Unfortunately, there are instances where the answer is yes. We've all heard stories of a VPN that's failed to provide privacy for its users. It's important to remember that not every VPN was created equal, and there are a bunch of reasons why a VPN might cause you to "get caught".
In this blog, we will look at how VPNs work, how they differ between providers, the universal limitations involved with VPN technology, and what you must do to ensure you are as safe as possible.
People use VPNs for a wide variety of reasons. That said, the primary purpose of a VPN is to gain online privacy. And most users agree that connecting to a VPN allows them to feel more relaxed while surfing the web.
This permits for internet use without fear that everything you do online is being monitored (highly important if you are living in a country where accidentally stumbling on something that is religiously or morally prohibited will get you in trouble).
A VPN provides this added comfort by preventing ISP tracking and by ensuring that Wi-Fi networks cannot snoop on your web visits. As a result, it is extremely hard for government agencies to figure out what you are doing online.
VPNs achieve this by encrypting your data and tunneling it to a VPN server.
Why may a VPN fail to provide privacy?
There are hundreds of consumer-facing VPNs on the market. Not every service was created with the same level of privacy and data security. When developing a VPN, there are some crucial factors that can make or break that service.
At ProPrivacy, our experts review VPNs to check for these key security attributes. If any of these privacy and security features are missing – or aren't working correctly – we warn readers that the VPN is not fit for gaining privacy online. In other words, the VPN could allow you to get caught.
Below we will highlight what these primary features and attributes are, and why they are important for ensuring that the VPN is working correctly.
Other VPN providers have a slightly weaker policy that permits them to store some connection logs. Those connection logs are benign and are only used to ensure that the service is running smoothly (without putting their users' privacy at risk).
Unfortunately, there are instances when a VPN policy will permit connection time stamps and session duration logs to be harvested alongside the user's home IP address. These connection logs are problematic because they can be used to mount a time-correlation attack.
This is what happened when PureVPN helped the FBI to catch a cyber-stalker. During that investigation, PureVPN provided details about which VPN server one of its users had connected to and at what time. This allowed the FBI to compare those connection records against logs acquired from web services employed by the suspect to engage in cyberstalking.
Although this type of time-correlation attack is highly targeted, and only usually carried out in serious criminal investigations, it is still creates a privacy flaw that can be exploited to betray the user's privacy. A true no-logs VPN cannot be exploited in this way.
A VPN's encryption is the first line of defense for your data. As a result, which encryption protocol the VPN provides, and how it implements that encryption is highly important. Some outdated protocols such PPTP are considered deprecated, this means that they are no longer secure against eavesdroppers.
Unfortunately, a CSIRO study revealed that some VPNs (particularly free VPNs) lie about the level of encryption they provide. During the study, some VPNs were found to implement no encryption at all. This is a huge security risk because it means that your data is not actually private when you use the VPN.
Other VPNs fail to implement their encryption to the highest standards. As a result, the data passing through the VPN tunnel is vulnerable to attacks and could be penetrated.
Weak encryption is hugely problematic because it could allow a hacker or government agency to access your data, and to determine what you are doing online.
When you use a VPN, it is vital for the VPN tunnel to be free of leaks that could betray your privacy. If a VPN has IP leaks, DNS leaks, or WebRTC leaks, this could result in your online habits being tracked by your ISP. It will also allow online services and websites to detect your actual IP address.
As a result, a leaky VPN is the easiest way to get caught out. That is why we always test for leaks when reviewing VPNs, and is why we provide an online VPN leak test tool that anybody can use to check whether their VPN is working correctly.
Even when a VPN has a no-logs policy (like the one described above), it is important to remember that your data must pass through the VPN's servers in real-time.
A VPN encrypts data between your device and its servers to prevent local networks or ISPs from being able to track your data and online habits. However, in order to resolve your DNS requests and route your traffic to its ultimate destination, it must decrypt your data and send it on the last leg of its journey (to the online service you want to access).
This creates the potential for the VPN (or for a government agency) to monitor that traffic in real-time (monitoring DNS requests is by far the easiest way to check what people are doing while connected to the internet or a VPN).
So how does a VPN tackle this?
To hinder this and ensure greater privacy for users, most VPNs implement shared IPs that multiple users log into concurrently. This limits the potential efficacy of real-time monitoring (and is a good reason to use multiple occupancy IPs for privacy rather than a dedicated static IP).
Can you trust a VPN?
It is also important to remember that, when you use a VPN, you are putting your trust in that provider. If the VPN has set up its servers badly and left vulnerabilities that could be exploited by hackers – or is untrustworthy itself and is opting to use the VPN as a data honeypot, your privacy could be at risk.
This is why it is essential to stick to recognized VPN providers that have a proven record of providing privacy, and that have (preferably) been independently audited to ensure the service is free of vulnerabilities.
Can you be tracked by websites when using a VPN?
Although a reliable VPN encrypts your traffic and sends your data via a secure tunnel, this does not mean that you can't be tracked via other means.
The most obvious example of this is when you log onto a service like Google or Facebook. When you log in to an account, the service knows exactly who you are – regardless of whether you access it via a VPN.
The same is true of trackers like cookies left in your browser. These are designed to track you every time you return to a website (or visit an affiliated website).
Thus, if an online service has left cookies (or other persistent trackers such as tracking pixels or flash cookies) on your machine, the service will know who you are and track you as you move around the web; even with a VPN connected.
Don't forget about apps!
It is also worth noting that Apps can track users using device level identifiers such as an advertising ID or MAC address. This app-level tracking still occurs when you use a VPN. Therefore, it is better for your privacy to use services via their website (rather than their app) if you want to prevent some tracking.
Why do some criminals get caught using a VPN?
When you commit a criminal offence using a VPN, your chances of being caught are infinitely higher because the government has greater incentive to track you down.
Under these circumstances, a VPN company could be served a warrant that forces it to start monitoring a particular user, or to provide information (connection logs next to an IP) that permits for a time correlation attack.
It is also worth noting that although your ISP cannot tell what you are doing online when you connect to a VPN, it can still use Deep Packet Inspection to determine that you are using a VPN, and it could figure out which VPN you are using by analyzing the IP address of the VPN you use.
A VPN can only provide ongoing privacy if it is storing zero-logs, and, even then, real time analysis could be used to monitor a specific user accused of committing serious crimes. As a result, a VPN is not a foolproof tool for preventing police forces from tracking down criminals.
Ultimately, if you commit serious crimes – such as hacking a bank – it becomes highly probable that the police will coerce the VPN company into complying with a warrant to provide whatever information it has, or to provide access to its servers to allow for investigation from that time onward.
Are VPNs legal?
Having a VPN that isn't illegal in itself. In fact, many businesses use VPNs to protect their data, and to ensure that their workers are safe when they use work devices out of the office on public Wi-Fi networks. Thus, VPNs are considered a legitimate tool used to gain data security and privacy.
Although a VPN is legal to have, it is important to remember that using a VPN to engage in crimes is still illegal and if you are discovered you could be prosecuted.
That is why it is essential to use a VPN that has strong encryption and privacy features that prevent leaks (DNS leak protection and a kill-switch) or that conceal VPN use from your ISP (obfuscation).