Can you be tracked while using a VPN?

So you’ve decided to use a Virtual Private Network (VPN) to be more private and anonymous online. But can can you be tracked while using a VPN? The short answer is: yes, but the type of VPN you use will make a big difference.

Quality VPNs can provide important privacy protections: they encrypt data and mask our IP addresses while we’re online. This makes it so that when you do something as simple as browse the web, you have a certain degree of anonymity behind the VPN. But, when it comes to internet tracking, things are not so simple.

The most blatant privacy risk is some notorious free VPN services. Some services like privacy-focused non-profits might indeed provide free VPNs which are secure and reliable. But the majority of companies offering free VPNs do so precisely to track, log, and sell user data wholesale. This is how these companies earn revenue, since clients are not paying them. There is a huge market of data brokers looking to capitalize on your personal information.

So can we still be tracked while using a paid and reputable VPN with explicit policies committed to maintaining our privacy? Unfortunately, yes. Web services we connect with will still be able to discern that a VPN is being used to connect, but this really isn’t the important thing. The way traditional VPN services centralize user data puts our privacy at risk. VPN logging or record keeping of metadata is. Data breaches from VPN servers can reveal useful information for parties trying to track what we do online.

Thankfully, decentralized VPNs (dVPNs) like NymVPN offer an architectural solution to this vulnerability of mainstream VPNs: they eliminate centralized servers.

If you’re new to the subject, read up on how internet tracking works and who is doing it.

How does a VPN prevent tracking?

Even before you access anything on the public web, a VPN secures and routes all your online activities through their own server(s). This effectively protects your data from outside interference and direct tracking by masking your identity in whatever you do online.

The first step is encryption: before ever leaving your device, your data is encrypted by the VPN so that once it travels to the VPN’s own servers, no external party can access the contents. The second step is IP address obfuscation: your true IP address is replaced with the VPN server’s own public address. If you’re accessing a website, the website will see the VPN connecting to it, but not you specifically.

A VPN can thus do a lot to mitigate direct attempts to track what you do online. Even if many modern websites now provide end-to-end encryption for users, VPNs guarantee that this encryption is in place by default. And since user tracking is done primarily through the IP addresses that link us directly to our Internet Service Provider (ISP), device, and geolocation, masking your own IP address is an important step in complicating online tracking efforts.

Learn more about how VPNs work to protect your privacy.

Who can see that you are using a VPN?

In principle, anyone you directly connect with online can potentially know you are using a VPN. VPN IP addresses are public, so a basic search will reveal the VPN service provider. However, outside parties will not be able to identify that it’s you behind the VPN’s address, at least not without additional tracking effort. So why does it matter if someone can see that you’re using a VPN?

Some online services are set up to block VPN use. Streaming services, for example, often prohibit known VPN addresses from accessing their contents (even if you are signed in through your personal account). This prevents users from accessing content exclusively available to foreign markets. Other cases might be work VPNs which require verified IP addresses of employees to connect for security, user authentication, or network monitoring.

Can your internet provider see you’re using a VPN?

Yes. Your ISP is your connection with the public internet. So even when using a VPN, your connection must first pass through your ISP. As we’ve seen, most VPN service providers use static and public IP addresses. So ISPs can easily identify when you connect to a VPN through them. ISPs will also be able to see VPN connection patterns, such as the port connections which VPNs typically use.

Don’t forget that there’s nothing wrong with using a VPN, and your ISP cannot see the content of what you’re doing because the VPN has encrypted it. They can only see the connections between your computer and the VPN’s server.

Can a website see I am using a VPN?

Yes. Like your ISP, a website will see the VPN’s IP address as the user connection. So in the case of well-known VPN IP addresses, they will see that a user, though not you particularly, are accessing the site through a particular VPN provider. If the website blocks known VPN services, this could prevent you from accessing the site and content you need.

Can my employer see I’m using a VPN?

Yes. Certain employers may not allow users to connect to work networks while using a VPN. This could be for network monitoring purposes or as a security measure. Users may have to turn off their VPNs for work sessions, which might make any simultaneous non-work traffic traceable (things downloading in the background, casual browsing, etc.). In this case, split tunneling with a VPN can be a good way of compartmentalizing when you use a VPN and for what kinds of traffic.

Can you still be tracked using a VPN?

Whether someone you’re directly connecting with can see that a VPN is being used is a very different question from whether you can be tracked while using a VPN. We’ve addressed the first, so now let’s consider whether we can still be tracked while using a VPN, and by whom.

Can my VPN service track me?

As we noted at the beginning, by using many of the free VPN services available, the logs of your online activities are at risk of being not only tracked, but sold to third parties. Without a payment incentive to keep clients happy, they use their software simply to collect data to sell on the open market. This is a privacy disaster.

Even more trustworthy VPN services, such as those with paying clientele they’d prefer to keep, can still “track” the online activities of users: they can keep logs of the metadata of user traffic through their servers. Metadata simply means data about other data. Since the content of what you do online is encrypted through the VPN, there is still revealing data around it that is visible to the VPN: when you connect to a particular website, for how long, etc. Many VPN services promise “no logs” or “zero logs” policies to assure clients of their privacy and the security of their metadata.

