Skip to content
PrivateAI
← Back to Home
mindset

The Real Reason Your VPN Isn't Protecting You (It's Not the VPN)

9 min readBy PrivateAI Team

You installed a VPN. You chose a well-reviewed provider, you connected to a server, and now there is a little shield icon in your menu bar telling you that you are protected. You feel private. You feel safe.

You are neither. Not because the VPN is bad — it is probably doing exactly what it claims. The problem is that what a VPN actually does and what most people think it does are two entirely different things. And the gap between those two things is where your privacy actually leaks.

What a VPN Actually Does (And Only Does)

A VPN — Virtual Private Network — does two things:

  1. Encrypts your network traffic between your device and the VPN server, preventing your ISP (and anyone on your local network) from seeing what websites you visit.
  2. Masks your IP address from the websites you visit, replacing it with the VPN server's IP address.

That is it. That is the complete list. Everything else — "total privacy," "anonymous browsing," "complete protection" — is marketing.

A VPN does not prevent websites from tracking you. It does not stop apps from collecting your data. It does not hide your identity from Google, Facebook, or Amazon. It does not protect you from phishing. It does not encrypt your email. It does not secure your passwords. It does not make you anonymous.

Understanding this distinction is the difference between actual privacy and security theater.

The Five Privacy Leaks Your VPN Cannot Touch

1. Browser Fingerprinting

Your browser broadcasts a unique combination of attributes every time you visit a website: screen resolution, installed fonts, browser version, operating system, language settings, timezone, graphics card capabilities, audio processing characteristics, and dozens more. Combined, these attributes create a fingerprint that is unique to your device — often unique enough to identify you across sessions, across websites, and across IP addresses.

A VPN changes your IP address. It does not change your browser fingerprint. Websites and ad networks that use fingerprinting (and most major ones do) can track you across every VPN server you connect to because your browser announces the same unique combination of attributes regardless of which IP address you use.

This is not theoretical. The Electronic Frontier Foundation's Cover Your Tracks tool demonstrates that the vast majority of browsers have a unique fingerprint. Your VPN is irrelevant to this tracking method.

What to do about it: Use a browser designed to resist fingerprinting. Firefox with strict privacy settings normalizes some fingerprint attributes. The Tor Browser is specifically designed to make all users look identical. Brave has built-in fingerprint randomization. This is a browser problem, not a network problem.

2. Logged-In Account Tracking

If you are logged into Google, Facebook, Amazon, or any other platform while using a VPN, those services know exactly who you are. Your IP address is irrelevant — you have identified yourself by logging in.

Google does not need your IP address to track you across the web. Your Google account, combined with Google Analytics (installed on approximately 85% of websites), Chrome sync data, and Android telemetry, provides a comprehensive profile of your online activity. A VPN hides your IP address from Google's servers, but Google already knows it is you because you are signed into Gmail in the next tab.

What to do about it: Log out of major platforms when you are not actively using them. Use separate browsers — one for logged-in activity (email, social media) and one for general browsing. Consider using privacy-focused alternatives: ProtonMail instead of Gmail, DuckDuckGo instead of Google Search, Signal instead of WhatsApp.

3. DNS Leaks and WebRTC Leaks

Even with a VPN active, your device may leak identifying information through DNS requests or WebRTC protocols.

DNS (Domain Name System) translates website names into IP addresses. If your DNS requests bypass the VPN tunnel and go to your ISP's DNS servers, your ISP can see every website you visit despite your encrypted connection. Many VPNs handle DNS internally, but misconfigurations, fallback settings, or operating system defaults can cause leaks.

WebRTC (Web Real-Time Communication) is a browser protocol used for video calls and file sharing. It can expose your real IP address even when a VPN is active, because it establishes direct peer-to-peer connections that may bypass the VPN tunnel.

What to do about it: Test for DNS leaks at dnsleaktest.com. Disable WebRTC in your browser settings (Firefox: set media.peerconnection.enabled to false in about:config). Use a VPN that runs its own DNS servers and forces all DNS traffic through the tunnel.

