«

»

VPN users beware. Your IP address can still be visible

By Simon Davies

There are dozens of reasons why any smart Netizen might want to use a Virtual Private Network (VPN) service. These facilities allow you to enjoy an online Level Playing Field, avoiding censorship and dodging bad players such as trackers and malicious hackers.

The idea is simple. A VPN will mask your location and establish connection to sites in a way that gives the appearance that you are somewhere else. So, if you want to see a BBC program (often available only to UK visitors), a VPN should allow you to appear as if you are in the UK.

I constantly lecture rights activists on the usefulness of these services. They are one way to help bypass the pervasive site blocking that repressive countries enjoy so much.

Most VPN services are highly sensitive about their integrity. The Canadian based TunnelBear, for example, goes out of its way to remind users how much they care about user identity and privacy. These reassuring words are in the TunnelBear Privacy Policy:

TunnelBear explicitly does NOT collect, store or log the following data:

  • IP addresses visiting our website

  • IP addresses upon service connection

  • DNS Queries while connected

  • Any information about the applications, services or websites our users use while connected to our Service

That’s as explicit as any policy could be on the matter. Anyone reading those words would be left with the impression that TunnelBear simply doesn’t know the originating IP. Government agencies, litigators and aggressive sites technically cannot demand user information that does not exist. However, such things are not always as straightforward as they seem.

I was recently passing through Belgium and decided to check my account balance on a UK gaming site. Many EU countries do not permit access to such sites outside their borders. However I had set my Tunnelbear to Switzerland, where such access is usually permitted.

Surprisingly, I was blocked. More worrying still, the notice that appeared informed me that access was blocked under Belgian law. I reset the location to the UK, and ended up with the same notice.

Hang on… according to TunnelBear, this should never have happened. As far as the gaming site is concerned, I should have been located in the UK or Switzerland.

I constantly lecture rights activists on the usefulness of these services. They are one way to help bypass the pervasive site blocking that repressive countries enjoy so much.


Techies might suggest that I have not configured my OS and browser settings, but I have. They are set to maximum privacy and minimum disclosure (in Firefox, for example, you would type “about.config” in the the url bar and then click “geo.enabled” so that the field reads “false”).

Neither was I using any app that might circumvent those settings.

Curiously, when I checked with an IP locator, it recognised my location as Switzerland, indicating that the leak wasn’t systemic.

After some digging, I might have found the cause of this problem. A couple of years ago a huge security flaw was discovered in which a browser’s WebRTC (Real Time Communications) function could be infiltrated to track the originating IP address of users. I had imagined browser companies would by now have dealt with this issue, but apparently not. Web RTC is enabled by default.

To disable it, check out this page.

It would be useful to hear what the VPN says about this mystery, but sadly it has not responded for comment.