VPN Is Not a Silver Bullet - Understanding How Tracking Still Works

A VPN is highly effective at hiding your IP address and encrypting your traffic, but the belief that "using a VPN makes you completely anonymous" is a dangerous misconception. A VPN protects only one segment of your communication path, and numerous techniques exist to identify individuals through other channels.

This article examines five specific scenarios where tracking succeeds despite VPN usage, with practical countermeasures for each. Start by checking your IP address on IP Checker to see how well your connection is currently protected.

Case 1 - DNS Leaks Exposing Your Destinations

Even with a VPN active, DNS leaks can route your DNS queries outside the VPN tunnel, revealing the domains you visit to your ISP or network administrator.

Why DNS Leaks Occur

  • The OS sends DNS queries directly to the ISP's DNS server, bypassing the VPN tunnel
  • Misconfigured VPN client DNS routing settings
  • IPv6 traffic falls outside the VPN tunnel, leaking DNS queries over IPv6
  • Windows Smart Multi-Homed Name Resolution sends parallel queries to DNS servers outside the tunnel

Countermeasures

  • Enable your VPN client's DNS leak protection feature
  • Activate DNS over HTTPS (DoH) to encrypt DNS queries
  • Use your VPN provider's dedicated DNS servers
  • Disable IPv6 or confirm your VPN tunnels IPv6 traffic
  • Regularly test for leaks using IP Checker's DNS leak test
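The configuration side of these countermeasures can be checked in code. This added example (not part of the original article) audits a list of configured resolvers against the VPN's DNS range and IPv6 support. The function names, the 10.8.0.0/24 range and the sample addresses are assumptions made up for illustration.

```javascript
// Input: resolver strings in the form Node's dns.getServers() returns,
// e.g. "10.8.0.1", "192.168.1.1:53", "[2001:db8::53]:53".
function stripPort(entry) {
  if (entry.startsWith('[')) return entry.slice(1, entry.indexOf(']'));
  const colons = (entry.match(/:/g) || []).length;
  return colons === 1 ? entry.split(':')[0] : entry; // one colon = IPv4 with port
}

function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const blockSize = 2 ** (32 - Number(bits));
  return Math.floor(ipv4ToInt(ip) / blockSize) === Math.floor(ipv4ToInt(base) / blockSize);
}

// tunnelDnsCidrs: IPv4 ranges of the VPN provider's resolvers (assumed known).
// tunnelCarriesIpv6: whether the VPN routes IPv6 traffic at all.
function auditResolvers(entries, tunnelDnsCidrs, tunnelCarriesIpv6) {
  return entries.map((entry) => {
    const addr = stripPort(entry);
    if (addr.includes(':')) {
      if (addr === '::1') return { addr, verdict: 'stub' };
      // An IPv6 resolver is unreachable through an IPv4-only tunnel.
      return { addr, verdict: tunnelCarriesIpv6 ? 'review' : 'leak' };
    }
    // A loopback stub (e.g. systemd-resolved) hides the real upstream server.
    if (addr.startsWith('127.')) return { addr, verdict: 'stub' };
    const ok = tunnelDnsCidrs.some((cidr) => inCidr(addr, cidr));
    return { addr, verdict: ok ? 'ok' : 'leak' };
  });
}

// Constructed sample: VPN resolver, home router, IPv6 resolver, local stub.
const sampleResolvers = ['10.8.0.1', '192.168.1.1:53', '[2001:db8::53]:53', '127.0.0.53'];
const sampleAudit = auditResolvers(sampleResolvers, ['10.8.0.0/24'], false);
```

A `stub` verdict means the check cannot see the upstream resolver, so inspect the stub's own configuration as well. A clean result here does not replace the online leak test, which observes where queries actually arrive.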

Case 2 - WebRTC Leaks Revealing Your Real IP

WebRTC enables real-time browser communication but can expose your actual IP address even while connected to a VPN.

How WebRTC Leaks Work

WebRTC sends STUN requests to discover optimal connection paths, disclosing both local and public IP addresses in the process. These requests can bypass the VPN tunnel, allowing malicious websites to extract your real IP via JavaScript. See our WebRTC leak guide for details.

Countermeasures

  • Disable WebRTC in browser settings (Firefox: set media.peerconnection.enabled to false in about:config)
  • Install a WebRTC leak prevention extension
  • Enable WebRTC leak protection in your VPN client if available
  • Test for WebRTC leaks on IP Checker while connected to your VPN
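To interpret a WebRTC self-test, compare the gathered ICE candidates with your VPN exit address. This added example (not from the original article) parses candidate lines such as those shown on the browser's diagnostics page (about:webrtc in Firefox, chrome://webrtc-internals in Chrome) and sorts the addresses by exposure. All function names and addresses are constructed for illustration.

```javascript
// Parse one ICE candidate line:
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)/.exec(line.trim());
  if (!m) return null;
  return { transport: m[1].toLowerCase(), address: m[2], port: Number(m[3]), type: m[4] };
}

function classifyAddress(addr) {
  if (addr.endsWith('.local')) return 'mdns'; // browser replaced the local IP with an mDNS name
  if (addr.includes(':')) {
    const a = addr.toLowerCase();
    // Loopback, unique-local (fc00::/7) and link-local (fe80::/10) are not routable.
    return (a === '::1' || /^f[cd]/.test(a) || /^fe[89ab]/.test(a)) ? 'private' : 'public';
  }
  const [a, b] = addr.split('.').map(Number);
  const priv = a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
  return priv ? 'private' : 'public';
}

// vpnExitIp: the public address your VPN shows as its exit (assumed known).
function reviewCandidates(lines, vpnExitIp) {
  const report = { exposedPublic: [], exposedLocal: [], viaVpn: [], hidden: [] };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    const kind = classifyAddress(c.address);
    if (c.address === vpnExitIp) report.viaVpn.push(c.address);
    else if (kind === 'public') report.exposedPublic.push(c.address); // real IP visible
    else if (kind === 'private') report.exposedLocal.push(c.address);
    else report.hidden.push(c.address);
  }
  return report;
}

// Constructed sample candidates (documentation address ranges).
const sampleCandidates = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'candidate:2 1 udp 1686052607 198.51.100.7 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:3 1 udp 1686052607 203.0.113.50 40000 typ srflx raddr 10.8.0.2 rport 40000',
  'candidate:4 1 udp 2122260223 a1b2c3d4-0000-4000-8000-000000000001.local 5000 typ host',
];
const sampleReport = reviewCandidates(sampleCandidates, '203.0.113.50');
```

Any entry in `exposedPublic` is a public address other than the VPN exit, which is the leak described above. `exposedLocal` shows that the browser is not masking local addresses.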

Case 3 - Browser Fingerprinting for Device Identification

Browser fingerprinting identifies users without relying on IP addresses at all. Even with your IP hidden by a VPN, the combination of browser attributes creates a unique identifier.

Data Used for Fingerprinting

  • Browser type and version, OS type and version
  • Screen resolution, color depth, device pixel ratio
  • Installed font list
  • Canvas API and WebGL rendering result hashes
  • AudioContext API audio processing characteristics
  • Timezone, language settings, keyboard layout
  • Hardware concurrency (CPU core count), device memory

According to the EFF's Cover Your Tracks project, 83.6% of users with typical browser configurations have a unique fingerprint.
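The added example below (not part of the original article) shows why combining attributes identifies a browser without any IP address. It measures how much each attribute narrows a population and how many visitors end up unique. The eight-visitor population and all function names are constructed for illustration, not measured data.

```javascript
// Constructed population: note that no IP address appears anywhere.
const visitors = [
  { ua: 'A', screen: '1920x1080', tz: 'UTC+1', cores: 8 },
  { ua: 'A', screen: '1920x1080', tz: 'UTC+1', cores: 4 },
  { ua: 'A', screen: '1366x768', tz: 'UTC+1', cores: 8 },
  { ua: 'A', screen: '1920x1080', tz: 'UTC-5', cores: 8 },
  { ua: 'B', screen: '1920x1080', tz: 'UTC+1', cores: 8 },
  { ua: 'B', screen: '1366x768', tz: 'UTC-5', cores: 4 },
  { ua: 'A', screen: '2560x1440', tz: 'UTC+9', cores: 16 },
  { ua: 'B', screen: '1920x1080', tz: 'UTC-5', cores: 4 },
];

// Bits of identifying information revealed by one attribute value.
function surprisalBits(population, attr, value) {
  const matches = population.filter((v) => v[attr] === value).length;
  return matches === 0 ? Infinity : Math.log2(population.length / matches);
}

// Anonymity-set size for `target` as attributes are added one at a time.
function narrowing(population, target, attrs) {
  return attrs.map((_, i) =>
    population.filter((v) => attrs.slice(0, i + 1).every((a) => v[a] === target[a])).length);
}

// Share of the population whose combined attribute values are unique.
function fractionUnique(population, attrs) {
  const keyOf = (v) => attrs.map((a) => v[a]).join('|');
  const counts = new Map();
  for (const v of population) counts.set(keyOf(v), (counts.get(keyOf(v)) || 0) + 1);
  const unique = population.filter((v) => counts.get(keyOf(v)) === 1).length;
  return unique / population.length;
}

const allAttrs = ['ua', 'screen', 'tz', 'cores'];
const sizes = narrowing(visitors, visitors[0], allAttrs);
const uniqueShare = fractionUnique(visitors, allAttrs);
```

For the first visitor the set shrinks from 5 matching browsers to 3, 2 and finally 1 as attributes are added, and every visitor in the sample is unique once all four are combined.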

Countermeasures

  • Set Firefox Enhanced Tracking Protection to "Strict" mode
  • Use the Tor Browser, which has the most thorough fingerprint defenses
  • Leverage browser isolation with separate profiles for different activities
  • Install extensions that randomize Canvas and WebGL fingerprints

Case 4 - Cookie and Login State Tracking

A VPN encrypts your connection but has no effect on cookies stored in your browser. If you were logged into Google or Facebook before connecting to the VPN, that session persists, and the service provider continues tracking your activity.

How Cookie Tracking Works

Third-party cookies issued by advertising networks track your browsing across multiple sites. Changing your IP via VPN does nothing if the same cookie remains in your browser. Additionally, tracking pixels, localStorage, and IndexedDB serve as alternative persistence mechanisms.

Countermeasures

  • Clear cookies and cache before connecting to your VPN
  • Block third-party cookies in browser settings
  • Use private browsing (incognito) mode
  • Separate browsers by purpose (daily use vs. privacy-focused)
  • Use privacy-focused search engines

Case 5 - VPN Provider Logging

When you use a VPN, the provider replaces your ISP as the entity relaying your traffic. Multiple cases have been documented where "no-log" VPN providers were found to be recording user data.

Notable No-Log Violations

  • 2020: Seven free VPN providers including UFO VPN left databases containing 20+ million user logs publicly exposed
  • 2017: PureVPN provided connection logs to the FBI despite claiming a no-log policy
  • 2011: HideMyAss supplied connection logs to UK law enforcement, leading to the arrest of a LulzSec member

How to Identify Trustworthy Providers

  • Regular independent security audits (Cure53, PwC, Deloitte)
  • RAM-only servers that erase all data on reboot
  • Headquarters in jurisdictions without data retention mandates (Panama, BVI, Switzerland)
  • Open-source client applications
  • Published warrant canaries

For more on choosing a VPN provider, see our VPN guide. To study privacy protection techniques systematically, privacy protection books can be a valuable resource.

Building a Multi-Layered Defense

The five tracking cases operate at different layers. Rather than relying solely on a VPN, combine defenses across each layer.

Defense Map by Layer

  • Network layer: VPN + kill switch + IPv6 disabled
  • DNS layer: DNS over HTTPS + VPN-dedicated DNS servers
  • Browser layer: WebRTC disabled + fingerprint defenses + cookie management
  • Application layer: Logged-out browsing + private mode
  • Trust layer: Audited VPN provider + RAM-only servers

Calibrate Defenses to Your Threat Model

  • Against ad trackers: VPN + cookie management + third-party cookie blocking
  • Against ISP surveillance: VPN + encrypted DNS
  • Against state-level surveillance: Tor + Tails OS + physical security measures

Minimizing your digital footprint requires reviewing your online behavior patterns alongside technical measures.

Latest Tracking Trends (2025-2026)

Third-Party Cookie Deprecation

Google Chrome is phasing out third-party cookies in 2025, but this does not end tracking. Replacement technologies like Topics API and Attribution Reporting API are building new tracking mechanisms independent of cookies. For a deeper understanding of both VPN and browser security, information security books are a valuable resource.

AI-Powered Traffic Analysis

Machine learning-based traffic analysis can now infer service types from encrypted VPN traffic with high accuracy, using features like packet size distributions, timing patterns, and burst characteristics.

Advanced Device Fingerprinting

Beyond browser fingerprinting, device-level techniques exploiting battery charging patterns, accelerometer calibration errors, and GPU rendering characteristics are being researched. These operate entirely independently of VPN protection.

Action Checklist

  1. Verify your VPN-connected IP address has changed on IP Checker
  2. Run a DNS leak test to confirm queries stay within the VPN tunnel
  3. Perform a WebRTC leak test to check for real IP exposure
  4. Clear browser cookies and cache; block third-party cookies
  5. Check your browser fingerprint uniqueness on EFF's Cover Your Tracks
  6. Review your VPN provider's audit reports and privacy policy
  7. Confirm your VPN kill switch is enabled

Summary

A VPN is a powerful tool for IP masking and traffic encryption, but five tracking vectors - DNS leaks, WebRTC leaks, browser fingerprinting, cookie tracking, and VPN provider logging - can compromise your anonymity even with a VPN active. The key is to avoid treating a VPN as a silver bullet and instead build multi-layered defenses tailored to your threat model. Start by checking your connection on IP Checker and address each vulnerability one by one.

Related Terms

  • VPN (Virtual Private Network): A technology that encrypts internet traffic and routes it through a remote server, protecting your real IP address and communication content from third parties...
  • DNS Leak: A phenomenon where DNS queries bypass the VPN tunnel, exposing the domain names you visit to your ISP or network administrator despite VPN protection...
  • WebRTC: A technology enabling real-time browser communication. Used for video calls and file sharing, but STUN server requests can leak your actual IP address...
  • Browser Fingerprint: A technique that uniquely identifies users by combining browser settings, plugins, fonts, screen resolution, and Canvas rendering results without using cookies...
  • Cookie: Small data stored by websites in your browser. Used for session management and preferences, third-party cookies enable cross-site tracking by advertising networks...