VPN vs Tor: Does a VPN Actually Make You Anonymous?
Does a VPN make you anonymous? No — a VPN does not make you anonymous; it makes you more private. A VPN encrypts your traffic and hides your real IP address from the websites you visit and your browsing destinations from your ISP, but it does this by routing everything through a single company that can see it all. You are not invisible — you are trusting one provider instead of your ISP. True anonymity means no one can link your activity back to you, and a VPN leaves that link intact through browser fingerprinting, account logins, cookies, and traffic leaks. This is the core distinction this post unpacks, and it’s why Tor — which splits trust across three independent relays so no single party sees both ends — answers a different question than a VPN does.
What’s the difference between privacy and anonymity?
In plain terms: privacy is keeping the contents of your activity to yourself; anonymity is making it impossible to connect that activity to your identity. They sound similar but they fail in completely different ways.
Imagine mailing a letter. Privacy is sealing it in an envelope so the postal worker can’t read it. Anonymity is making sure no one can prove you sent it — no return address, no handwriting match, no camera at the mailbox. You can have a sealed envelope (privacy) with your name printed on the outside (no anonymity). That’s exactly what a VPN gives you: a sealed tunnel that still has your fingerprints all over the payload inside.
A VPN delivers privacy well. It contributes only weakly to anonymity. The network layer — your IP address — is just one part of the problem; the larger part lives in your browser fingerprint, your cookies, the accounts you log into, your behavioral patterns, and your payment trail. A VPN touches none of those. So swapping your IP solves the smaller slice of anonymity and leaves the bigger slice fully exposed.
What does a VPN actually do?
Here’s the honest, accurate picture of what a VPN provides — no more, no less.
- Hides your real IP from websites. Sites see the VPN server’s IP, not your home IP.
- Encrypts traffic on untrusted networks. On public Wi-Fi or a hostile ISP, the tunnel defeats local snooping and basic Wi-Fi man-in-the-middle attacks.
- Hides your destinations from your ISP. Your ISP sees that you connected to a VPN, but not which sites you then visited.
- Bypasses geo-blocks and regional censorship. You appear to be in the server’s country.
That list is genuinely valuable. On airport Wi-Fi, or under an ISP that throttles or logs everything, a reputable VPN is the right tool. The problem starts when people treat that confidentiality as if it were anonymity.
What a VPN does not do:
- It does not hide who you are once you log into Google, Facebook, or your bank — your identity attaches to the session regardless of IP.
- It does not stop cookies or browser fingerprinting.
- It does not help if the provider logs your traffic and is legally compelled to hand it over.
- It does not protect you from malware, phishing, or a compromised device.
Does a VPN make you 100% anonymous?
No. The instant you authenticate to any account, your real identity is bound to that session — the VPN’s IP swap becomes irrelevant. And even if you never log in, several mechanisms quietly defeat VPN “anonymity.”
Browser fingerprinting is the big one. Your browser leaks a surprisingly unique signature: Canvas and WebGL/GPU rendering quirks, installed fonts, audio-stack behavior, screen dimensions, time zone, and more. The critical fact: your fingerprint is identical no matter which VPN server you connect through. Switching from a New York exit to a Tokyo exit changes your IP but not your fingerprint. EFF’s research — its original Panopticlick study, continued today in the Cover Your Tracks project — found that the large majority of browsers are uniquely identifiable (over 80% in that early dataset, and higher in browsers with more plugins or in some later academic samples). The practical point holds regardless of the exact number: a typical browser stands out enough to be re-identified across sessions, and a VPN does nothing about it.
Worse, the privacy regulations meant to help — GDPR and CCPA cookie-consent rules — have arguably pushed trackers toward fingerprinting, precisely because it requires no stored data and so sidesteps consent banners entirely. Clearing your cookies does nothing to fingerprinting. This is a defining tracking story of the mid-2020s: the industry is migrating from cookies to fingerprints, and neither a VPN nor incognito mode stops it. Mozilla shipped expanded “Phase 2” anti-fingerprinting protections in Firefox 145 (November 2025) in direct response — evidence that the threat is real enough for a major browser to fight it at the engine level.
Leaks bypass the tunnel. Two common ones:
- DNS leaks — your DNS queries escape to your ISP’s resolver instead of going through the VPN, revealing every domain you visit despite the “encrypted” tunnel.
- WebRTC leaks — your browser’s WebRTC stack makes STUN requests that can expose your real public IP even while the VPN is connected.
Mitigations exist (a kill switch, DNS-leak protection, disabling WebRTC or “non-proxied UDP”), but they’re off by default in many setups, and most users never check.
The “incognito + VPN = anonymous” myth. Incognito mode only prevents your browser from saving local history and cookies on your machine. It does nothing to your IP, nothing to your fingerprint, and nothing to what remote sites record. Incognito plus VPN is still fully trackable.
Can police or governments get my data from a VPN?
Only if the VPN logs it — which is the entire problem with the “no-logs” promise. A logging VPN is a single, compellable chokepoint that sees everything you do. The marketing claim “no-logs means nothing to subpoena” is true only when the provider genuinely keeps no logs. Free VPNs are the worst offenders here; many monetize by selling user data outright, making them the opposite of a privacy tool.
