← field notes

How VPNs Actually Work and What They Don't Hide

someone opens an app, taps a button, and a little shield turns green. a label says protected. and in that moment a lot of people feel something close to invisible, as if a curtain has dropped between them and the whole watching internet.

some of that feeling is earned. a VPN really does hide certain things, and it hides them well. but it also leaves wide open a set of things most people assume it covers, and the gap between those two lists is where almost every misunderstanding about online privacy lives. this is an honest walk through both.

what a VPN actually is

strip away the marketing and a VPN is a simple idea. it is an encrypted tunnel from your device to a computer somewhere else, run by the VPN company, and from that computer your traffic continues on to the rest of the internet.

instead of your laptop talking directly to a website, it talks to the VPN server, and the VPN server talks to the website for you. two things change as a result. the people near you on your own network can no longer read what is inside the tunnel, and the websites you visit see the VPN server’s address instead of yours. everything else underneath stays the same.

the encrypted tunnel

picture the connection as a sealed pipe. before any page loads, your device and the VPN server agree on a shared secret and start scrambling everything that passes between them. to anyone watching from outside, the pipe is opaque. they can see that a pipe exists and roughly how much flows through it, but they cannot read the contents.

this is real encryption, not a slogan. the question that decides everything is who is standing where, and what each of them can actually see. a sealed pipe protects what is inside the pipe. it says nothing about the two ends, where the pipe opens. one end is your device, which knows everything because it is you. the other end is the VPN server, where the seal is broken so your request can carry on.

who sees you on your local network

start with the people closest to you. the other devices on the cafe wifi, the person who runs that network, the router in the corner. without a VPN, these can see a surprising amount, especially which sites you connect to, even when the pages themselves are encrypted. they watch the outside of your traffic, the destinations, and that alone tells a story.

switch the tunnel on and that story goes dark for them. all they see is one steady encrypted connection to a VPN server. not which sites, not which pages, just that you are talking to a VPN. this is the part a VPN genuinely does well, and it is the real reason careful people use one on networks they do not control.

who sees you at your provider

step one hop further out, to your internet provider. your provider carries every packet you send, so normally they have a clear view of which services you reach, built up over time into a quiet record of your habits. in many places that record can be kept, sold, or handed over when asked.

the tunnel changes this too. with a VPN running, your provider sees encrypted traffic going to a single VPN server and little else. they know you are using a VPN, they can see how much data moves and when, but the destinations are hidden from them. this is the honest core of the pitch. a VPN takes the view your local network and your provider used to have, and it closes it. that is genuinely useful, and it is also where the genuinely useful part ends.

the part the marketing skips

here is the pivot. your traffic does not vanish inside the tunnel. it comes out the other end, because it has to, or no website would ever load. and the place it comes out is the VPN server, the one machine owned and operated by the VPN company.

at that exit point, the encryption you trusted is unwrapped so your request can continue to the wider internet. which means the VPN provider sits in exactly the position your internet provider used to sit. they can see where your traffic is going. you did not erase the watcher. you moved the watcher, from a company you did not choose to one you did.

your trust moved, it did not disappear

so a VPN does not make you anonymous. it changes who is in a position to watch you. before, it was your provider and anyone on your local network. after, it is the VPN company, and your provider can only see that the company is involved.

whether that is an improvement comes down to one question. do you trust the VPN company more than the people you took the view away from. that is not a technical question, it is a judgment about a business you usually know very little about, and a great deal of VPN marketing is built to stop you from asking it.

the logging question

because the VPN can see your traffic at the exit, the only thing standing between that visibility and a permanent record is the company’s own policy and honesty. many advertise a no logs promise, meaning they claim not to store who connected where and when.

the honest part is that a no logs claim is exactly that, a claim. some companies have backed it up, through independent audits or through court cases where they genuinely had nothing to hand over. others quietly logged the whole time and were only caught when the records surfaced. the promise is also shaped by things you cannot see from the app: the laws where the company is based, the servers it rents from others, and the fact that any business can be sold and its policy changed on a quiet afternoon.

the website still sees a device

follow your traffic out of the VPN and on to the website, because people assume the site is fooled. the site does see a different address, the VPN server’s, instead of your home one. but the address was only ever one signal, and a fairly weak one.

the moment a page loads, it can study the device behind that address. the browser and its version, the fonts installed, the screen size, the way the graphics hardware draws a hidden image. stacked together these form a fingerprint specific enough to recognize the same device again, on a new address, in a new session. the VPN changed the return address on the envelope. it did nothing about the handwriting inside.

logging in undoes the whole thing

then there is the simplest hole, the one no encryption can touch. the moment you sign into an account, you have told that service exactly who you are. it does not matter that your address points to another country. you handed over your name when you logged in.

this is why a VPN does almost nothing for the privacy of your everyday accounts. checking email, scrolling a feed, shopping while signed in, in every one of those cases you identified yourself on purpose. the tunnel protected your traffic from the network around you, and then you walked up to the service and introduced yourself by name.

the anonymity myth, and what a VPN is actually good for

put the pieces together and the promise of total anonymity falls apart. the device is still recognizable by its fingerprint. accounts still name you the instant you log in. the VPN company can still see your traffic at the exit, and your provider can still tell you are using a VPN at all. anyone who tells you a tool makes you completely untraceable is selling the feeling of that green shield, not the reality underneath.

none of this makes a VPN useless. on a network you do not control, it stops the people sharing that network from watching where you go, and it takes your destination history away from your provider. it gives you a different apparent location, which has real and ordinary uses. those are solid, concrete benefits, and the trick is to want it for what it does, not for what the advertising hints at.

so think about it clearly. name what you actually want hidden, and from whom. if the answer is the cafe wifi and your internet provider, a VPN fits almost perfectly. if the answer is the websites themselves or the platforms you log into, the real exposure is elsewhere. then ask the question the marketing avoids: who is the company at the other end, what do they keep, and has anyone independent ever checked.

if you remember one thing, make it this. a VPN does not erase the need to trust someone. it moves that trust. it takes the view away from your local network and your internet provider, and it hands that same view to the VPN company instead. that can be a genuinely good trade. but it is still a trade, not an escape. the green shield never meant invisible. it only ever meant the watcher has changed.

The Hidden Internet takes apart the systems that quietly run the modern web, explained from the inside. No products, just the machinery. Subscribe on YouTube.

watch
The Hidden Internet on YouTube

Every field note starts as a short documentary. Watch the systems in this piece explained on screen.

subscribe →
read on
More field notes

The rest of the series on how the modern internet detects, tracks, and sorts the traffic that reaches it.

browse the archive →