You can be tracked through a VPN. The documented cases.
Short answer
Yes, in several documented ways. A VPN masks your IP address from the sites you visit and encrypts traffic between your device and the VPN server. It does not make you anonymous. It shifts trust from your ISP to your VPN provider and introduces several failure modes that most people do not account for.
What a VPN actually does
A VPN creates an encrypted tunnel between your device and a VPN server. Traffic leaving the VPN server carries the VPN’s IP address, not yours. Your ISP sees that you are connected to a VPN but not what you are doing inside the tunnel. The sites you visit see the VPN’s IP address, not your real one.
This is genuinely useful. It prevents your ISP from logging your browsing history and selling it. US carriers have documented histories of selling location and traffic data. A VPN removes them from visibility into your traffic. It protects you on public networks against basic interception attacks. It bypasses geographic content restrictions.
What it does not do is make you untraceable. There is a specific set of scenarios where a VPN provides no protection, and understanding them is more useful than marketing copy.
Documented tracking methods that bypass a VPN
Browser fingerprinting does not use your IP address. It collects your browser version, installed fonts, screen resolution, time zone, language settings, installed plugins, and dozens of other signals to create a unique identifier. This fingerprint is stable across VPN connections. A site that fingerprinted you without a VPN will recognise the same fingerprint with a VPN. No IP involved.
Account login is the most obvious bypass. If you log into Gmail, Facebook, or any account-linked service while connected to a VPN, those companies know your identity regardless of your IP. Your location can be inferred from your activity patterns, from the IP addresses of your contacts, and from historical login patterns that establish where you normally connect from.
DNS leaks occur when your device sends DNS queries outside the VPN tunnel. DNS requests resolve domain names to IP addresses. If your DNS queries go to your ISP’s resolver rather than through the VPN, your ISP can see every domain you visit even if the traffic itself is encrypted. Most reputable VPNs prevent this by default. Not all do. Test yours at dnsleaktest.com.
WebRTC leaks expose your real IP address through a browser API used for video and audio calls. Some browsers use WebRTC in ways that bypass the VPN and reveal your real IP to sites that request it. This is disabled by default in some configurations and not others. Extensions like uBlock Origin can mitigate it.
VPN provider logs. Your VPN provider sees all your traffic. If they log it and receive a lawful request, they hand it over. Proton VPN and Mullvad have both faced government data requests and produced nothing because they genuinely hold no logs. Other providers have produced logs that led to arrests. Free VPNs have documented histories of logging and selling the traffic data they claimed not to collect.
Correlation attacks are used by actors with visibility into both ends of the connection. If an adversary can see traffic entering the VPN network and traffic leaving it, they can correlate the timing and volume patterns to identify which VPN user is visiting which destination. This requires significant infrastructure. It is used by state-level adversaries and is not a realistic threat for most people’s threat models.
The VPN providers that have been tested in practice
Proton VPN received a Swiss law enforcement request for user data in 2021. Their response: no data to provide. Their no-logs policy held under a real legal request, not a marketing claim. The audit and the court response together make a stronger case than either alone.
Mullvad had their offices raided by Swedish police in 2023. Police left with nothing because no data existed to seize. Mullvad does not require an email address to sign up, accepts cash payment, and generates account numbers randomly. This is what a no-logs policy looks like when tested.
Both of these are meaningfully different from VPNs that publish no-logs policies without any external audit and have never faced a real request. The policy is the claim. The audit and the legal response are the evidence.
Frequently asked questions
Does a VPN protect me from my employer?
Not on a work device. If the device is managed by your employer’s MDM, they can see traffic regardless of a VPN. On a personal device on your home network, a personal VPN prevents your employer from seeing traffic through any network monitoring they might have access to. It does not prevent them from seeing what you do on company systems.
Is incognito mode plus a VPN anonymous?
No. Incognito mode prevents local browsing history from being saved. It does not change what the VPN provider sees, what the sites you visit see, or how fingerprinting works. The combination is better than neither. It is not anonymity.
Can law enforcement compel a VPN to identify a user?
They can issue the request. Whether it produces anything depends on what the provider actually retains. A provider that holds connection logs can be compelled to produce them. A provider that holds nothing produces nothing, regardless of legal pressure. The Proton and Mullvad cases are the operative examples: the legal mechanism existed, the data did not. The lesson is to choose the provider before you need them, not after.
Does a VPN protect against state-level adversaries?
Against most threats, yes. Against an adversary with visibility into both ends of an encrypted connection, no. Correlation attacks are the documented limit of VPN protection. They require infrastructure that only state actors and large platforms reliably have. For journalists, NGOs, and anyone whose threat model includes a state adversary, a VPN is one layer in a chain that also includes Tor, compartmented devices, and operational discipline. A VPN alone is not the answer to that threat model.
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