So the question becomes: has “no-logs” ever survived contact with a court or a police raid? Yes — and the recent record is instructive:
- Mullvad, Sweden (April 2023). Police arrived with a search warrant intending to seize servers. They left empty-handed because Mullvad simply didn’t hold the data. Mullvad later completed its migration to RAM-only, diskless servers (September 2023) — a physical seizure now yields nothing because nothing persists to disk. This set the modern “seizure-resistant” bar.
- Windscribe, Greece (case dismissed April 11, 2025). Charges against founder Yegor Sak were dismissed after a Windscribe server in Finland was implicated in an alleged offence by an unknown user. The data center yielded only billing data naming Sak. The court found no evidence implicating him — a widely reported outcome treated in the privacy press as affirming that a genuine no-logs policy leaves no user activity data to hand over.
- Proton VPN, Switzerland. Proton publishes a transparency report and a warrant canary, operates under Swiss jurisdiction (only Swiss court orders bind it), and reports that it cannot satisfy demands for activity data because it holds none. It passed its fourth consecutive independent no-logs audit (Securitum, August 2025).
The takeaway: a genuine no-logs VPN, ideally on diskless infrastructure and independently audited, is a real defense. But that places enormous weight on choosing the right provider — which raises a question most people never ask.
Who owns my VPN, and why does it matter?
Because a VPN sees all your traffic, who is behind it is the whole game. Ownership and incentives matter more than feature lists.
A widely cited example: Kape Technologies owns ExpressVPN, CyberGhost, Private Internet Access, and ZenMate — and the review site VPNMentor that ranks them. Kape was formerly named “Crossrider,” a name that appeared in academic research on ad-injection software in the mid-2010s. None of that proves current wrongdoing, but a single company owning multiple major VPNs and a site that reviews VPNs is a conflict of interest worth knowing before you trust it with all your traffic.
Independent or foundation-owned providers frequently cited by the security community include Mullvad, Proton VPN, IVPN, Windscribe, and AirVPN. None of this is an endorsement — verify the current ownership, audit history, and logging policy yourself before trusting any provider. The point is structural: with a VPN, you are choosing one entity to see everything. That is the fundamental difference from Tor.
How is Tor different — and is it actually more anonymous?
Tor is built for anonymity, where a VPN is built for confidentiality. Instead of routing through one company’s server, Tor routes through three independent volunteer relays — an entry/guard node, a middle node, and an exit node — each wrapped in a layer of encryption (the “onion”). The crucial property: no single relay knows both who you are and where you’re going. The guard node sees your IP but not your destination; the exit node sees your destination but not your IP; the middle node connects them blindly.
That is the structural anonymity advantage in one line: a VPN means trusting one company; Tor means trusting that no single party in a decentralized network can link both ends. There is no Tor company to subpoena, and it’s free.
But Tor is not magic either, and overstating it would be as dishonest as overstating VPNs. Its real limitations:
- End-to-end traffic correlation. An adversary who can observe both the traffic entering the guard and leaving the exit can attempt to correlate timing and volume to deanonymize a user. This is Tor’s known weakness against a global passive adversary or a well-resourced nation-state. Research keeps refining these attacks — recent academic work continues to improve correlation accuracy under noisy conditions — but pulling it off at scale is non-trivial, and there is no public evidence that careful Tor users are routinely deanonymized. The threat is real chiefly for the best-resourced adversaries.
- Malicious or observed exit nodes can read any traffic that isn’t additionally encrypted. Always use HTTPS over Tor and avoid plaintext logins.
- Fingerprinting still applies unless you use Tor Browser as shipped — it standardizes fingerprints across all users, so don’t install plugins, maximize the window, or log into your real accounts.
- It’s slow, and some sites block known Tor exit IPs.
VPN vs Tor: which should I use, and when?
Neither is universally “better” — they solve different problems. Use this as a quick decision guide:
| Question | VPN | Tor |
|---|---|---|
| What it optimizes for | Privacy / confidentiality | Anonymity |
| Who you must trust | One provider (sees everything) | No single relay sees both ends |
| Hides IP from websites | Yes | Yes |
| Hides destinations from ISP | Yes | Yes (ISP sees only “using Tor”) |
| Stops browser fingerprinting | No | Only Tor Browser, used as shipped |
| Stops tracking once you log in | No | No |
| Compellable single chokepoint | Yes (unless genuine no-logs) | No central party to compel |
| Speed | Fast | Slow |
| Best for | Untrusted Wi-Fi, geo-unblocking, hiding traffic from ISP | Resisting linkage to your identity; censorship circumvention |
Use a VPN when you’re on untrusted Wi-Fi, you want to stop your ISP from profiling your destinations, or you need to bypass a geo-block. These are legitimate, everyday wins.
A VPN is privacy theater when you believe it makes you anonymous — when you log into personal accounts, accept fingerprinting and cookies, or trust a free provider that monetizes your data. In those cases the IP swap is cosmetic.
