
The VPN Privacy Illusion: What Your VPN Can and Can't Protect You From

A clear-eyed take on VPNs: they hide your IP and secure transit, but cannot erase cookies, fingerprinting, account tracking, or a compromised device—use them as one layer.

Elena Vasquez

VPNs are marketed as privacy panaceas. The reality is more prosaic: a properly configured VPN hides your IP address and encrypts traffic between you and the VPN server, which is both valuable and limited. Critically, it is not a universal shield against tracking or compromise.

What a VPN actually does

At the network layer a VPN creates an encrypted tunnel between your device and a remote server, replacing your visible source IP address with the server’s IP. This prevents local network observers and your ISP from seeing the destinations you contact and makes mass surveillance of your home or mobile traffic far more difficult.

In technical terms, a VPN terminates your packets at a remote gateway, forwards them to their destination, and returns the responses through the tunnel. Implementations commonly use OpenVPN, IKEv2, or WireGuard, and each has different trade-offs between performance, simplicity, and auditability. WireGuard is widely praised for its small, auditable codebase, but its static-key model, in which each peer is identified by a long-lived public key and the server keeps per-peer state such as the assigned tunnel address and last-seen endpoint, has privacy implications that operators must manage carefully.

What a VPN cannot and will not do

A VPN cannot remove identifiers that exist at higher layers of the stack. Cookies, localStorage, and HTML5 APIs are set by websites and read by them regardless of your source IP, so a login cookie will continue to identify you even behind a VPN. This is elementary but often overlooked in marketing.

Browser fingerprinting is independent of your IP. Techniques that collect screen resolution, fonts, installed plugins, GPU signals, and subtle timing behaviors can produce a robust identifier that persists across IP changes. Research from EFF and academic groups shows that fingerprinting can re-identify users even when they switch addresses.

Account-level tracking — the fact that Google, Facebook, Microsoft, and countless ad networks place unique identifiers when you sign in — is unaffected by a VPN. If you log into a personal Google account while on a VPN, Google aggregates that session into your existing profile. A VPN does not anonymize authenticated accounts.

A VPN cannot protect a compromised endpoint. If your device has malware, a remote access trojan, keylogger, or a malicious browser extension, the attacker operates with the same privileges that you do. VPN encryption is irrelevant when the data is exfiltrated from inside the device before it ever reaches the tunnel.

Legal and jurisdictional limits matter. VPN providers can be compelled by court order to hand over logs or to assist law enforcement, and some providers operate under governments that impose surveillance obligations. No-logs claims are meaningful only when they are verifiable; independent audits and transparency reports matter here.

Known failures and infrastructure risks

Historically, VPN infrastructure has had vulnerabilities. The OpenSSL Heartbleed bug (CVE-2014-0160) taught the industry that bugs in widely used libraries can expose server memory — including session keys and other secrets — regardless of a vendor’s privacy promises. That remains a useful cautionary tale.

There are real-world incidents to learn from: in 2019 NordVPN disclosed a 2018 breach in which a single rented server was accessed. The event underscored how operational mistakes and third-party providers can degrade privacy guarantees. Independent forensics and continuous auditing are the only realistic mitigations.

DNS leaks, WebRTC leaks, and misconfiguration

A VPN will not automatically prevent DNS or WebRTC leaks unless it is configured correctly. DNS requests that bypass the tunnel reveal the sites you visit to your ISP; WebRTC in browsers can expose your real IP via STUN requests. These are practical failure modes, and fixing them requires browser and OS configuration.

Audits and code reviews catch many mistakes, so prefer providers with independent third-party audits by firms such as Cure53, PwC, Deloitte, KPMG, or NCC Group. Audits are not guarantees, but they raise the bar by finding implementation bugs, insecure defaults, or logging gaps.

So: is a VPN worth using? Yes — with realistic expectations

Despite their limits, VPNs remain a critical layer of defense. They defeat local network monitoring, secure your traffic on hostile Wi‑Fi networks, and make opportunistic mass‑surveillance more difficult. For journalists, dissidents, attorneys, and privacy-conscious citizens, that layer is often non-negotiable.

Use cases where VPNs are essential include: protecting connections on public Wi‑Fi, bypassing ISPs that engage in deep packet inspection, and evading simple IP‑based geo-blocking. For these scenarios a VPN provides strong, measurable benefits.

How to use a VPN correctly — realistic best practices

Operational hygiene matters: run antivirus and endpoint protection and keep your OS and apps patched; don't mix authenticated browsing with high‑anonymity goals; disable WebRTC or use a separate browser profile; prefer privacy‑focused browsers and extensions; combine the VPN with browser isolation or a dedicated VM for sensitive tasks; and prefer multi‑hop or Tor for high‑risk threat models.

  • Keep endpoints clean: patch OS and apps, run reputable endpoint protection.
  • Treat the VPN as a network tool, not an identity scrubber: log out of accounts, use separate browser profiles for anonymity.
  • Disable WebRTC in the browser and ensure DNS is routed through the tunnel to prevent leaks.
  • Prefer providers with recent independent audits and an open‑source client where feasible.
  • For the highest anonymity use Tor, or a VPN-to-Tor configuration, understanding the performance and threat‑model trade-offs.
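As an added check for the DNS-leak failure mode described above and the bullet on routing DNS through the tunnel (example code written for this page, not from the article or any VPN vendor), the script below reads resolv.conf and `ip route` text and reports every resolver whose queries would leave through an interface other than the tunnel. The interface name `wg0` and both sample inputs are constructed assumptions; on a live Linux host you would feed it the real files instead.

```python
import ipaddress
import re

VPN_IFACE = "wg0"  # assumed name of the tunnel interface

# Constructed sample of `ip route show` with a WireGuard tunnel up: the two /1
# routes override the default route, and a host route keeps the VPN server
# (203.0.113.10, a documentation address) reachable outside the tunnel.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
10.8.0.0/24 dev wg0 proto kernel scope link src 10.8.0.2
0.0.0.0/1 dev wg0 scope link
128.0.0.0/1 dev wg0 scope link
"""
# Constructed sample /etc/resolv.conf: the VPN resolver, a public resolver,
# and the ISP router that the DHCP client left in place (the leak).
SAMPLE_RESOLV = """\
nameserver 10.8.0.1
nameserver 198.51.100.53
nameserver 192.168.1.1
"""

def parse_routes(text):
    """Turn `ip route` lines into (network, interface) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if "dev" not in parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append((ipaddress.ip_network(dest, strict=False),
                       parts[parts.index("dev") + 1]))
    return routes

def interface_for(addr, routes):
    """Longest-prefix match: the interface the kernel would send addr out of."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None

def leaking_resolvers(resolv_text, route_text, vpn_iface=VPN_IFACE):
    """Resolvers whose queries would leave through an interface other than the VPN."""
    routes = parse_routes(route_text)
    leaks = []
    for ns in re.findall(r"^\s*nameserver\s+(\S+)", resolv_text, re.M):
        iface = interface_for(ns, routes)
        if iface != vpn_iface:  # None means no route at all (e.g. an IPv6 resolver)
            leaks.append((ns, iface))
    return leaks
```

The check is purely local and offline: it models the kernel's longest-prefix routing decision, so a resolver on the LAN is flagged even though the /1 routes capture everything else.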

How to vet a VPN provider — what to look for

Look for independent audits (Cure53, NCC Group, PwC), recent transparency reports, RAM‑only server claims (ExpressVPN calls theirs TrustedServer), an explicit no‑logs policy that has been tested in court, and a clear jurisdictional statement. Open‑source clients and published server configs increase trust by allowing public review.

Be skeptical of opaque claims. “Zero access” and “we never see anything” are marketing slogans unless backed by verifiable controls. Evaluate critically whether the provider can keep its promises under legal compulsion, and whether it outsources critical infrastructure to third parties without sufficient oversight.

Finally, combine layers. A VPN is most effective when it is one component of a defensible privacy posture: patched endpoints, browser hardening, account hygiene, and an understanding of your adversary. Privacy is a system property, not a single product.

Frequently Asked Questions

If I use a VPN, can websites still track me?

Yes. Websites can track you through cookies, account logins, and browser fingerprinting independent of your IP address. A VPN hides your IP and encrypts transit, but it does not remove identifiers set by websites or browsers.

Are independent audits a guarantee that a VPN is secure?

No audit is a guarantee, but independent audits by firms such as Cure53, NCC Group, PwC, or Deloitte materially increase confidence by surfacing code defects, configuration errors, and logging practices. Audits should be recent, comprehensive, and accompanied by remediation.

Will a VPN protect me if my device is hacked?

No. If an attacker controls your device — via malware, keyloggers, or compromised firmware — they can exfiltrate data before it enters the VPN tunnel. Endpoint security is a prerequisite for effective use of a VPN.

Should I use Tor instead of a VPN?

Tor and VPNs solve different problems: Tor provides strong anonymity through onion routing but is slower and more complex; a VPN gives speed and convenience while protecting network transit. For high‑risk anonymity use Tor, or combine both with careful operational security, understanding the tradeoffs.