However, since this data is centralized on the VPN’s own servers, or on the third-part company servers they rent, then this metadata is always vulnerable to being breached, targeted by cyber attacks, or subject to warrants for disclosure (or simply requests) by governmental or law enforcement agencies. So let’s consider these parties.

Can the police track you through a VPN?

At this point, the ability to track us while using a VPN changes significantly. This is because, when it comes to law enforcement and government tracking, we are dealing with external surveillance. All of the tracking agents we have considered so far are ones with whom we are directly connected via the VPN.

Law enforcement agencies are hard at work tracking targeted users online. Naturally, this could be for perfectly lawful reasons given the amount of serious criminal activities happening online (child pornography, sex trafficking, identity and financial theft, etc.). However, law enforcement tracking can also raise serious ethical questions regarding our privacy. New predictive policing strategies are one example, in which mass amounts of online user data is collected and processed by AI programs to identify possible perpetrators of future crimes.

Unlike direct connections online, law enforcement agencies would need to have access to your VPN’s metadata logs to track your activity: connections with sites or individuals, timestamps, durations, etc. Taken together, this can produce an entire browsing history of a user. However, tracking would require two things: that the VPN does in fact keep such metadata logs, and if so, that they’ve been convinced to turn them over. Some VPNs like NymVPN cannot have any logs by design, and others promise not to keep them, though they might anyway. Mainstream VPN services have been known to voluntarily cooperate with police requests for user records, and they can be legally compelled to regardless of their privacy commitments.

Can the government track you through a VPN?

Yes, but like the above case, this requires having lawful (or extra-legal) access to the VPN service’s data logs. Governments, or their intelligence agencies, can compel private VPN companies to disclose user metadata records in the name of national security. Again, this might be justified in some cases, but it also can be done in an extra-judicial manner. As a society, we’re left with an important ethical question: to what extent are security measures over-reaching, violating not only the digital privacy of millions of people, but also our constitutional rights?

Can big tech companies track you through a VPN?

Large tech companies, like Google and Meta, are some of the biggest agents of online tracking, harvesting the data of billions of users worldwide. These companies use tracking techniques which target your online activity beyond what is revealed by your IP address. This can involve cookies installed by the company on your web browser or adjacent software, allowing them to track your activities across multiple browser sessions. But the data collected about us might be shocking to some: entire histories of our movements, everything you’ve searched for online, the apps you use on your phone, personal messages, etc. They also use more advanced techniques like digital fingerprinting and traffic analysis to create profiles of your interests and desires so as to target advertising to you.

Can you be tracked if a VPN fails to connect?

Possibly. If your connection to the VPN goes down while you’re still active online, whether for just a second or an unnoticed period of time, your connection with the web will no longer have VPN protections. Your true IP address could be visible to parties you connect with or to external surveillance. Your data might also be vulnerable to hackers using techniques like a man-in-the-middle attack to access your traffic en route to the public web.

Many modern and high-quality VPNs now include a security feature called a kill switch to deal with this possibility. If your connection with the VPN drops, the kill switch immediately servers your connection with the internet to prevent your data being compromised. Not all VPNs have kill switches, however, so interested users should look out for this feature.

Decentralized VPNs for increased privacy

One thing should be clear from this list of parties who could be trying to track us while we’re using a VPN: they track us primarily by accessing our VPN’s servers where the metadata of our connections are logged. If this data were not centralized, all forms of tracking would be exceedingly difficult to accomplish. Not impossible, but very difficult. This is where the architectures of decentralized VPNs (dVPNs) come into play.

Instead of routing all user data through one central server, a dVPN distributes it through a decentralized network of independent and unlinkable servers (called nodes). But when it comes to how private and anonymous we can be, not all dVPNs are built the same.

Some dVPNs are single-hop, which means that, like traditional VPNs, they route our data through a single node. Randomization in selecting which node to use, of course, can complicate data tracking efforts. But other dVPNs, like NymVPN, take things a few steps further. NymVPN is multi-hop by default. Users can choose between a faster 2-hop dVPN mode and a 5-hop mixnet mode for more robust privacy protections for certain traffic (like sensitive communications).

What makes a mixnet different from a simple dVPN routing procedure are a number of additional privacy features. Advanced layered Sphinx encryption is used to protect data in transit through nodes. User data is mixed up and bundled with the traffic of other users to further challenge traffic analysis. And dummy packets are circulated throughout the network to distract precise tracking attempts.

How can you avoid being tracked online?

You have to start with a VPN. VPNs are important tools in protecting our privacy and being anonymous online. But as we’ve seen, they are not absolute guarantees that what we do with them will be secured. Tracking will always be a possibility, especially as technology advances. Thankfully dVPNs can now resolve a lot of the risks posed by the data centralization of traditional VPNs which makes advanced tracking possible in the first place.

Not all VPN users, of course, have the same privacy concerns: some may simply need a VPN for general privacy online, while others may need one to bypass censorship restrictions in their country. Others may be concerned about internet tracking by particular parties (like employers, law enforcement, advertisers, data brokers, governments, or even stalkers).

Whatever the case, NymVPN includes customizable options for users without sacrificing privacy and anonymity.