Use Tor (Tor Browser, unmodified) when the goal is genuine anonymity — separating your activity from your real identity, or circumventing censorship where being identified carries risk.
Should I use Tor over VPN or VPN over Tor?
This is the most-asked combination question, and the honest answer is: for most people, don’t combine them.
The two configurations:
- Tor-over-VPN (connect to the VPN first, then Tor): hides the fact that you’re using Tor from your ISP, and if you hit a malicious guard node it sees the VPN’s IP rather than your home IP. This is the easier and more practical of the two.
- VPN-over-Tor (Tor first, then VPN): hides Tor use from destination sites and protects post-exit traffic, but it’s harder to configure correctly and rarely worth it.
The critical caveat comes from the source itself. The Tor Project advises against casually combining the two: it recommends pairing a VPN with Tor only for advanced users who understand how to configure both without undermining their own privacy, because misconfiguration can reduce your anonymity or break Tor’s protections. For nearly everyone, the recommendation is Tor Browser alone, unmodified. The Tor Project did launch an experimental Tor VPN beta for Android in September 2025, but it’s explicitly labeled beta and not for high-risk use.
What’s the genuinely most anonymous setup? Tor Browser used as shipped, ideally on Tails OS (which routes everything through Tor and leaves no trace), with anonymous payment methods and no logins to identifiable accounts. Anything less is a trade-off — and it’s better to know exactly which trade-off you’re making.
Why does any of this matter beyond browsing?
Because the same trust question applies to everything you communicate, not just web pages. A VPN protects the transport but does nothing about who can see who you talk to or what a messaging service logs about your social graph. Metadata — who, when, how often — is frequently more revealing than content, and it survives a VPN untouched.
This is the design principle behind RVNT, and it’s why a VPN and an anonymity network aren’t interchangeable. RVNT routes its peer-to-peer traffic over Tor by default — 3-hop standard, with a 5-hop max-privacy mode plus a mixnet that batches messages, adds random delay, generates cover traffic, and pads everything to a fixed size to resist the exact end-to-end correlation that is Tor’s weak point. On top of that, sealed sender hides who-is-talking-to-whom from the infrastructure itself, so there is no single chokepoint — no VPN-style company, no central server — that sees both ends of a conversation. Where the honest limits sit is laid out in the threat model.
To be equally honest about RVNT’s limits: nothing here protects you from a compromised device, a contact who screenshots or forwards your messages, or a global passive adversary correlating all traffic at once. Those are the same hard limits Tor faces, and we’d rather name them than pretend they don’t exist.
The takeaway
A VPN does not make you anonymous. It gives you real, useful privacy — encryption on hostile networks, IP masking from websites, hiding destinations from your ISP — by moving your trust from your ISP to one provider that sees everything. That’s a fair trade for untrusted Wi-Fi or geo-unblocking. It becomes privacy theater the moment you call it anonymity, because fingerprinting, logins, cookies, leaks, and provider logging all walk right past it.
Tor answers the anonymity question a VPN can’t: it splits trust across three independent relays so no single party links both ends. It’s slower, it has its own real weaknesses, and the Tor Project sensibly tells most people to use Tor Browser alone rather than bolting a VPN onto it. Pick the tool that matches your actual threat — and don’t trust either of them on faith. Verify the logging policy, verify the ownership, verify the configuration. Don’t trust us, or them — verify.
Keep reading
All posts →-
The Anthropic Recall: How Centralized AI Threatens Decentralized Privacy
A breakdown of today's US government export control directive targeting Anthropic, the vulnerabilities of centralized AI architectures, and why decentralized, sovereign communications are vital.
5 min read -
Sealed Sender: Hiding Who Talks to Whom
A technical deep-dive on RVNT's sealed sender: how encrypting the sender certificate to the recipient hides the from-to routing pair, and how forgery, replay, and abuse are handled.
9 min read -
Chat Control, Explained: The EU's Fight Over Scanning Your Messages
EU Chat Control explained: what the CSA Regulation proposes, why client-side scanning breaks end-to-end encryption, the 2025-2026 timeline, and its current status.
11 min read -
Metadata Is the Message
"It's just metadata" is a dangerous phrase. Who you talk to, when, and how often can reveal more than what you said — and RVNT is built to minimize it.
9 min read -
Can Your Employer Read Your Messages? Workplace Surveillance Explained
Can my employer read my messages? Yes for work email, Slack and Teams DMs, and company devices. Here's what they legally can and can't see in 2026 — and how to separate personal from work.
11 min read -
RVNT vs Signal: An Honest Comparison
Signal is the gold standard for encrypted messaging. Here is where RVNT agrees, where it diverges, and the honest tradeoffs of each — no strawmen.
10 min read -
How to Contact a Journalist Securely: A Source's Guide
How to contact a journalist securely: SecureDrop, Signal usernames, the metadata problem, OPSEC, and the honest limits no encryption tool can fix.
12 min read -
How to Remove Your Information From Data Brokers
A practical 2026 guide to remove your information from data brokers: the free DIY opt-out process, California's DROP, paid services, and why removal is ongoing.
11 min read