How does a VPN work? Here’s how one can protect your privacy.
Everything you need to know about this IP address-changing service.
When you use the open internet, your identity generally remains unknown to other users. However, the device you’re on is always tagged with an IP (internet protocol) address, which can reveal details about where it’s located. To be more private, you can hide your true IP address with a VPN, or virtual private network.
However, a VPN is not a privacy panacea. If you’re thinking of using one, it’s best to know how a VPN works, what it’s capable of, and what others can still learn about you while you’re online.
To understand VPNs, you must understand the hidden structure of the internet
In order to do anything—access a website, stream a video, hold a Zoom call—you need to be able to send and receive data, which is often bundled into little digital packages.
Think of IP addresses as devices’ postal mailing addresses on the internet. Each website also has an IP address linked to the server that hosts it, and the domain name system (DNS) acts as a phone book that keeps track of which human-readable website names are correlated with which IP addresses. For example, one of PopSci’s IP addresses is 151.101.2.132. (You don’t need to type that in every time.) These IP addresses give routers—the postal processing centers of the internet, different from the home WiFi routers that connect you to the internet—information about where to send the data package, and how to get there.
These routers are operated by internet service providers like Verizon, AT&T, and Comcast, and contain maps of the larger internet. Once they decode the information contained in an IP address, they can plan an optimal route for the data. VPNs complicate this route a bit in the name of added privacy.
What is a VPN?
VPN technology was originally intended for enterprise needs—for businesses. But just because consumers have access to VPNs today doesn’t mean the concept has changed much. The general concept remains the same no matter who’s using it. You can think of a VPN as a digital P.O. box. It can receive messages, but it hides your actual home address.
“Each message [sent on the internet] carries not only the destination address but the source address—the sender and the receiver. You have to put a send and return address,” says Vyas Sekar, professor of electrical and computer engineering at Carnegie Mellon University. “The VPN is a middle person between the sender and the receiver. In this case, the sender can hide themselves from the receiver.”
That means if you want to view content on a website but want to hide who you are because you want to keep your browsing history private, a VPN can keep your identity in the shadows.
What does a VPN do?
VPNs are usually run by hosting providers, companies that operate physical servers that are connected to the internet, and also offer their services through the cloud. “They may have a pool of their own IP addresses, and they have servers that are relaying these messages,” says Sekar. “They may have different locations that you can choose from. They may have different servers distributed through the countries, and they have to be well-provisioned to handle this load.”
When you turn on a VPN service, either through an app on your phone or a plug-in extension on your browser, you won’t go directly to the website from your home network. Instead, your request will route through the VPN service, which then visits the website on your behalf. That way, you can still access the website, but it will look to the website like everything is coming from the IP addresses hosted by the VPN service.
[Related: You should switch to a browser with its own VPN]
Organizations and businesses can also use VPNs to prevent the public from accessing a private network. Some colleges, like Carnegie Mellon, will have specific resources that can only be accessed through IP addresses located on campus. “When you want to talk to a server inside a private network like CMU, you talk to a VPN server first,” Sekar explains. “That server tunnels under the gates that protect the private network. Instead of directly sending a package to my lab’s server, I’ll route my message through the CMU VPN server. It pretends that I never left the campus.”
Why use a VPN?
People use VPNs for different reasons. “One is for privacy,” says Sekar. “The other interesting use case is to break geofencing.”
For example, Netflix offers different content in different countries due to licensing variations across the globe. So if you wanted to see a movie that’s not available on Netflix US but is available on Netflix UK, you could use a VPN to pretend that you’re in the proper country.
[Related: The best VPNs of 2023]
Although VPNs are mostly legal, censorship-heavy countries will often try to block them because these services can allow users to bypass censorship systems. To continue the postal service analogy, if you wanted to get a note to someone whose address is on the no-send list at your local post office, instead of sending the letter directly to them, you’d send it to a middle person who would take your letter out of its envelope and put it into a new one with the recipient’s address on it, Sekar explains.
Can you still be tracked if you use a VPN?
VPNs don’t completely shield your privacy. “VPNs don’t prevent things like cookies or other kinds of information from leaking,” says Sekar. There might be things like targeted ads and banners that load on a webpage that are related to the browser sending information; that data may not go through the VPN. “It depends on how the VPN is configured,” Sekar explains. “It’s not really protecting you. It’s just hiding your location. VPNs can’t prevent tracking of user patterns.”
So, your actual privacy comes down to how reliable and trustworthy the VPN service itself is. You wouldn’t trust just anyone to handle your mail—you would want some assurance that they don’t have a history of reading people’s letters or selling the contents in the packages. The same goes for a VPN service, as low-quality ones could leak or sell your data.