As to the title question, and trying to answer that in a non-technical way:
Imagine that the way you sent messages to people was to tell a young lad your message, send him out in the street, with him shouting the message on repeat loudly, for everyone to hear, until he finds some other lad who will take the message and continue on with it, doing the exact same thing. Eventually, after eight or ten shouting lads have retransmitted the message it will get to your recipient.
You would probably like for your recipient to be able to reply to you. So we should note that one part of your message was your own name and address.
So your message, overall, might have looked like:
Sally Milligan of 123 4th Ave E in New York City would like to buy a personal massage device!
And, again, this would have been transmitted through eight to ten shouting lads who are repeating the message continually over the length of the run.
If part of your message is a secret password for how to get into your safe, then it’s pretty clear how none of this is a great and wonderful way to do things from a security standpoint.
The internet was, fundamentally, designed by some bored college students and professors to be able to share programmer jokes across universities, not as a medium for secure transmission of financial information. They just went with something that was easy to make and had a lot of redundancy to ensure successful transmission.
Now, nearly everything wrong with the Internet, in terms of security, is solved through the use of something called TLS. It’s what your browser uses to decide whether to show a little padlock next to the URL. We’re currently trying to get the internet 100% on TLS so that the padlock symbol becomes redundant.
But there are two things that aren’t solved by TLS.
- The lads still carry your address around, shouting it the whole way.
- Similarly, they shout the address of the place that they’re sending the message to.
So, if Sally is buying a personal massage device, that will remain secret. People will simply know that she’s exchanging messages with Amazon.com, but won’t be able to find out anything else. They can mug the lad and he’ll just have a document written in gibberish.
If, on the other hand, Sally is exchanging messages with personalMassageDevices.com, then TLS might still largely blow some information.
VPN, essentially, solves this last little bit of privacy violation.
Sort of.
Basically, you sign a deal with a secret network. You’ll send shouty lads to the secret network, and they’ll be shouting, “I’m from Sally, at 123 4th Ave E! I’m going to the shadowy secret organization who lives in yonder warehouse!”
Everyone will know that, but if they mug the shouty lads, they’ll just find a piece of paper on them that’s written in gibberish.
The shadowy organization has stealth submarines that can’t be traced that route messages around to their various warehouses around the world.
From the warehouses, shouty lads will emerge, saying “I’m from the secret organization! I’m going to personalMassageDevices.com!”
But there will be no mention of Sally nor where she lives. The shadow organization knows that information, but anyone not in the organization is out of luck.
Some time later, Sally will get a gibberish letter that she knows how to decode from the secret network.
Now if the secret network only connects to personal massage devices once per day and they only start doing that when Sally starts operating through them, they stop when she stops being a customer, and they only ever connect when Sally is actively interacting with them, then it may be possible to infer what she’s doing. But you’re basically relying on statistics, not definitive proof. And with anything short of that scenario, you’re not going to have any idea what’s going on by watching Sally and the secret network.
That is, unless the secret network is corrupt, poorly managed, was a front for the people you wanted to avoid, or has been compromised.