If you think your VPN makes it impossible for websites such as Google and Facebook to track you, this might come as a shock.

What a VPN Actually Does & How That Helps You

All a VPN does is … route all of your traffic through a server. Generally, that connection is encrypted in such a way that only you and the server can decrypt, but there’s no guarantee. Routing all of your traffic through an encrypted connection does_ have a lot of benefits, but not so much if you want _anonymous access to the internet.

Accessing Blocked Sites

One of the many uses of a VPN is to access sites which are blocked on your local network, such as your school’s or workplace’s. This works because all traffic is sent through the VPN server, meaning the local network can’t see which websites you’re accessing. Since they can’t see which websites you’re visiting, they have no way to selectively allow or disallow access to websites. However, they can simply block access to the VPN server.

Another thing to note about this method is that a lot of the places that block websites also block access to VPN’s. Most places that block VPN’s do this by only allowing access to ports 80,443, and a few others that are required for internet access. Since a lot of VPN protocols, such as L2TP and IKEv2, use special ports, they’re rather easy to block. Some VPN providers get around this by running their VPN on TCP port 443, the same port used for HTTPS website traffic. But, even that can be blocked by using deep packet inspection, so there isn’t a foolproof way to access blocked sites.

Hiding Your Real IP(somewhat)

Since all of your traffic is sent through the VPN server, websites can only see the IP address of the VPN server, and not the address of your connecting device. Be warned, however, that there are still ways for websites to figure out your real IP address(more on that later).

If you’re a PHP dev, or at least understand some PHP, here’s an explanation: if someone is using a VPN, $_SERVER['REMOTE_ADDR'](what the web server shows as the connecting IP) will be the IP of the VPN. This doesn’t mean there aren’t other ways to figure out the IP. All it means is that the current connecting IP address is reported as the VPN server’s.

Hiding Your Traffic From Your ISP

One thing a VPN will hide your traffic from is your ISP(Internet Service Provider). Assuming the connection to the VPN server is encrypted, which it probably is, the only thing your ISP can see is a connection to a VPN server. They can also probably detect that you’re using a VPN, especially if it’s on a non-web port.

This is beneficial in a lot of ways, but one of the most important is that it prevents ISP throttling. Since net neutrality is no longer a thing, ISP’s in the United States are free to do whatever the f*** they want with your internet speeds and/or access to websites. Net neutrality ensured that your ISP would treat your access to Netflix and their own streaming service the same: as fast as possible to ensure a good user experience.

Now, they’re free to slow down all websites that compete with them, or flat out block websites they don’t agree with. And, as many Americans live in an area with only one option for internet, there’s really nothing to do if your favorite website gets put on the slow lane. Luckily, a VPN somewhat restores equal-ish access to the internet. Your ISP can either slow down or block all of your VPN traffic, but not selectively depending on which website you’re visiting.

Remember:

All a VPN does is route all of your traffic through a server.

What Your VPN Does NOT Protect You From

While VPNs can be useful in certain cases, they don’t protect you from everything. Here is an incomplete list of what a VPN will not protect against.

Your VPN Provider

All using a VPN does is shift the danger from your ISP to your VPN provider and/or their ISP. Remember, data is only encrypted until it reaches the VPN server. All requests to unencrypted content will still be sent unencrypted over the internet. This is yet another reason to be using HTTPS for important websites. HTTPS ensures that there’s at least one layer of encryption until a request reaches its destination, protecting against the majority hackers.

The biggest risk when using a VPN is the VPN provider itself. If you’re using a paid, name brand provider, you’re probably fine. On the other hand, if you’re using a free VPN, they’re probably selling your data. All companies exist to make money, so be sure to know where the money is coming from. If you’re not directly paying money for VPN access, how are they supposed to make money? A common solution is to store and sell your data(possible to your ISP, or services such as Facebook and Google), which defeats the purpose of a VPN for many users.

Solution: Use a high-quality _paid _VPN service.

DNS

Your computer can’t just access “google.com”, or any other website. It must first convert the domain name into something it can send across the internet: an IP address. In order to make that conversion, your device sends a request to a DNS server which has a list of domain names and their respective IP addresses(it’s actually much more complicated than that, but close enough for the purposes of this post). The problem with this is that the provider of whatever DNS server(s) you’re using(likely your ISP’s) can keep a list of all domain names you’ve asked to resolve tied to your IP. While a VPN makes sure websites can’t see your IP address, some VPN services don’t route DNS queries through them.

Solution: Use a tool like this to ensure your DNS servers change when on your VPN.

Cookies

Cookies are pieces of information that a website tells your browser to store. Each time you visit that website again, your browser sends the cookies over. This is required in the modern internet and allows websites to store information about your specific session(e.g. to keep you logged in, store opt-ins/opt-outs, etc.). While cookies can be very useful, they can also be used to track you, regardless of your IP address.

For example, if you’ve ever visited a site without a VPN, a website can store a cookie and the IP address you used for that visit. Then, even when you’re on a VPN, they can use the cookie to know it’s still you, and therefore your IP. By the way, there are tools to figure out if an IP belongs to a VPN server or not. One such tool is a simple IP lookup; if the ISP is a VPN company, then the traffic is probably coming from a VPN server. This can be used in combination with cookies to figure out the last IP address you used to access the site that does not belong to a VPN.

Solution: Disable cookies, or at least clear them when you switch your VPN on or off. Be warned that disabling cookies will probably break the internet for you. Thank you, GDPR, for all of the consent pop-ups we have to deal with now.

Logins

As previously mentioned, logins often rely on the use of cookies. They have the same drawbacks, with a few added bonuses for tracking. Similar to finding the previous IP used that wasn’t a VPN via cookies, the same method can be used on an even bigger scale: your account. Now, instead of just finding the previous non-VPN IP address on that particular browser, the website can do the search on every device you’ve ever used to login.

To make matters worse, it also allows websites to build and sell profiles about you. Since you’re probably using the same email and/or username for a ton of websites, it’s much easier to build a list of all websites you use and how you use them. While cookies allow for tracking just your actions on one website in one browser, logging in allows for tracking across multiple websites and multiple devices and/or browsers.

Solution: Don’t log in unless absolutely necessary. If you have to, use different emails and usernames for all of your services.

Other Information

Cookies, logins, and even your IP address aren’t the only ways to track a user. For example, navigation services can keep track of your location, and possibly sell it to other companies.

Solution: Go live somewhere with no internet. It’s the only way to stay private in the modern world.