For years, I assumed that switching on my VPN meant I was browsing anonymously. The marketing indeed suggests as much — phrases like “complete privacy” and “invisible online” are everywhere. But after digging into what VPNs actually do, I realized I’d been giving them far too much credit.
VPNs do mask your IP address, and that’s useful for certain situations. However, IP masking is just one layer of online tracking, and advertisers, websites, and even your VPN provider have other ways to identify you. Understanding these gaps forced me to rethink online privacy. I still use it, but I no longer treat a VPN as an invisibility cloak.
I stopped using browser VPNs after this—and you should too
You should avoid browser VPNs for security and performance reasons.
Your VPN provider sees everything your ISP used to
You’re not removing surveillance, but you’re just redirecting it
When you connect to a VPN, your internet traffic gets routed through your provider’s servers instead of going directly to websites. This means your ISP can no longer see which sites you visit, but your VPN provider absolutely can. You’re not eliminating surveillance; you’re just picking a different company to handle your data.
This is the part that bothers me most. Virtual private networks marketing makes it sound like your browsing becomes invisible, but the reality is that you’re shifting trust from your ISP to a company you likely know even less about. Many VPNs advertise “no-log” policies, claiming they don’t store any record of your activity. The problem is that some of these claims are nearly impossible to verify.
Your ISP is at least regulated and operates within a legal framework you can research. A VPN company based in another country may be harder to evaluate. Some are owned by larger corporations with unclear data practices, while others have changed ownership without notifying users. I’m not saying ISPs are trustworthy — they’re not. But before paying for a VPN, it’s worth verifying their no-log claims and asking whether you actually trust that company more than the one already providing your internet connection.
Browser fingerprinting tracks you even with a VPN
Your browser leaves a unique trail that VPNs can’t erase
VPN providers rarely mention that your browser leaves a unique signature on every website you visit, and masking your IP address does nothing to stop it.
Browser fingerprinting collects details about your system, including screen resolution, installed fonts, browser plugins, timezone, language settings, and even how your device renders graphics. Combined, these data points create a profile that’s often unique enough to identify you across sessions — no IP address required.
Advertisers and tracking companies know that people use VPNs, so they’ve moved to fingerprinting specifically because it bypasses IP-based privacy tools. You could switch servers ten times a day, and your fingerprint would remain consistent.
A VPN won’t help here because you’d need a privacy-focused browser like Firefox with privacy settings or extensions enabled, or the Tor Browser, which standardizes fingerprint data across users. Most people who run a virtual private network in Chrome have no idea they’re still being tracked through an entirely different method.
Cookies and logins completely bypass your VPN
Logging into your accounts tells companies exactly who you are
This one seems obvious in hindsight, but it took me a while to fully grasp: if you’re logged into Google, Facebook, or Amazon while using a VPN, those companies know exactly who you are. Your IP address is irrelevant since they identify you through your account.
The same applies to cookies. These small files sit in your browser and track your activity across sessions, linking everything you do back to a single profile. A VPN encrypts your connection, but it can’t interfere with data your browser willingly stores and shares. This is why targeted ads follow you even with a VPN running. You search for running shoes on one site, and suddenly, every website shows you sneaker ads. Your VPN didn’t fail — it just wasn’t designed to stop this kind of tracking.
First-party cookies are particularly tricky because they’re essential for things like staying logged in and saving preferences. Blocking them breaks most websites. Third-party cookies are easier to disable, but many browsers still allow them by default.
If you want actual privacy from these companies, you’d need to log out, use private browsing, and aggressively manage cookies. A VPN alone won’t cut it, and you need to take these extra steps yourself.
VPNs won’t protect from malware or phishing attacks
Encryption secures your connection, not your judgment
Virtual private networks encrypt your internet connection, but if you click a phishing link or download a malicious file, that encryption doesn’t help. The malware travels through the same secure tunnel as everything else. Encryption protects data in transit from being intercepted. It does nothing to analyze what you’re actually downloading or which links you’re clicking.
Phishing emails work the same way with or without a VPN. That fake bank login page will still capture your credentials because your VPN has no way of knowing the site is fraudulent. So you’re just securely connecting to a scam. Some premium VPNs bundle basic threat protection features like blocking known malicious domains. These are nice additions, but they’re not substitutes for proper antivirus software or careful browsing habits. They catch some threats, not all.
A VPN is a privacy tool, not a security suite. If you’re relying on it to protect you from malware, you’re leaving yourself exposed. You still need dedicated security software, and more importantly, you need to verify links before clicking them.
DNS and WebRTC leaks can expose your real IP
Technical flaws can quietly undo everything your VPN does
Even if your VPN works perfectly, technical flaws in your setup can leak your real IP address without you ever knowing. DNS leaks and WebRTC leaks are the two biggest culprits, and not every provider protects against them by default.
DNS leaks happen when your device sends domain name requests outside the VPN tunnel, typically to your ISP’s servers. This means your ISP can still see which websites you’re visiting, even with the VPN active. It defeats the entire purpose.
WebRTC is a browser feature used for video calls and real-time communication. The problem is that it can reveal your actual IP address to websites, even with a VPN running. Most browsers have WebRTC enabled by default, and many people are unaware that it can reveal their real IP. Free VPNs are especially prone to these issues. They often lack proper leak protection and may not route all traffic through the tunnel correctly.
The frustrating part is that you have to actively test for these leaks using online tools. Your virtual private network won’t alert you if something’s wrong. I’d recommend running a leak test to check whether your VPN leaks your IP or DNS immediately after connecting — sites like ipleak.net make this easy. If your real IP shows up anywhere, your VPN isn’t doing its job.
I still use a VPN, but now I understand its actual limits
A VPN is one tool, not the whole toolbox
I haven’t canceled my VPN subscription. It’s still useful for staying safe when using public Wi-Fi, bypassing geo-restrictions, and keeping my ISP out of my browsing history. But I’ve stopped pretending it makes me invisible.
Absolute privacy requires layering. Use a privacy-focused browser, manage cookies strictly, run regular leak tests, and stay logged out when it matters. Treating a VPN as the beginning of your privacy setup rather than the entirety of it is the only honest way to use one.
