
Every DNS query, every TCP connection leaves an exploitable trace long before the page appears in your browser. Precisely identifying the entities that collect these traces is the technical prerequisite for any privacy protection strategy, including VPNs.

Browser fingerprinting and post-VPN tracking: the flaw that the tunnel does not fix
A VPN encrypts traffic between your device and the exit server, then substitutes your IP address. This mechanism neutralizes inspection by the Internet Service Provider and masks your geolocation from websites. However, it does not affect browser fingerprinting, a technique that identifies a device by the combination of its screen resolution, installed fonts, active extensions, time zone, and the exact version of its rendering engine.
Advertising networks cross-reference this fingerprint with residual third-party cookies and tracking pixels to reconstruct a stable browsing profile, even if the IP address changes with each session. Recent technical guides point out that changing IP is no longer enough to prevent profiling when the browser fingerprint remains the same.
We recommend pairing the VPN with a hardened browser (Firefox with resistFingerprinting enabled, or Brave in strict mode) and limiting extensions to the bare minimum. Each extension uniquely modifies the fingerprint, which paradoxically makes identification easier.
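The linking described above, as an added example that is not part of the original article: it groups constructed sessions by the attributes listed earlier and reports, for a given profile, how many exit IPs the fingerprint ties together and how many users share it. The attribute values, user labels and function names are assumptions made for illustration.

```javascript
// Constructed data. "user" is ground truth used only to check the result; a
// tracker never sees it. IPs are documentation-range stand-ins for VPN exits.
const custom = { screen: "2560x1440", tz: "Europe/Paris", engine: "Gecko/128.0",
  fonts: ["Arial", "Fira Code", "Garamond"],
  extensions: ["dark-mode", "price-alert", "tab-tree"] };
// Assumed: a hardened browser reports the same values for every one of its users.
const uniform = { screen: "1400x900", tz: "UTC", engine: "Gecko/128.0",
  fonts: ["Arial"], extensions: [] };
const SESSIONS = [
  { user: "A", ip: "203.0.113.7", ...custom },
  { user: "A", ip: "198.51.100.9", ...custom },
  { user: "A", ip: "192.0.2.44", ...custom },
  { user: "B", ip: "203.0.113.7", ...uniform },
  { user: "C", ip: "198.51.100.9", ...uniform },
  { user: "D", ip: "192.0.2.44", ...uniform },
];

// The attributes the article lists, in a fixed order. The IP is deliberately absent.
function fingerprintKey(s) {
  return [s.screen, s.tz, s.engine, [...s.fonts].sort().join(","),
    [...s.extensions].sort().join(",")].join("|");
}

// Group sessions by fingerprint and record which IPs and users fall in each group.
function linkSessions(sessions) {
  const groups = new Map();
  for (const s of sessions) {
    const key = fingerprintKey(s);
    if (!groups.has(key)) groups.set(key, { ips: new Set(), users: new Set() });
    groups.get(key).ips.add(s.ip);
    groups.get(key).users.add(s.user);
  }
  return groups;
}

// For one session: how many exit IPs its fingerprint links together, and how
// many distinct users share it (the anonymity set). One user means identified.
function exposure(sessions, session) {
  const g = linkSessions(sessions).get(fingerprintKey(session));
  return { linkedIps: g.ips.size, anonymitySet: g.users.size };
}

console.log(exposure(SESSIONS, SESSIONS[0])); // customized profile
console.log(exposure(SESSIONS, SESSIONS[3])); // uniform profile
```

Both profiles appear behind three different exit IPs, but only the customized one resolves to a single user; the uniform one stays ambiguous among everyone who reports the same values.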
To find out who is tracking your browsing, you need to simultaneously examine DNS queries, WebRTC connections, and fingerprinting scripts loaded by each visited page.

Connection metadata at ISPs: what GDPR has changed in practice
Popular articles repeat that your Internet Service Provider “sees everything.” The reality is more nuanced now that GDPR is combined with EU Court decisions on data retention. European ISPs have gradually limited the long-term storage of browsing content.
By contrast, the exploitation of connection metadata (timestamps, exchanged volumes, destination IP addresses) is intensifying for network optimization and fraud detection. A VPN masks the final destination of your queries, but the ISP retains a record of your connection to the VPN server itself: duration, volume, frequency.
This distinction has a direct consequence: although an ISP can no longer read the content of your search history behind an encrypted tunnel, it can still deduce your connection habits (time slots, streaming volume, protocols used). Encryption protects content, not behavior.

Independent audits of no-log VPNs: technical criteria to check
The “no log” promise is only valid if verified by a third party. In recent years, major providers (ExpressVPN, NordVPN, Proton VPN) have subjected their infrastructures to recurring audits conducted by firms like PwC, Deloitte, or Securitum. The reports detail what is actually logged: connection metadata, performance diagnostics, billing data.
We observe that most users never read these reports. Here are the points to examine before choosing a provider:
- The frequency of the audit: a one-time audit guarantees nothing about current practices. Recurring audits (annual or semi-annual) are the reliable standard.
- The scope covered: some audits only pertain to servers in a specific country, not the entire network.
- Server technology: servers operating solely in RAM (without hard drives) physically prevent the persistence of logs after a reboot.
- The jurisdiction of the provider: it determines the legal retention obligations and possibilities for judicial requisition.

DNS queries and WebRTC leaks: two often-overlooked tracking vectors
Even with an active VPN, a DNS leak redirects domain name resolutions to your ISP’s server instead of the VPN resolver. The ISP then sees every site you visit, rendering the tunnel useless in this regard. Most DNS leaks stem from improper IPv6 configuration or poorly configured split tunneling.
The WebRTC protocol, used by browsers for audio and video calls, can expose your real local and public IP addresses by bypassing the VPN proxy. Disabling WebRTC in the advanced settings of the browser (or via a dedicated extension on Chrome) removes this vector.
To check the reliability of your configuration:
- Test for DNS leaks with a dedicated online tool after connecting to the VPN, ensuring that only the resolver of the VPN provider appears.
- Check WebRTC exposure in the browser’s development tools, network tab.
- Enable the kill switch (automatic disconnection if the tunnel drops) to prevent any unencrypted transmission during a micro-interruption.
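The first two checks above can be scripted once the raw observations are collected. The following is an added example, not part of the original article: it compares the resolvers reported by a leak test with the VPN's own resolver, and classifies ICE candidate strings (the format of `RTCIceCandidate.candidate`) by what they reveal. All addresses, the VPN resolver, the exit IP and the function names are constructed assumptions.

```javascript
// Constructed inputs: documentation and private-range addresses, not real hosts.
const VPN_RESOLVERS = new Set(["10.64.0.1"]); // resolver pushed by the tunnel (assumed)
const VPN_EXIT_IP = "203.0.113.7";            // public address of the VPN exit (assumed)
const OBSERVED_RESOLVERS = ["10.64.0.1", "2001:db8:53::1", "192.0.2.53"];
const CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 3f2a9c1e-0b7d-4c55-9e21-6a1f0c2d8e77.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.7 40001 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:4 1 udp 1686052351 198.51.100.24 40002 typ srflx raddr 0.0.0.0 rport 0",
];

// Any resolver outside the VPN's set is a leak; the family hints at the cause
// (an IPv6 resolver next to an IPv4-only tunnel points at the IPv6 configuration).
// Comparison is textual, so addresses must be written in the same form.
function dnsLeaks(observed, vpnResolvers) {
  return observed
    .map((a) => a.trim().toLowerCase())
    .filter((a) => !vpnResolvers.has(a))
    .map((a) => ({ resolver: a, family: a.includes(":") ? "IPv6" : "IPv4" }));
}

// ICE candidate line: candidate:<foundation> <component> <transport> <priority>
// <address> <port> typ <type> [...]
function parseCandidate(line) {
  const f = line.replace(/^a=/, "").trim().split(/\s+/);
  if (!f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  return { address: f[4], type: f[7] };
}

function isPrivate(addr) {
  return /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|f[cd][0-9a-f]{2}:|fe80:)/i.test(addr);
}

// Report every candidate address that is neither mDNS-obfuscated nor the VPN exit.
function webrtcExposure(lines, vpnExitIp) {
  return lines
    .map(parseCandidate)
    .filter((c) => c && !c.address.endsWith(".local") && c.address !== vpnExitIp)
    .map((c) => ({ ...c,
      reveals: isPrivate(c.address) ? "local address" : "public address outside the tunnel" }));
}

console.log(dnsLeaks(OBSERVED_RESOLVERS, VPN_RESOLVERS));
console.log(webrtcExposure(CANDIDATES, VPN_EXIT_IP));
```

An empty result from both functions is the passing state: only the VPN resolver answered, and the only address visible through WebRTC is the tunnel's.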

Choosing the VPN protocol: direct impact on data protection
WireGuard offers a superior performance-security ratio compared to OpenVPN on most current configurations, thanks to a significantly smaller codebase (which limits the attack surface) and faster connection establishment. OpenVPN remains relevant in environments where traffic needs to be disguised as HTTPS to bypass a restrictive firewall.
IKEv2/IPsec retains an advantage on mobile devices due to its ability to quickly reconnect when changing networks (switching from Wi-Fi to cellular data). The chosen protocol directly influences resistance to traffic analysis attacks.
Online privacy protection never relies on a single tool. A properly configured VPN, combined with a fingerprint-resistant browser, encrypted DNS resolvers, and strict extension hygiene, forms a coherent set. Each layer compensates for the blind spots of the previous one, and none eliminates them all alone.