7 good reasons why a VPN isn't enough

With Americans spending over 10 hours of screen time daily across the various devices they own, this amounts to a lot of internet usage. Of course, all of this traffic goes through your ISP, and with the spectre of possible data breaches, this can create some real concern about your data and privacy.

Not to mention that over in the US, any fears along these lines have recently been compounded by the legislation which was passed earlier this year to overturn FCC privacy regulations, allowing ISPs to legally sell user data to the highest bidder in order to make additional profits. And of course, the UK has the equally worrying Investigatory Powers Act.

The solution that many folks have turned to is using any of the best VPNs to protect themselves. Sending your data through an encrypted tunnel has an obvious and appealing privacy advantage. After all, doing so should keep your internet activities safe from your ISP’s prying eyes, and its ‘big data’ mining operations.

However, while a VPN is an excellent start in terms of protecting privacy and your browsing history, realize that it is not a cure-all, and does not provide full online anonymity or complete protection of all data when used alone.

In this feature we’re going to discuss some of the limitations of using a VPN. You’ll also discover some ways you can upgrade your protection to stay safe online. While 100% anonymity isn’t realistic, there are definitely things you can do above and beyond simply activating your VPN and hoping for the best.

1. Free VPNs

Everybody wants a bargain, but even the best free VPNs should be selected with care. At least given the concerns regarding security and anonymity, because with a free VPN, you are essentially signing up for a service which only has one way to turn a profit: by selling your browsing information to the highest bidder.

Selling user data is a well-established practice of “free” VPN services. Even the honest ones also may have to limit the amount you download, or restrict certain types of traffic like streaming video to make sure everyone can use the service. Still, the only way they can know how much you’ve downloaded or what you’re doing is by analyzing your traffic, which puts your data at risk. 

While everyone has to make a buck, you are definitely better off using a VPN that you pay for, which at least has a responsibility to value your privacy – because it’s literally their business to make sure this is the case.

2. VPNs keep track of data

When it comes to a VPN, one of the differentiating points is how long providers keep your data. Most VPNs keep data for between 14 to 30 days, and also require a varying amount of information for when it comes to signing up for an account. Obviously, the less information you have to supply to create an account, the better (in case of a potential data breach).

Ideally, a provider should log as little user data as possible, so pick your VPN carefully bearing this in mind. For example, check out our ExpressVPN review which claims to not collect any browsing activity or traffic data, making it a standout in this area among rival VPN services.

The best way to be sure of exactly what data is gathered and for how long it's kept by your provider is to carefully read through their privacy policy. If this kind of information isn’t made available and/or isn’t clearly laid out, then you should think twice before using their service. If you’re paying for a subscription already, they don’t need this information. 

Naturally there may be some information your provider has to log, such as the e-mail address and password you use for the service, as well as your payment information. If you’re concerned about this, use a disposable e-mail address like Temp Mail to subscribe to a VPN along with a strong, unique password. (We recommend using Diceware). 

If you don’t feel comfortable leaving your payment information on file, some providers like ExpressVPN also accept payment in anonymous cryptocurrencies like Bitcoin. Ideally buy your Bitcoin using a dedicated ATM or from a vendor who takes cash for maximum privacy.

3. Geolocation data

When you visit a website, often it already knows where you are via geolocation data. This is sometimes useful, for example when searching for a chain restaurant, because you’ll get directed to the closest location. 

This data can be supplied via your PC, and even more so with a smartphone which has integrated GPS capabilities, along with many apps asking for permission to access geolocation data.

With a navigation app, most of us won’t quibble about granting permission to access location data – as obviously it’s vital – but many other apps request permission to collect this data as well, with no direct need for it. They can then easily build a database of a user’s travels, and time spent at locations – and the point here is that this will not get cloaked even with your web browsing going through a VPN service.

Your only protection in this case is your common sense and a keen eye when it comes to app permissions.

Apple devices like iPhones should show a notification that apps want to know your location. You can switch this on permanently when using the app or allow the app to know your location ‘just once’. You can also disable location services on an iPhone altogether.

Devices running Google’s Android are a different story altogether. In theory you can turn off Android location services but the company’s been fined in the past for not being clear about what data it collects about users. Google has also restricted mobile VPN apps in their ‘Play’ store which are capable of restricting Google ads, which could potentially contain your location data.

The bottom line in both cases is only to enable location services when absolutely necessary e.g. when you’re lost and need directions.

4. MAC addresses

A MAC (Media Access Control) Address is the unique identifier for each and every device on the network. There are several standards for this, and they all consist of a series of digits – for example MAC-48 addresses consist of six groups of two hexadecimal digits that make up a 48-bit number.

A MAC Address, via the first three octets which make up the Organizationally Unique Identifier (OUI), indicates the manufacturer of the device. As each MAC Address is supposedly unique, it also allows your ISP to track a device’s usage. 

In practice it actually is quite difficult to gather any very meaningful data about someone based on their MAC address alone but it certainly can be used to track your device’s movements. 

A VPN will not provide anonymity from this, and therefore some folks turn to MAC Address Randomization techniques in an attempt to provide a cloak.

