VPNs are often sold as a “privacy silver bullet,” but that framing causes more confusion.
A VPN does not make you anonymous.
It does not stop cookies, logins, browser fingerprinting, or payment-based identification.
What a VPN actually does is much narrower and more technical:
- It encrypts your internet traffic in transit
- It prevents your ISP or local network from seeing which destinations you connect to
- It makes websites see the VPN server’s IP instead of your real one
- That’s privacy at the network level, not identity hiding.
I wrote a detailed blogpost. Check it out.
It does, however, make a certain level of anonymity at least possible as long as you scrub your cookies regularly, never log into the same accounts over the VPN that you were using without it, and never buy anything over the VPN.
In the end, you have to sit down and ask yourself what information you’re trying to protect from whom, and how much trouble protecting it is worth. You don’t want your nosy cousin who works at your ISP to know you look at furry porn, well, a VPN should be good enough for that (provided you don’t use the ISP’s DNS). If you’re trying to conceal your actions from a nation-state-level observer, you’ve got a lot more work to do.
Browser fingerprinting is very effective in tracking users. VPNs are totally useless against it. Tor offers partial protection as they make all users look same. So if your looking for anonymity better use Tor. VPNs keep your data safe and browsing private.
Attempting to defeat browser fingerprinting (you can never be 100% sure you’ve defeated everything) without TOR is kind of an advanced subject, yeah, and one of which I have only shallow knowledge. A lot of it is Javascript-dependent, so allowing Javascript only on a whitelist basis should help (but is too tedious for a lot of people). Deliberately pissing in the pool by varying prominent identifiers like the User-Agent string should help. Canvas poisoning. Specialist browser extensions, some of which may be more effective than others. Running the blandest default-settings browser possible in the blandest possible default-settings environment (a container or live media inside a VM) could conceivably cause you to vanish into the noise, but may be highly inconvenient.
It’s worth considering who is likely to be interested in going to the trouble of browser fingerprinting in the first place. Small players have little use for the information and aren’t likely to accumulate enough to sell it for much money. So the problems are going to come from ad networks, large digital networks like Google and Meta/Facebook, possibly CDNs and service providers like Shopify if they think it’s worth their while, maybe some governments, and completely dishonest scam sites that think any money is good. Some of these can be avoided altogether if you work at it.
As far as I understand, a certain level of data hygiene will do wonders for even a basic setup.
For example, on our server, we have a container that maintains a kill-switched connection to a subscription VPN. Several other containers, including one with a browser, can only route their traffic through that container, and we don’t use any of them for anything personal or outside their intended purpose. We basically act as if there are completely different people on that connection, like we have a secret second family. Remote activity is done through a self-hosted VPN to the home network, then VNC to the containers.
If we want to use the subscription VPN on other devices, we connect to a different location and possibly use Tor browser for extra anonymity. No activity or information overlap, ever.