor gives you:

  • True anonymity at the network layer — no single trust point.
  • Access to .onion services (the dark web) — sites that exist only inside Tor, with no public IP.
  • The Tor Browser bundle — which is the real defence against fingerprinting, not the network itself (see below).
  • Slow speeds — typically 1-5 Mbps, sometimes worse, because every packet goes through three hops.
  • CAPTCHA hell on Cloudflare — most exit nodes have been used for abuse and Cloudflare aggressively challenges them.
  • Some sites block Tor entirely — Wikipedia edits, banks, anything that uses IP reputation.

The fingerprinting angle that almost everyone misses

This is where most "Tor vs VPN" comparisons fall apart. The network doesn't defend against fingerprinting. Switching to Tor without using Tor Browser doesn't make you any harder to fingerprint; it just changes which IP a tracker sees.

What actually defends against fingerprinting is Tor Browser — the customised Firefox bundle the project ships. Tor Browser:

  • Randomises canvas, audio, and WebGL on every read
  • Ships with a fixed set of system fonts to eliminate font-based fingerprinting
  • Locks the User-Agent to a single string shared by all Tor users
  • Disables WebRTC entirely
  • Letterboxes the window to a small set of standard sizes so screen-resolution can't identify you
  • Reduces JavaScript timer resolution to defeat timing-based attacks

The combined effect is that all Tor Browser users look identical at the fingerprinting level. A privacyscore.dev scan from Tor Browser scores 85+ because all the major fingerprinting signals are either randomised or normalised.

By contrast, using a VPN with regular Firefox or Chrome scores ~50-60: your IP is hidden, but your canvas hash, font list, WebRTC IPs, and User-Agent are all still uniquely yours, and a tracker can re-identify you across the VPN trivially.

This is why the recommendation "use Tor for fingerprinting privacy" really means "use Tor Browser". The network is incidental; the browser is the defence.

How privacyscore.dev scores Tor and VPN users

Our scoring engine treats anonymity-network detection specially. When we see a known Tor exit node IP or a recognised commercial VPN IP, we don't apply the usual -15 for "public IP visible" or -10 for "geo resolved to city level" — those penalties are about exposing the user's real location, and an exit node is doing exactly the opposite. Instead:

  • Tor exit detected → +10 bonus, IP/geo deductions skipped → typical net effect +35 vs the no-protection baseline.
  • Known commercial VPN detected (M247, Mullvad, ProtonVPN, NordVPN, ExpressVPN, IPVanish, others) → +8 bonus, IP/geo deductions skipped → typical net effect +33 vs baseline.
  • Unknown VPN or self-hosted WireGuard → no bonus, but no IP/geo penalty either, because the IP is geographically displaced from the user.

The Tor exit list is refreshed every six hours from check.torproject.org/torbulkexitlist and held in Redis. The VPN detection is keyword-matched against the autonomous-system organisation string returned by our GeoLite2 lookup — "M247 LTD" matches, "Iliad" doesn't.

So if you're scoring 50 on regular Firefox and want a quick boost: turning on Mullvad bumps you to 83-ish. Switching to Tor Browser bumps you to 85+. Doing both gives you the same result as just Tor Browser, because we don't double-count.
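The network-layer rules described above, as an added sketch (not privacyscore.dev's own code). The point values, the one-address-per-line exit list and the "M247 LTD" / "Iliad" cases come from the article; the keyword list, the function names and the ip_displaced flag (the article does not say how an unknown VPN is recognised) are assumptions, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Point values taken from the article text.
IP_PENALTY, GEO_PENALTY = -15, -10
TOR_BONUS, VPN_BONUS = 10, 8
# Assumed keyword list, built from the provider names the article mentions.
VPN_KEYWORDS = ("m247", "mullvad", "proton", "nordvpn", "expressvpn", "ipvanish")

def parse_exit_list(text):
    """Parse a bulk exit list (one address per line) into a set of IP objects."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # skip malformed lines instead of failing the refresh
    return exits

def classify(ip, as_org, exits, ip_displaced=False):
    """Return 'tor', 'known_vpn', 'unknown_vpn' or 'direct' for a visitor.

    ip_displaced is a hypothetical flag for the unknown-VPN case.
    """
    if ipaddress.ip_address(ip) in exits:
        return "tor"  # checked first, so an exit in a VPN-branded AS is not counted twice
    org = (as_org or "").lower()
    if any(keyword in org for keyword in VPN_KEYWORDS):
        return "known_vpn"
    return "unknown_vpn" if ip_displaced else "direct"

def network_adjustment(kind):
    """Score delta from the network layer only (browser signals excluded)."""
    if kind == "tor":
        return TOR_BONUS          # IP/geo deductions skipped
    if kind == "known_vpn":
        return VPN_BONUS          # IP/geo deductions skipped
    if kind == "unknown_vpn":
        return 0                  # no bonus, no penalty
    return IP_PENALTY + GEO_PENALTY

# Constructed sample data (documentation address ranges, not real relays).
SAMPLE_EXITS = parse_exit_list("192.0.2.10\n198.51.100.7\nnot-an-ip\n")
BASELINE = network_adjustment("direct")
```

Subtracting BASELINE from each adjustment reproduces the net effects quoted above: +35 for Tor and +33 for a known VPN.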

The "VPN over Tor" and "Tor over VPN" debate

You'll see a lot of forum discussion on this. Briefly:

Tor over VPN (your VPN client is up, then you launch Tor Browser): your ISP sees you connected to a VPN, but doesn't know you're using Tor. The VPN provider sees you connected to a Tor guard. The exit and the destination see Tor exit traffic only. Use case: hostile network where Tor itself is censored or suspicious, or you want to hide the fact you use Tor at all.

VPN over Tor (Tor first, VPN inside the Tor tunnel): the destination site sees the VPN's exit IP, not Tor's. The Tor exit sees encrypted VPN traffic. Your ISP sees nothing meaningful. Use case: you need a stable IP for some service that blocks Tor exits but you still want Tor's anonymity properties up to the VPN entry. Rarely the right choice; complex to set up.

For 99% of users, neither is needed. Plain Tor Browser does what 99% of users want.

Specific situations

"I want to download torrents"

VPN. The Tor Project explicitly says not to torrent over its network — every torrent connection makes hundreds of small requests that flood the exit relays and degrade service for everyone. Use a VPN that allows P2P (most do; AirVPN and Mullvad are the canonical recommendations).

"I'm in a country that censors the internet"

Tor with bridges. Tor's bridge system is designed exactly for this — entry points that aren't on the public list of Tor relays, hard to enumerate and block. Combined with one of the pluggable transports (obfs4, snowflake), Tor traffic looks like normal HTTPS to a censoring ISP.

"I just don't want ad networks tracking me"

Browser hardening + uBlock Origin. A VPN doesn't stop ad networks from tracking you — fingerprinting works fine across VPN switches. Get a fingerprinting-resistant browser (Firefox with RFP, Brave, LibreWolf) and an ad blocker, and you've solved 95% of the problem that the network layer doesn't help with.

"I want to access streaming services from another country"

VPN. Specifically a VPN with rotating IPs and a track record of bypassing the streaming services' VPN-blocking measures. Tor exits are essentially all flagged by Netflix and the others, so Tor doesn't work for this use case.

"I'm doing something the government would arrest me for"

Tor. With Tor Browser. On a hardened OS (Tails or Whonix). Don't ask the internet for advice. Read the Electronic Frontier Foundation's Surveillance Self-Defense guide. Talk to a journalist if you're whistleblowing — they have access to SecureDrop and know operational security.

"I want to hide my torrenting from a VPN that has a no-logs policy"

Mullvad or ProtonVPN. These are the two that have been independently audited and that don't keep logs. Mullvad in particular doesn't even ask for your email when you sign up — payments via cash or crypto, account is just a randomly-generated number.

FAQ

Is Tor illegal?

Not in any country with a functioning rule of law. It's illegal to do illegal things using Tor (the laws against the underlying activity apply), but using Tor Browser to read Wikipedia is no different from using Firefox to read Wikipedia. Some countries (China, Iran, Russia, UAE) actively block or surveil Tor traffic, and using it there is risky in practice even when not technically illegal.

Do I still need a VPN if I'm using Tor Browser?

For most users, no. Tor Browser handles the use cases a privacy-focused user has. The main exception: if you don't want your ISP to even see that you connect to Tor (which they can — Tor traffic is recognisable), use a VPN to hide that fact. This is "Tor over VPN" and it's mostly relevant in countries where Tor is illegal or suspicious.

Why does Cloudflare make me solve a CAPTCHA on every Tor site visit?

Because Tor exit IPs have been used for abuse, scraping, and automated attacks for years. Cloudflare's reputation system flags them as high-risk by default. Some sites whitelist Tor explicitly (DuckDuckGo, the Tor Project itself, ProtonMail), most don't. There's a "Tor mode" Cloudflare offers to site owners that's friendlier to Tor users, but few enable it.

Does paying for a VPN with cryptocurrency make me anonymous?

Only if the VPN actually doesn't keep logs. Anonymous payment doesn't help if the VPN logs your incoming connections — they'd just have an "anonymous customer X with IP Y" log instead of "John with IP Y". The combination that works is: anonymous payment + audited no-logs policy. Mullvad and IVPN are the canonical examples.

Why does my privacyscore.dev score go up dramatically when I switch to Tor?

Three reasons stack: (1) we don't penalise the IP because it's the exit, (2) we don't penalise the geo because it's the exit, and (3) we add a +10 bonus. Plus, you're presumably running Tor Browser, which separately defeats canvas, audio, WebGL, and font fingerprinting. The combined effect is typically +35 to +45 points.