If you’re using an Apple device such as an iPhone that was made from 2014 onwards, you’re in luck: your operating system will automatically generate a new, random MAC Address for you each time you connect to a wireless network. Just make sure to deactivate Wi-FI when you’re not using it, so next time your device will use a new MAC Address.

Both Windows and Android devices also have built-in features to allow you to generate random MAC Addresses. Check with the developer’s support page for more help with this.

Linux users can also create custom scripts to change their Mac Address from the command line. 

If you only use internet devices at home, you can also gain some security from connecting another router to the one supplied by your ISP. This will conceal the MAC Addresses of individual devices in your house: in other words your ISP won’t be able to tell exactly which devices are accessing the internet by analyzing MAC Addresses, and they’d only see the address of your other router. 

5. Traffic statistics

Even in the best case scenario with all traffic encrypted by a VPN, an ISP can still learn quite a bit about the user. By analyzing both the volume of data, and the features of the data, the ISP can glean quite a bit of information without any need to break the encryption.

This type of analysis is known as ‘side channel’ information. Additionally, the times that the internet is used can also reveal patterns of internet usage that could be potentially useful. A router’s Traffic Analyzer feature can, for example, easily indicate how much video streaming the user is doing.

Someone monitoring your ISP’s connection could, in theory, gain some idea as to the type of data you’re accessing. Even though the traffic is encrypted, the speed at which the data packs are downloaded, their destination and their overall volume can be used to identify some of what you access. 

For instance, if they see you’ve downloaded 10GB worth of data in 20 minutes, it’s very unlikely you’re just reading your emails. Some proof of concept research has been done to show this type of analysis can identify specific YouTube videos watched by VPN users but this is hard to implement in practice. It would take a very dedicated adversary a lot of time to analze your encrypted traffic to discover anything truly meaningful like specific websites you’ve visited or files you’ve downloaded.

If you want to stay extra safe though, we recommend using multiple types of encryption together. For instance, Shadowsocks works by encrypting your connection via a SOCKS5 proxy server. You could easily set this up in your web browser via any of the best proxy services, then also connect to your VPN. 

This won’t prevent your ISP from analyzing your data packets if they want to but will affect the packets’ destination and timing enough to make their job much more difficult.

6. DNS requests

DNS (Domain Name System) servers deal with the process of converting the web address typed into your browser into the numerical IP address that’s actually used to direct the packets of data to your computer with the requested information. In general, the default DNS is your ISP, which again gives the company a complete web history of each user’s visited sites.

This can certainly be changed, but a popular alternative DNS – – is Google Public DNS, which is hardly an anonymous solution. The issue is that even when using a VPN, the DNS resolution can still be performed by the ISP depending on the configuration of the VPN.

There is a method to have the VPN resolve the DNS requests with an alternate DNS, but this needs to be separately configured, or the VPN can be operated in ‘tunnel mode’ where all the data gets sent only to the VPN server, which then handles the DNS duties.

With a basic encrypted VPN not being the answer, there are free public DNS solutions that do not log requests – such as FreeDNS – which surfers are better off using from an anonymity point of view (whether that’s configured in the VPN client, or Windows itself).

Many reputable VPN providers such as ExpressVPN and NordVPN actually use their own DNS servers and route all your connection requests through them, meaning they can’t be detected by your ISP.

However, not all VPN providers who claim to do this actually follow through. This is known as DNS leak and puts your data at risk, as your ISP can still see which websites you visit, even when connected to the VPN.

To make sure your DNS data is safe, connect to your VPN then visit a DNS Leak checking site like IP Leak. This will show both your IP Address as far as the Internet’s concerned, as well as your listed DNS servers. If set up correctly, you should see your VPN Provider’s DNS servers, not those used by your ISP. 

7. History snooping

Long before ISPs were selling information to the highest bidder in the US, companies had come up with ways to spy on users, a practice that has unfortunately persisted. We’ll leave it to the conspiracy theorists to figure out if this is all about making additional revenue, helping the NSA, or worse.

Recent examples have included ‘super cookies’ from the likes of mobile carriers Verizon and AT&T, and the Blu phone issue which raised concerns about data being sent back to Chinese servers. Stories like these are enough to make your skin crawl, particularly as a VPN does not protect from this level of history snooping, because the spying is tied so closely into the device.

Super cookies are a particular worry as they’re usually held by your ISP. In theory this means you could reset your device to factory settings, only for your ISP to reinsert the super cookie into your web browser the next time you go online.

The only way to protect yourself from super cookies is to consistently use websites that support SSL/TLS encryption, along with a reliable VPN provider. As your traffic is encrypted, websites will find it harder to gather the necessary information to create a super cookie in the first place.

If you think there might already be super cookies created about you on the web, take the time to clear your web browser’s cache, as super cookies can use existing regular cookies to harvest information about you. You should also consider browsing the web only in incognito mode

Jonas P. DeMuro

Jonas P. DeMuro is a freelance reviewer covering wireless networking hardware.

With contributions from