Virtual private networks are designed to preserve online privacy by encrypting internet traffic and hiding IP addresses that can be used to determine user location. Most users are aware of this when they try to access a website or service when they are overseas. The IP address generally triggers the loading of a URL in the local area and may restrict access to a U.S. service or site. A VPN can be used to circumvent such restrictions and limitations. For example, a U.S. user traveling in Europe might be blocked from accessing paid streaming services that the user could access if he or she were physically located in the U.S. A VPN masks the local European IP address and can enable the person to view U.S.-based content.
A VPN server, then, replaces an IP address with its own as it passes the encrypted data to the public internet. For example, if you live in New York, your IP address will show that you are connecting from New York. However, if you connect to a VPN server based in Amsterdam, the IP address appears to indicate that the user is based in the Netherlands.
SEE: Brute Force and Dictionary Attacks: A Guide for IT Leaders (TechRepublic Premium)
On the surface, VPNs seem to hide the digital footprint of a user. However, they are not a guarantee of complete anonymity. For example, ISPs are aware of when someone is using a VPN, but they can’t view specific online activity protected by a VPN, such as browsing history, DNS queries, downloaded files and personal data. However, VPNs are useful in preventing Big Brother — in the form of various government agencies — from snooping on users and where they visit online. The use of an encrypted VPN tunnel offers a large measure of protection against unwanted eyes.
But VPNs are not a panacea. If a system is hacked, a cybercriminal can learn what is going on, regardless of the VPN. And under certain circumstances, the police and government agencies can be granted access to VPN data.
Featured Partners
How can police track a VPN?
Most of the time, police are not allowed to track online behavior or gain access to VPN data. But serious crimes alter the equation. In the event of a major crime, the police can make a request to receive online data from a user’s ISP. If a VPN is being used, the VPN provider can be asked to provide user details. For example, law enforcement has been able to access VPN data to track down child predators and internet stalkers. VPN logs enabled investigators to find the perpetrators actual IP addresses. A direct IP address is not going to be available to the police, as VPNs encrypt data and route it via their servers. But other data provided to the police by a VPN provider may make it possible for them to figure out where a user is located.
What information can the police obtain from your VPN?
The police can legally apply to obtain certain types of information from a VPN provider. This includes: logs of all the websites a user visited and services used while connected to the VPN, as well as actual IP addresses; connection logs can provide law enforcement with details such as the time someone used a VPN to connect to a server; and billing information that shows your mailing address and banking details.
That said, some VPN providers promote a no-logs policy, i.e., they say their service does not store any logs in order to provide a further layer of anonymity. When the provider is forced to comply with a request for access from the police, there won’t be any data to pass on. But in most cases, there is some kind of data to be found. Billing information is typically available, which is why those wishing for secrecy prefer to pay in cryptocurrency. Further, some of those that say they have a no-logs policy, keep some kind of logs on the down-low. The privacy statement should tell the tale. And if a provider can’t provide a security audit or some form of independent verification of their privacy credentials, they may be quietly logging some data.
In addition, VPN providers vary in their level of cooperation. Some are happy to provide information to the police when provided with the right paperwork. Others are largely uncooperative. But even for them, enough pressure can be brought to bear that they are forced to comply.
Can police track IP addresses?
If the police can gain access to VPN connection logs, they may be able to find a user’s actual IP address along with other information related to data usage and the times the user most commonly connects to the VPN. If the police obtain such broad access, they can generally put the pieces together to identify a specific user device and determine the user’s identity.
Can live traffic be tracked?
The good news is that there is almost no way to track live, encrypted VPN traffic. Law enforcement can only obtain data, if available, about websites visited and so on. Otherwise, hackers and snooping government agencies are generally blocked by the fact that the data is encrypted.
There are exceptions. If a user device is hacked, or a VPN provider is infiltrated, malware can quietly feed VPN-protected data to hackers and cybercriminals. Security basics such as not clicking on malicious links and suspicious emails apply, as do all the usual cautions about not falling prey to social engineering tricks and scams.
Similarly, keeping operating systems, applications and VPN software up to date via patching is recommended. Vulnerabilities should be addressed to prevent breaches. And in very rare instances, hackers may obtain the very encryption keys used to safeguard VPN data. That allows them access to VPN traffic.
How do nations’ data retention laws impact VPN tracking?
Certain countries have data retention laws and others don’t. When data is sensitive, it is best to select a VPN provider in those nations that are privacy conscious. Some regions make it clear that the provider has no legal obligation to share user data with governments. The British Virgin Islands, Panama and Switzerland provide a high degree of user data protection.
Other nations may be more cooperative with law enforcement. For example, certain nations mandate that data must be retained for certain periods or within national boundaries. That means there is a data store somewhere containing VPN user data. This may, in turn, open the door to agencies within that country being able to request or seize data from VPN companies in their area of jurisdiction. Countries to watch include the U.S., U.K., Australia, Canada, New Zealand, Denmark, France, Netherlands, Norway, Germany, Belgium, Italy, Sweden, Spain, Israel, Japan, Singapore and South Korea. VPN providers in those countries pose some data risk. In fact, all of these countries are likely to cooperate with each other in forcing the VPN provider to pass on user information.
There are also highly regulated countries like China and North Korea where the Internet is blocked unless nationally approved sites and browsers are used. China has devised many ways to detect and restrict usage of VPNs being used to subvert its content-restriction mechanisms. Anyone in China should suspect that their data is available to any government agency that wishes to review it.
Can VPNs be tracked by anyone in general?
The more technically astute the individual, the higher the possibility they may be able to track VPN data in some way or another. Although the VPN changes an IP address and encrypts data, there are some ways to prevent anonymity. Netflix has been aggressive in finding ways to prevent any VPN user from illegally accessing country-specific content. Few VPNs can now get around these protections.
A hacker can also use malware to infect a device and reveal an actual IP address and confidential data. Be aware, too, that cookies may give the game away. Even with all protections in place, VPN users may be thwarted by a cookie cache containing preferences, websites visited, IP address, shopping cart history and more.
In addition, sophisticated users, agencies and businesses can harness browser fingerprinting to profile people based on the OS and software installed on their device, their time zone, hardware specs, screen resolution and other unique identifiers of an individual’s digital fingerprint. By cross-referencing all of this, the identity of the user can be located or at least narrowed down.
Are corporate VPNs private?
On the corporate side, users of a corporate VPN may be subject to snooping from their own enterprise. Employers are generally permitted to track user activity online if they wish, and that applies to VPNs. It all depends on the commercial VPN in use. Some do prevent employers from tracking employee data. Others allow it. But companies are probably going to opt for those VPNs that provide them with evidence that a user is involved in espionage, intellectual property theft, malicious activity or visiting unproductive websites such as porn or entertainment. Those in a corporate environment using corporate VPN tools, therefore, should be aware of the risk and liabilities of using some commercial systems.
And how about the good folks at Google? They are past masters at tracking everything that does anything across the web. That includes tracking a user, regardless of whether they use a VPN or not. All you need to do is sign in to a Google account, browser or service and “Google is watching you.”
As an experiment, log into a VPN, then use a Google search engine or service and look for a very specific product, something you have never searched for before such as a Stetson hat or crystal lampshade. Over the next day or two, see how many ads you suddenly get served on that item.
User tips
For anyone wishing to keep their IP address or data private by using a VPN, the moral of the story is simple.
- Adhere to standard security practices while using a VPN such as patching, anti-malware and avoid social engineering scams.
- Use paid VPNs and avoid free ones.
- Verify your VPN provider doesn’t store anything and seek independent verification.