VPNs do not make you anonymous.
They make your traffic take a different first hop.
That distinction is less dramatic than the ad copy, which is exactly why the ad copy avoids it. The VPN industry built a giant marketing machine around vague promises of anonymity, total privacy, and invisible browsing. What the technology actually does is narrower, more boring, and still useful in the right situations.
The problem isn’t VPNs. The problem is the fantasy sold around them.
What a VPN Actually Changes
A VPN encrypts traffic between your device and the VPN server. The local network — your coffee shop WiFi, your hotel, your ISP — can’t easily read the contents of that tunnel. The VPN server then sends your traffic onward, so websites see the VPN server’s IP instead of yours.
Two things changed: the local network lost visibility, and your apparent IP shifted.
That’s it.
What a VPN Doesn’t Change
The VPN provider sees everything your ISP would have seen. You didn’t eliminate surveillance. You moved it. Your ISP used to see your DNS queries and connection metadata. Now the VPN provider does. You replaced one set of eyes with another.
“But they have a no-logs policy.” Maybe. You can’t verify it. VPN providers operate in jurisdictions chosen specifically for lax data retention laws. Their marketing says “no logs.” Their infrastructure is opaque. You’re trusting a company’s promise, not a cryptographic guarantee.
Websites still know who you are. You log into Google, Facebook, Twitter — they know your identity. The IP changed. Your cookies, your login session, your browser fingerprint didn’t. A VPN hides your IP from the site. It doesn’t hide you.
Browser fingerprinting still works. Your screen resolution, installed fonts, timezone, language, WebGL renderer, canvas hash — combined, these create a fingerprint that identifies your browser across sessions. A VPN changes none of this.
DNS can still leak. If your VPN isn’t configured to route DNS through the tunnel, your queries go to your ISP’s resolver in plaintext. You’re encrypted for everything except the part that reveals which sites you visit.
Your traffic patterns are visible. Even with encrypted tunnels, an observer can see how much data you’re sending, when, and to which VPN server. Metadata analysis doesn’t need content.
The Trust Shift Nobody Talks About
This is the core issue. Using a VPN means trusting the VPN provider with your traffic. For most people, their ISP is a regulated company in their own country, subject to legal process and oversight. Their VPN provider is often an opaque company registered in Panama, the British Virgin Islands, or some jurisdiction chosen because it sounds privacy-friendly.
Which one do you actually trust more?
I’m not saying ISPs are trustworthy. I’m saying the replacement isn’t automatically better. You traded a known entity for an unknown one and called it privacy.
Some VPN providers have been caught logging when they said they didn’t. Some have been acquired by companies with questionable track records. Some run infrastructure they don’t fully control. The “no-logs” claim is marketing until proven otherwise — and proving it requires an audit you’ll never see.
When VPNs Actually Help
VPNs are genuinely useful for specific things:
Public WiFi protection. On an untrusted network, a VPN prevents the local network from inspecting your traffic. This is the original use case and it’s still valid. Though with HTTPS everywhere, the attack surface on open WiFi is much smaller than VPN ads imply.
Bypassing geographic restrictions. Want to watch content that’s region-locked? A VPN endpoint in the right country gets you there. This is probably the most common actual use of consumer VPNs. It has nothing to do with security.
Evading ISP-level censorship. In countries where ISPs block specific sites by DNS or IP, a VPN tunnels past the block. This is a legitimate and important use case. For people in restrictive environments, VPNs are a real tool for access.
Corporate network access. The original VPN use case. Connect to your company’s internal network from home. Still widely used, still useful, has nothing to do with consumer VPN marketing.
What Actually Provides Anonymity
Tor. With significant tradeoffs.
Tor routes your traffic through three relays, each knowing only the previous and next hop. No single relay knows both who you are and what you’re accessing. The design assumes some relays may be compromised and still protects you as long as the full path isn’t controlled by one adversary.
Tor is slower. Many sites block Tor exit nodes. The UX is painful. It’s not suitable for streaming, gaming, or most casual use. But it was designed for anonymity. VPNs weren’t.
Even Tor has limits. Timing correlation attacks, browser fingerprinting, and user error can all deanonymize Tor users. Perfect anonymity doesn’t exist. But “imperfect anonymity by design” is still a fundamentally different thing than “no anonymity rebranded as privacy.”
The Advertising Problem
VPN companies spend more on YouTube sponsorships than most security companies spend on R&D. The ads are fear-based: “Hackers can steal your data on public WiFi!” “Your ISP is selling your browsing history!” “Without a VPN, you’re exposed!”
Some of this is true-ish. Most of it is wildly exaggerated. And the implied solution — “buy our VPN and all these problems disappear” — is flatly wrong.
The gap between what VPNs do and what VPN ads claim they do is one of the largest in consumer tech. People buy VPNs expecting anonymity and get an encrypted tunnel to a server they have no reason to trust.
I’m not anti-VPN. I’m anti-hype. Use a VPN when it solves a real problem. Just don’t mistake a different first hop for invisibility.