4. App-Level Data Collection

Your phone's apps collect data independently of your network connection. Your VPN encrypts the traffic between your phone and the VPN server, but it does not prevent apps from collecting and transmitting your location (via GPS, not IP), contacts, photos, browsing history, usage patterns, keystroke timing, accelerometer data, and microphone input.

A fitness app that tracks your GPS location will transmit that location data to its servers through the VPN tunnel. The data is encrypted in transit, sure — but it still arrives at the app company's servers with your precise coordinates, your account information, and every detail the app has permission to access.

The VPN protected the data in transit. It did nothing about the data being collected in the first place.

What to do about it: Audit app permissions aggressively. Remove permissions that apps do not need for their core function. Uninstall apps you do not use. On Android, consider GrapheneOS, which provides per-app permission controls far beyond stock Android. On iPhone, review the App Privacy Report in Settings.

5. Your Own Behavior

This is the biggest privacy leak of all, and no technology can fix it.

If you use your real name on social media, post photos with location data, share your daily routine, connect your accounts to each other, use the same username across platforms, reuse passwords, click on phishing links, and voluntarily hand over personal information to every website that asks — a VPN is a locked door on a house with no walls.

The most sophisticated privacy setup in the world cannot protect someone who voluntarily publishes their home address, workplace, daily schedule, and family members' names on Facebook. And most people do exactly that.

What to do about it: This is a habit problem, not a technology problem. Minimize the personal information you share online. Use different usernames for different platforms. Never reuse passwords. Assume that anything you post publicly will be indexed, archived, and searchable forever.

Start with a VPN that does its job honestly

Mullvad VPN does not ask for your email. It does not track usage logs. It costs the same for everyone. It does exactly what a VPN should do — encrypt your traffic and mask your IP — without pretending to do more.

Learn More

The Privacy Stack: What Actually Works

A VPN is one layer. It is not the foundation. Here is what a real privacy stack looks like, ordered by impact:

  1. Behavior: Minimize what you share. Use different identities for different contexts. Never reuse passwords.
  2. Browser: Use Firefox or Brave with strict privacy settings. Separate browsers for logged-in and anonymous activity. Install uBlock Origin.
  3. Email: Use a privacy-focused email provider. ProtonMail and Tutanota do not scan your emails.
  4. Search: Use DuckDuckGo, Startpage, or Brave Search instead of Google.
  5. Messaging: Use Signal for private conversations. End-to-end encryption by default.
  6. Password manager: Use a password manager to generate unique passwords for every account. This prevents credential-stuffing attacks and eliminates password reuse.
  7. VPN: Encrypt your network traffic and mask your IP address. This handles ISP surveillance and local network threats.
  8. DNS: Use encrypted DNS (DNS-over-HTTPS) from a provider like NextDNS or Quad9.

Notice that the VPN is seventh on the list. Not because it is unimportant — but because the six things above it matter more for most people's actual privacy.

Key Takeaways

  • A VPN encrypts your traffic and masks your IP. It does not make you anonymous, private, or untraceable.
  • Browser fingerprinting tracks you regardless of your IP address. Use a privacy-focused browser, not just a VPN.
  • Logged-in accounts identify you completely. A VPN is irrelevant if you are signed into Google.
  • Apps collect data independently of your network connection. Audit permissions and remove what is unnecessary.
  • Your own behavior is the biggest privacy leak. No technology can fix oversharing.
  • A VPN is one layer in a privacy stack, not the whole stack. Start with behavior, browser, and account hygiene before worrying about network encryption.

The VPN industry has done a remarkable job convincing people that privacy is a single product you install. It is not. Privacy is a set of habits, tools, and decisions that work together. A VPN handles one piece — the network layer. The other pieces are up to you. And until you address them, that shield icon in your menu bar is telling you a story that is not quite true.

Get the PrivateAI weekly briefing

Privacy tools, local AI setups, and digital autonomy strategies for people who actually care about owning their data. Join 2,000+ readers.

Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.