If you’re just using a VPN, how can your real identity/location be discovered (apart from you blatantly revealing it)?
Basically cookies and browser fingerprinting.
So when you first visit a website, it sends you a kind of “file” that your browser automatically saves and attaches to every future request to that site. Websites can use this to identify you. It’s necessary for example to keep you signed in into your accounts, but it’s also abused for tracking. You can avoid tracking cookies by using incognito mode and not signing into any of your accounts.
Browser fingerprinting is more nasty. Essentially, when you visit a website, it sends you some Javascript code that will be executed by your browser. It’s sandboxed, so that code should not be able to access any of the private data on your PC¹, but there are various pieces of information that can be collected. Individually, these may not be suspicious, but in total that’s enough datapoints to uniquely identify and track your browser. For example:
- Browser name and version
- OS name and version
- Screen resolution
- Number of CPU cores
- WebGL vendor
- Browser configuration (e.g. DNT, dark mode, etc.)
- Available sensors
- List of installed languages
- List of installed browser versions
- List of installed fonts
- Time zone
- Approximate location (derived from your IP address)
¹ ignoring side channel attacks (which are totally possible to exploit in JS)
Tor browser might be better (and freer) depending on what you want the anonymity for.
Metadata.
If you truly want to browse anonymously then use a portable OS like Tails:
- you VPN provider can just sell all your data for that sweet advertiser cash
- browser fingerprinting and other tracking tech server-side
- feds just supoena VPN provider for the deets
- because people log into websites whilst on their VPN to check Facebook or do banking
You go to website without VPN. You go to website with VPN. Welcome back says Mr Cookie. Also logging into any website. It doesn’t matter that your VPN keeps rotating that one login or visit without VPN means you are now identifiable. They just remove all the VPN IP addresses till they are left with yours. A lot of VPN’s also keep logs. They may say they don’t’ but that depends on the country they are based. Their servers are also based in countries that have to follow laws. There is no anonymity on the web at least not for you or I without a lot of work.
VPN was never intended to anonymize your traffic in the first place. It will merely redirect your traffic to somewhere else in the world, but if you, say, participate in a federal crime using your computer, the VPN provider usually has a track of your IP and can comply and tell it to the authorities. The primary purpose of a VPN is to create end-to-end encrypted tunnel to somewhere else. So I can, dunno, use FTP over Internet securely, as FTP is insecure protocol itself. But if the tunnel ends up going to the Internet, only thing you did is that you masked your true location and true IP. And due to the reasons mentioned above, even that you did not do properly. Why people thinks using VPN is improving security or privacy puzzles me.