Can A VPN Really Keep You Anonymous? Here's What You Need To Know

Watch just about any YouTube video these days, and at the sponsor break you'll be told that your online security is in peril. The solution, they say, is a VPN. It's touted as a digital panacea that keeps your data private, protects you from hackers, and even spares you from data breaches. The claims are as many as they are bold, but one is remarkably consistent across brands: that a VPN will make you "anonymous." Gone are the days, they say, of Facebook trawling through your personal life for data, or state actors cataloging your Google searches and website visits.

Complete anonymity sounds great from a privacy perspective, but this is the internet we're talking about. Paying a quarter of a Netflix subscription a month to vanish like a deep-cover agent is too good to be true. Can a VPN really keep you anonymous? If not, what can it actually do? Read this guide before you head to the checkout with that YouTube sponsor code.

How do VPNs work?

One thing marketers in the tech world love to prey upon is the general public's difficulty comprehending tech. Let's look at what a VPN really is and what it actually achieves. VPN stands for virtual private network. In the simplest terms, all your VPN service is doing is encrypting and re-routing your internet traffic through one of its own servers in a location of your choosing. Your internet traffic from then on appears to originate from that server rather than your home IP address. The only major downside is that it will slow down your connection ever so slightly as a result of the encryption process and your physical distance from the server.

At the end of the day, all your VPN functionally does is change your digital location. It's an excellent tool for getting around geo-blocks, particularly to access regionally locked streaming content on platforms like Netflix. In this vein, marketers would make it seem like you're anonymous. Every time you connect to a VPN, in their eyes, you pop out one of their servers elsewhere in the world and then vanish upon disconnecting. But that's not really the case, and there are many reasons why.

VPN companies keep information on you

The anonymity claim is shaky at best when you consider that most VPN companies have you sign up with your personal email and pay with your credit card. To alleviate this, they frequently claim to have a "no-logging" policy. That is, they allegedly do not keep track of your online internet activity, saving only what is absolutely necessary to run the service. They often conduct independent third-party security audits to prove that they aren't retaining these usage logs, either. No logging would in theory mean that no one — not your VPN provider, not hackers, not even the government — could find out what you do online.

The historical record has proven that no-logging policies are something you should never fully trust. Some major VPN providers, like NordVPN in 2019, have suffered security breaches that exposed users' browsing data. Some have cooperated with government investigations and handed over user data, such as PureVPN in 2017. Some flat-out lie about their no-logging policies, such as a handful of Hong Kong-based providers in 2020. Some get bought by larger corporations with a reprehensible, trust-demolishing past; ExpressVPN was acquired by Kape Technologies in 2021, a company that once distributed malware.

The point is, you never know if you can trust a VPN's no-logging policies. The only potential exception here is a provider like Mullvad, which lets you create an anonymous account and pay in cash by mail. At the very least, you should never trust free VPN services.

Your ISP knows you're using a VPN

Internet service providers (ISPs) are the only way you and I can access the internet, which becomes a huge problem when you find out they have no qualms about selling our browsing data. It's a myth that incognito mode prevents sensitive internet traffic from getting to your ISP, but VPNs do a great job preventing this. They effectively hide all your internet traffic from your ISP, provided you aren't suffering any DNS leaks. Before you get too excited though, here's the fly in the ointment: Your ISP still knows you're using a VPN.

A VPN obfuscates your true IP address from your destination address, but options are limited as far as hiding the fact that you're using a VPN from your ISP. Plus, your ISP can see how much data is going in and out even if it can't see what you're doing, allowing it to take a guess. Some ISPs don't like VPNs, and will throttle their users. VPNs like Surfshark use obfuscation technology to mitigate this and take on the appearance of normal internet traffic — though results will vary depending on your VPN, your ISP, and internet censorship efforts in the country where you reside.

At the risk of being pedantic, anonymity would entail no one knowing who you are, especially your ISP. VPN obfuscation measures are welcome, but they aren't bulletproof. Don't hold out hope that you can always hide your VPN usage.

Your browser tells everyone who you are

A good VPN is only as strong as the tools you use to access the internet, and browsers tend to be the weakest link in the chain. Modern internet browsers aim to give you a smooth, convenient experience, and they collaborate with websites so they can serve you content in the best way possible and recognize you after repeat visits. Many employ cookies to retain your preferences and make it easier to log in. Some cookies are quite hard to avoid or get rid of, such as third-party cookies that tag along for the ride to other websites.

Think of how many websites you're logged into right now. YouTube doesn't suddenly forget who you are because your IP address changed. Even if you aren't logged into a website — assuming you've been there before — using a VPN won't suddenly make you into a ghost, either. To use an analogy, think of a VPN on top of your everyday browser like wearing a convincing disguise while having a name tag pinned to your chest. Anonymity won't even be within the realm of possibility.

Browser fingerprinting makes incognito mode irrelevant

"My VPN still hides who I am," you might be thinking, "as long as I enable incognito mode; there are no cookies or identifying information there." While you're right, many websites (particularly advertisers and trackers) have found a devilishly clever workaround to track you across the internet regardless of whether you're in private browsing mode or not. This is known as browser fingerprinting. It's so effective — and currently in a legal gray zone — that many businesses are turning to it over the soon-to-be-extinct third-party browser cookie.

Websites collect a treasure trove of information from your browser. This includes which browser you're using, whether you're on a mobile or desktop device, what your IP address is, which operating system you're running, what resolution your screen is, and so, so much more. You can find out how much information your browser shares with the web by default if you visit this link.

Simply put, the exhaustive amount of data the average website gathers on you can single you out based on your unique "fingerprint." You might be rocking Firefox, using a 1080p screen, browsing from the EST time zone, running Windows 11 version 22H2, and have other identifying factors that narrow you down among thousands (or even millions) of visitors across websites. Long story short, a VPN plus private browsing mode is, at best, a placebo for those who want total anonymity when browsing the web.

Your search engine tracks you

At this point, most are well aware they should be very, very careful what they type into Google. We all joke about asking the search engine giant "where to hide a dead body," but search results can easily make it into a criminal court case. On a lighter note, your search results are custom-tailored to you based on what you've searched in the past. It's made the average person hesitant to search for certain things out of a fear it will spoil future results, lead to unwanted ads, or scar their reputation should certain queries get leaked in a data breach. Whatever the reasoning, many toggle on their VPN whenever they want to ask that one weird question their intrusive thoughts are begging them to. They think, coupled with a private browsing tab, no one will know they searched for "is Snoop Dogg afraid of bees" at 2 a.m.

Let's assume for a second that browser fingerprinting isn't a factor, and therefore you can use a VPN with incognito mode to keep your guilty search queries a secret. Google may still know who you are. Business Insider reports that based on search history, the tech giant can make disconcertingly accurate predictions about the demographics you belong to, where you live, and more, even after you make multiple searches in incognito mode. If this concerns you, consider switching things up with a search engine like DuckDuckGo, which doesn't track you.

Your operating system tracks you

To all the Windows users out there, we've got some bad news. Your computer may be the biggest threat when it comes to user tracking. Microsoft's telemetry in Windows 11 is so gluttonous it begins collecting data on you the second you turn on a brand-new PC or install a fresh copy of Windows — even if you haven't yet connected to the internet. In fact, it's been harvesting your browsing habits since at least 2005, and in recent years has been caught sharing what it gathers on you with hundreds of third parties.

Apple is not blameless, either. Despite its proud privacy-first philosophy, it collects a boatload of info from the get-go. The courts have taken the Cupertino tech giant to task on multiple occasions. In 2022, as one example, Apple was fined roughly $8.5 million for collecting user data without consent in France.

In short, your operating system can still keep tabs on you whether or not you're connected to a VPN. Both Windows and macOS are closed-source — that is, most of their code is proprietary and hidden from the public. We simply cannot know for certain how much data they collect. Switch to Linux if you want an OS that respects your privacy.

The government tracks you, too

The U.S. government (and many others) has comprehensive and sophisticated means of spying on you. What else is new? It's knowledge of surveillance state spying like the PATRIOT Act that drives a lot of the appeal for privacy tools like a VPN. After all, the best VPN services are often advertised as an excellent way to subvert government censorship and hide your browsing data from an overzealous Fed. Except... not quite.

While the VPN services you use may themselves have robust security the NSA can't crack, government agencies foreign and domestic have been injecting our phones with spyware for decades already. Take Pegasus, a pernicious spyware so sophisticated it can compromise your phone just by sending it a text message. The tool is a favorite of authoritarian regimes, but any entity with enough cash can buy it for themselves. While Pegasus primarily targets high-profile victims like journalists and activists, it has the potential to hack millions or billions of devices, according to The Guardian.

If you plan to use a VPN to undermine an oppressive regime, good luck. Your government could own your device in a heartbeat if it really wanted to. Even if you're just an average Joe who wants to curb unconstitutional overreach, a VPN offers only a tiny bit of anonymity. VPNs will help get around censorship blocks, but you'd have to be a tech wunderkind to stay entirely off the big man's radar.

Malicious actors can see your browsing habits

Any sufficiently tenacious hacker could compromise you, but at least a VPN's encryption would make their job difficult, right? Perhaps not. VPNs have had a vulnerability since 2002 that security researchers were unaware of until only very recently — one that could give bad actors full, unencrypted access to your VPN-protected internet browsing. The exploit is called TunnelVision, and it basically allows someone with administrator access to your router (whether a person in charge of IT or a hacker) to exploit its DHCP server and view all your internet traffic even when your VPN claims it's secure. Only Android phones are safe; all other platforms can only mitigate the effects.

This is deeply concerning when on busy public Wi-Fi networks such as those at airports and cafes. Many people keep a VPN handy so they can protect themselves in these situations. A hacker who has compromised the router at your local Starbucks can then see everything you're doing through your VPN, such as visiting your bank accounts and accessing password managers.

Even your home router isn't safe. The best you can do here is update your router's firmware or replace it with a newer model. Make sure your router has at least WPA3 security with a strong password. Be cautious on public networks when out and about. Instead of using a VPN on public Wi-Fi to check sensitive info like bank accounts, use your mobile data if possible.
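TunnelVision depends on DHCP option 121 (classless static routes, RFC 3442), which lets the DHCP server install routes on your device. The added example below is not from the original article: it decodes an option 121 payload taken from a DHCP lease and lists the routes worth reviewing. The function names, the sample payload and the LAN subnet are constructed assumptions.

```python
import ipaddress

def parse_option_121(data: bytes):
    """Decode RFC 3442 classless static routes into (network, gateway) pairs."""
    routes, pos = [], 0
    while pos < len(data):
        prefix = data[pos]
        if prefix > 32:
            raise ValueError(f"invalid prefix length {prefix}")
        n = (prefix + 7) // 8                 # significant destination octets
        end = pos + 1 + n + 4                 # prefix byte + destination + gateway
        if end > len(data):
            raise ValueError("truncated route entry")
        dest = data[pos + 1:pos + 1 + n] + bytes(4 - n)   # pad to 4 octets
        net = ipaddress.IPv4Network((dest, prefix), strict=False)
        gw = ipaddress.IPv4Address(data[pos + 1 + n:end])
        routes.append((net, gw))
        pos = end
    return routes

def routes_to_review(option_121: bytes, lan: str):
    """Return DHCP-supplied routes for destinations outside the local subnet.

    The plain default route (/0) is skipped because it is normal in a lease.
    Anything else that points off-LAN deserves a look: legitimate on some
    corporate networks, unexpected on home or public Wi-Fi.
    """
    local = ipaddress.IPv4Network(lan)
    return [(net, gw) for net, gw in parse_option_121(option_121)
            if net.prefixlen > 0 and not net.subnet_of(local)]

# Constructed sample payload (not a real capture):
#   0.0.0.0/0        via 192.168.1.1   ordinary default route
#   192.168.1.128/25 via 192.168.1.1   stays inside the LAN
#   198.51.100.0/24  via 192.168.1.66  off-LAN route to a documentation range
SAMPLE_OPTION_121 = bytes.fromhex(
    "00c0a80101" "19c0a80180c0a80101" "18c63364c0a80142"
)

if __name__ == "__main__":
    for net, gw in routes_to_review(SAMPLE_OPTION_121, "192.168.1.0/24"):
        print(f"review: {net} via {gw}")
```
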

Your file metadata can identify you

There's one final way your anonymity could be compromised even while using a VPN: metadata. Metadata is the data that describes the data; think of a document's creation date, embedded GPS location for pictures taken on your phone, or the website you downloaded a file from. Metadata is nifty for organizing a digital photo album, but it can present a privacy issue when those photos make their way to the internet. Back in 2012, a Burger King employee posted a picture of himself stepping on containers of lettuce to the popular anonymous 4chan forum, thinking he wouldn't be caught. 4chan users found him within minutes. They were able to pull GPS location metadata from his pic and pinpoint the restaurant where it happened, after which they sicced local news outlets on him.

You can probably see where we're going with this. Again, assume nothing we've mentioned so far matters, and you log into an anonymous forum or social media platform with a VPN to further conceal your true identity. The VPN won't protect you if the files you upload include incriminating metadata. Even if you never plan to brag about stepping on your local Burger King's leafy greens, form a habit of stripping EXIF data from your pictures before uploading them — really, check the metadata on any file you plan to upload if it might contain personally identifiable info. A VPN won't spare you a metadata "wardrobe malfunction."
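What stripping EXIF data means at the file level, as an added example that is not from the original article: the function walks a JPEG's segments and drops every APP1 segment, which is where EXIF (including GPS tags and the embedded thumbnail) and XMP metadata live. It handles JPEG only; `strip_app1` and the sample bytes are constructed for illustration.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
APP0, APP1, SOS = 0xE0, 0xE1, 0xDA

def _segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment: FF, marker, 2-byte length (includes itself), payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def strip_app1(jpeg: bytes):
    """Return (cleaned_jpeg, removed_count) with all APP1 segments dropped."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG (missing SOI marker)")
    out, pos, removed = bytearray(SOI), 2, 0
    while pos < len(jpeg):
        if pos + 4 > len(jpeg) or jpeg[pos] != 0xFF:
            raise ValueError(f"malformed segment header at offset {pos}")
        marker = jpeg[pos + 1]
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker == SOS:
            # Compressed image data follows the scan header; copy the rest as-is.
            out += jpeg[pos:]
            return bytes(out), removed
        if marker == APP1:
            removed += 1                      # EXIF / XMP: leave it out
        else:
            out += jpeg[pos:pos + 2 + length]  # keep every other segment
        pos += 2 + length
    raise ValueError("no image data (SOS marker) found")

# Constructed sample: JFIF header, an EXIF segment with a fake payload, one scan.
SAMPLE = (SOI
          + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _segment(APP1, b"Exif\x00\x00" + b"GPS-PLACEHOLDER")
          + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34" + EOI)

if __name__ == "__main__":
    cleaned, n = strip_app1(SAMPLE)
    print(f"removed {n} APP1 segment(s), {len(SAMPLE) - len(cleaned)} bytes")
```
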

The real reasons to use a VPN

We hope one thing is abundantly clear after reading this article: VPNs are not really a solution to anonymity. But don't take their weaknesses to mean they're useless. On the contrary, VPNs are a must-have internet tool for a few niche situations we all run into.

The most obvious one is to get around region blocks. Netflix, due to licensing issues, limits which content you're allowed to watch. It and other streaming giants have fought a losing battle to prevent you from using VPNs to widen your watchable catalog; so yeah, a VPN's still an excellent way to watch what's hot across the pond. You may also run into the occasional website that doesn't load, loads slowly, or blocks your connection; a VPN may help access it, and keep your IP address private in the process.

Even though your ISP knows you're using a VPN, it's still a good idea to connect to one to hide your internet traffic. Remember, ISPs shamelessly collect and sell all your browsing data; a VPN's whole schtick is making every effort to prove to you that it can't. Even an imperfect VPN is better than an ISP that treats your privacy like toilet paper. And though the recently discovered VPN exploit doesn't make using one on a public network foolproof, it's still a recommended practice over not using one at all.

How to actually be anonymous online

True online anonymity is a tall order, but it is possible if you know what you're doing. Before you decide to slip off the digital radar, consider whether you really need to be anonymous. Hiding your identity makes sense if you've got a high threat level, such as being an executive, a journalist, or a government employee, but most have little to gain from it. Good internet hygiene — restricting what info you give out, using blockers like uBlock Origin, avoiding sketchy links and questionable emails — is worth a lot more at the end of the day. But where there's a will, there's a way.

The first tip for true anonymity is ditching your VPN and browser altogether for Tor Browser. Tor routes your internet traffic through a series of relays to achieve the closest thing to technological anonymity possible. Your ISP will know you're using Tor, but other than that, your online activity will be as anonymous as it gets. Especially if you take the plunge into the dark web.

Second, forget Windows and macOS. Use a Linux-based operating system that collects no user data, or better yet, use an OS designed for total anonymity. Tails and Whonix are the two leading choices. Tails lets you run the OS off a USB drive without leaving a trace, and Whonix works like an untraceable virtual machine. Both are free of charge.