A Virtual Private Network (VPN) connection can be tracked. There are a number of examples online where that’s happened, and most major VPN providers warn about this.
My name’s Aaron and I’ve been doing cybersecurity for more than a decade. I’m also a lawyer! I, personally, use a VPN to improve my privacy online. I also understand and respect its limitations.
I’m going to take you through how the internet works at a very high level to illustrate why a VPN connection can be tracked. I’ll even provide tips about how you can further hide your presence online.
Remember: the only way to not be tracked on the internet is to not use the internet.
Key Takeaways
- Many internet servers log usage data such as date, time, and source of access.
- VPN providers log usage data, such as what sites you visited and when you visited those sites.
- If that data is combined, then your internet use can be tracked.
- Alternatively, if your records are subpoenaed from your VPN provider, then your internet use can be tracked.
How Does the Internet Work?
I covered how the internet works at greater length in my articles “Can a VPN be Hacked” and “Is It Safe to Use Hotel Wi-Fi”. I’m not going to rehash that completely, and I’d encourage you to take a look at those articles to get a better sense of how the internet works.
I’ve used the analogy of the postal service to highlight how the internet works–there’s way more complexity to the internet, but it can be reduced to that conceptually.
When you visit a website, you become penpals. You send a bunch of requests for information to the website along with your return address (in this case an Internet Protocol, or IP Address). The website sends the information back with its return address.
That back-and-forth puts the website and its information on your web browser screen.
A VPN acts as an intermediary: you send your letters to the VPN service and it sends your requests on your behalf. Instead of your return address, the VPN service provides its return address.
Websites are hosted on servers–very large computers–which are externally provided or internally hosted. Those servers record logs of all requests made. Those logs are kept for usage information, security purposes, or other data telemetry needs.
Can a VPN Connection Be Tracked?
Hopefully you can see why your VPN connection can be tracked. Requests between the VPN server and the target website, even if they’re encrypted, have an identifiable source and destination. Both ends of that connection can track that conversation.
If the connection is coming from a known VPN IP address, the website can even tell that you’re using a VPN connection.
Requests between your computer and the VPN server, which are encrypted, also have an identifiable source and destination. Both ends of that connection can track that conversation.
Since all of that activity generates logs and those logs are recorded, then with a little work and data correlation, there exists a connection between your computer and the information you request. In short, you can be tracked.
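The correlation described above, as an added example that is not part of the original article: it joins a VPN provider's session log with a website's access log on exit IP address and time. The log layouts, IP addresses (documentation ranges), timestamps, and the `correlate` function are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumed log layouts, documentation-range IPs).
# VPN provider session log: (customer IP, exit IP, session start, session end)
VPN_SESSIONS = [
    ("198.51.100.23", "203.0.113.10", "2024-03-01T09:00:00", "2024-03-01T09:45:00"),
    ("198.51.100.99", "203.0.113.10", "2024-03-01T09:10:00", "2024-03-01T09:20:00"),
    ("198.51.100.77", "203.0.113.10", "2024-03-01T10:00:00", "2024-03-01T10:30:00"),
    ("198.51.100.23", "203.0.113.11", "2024-03-01T11:00:00", "2024-03-01T11:20:00"),
]
# Website access log: (source IP seen by the site, timestamp, path)
SITE_REQUESTS = [
    ("203.0.113.10", "2024-03-01T09:12:31", "/forum/post/1"),  # two sessions overlap
    ("203.0.113.10", "2024-03-01T10:05:02", "/forum/post/2"),
    ("203.0.113.11", "2024-03-01T11:19:59", "/account"),
    ("203.0.113.10", "2024-03-01T10:30:20", "/forum/post/3"),  # 20 s after logged end
]


def correlate(sessions, requests, clock_skew_seconds=0):
    """For each website request, list the customer IPs whose VPN session
    used the same exit IP at that moment (allowing for clock skew)."""
    skew = timedelta(seconds=clock_skew_seconds)
    results = []
    for src, ts, path in requests:
        when = datetime.fromisoformat(ts)
        candidates = sorted({
            customer
            for customer, exit_ip, start, end in sessions
            if exit_ip == src
            and datetime.fromisoformat(start) - skew
            <= when
            <= datetime.fromisoformat(end) + skew
        })
        results.append(((src, ts, path), candidates))
    return results


if __name__ == "__main__":
    for (src, ts, path), candidates in correlate(VPN_SESSIONS, SITE_REQUESTS):
        # One candidate = unambiguous link; several = shared exit IP;
        # none = no retained session record covers the request.
        print(f"{ts} {src} {path} -> {candidates or 'no match'}")
```

A request made while two customers share an exit IP yields two candidates, and a provider that retains no session records yields none, which is why shared exit addresses and log retention practices matter when choosing a service.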
Should I Be Worried?
There are really four practical ways for someone to actually track you online if you use a VPN service. Otherwise, you’re relatively hidden using VPN.
Method 1: You’ve Done Something Illegal
Hopefully you’re not using a VPN for purposes that are considered illegal in your jurisdiction. If you are, then you’re engaging in activities which will allow enforcement authorities to use legal process to obtain your records.
In the case of criminal activities, this is the police using your country’s version of the warrant power–where a court can compel disclosure of identified server logs in furtherance of supporting prosecution for those crimes.
In the case of civil violations, like sharing copyrighted material improperly online through peer-to-peer sharing, the copyright holder can use your country’s version of the subpoena power–where a court can compel disclosure of identified server logs in furtherance of supporting monetary damages and enjoining, or stopping, the sharing.
In those cases, the police or the civil litigant can compel production of those records, collect those records, and compile your activities.
Method 2: Your VPN Provider Was Hacked
There are a few examples of major VPN providers being hacked over the past few years. Some of those hacks resulted in theft of the server log records for those providers.
Someone in possession of those VPN service logs who is also in possession of logs from other sites could potentially reconstruct your usage.
They would also need logs from the sites you visited, though, which isn’t a guarantee.
Method 3: You Used a Free VPN Service
I want to highlight an important principle of the internet here: if you’re not paying for a product then you’re the product.
Free services are often free because they have an alternative revenue stream. The most commonplace alternative revenue stream is data telemetry sales. Companies want to know what people do online to target ads and boost sales for goods and services. Data aggregators, like VPN services, have a treasure-trove of data at their fingertips, and sell that to fund their service.
If you use a paid VPN service, there’s an almost zero percent chance this happens to you. If you use a free VPN service, there’s an almost one-hundred percent chance this happens to you.
If you’re using a free VPN service, you may as well not use VPN at all. The free VPN services collect all of your usage and package it neatly for resale. At least when you don’t use VPN, that data is disaggregated and typically only stored by the sites you visit, which are all ostensibly independently managed and operated.
Method 4: You’re Logged-In to Your Accounts
Even if you use a reputable VPN service, which hasn’t been hacked since you started using it, you can still be tracked online.
Here’s an example: if you’re logged in to your Google account on Chrome, even if you use a VPN, Google tracks and can see everything you do online.
Another example: if you’ve logged in to Facebook on your computer and haven’t logged out, so long as the websites you visit have Meta trackers enabled (many do), Meta collects information from those trackers.
Major service and social media accounts track what you do and where you go online. Again, if you’re not paying for the product, then you’re the product!
Here are some common questions about VPN tracking that I’ve answered below.
How Does Google Know My Location Using VPN?
You’re likely logged in to your Google account. If you’re logged in to your Google account on the browser you’re using to browse with a VPN, then Google is able to see information about your computer, router, and ISP. That information is used to identify your location. If you don’t want Google to have this information, log out of your Google account or use incognito/private browsing.
Can an Email be Traced If I Use a VPN?
Yes, but with difficulty. The header information on an email is generated independently of a VPN. Sometimes that contains IP Addresses. There’s a different process to trace emails, which conceptually operates similarly to web traffic generally, but VPN does not hide that trail. That being said, email servers and ISPs make that trail difficult to track. Here’s a fantastic YouTube video about email tracing.
What Does a VPN Not Hide?
VPNs only hide your public IP Address. Everything else about what you’re doing isn’t hidden from the world.
Do Criminals Use VPN?
Yes. So do non-criminals. Using a VPN doesn’t make you a criminal and not all criminals use VPNs.
VPN connections can be tracked in some cases. The chances that you, specifically, are being tracked are very low. That assumes you’re not doing anything illegal and you’re not logged into social media accounts.
VPNs are a powerful tool to improve your privacy online. I would highly recommend using one. I would also highly recommend doing your research to make sure you’re using a legitimate service intelligently.
What do you think about data tracking and VPN? Do you use a VPN service? Let me know in the comments!