The main selling point of using Virtual Private Networks, or VPNs, is to protect your privacy. They prevent attacks from malicious hackers, stop your internet service provider (ISP) from peeking at your traffic, and mask your information from websites that collect your data. While these claims are generally accurate, there is one party that you should still be cautious about: the VPN companies themselves.
Before we get into how a VPN may track your browsing data, we'll explain how a VPN works. A VPN essentially routes your internet connection, provided by your ISP, through a secure, encrypted network powered by the VPN. This changes the IP address that websites can see while simultaneously obscuring your ISP's ability to see your traffic. These encrypted networks can simulate different IP addresses and locations, which is how you can trick a streaming service like Netflix into thinking you're in another country.
In this process, your traffic is passing through a third party, the VPN company's server. A VPN company may log all the traffic passing through their system, which essentially gives them a complete picture of a user's online browsing behaviour. While most reputable VPNs do not spy on their users and have no incentive to do so, it can happen, and there are several examples of this happening.
What Is A VPN?
VPN is an acronym for Virtual Private Network. The purpose of a VPN is to provide you with security and privacy as you communicate over the internet.
Here's the problem with the internet: It's inherently insecure. When the internet was first designed, the priority was to send packets (chunks of data) as reliably as possible. Networking across the country and the world was relatively new, and nodes often went down. Most of the internet's core protocols (communication methods) were designed to route around failure rather than secure data.
The applications you're accustomed to using, whether email, web, messaging, Facebook, etc., are all built on top of that Internet Protocol (IP) core. While some standards have developed, not all internet apps are secure. Many still send their information without any security or privacy protection whatsoever.
This leaves any internet user vulnerable to criminals who might steal your banking or credit card information, governments who might want to eavesdrop on their citizens, and other internet users who might want to spy on you for a whole range of nefarious reasons.
A VPN creates a private tunnel over the open internet. The idea is that everything you send is encapsulated in this private communications channel and encrypted so -- even if your packets are intercepted -- they can't be deciphered. VPNs are compelling and vital tools to protect yourself and your data, but they do have limitations.
A Virtual Private Network (VPN) creates a private connection by masking your IP address. VPNs help protect you by hiding your browsing history, location, and devices from hackers. By encrypting your data and using an IP address that is not your own, you can browse the web more safely than without it.
How Does A VPN Work?
A VPN works by encrypting your information and sending it through a secure tunnel to a VPN server and back. Imagine this process as if you are using the pneumatic tube system to cash a check at the bank. On your end, you have sensitive information that you wouldn't want to share with anyone. You place your banking information within the carrier and into the pneumatic tube, where it is secure. At the same time, it is transported to the banker, who safely returns your sensitive information and currency.
A VPN works similarly to this process. On your device, you enter an inquiry into a search engine. The VPN uses a VPN protocol to encrypt your data (placing it into the carrier) and sends it through a secure tunnel (the pneumatic tube) to a VPN server (the banker). The server decrypts the information and retrieves the answer to your search inquiry from the desired website (your desired currency). The server then encrypts the retrieved data and returns it to you through the tunnel for decryption back on your end. During this process, your information is kept private and inaccessible to anyone outside the tunnel system.
When the VPN server communicates your inquiry with the website you are trying to reach, the website sees the server's IP address instead of yours. Your IP address and all of the identifying information linked to it, such as your geographic location and browsing history, are kept private throughout the entire process.
However, a VPN only works if it is correctly enabled on your device. Therefore, you must understand how to get and set up a VPN on all of your devices, including smart TVs, game consoles, media stream devices, intelligent refrigerators, and anything with a Wi-Fi connection. You may also want to consider reading more about how a VPN works to determine where you can benefit from using a virtual private network and if connecting it to your router is right for you.
The Three Types Of VPN Data Logs
VPN providers have varying policies on how much data they retain from their users, so be sure to read the fine print before downloading or making a purchase.
Data retention laws differ by territory, so what a VPN provider must keep depends on its country of origin. For example, despite claims on their websites, VPN providers based in the US or EU will be required by their specific governing bodies to log your data.
There are three main types of data that your VPN can potentially record: usage logs, connection logs, and no logs.
Usage logs contain information like websites, apps, or devices you use. Connection logs will include your actual IP address, the VPN IP addresses you have access to, and data usage. Lastly, some VPN providers will not log anything at all.
With this, we know that while most VPNs are secure, they are not all entirely private. Check what information your VPN records before downloading.
But who exactly can see your data, even when using a VPN?
Who Can See My Data With A VPN, And What Can They See?
While useful as a first line of defence, VPNs do not make you completely invisible or untraceable on the internet. There are many other ways of tracking your online presence that reveal personal information besides your IP address.
Here are a few services that can still see your data while you're connected to a VPN.
Internet Service Providers (ISP)
Without VPNs, internet service providers have access to everything you do online.
While VPNs help hide your information, ISPs will still be able to see your connection logs—the IP address of the VPN encrypted server, the time used, and even the amount of traffic to and from your device.
Search Engines
Despite having a VPN, many search engines can collect information on you because you have permitted them to use a unified profile.
For example, VPN users logged into their Google accounts while using the Google search engine will still have information about their search history linked to them. While Google currently offers a VPN service with its Google One subscription, its trustworthiness leaves much to be desired.
Social Media Sites
Similarly, staying logged in to social media sites such as Facebook can be used to attribute your browsing back to you.
This is also true for all the websites you log in to using your social media account as a single sign-on. Regardless of your IP address, data linked to your social media accounts is still accessible to advertisers.
Employers
If you think that a VPN can keep your sketchy search history from your employer while using the company laptop, you are mistaken. Unlike private commercial networks, VPNs provided by companies often route your traffic to a company-owned network.
Despite being away from your office, employers have the power to monitor activity that might go against company policy. For example, sending sensitive documents, viewing pornographic material, or downloading pirated content may alert your company's security team. Many companies also have administrative access to your device and can view your browsing history locally.
Law Enforcement
Law enforcement agencies cannot track live, encrypted data that uses a VPN. However, they do have other ways of accessing your information. If you are suspected to be engaged in illegal activity or criminal behaviour, federal authorities can request your connection logs from your ISP to learn about your VPN provider.
Law enforcement can then ask your VPN provider for your data. If your VPN provider does not have strict policies against logging, they will need to comply and turn over your information.
VPN Spying Incidents
The most high-profile incident of a VPN spying on its users came to light in 2018, with a controversy surrounding the Facebook-owned Onavo Protect app. Facebook released a VPN that claimed to protect and encrypt user traffic, but in reality it was collecting sensitive information from users, such as websites they browsed and apps they opened on their devices. While Facebook did disclose that the app would forward information to Facebook, people who did not read the fine print may not have noticed.
Facebook would then funnel this data into the Facebook Research program, which powered Facebook ad sales and business development initiatives. It would also give Facebook insight into how users browsed competing apps, like Snapchat. You can read more on what happened in our piece on Onavo Protect.
Besides that, dozens of free VPNs were found to be spying on their users. A piece from Buzzfeed News reported that Sensor Analytics, an analytics platform used by investors and developers, owned multiple free VPN apps that collected user information without their knowledge. These apps had millions of downloads and did not explicitly state who they were owned by. The company would then migrate this browsing data into their analytics platform.
Be especially cautious of free VPNs that do not seem to have a paid version or a transparent business model. There is a chance that these apps make a profit by harvesting user data and selling it to third parties.
No-logging Policies & VPNs
So should you use a VPN? If you do your research and select a paid VPN with a good reputation, then the chances are low that your VPN is spying on you.
The best way to avoid incidents like these is to look for VPNs with no-logging policies. These policies are an assurance that these companies will not log user traffic at all. Many top paid VPNs, such as NordVPN, ExpressVPN, and Mozilla VPN, have explicit no-logging policies on their websites and inside their apps. Having these on their websites means that they could be held liable if they break their guidelines.
Before you sign up for a VPN, make sure that you meticulously check its website and read some trustworthy reviews first. Here are some of the questions you should ask before you sign up for even a free trial:
- Does the VPN have responsible ownership?
- Does it offer paid plans?
- Does the VPN have many trustworthy user reviews?
- Is the VPN verified by responsible third parties?
- Does the VPN have an explicit no-logging policy on its website?
Can You Be Tracked With A VPN?
When you connect to a VPN server, your IP address changes, and the data traffic on your device gets encrypted. Changing your IP address changes the location that's associated with you online. Meanwhile, encryption scrambles data, making it look like gibberish to anyone who tries to read it. If you're using a trustworthy VPN service, your browsing activities become illegible to snoopers.
However, this doesn't mean you're entirely untraceable online. Internet service providers (ISPs), websites, and even governments can determine whether you're using a VPN. They might not know what you're up to online, but they will have no difficulty with VPN detection. So, how can a VPN be traced?
How Can Your VPN Be Traced?
The best VPNs will not allow your IP to identify you. However, there are ways to identify VPN traffic:
- VPN IP address. The IP addresses of VPN servers aren't difficult to recognize — there are even databases specializing in VPN detection that try to determine whether an IP belongs to a particular provider. When you access a website with a VPN on, it may be able to identify that you're using a VPN using your IP. However, this doesn't mean the website will know the person's identity behind the IP address — just that they are using a VPN.
- Port number. Some VPN protocols use specific port numbers to establish a connection. For example, OpenVPN (UDP) usually uses port number 1194, while OpenVPN (TCP) typically uses 443. So, the port number can give away the type of VPN connection you're using.
- Deep packet inspection. DPI is a process that inspects the structure of each passing data packet. It has many practical applications, like blocking spam or malware. However, it can also be used to identify VPN traffic. This is what the government of China uses to block VPNs.
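The three signals in the list above can be combined in a small flow classifier. This is an added example, not code from the original article; the `vpn_signals` and `looks_like_openvpn_handshake` names, the flow-record layout, and the address range are assumptions made for illustration, and the packet bytes are constructed samples.

```python
import ipaddress

# Constructed sample database: documentation address space, not real provider ranges.
KNOWN_VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Default OpenVPN UDP port from the list above. TCP 443 is not used as a port
# signal because ordinary HTTPS shares it.
OPENVPN_UDP_PORT = 1194

# An OpenVPN packet starts with one byte: opcode in the high 5 bits, key id in
# the low 3. Opcode 7 (P_CONTROL_HARD_RESET_CLIENT_V2) opens the handshake.
HARD_RESET_CLIENT_V2 = 7
MIN_RESET_LEN = 14  # opcode + 8-byte session id + ack count + 4-byte packet id

def looks_like_openvpn_handshake(proto, payload):
    """DPI-style heuristic on the first payload of a flow."""
    if proto == "tcp":
        # Over TCP, OpenVPN prefixes each packet with a 2-byte length.
        if len(payload) < 2 or int.from_bytes(payload[:2], "big") != len(payload) - 2:
            return False
        payload = payload[2:]
    return len(payload) >= MIN_RESET_LEN and payload[0] >> 3 == HARD_RESET_CLIENT_V2

def vpn_signals(flow):
    """Return which of the three signals (ip, port, dpi) a flow record trips."""
    signals = []
    dst = ipaddress.ip_address(flow["dst_ip"])
    if any(dst in net for net in KNOWN_VPN_RANGES):
        signals.append("ip")
    if flow["proto"] == "udp" and flow["dst_port"] == OPENVPN_UDP_PORT:
        signals.append("port")
    if looks_like_openvpn_handshake(flow["proto"], flow["payload"]):
        signals.append("dpi")
    return signals

# Constructed first packets: a bare client hard reset, and a TLS record header.
RESET = bytes([HARD_RESET_CLIENT_V2 << 3]) + bytes(8) + b"\x00" + bytes(4)
TLS_HELLO = bytes.fromhex("160301000a") + bytes(10)

SAMPLE_FLOWS = [
    {"dst_ip": "203.0.113.10", "dst_port": 1194, "proto": "udp", "payload": RESET},
    {"dst_ip": "198.51.100.7", "dst_port": 443, "proto": "tcp",
     "payload": len(RESET).to_bytes(2, "big") + RESET},
    {"dst_ip": "198.51.100.20", "dst_port": 443, "proto": "tcp", "payload": TLS_HELLO},
]

for flow in SAMPLE_FLOWS:
    print(flow["dst_ip"], flow["dst_port"], vpn_signals(flow))
```

The second sample flow shows why port checks alone are weak: OpenVPN over TCP 443 to an unlisted address trips neither the IP nor the port signal, yet the handshake opcode still identifies it.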
In What Ways Can You Be Tracked Online?
- Malware. Accidentally installing malware on your device can result in severe issues like stolen personal information or even fraud.
- IP address. Unless you use a VPN, a proxy, a Tor browser, or any other privacy protection tool, your actual IP address is visible to the websites you visit.
- Cookies. Advertisers can track you across the internet based on cookies, whether you use a VPN or not. However, popular browsers like Google Chrome allow you to block cookies if you'd rather not have your internet habits saved and stored on the internet.
- Digital fingerprinting. More intrusive than cookie-based tracking, fingerprinting uses your computer settings, software, web browser preferences, and other similar things to make a digital portrait of you.
- DNS leak. DNS leaks can happen when a VPN or a DNS is not set up correctly, and your device gets hacked. These leaks can compromise your privacy by exposing your activity online. To avoid DNS leaks, use a VPN that provides you with your DNS addresses.
- Doxxing. Doxxing is a cruel practice that people use to expose someone's private information, like their home address or workplace.
As you can see, an IP address isn't the only identifier on the internet. Thus, a VPN isn't the only solution to online threats. Apart from using anti-virus programs, we should also be cautious about suspicious links and emails.
Phishing is as old as the internet, and no one is safe from it because modern phishing tactics can be seamless. We can all feel a bit spaced out sometimes and not notice warning signs when they're there. Still, keeping your common sense on the internet is crucial.
Protect Yourself With More Than A VPN
Even when you use a VPN, the traffic between your VPN exit server and your final destination is still not encrypted by the VPN. While tracing actions from your VPN IP address may not lead back to you, other interactions along the way can. Remember, there are multiple ways to trace your online usage back to you.
Additionally, not all VPNs are equal. A bad VPN can be just as dangerous as not having one at all. When choosing a VPN, make sure to check if they have a history of data leaks, operate in countries that do not require logging of user data, and support the devices you frequently use.
Securing Your Privacy
Protecting your privacy does not end with owning a VPN. There are plenty of ways that you can expose yourself if you aren't careful. Even something as simple as using identical passwords across different websites can compromise your security.
And if you sign in to websites, you can be tracked by that site even if you're using a VPN.