Technologies

VPN trackers: Everything you need to know

Not all VPNs actually care about your privacy. Choose one that doesn’t track you.

Public concern over web tracking is higher than ever. That concern has been mounting for well over a decade, but we’re no better off now than we were then — pervasive tracking and unbridled data collection is still the lay of the land all these years later. Websites and apps deploy trackers that follow us all over the web and share the information they collect with third parties. Our ISPs collect hordes of data every time we go online, then sell it off to the highest bidder.

As a result, consumers are increasingly turning to virtual private networks to help them evade these tracking practices. But what can you do when it’s the VPNs themselves that are doing the tracking? As with any app or online service, it’s important to do your research and make sure you choose a provider that actually takes your privacy seriously. Just because a VPN company boldly states that it cares about your privacy doesn’t mean it’s true.

VPNs are supposed to protect your privacy online and help you fight back against the machine hell-bent on exploiting your data for its own gain. And gaining privacy from tracking is one of the main reasons you should seek the help of a VPN. But it can be difficult to sort through the various ways VPNs might track you. Here’s what to know about the different trackers VPNs use, and how they separate the best VPNs from the ones you should avoid.

First-party trackers vs. third-party trackers

Not all trackers are the same. For example, there’s a crucial difference between first-party and third-party trackers. There’s a similarly vital distinction between trackers used on a VPN’s website versus the ones inside a VPN’s app. In both cases, the second option will have much greater implications on your privacy than the former.

First-party trackers, also known as cookies, are used and stored by the websites you visit. They’re used for things like remembering your preferences, geographic region, language settings and what you put in your shopping cart. They’re also used by website administrators to collect data as you visit their sites, helping them better understand your behavior and figure out what will keep you on their site longer and buying more of their products and services.

Basically, first-party trackers are there to provide you with a smoother experience as you visit the websites you frequent. It would be annoying to have to set all your preferences each and every time you visit a site and to have to re-add each individual item to your shopping cart every time you click away from your cart.

A VPN company may use first-party trackers on its website to save your settings, display account-specific information after you log in and see what marketing channel brought you to its site.

Third-party trackers are different in that they are created by entities other than the site you’re visiting. After a site puts these trackers on your computer via your browser, they follow you across the websites you visit. They are injected into a website using a tag or a script and are accessible on any site that loads the third-party’s tracking code. But the big difference is that they’re used to track your online behavior and make money from you, rather than improve your online experience.

In simpler terms, third-party trackers exist to help companies bombard you with targeted advertisements based on your online browsing activity. Targeted advertising is big business, and there are mountains of cash to be made at the expense of your digital privacy.

That said, Apple and Google have begun shifting their policies regarding the use of third-party trackers in their respective mobile app marketplaces and have provided users more transparency and a much greater element of control when it comes to restricting how apps are able to track them. Google even proposed a solution to eliminating the use of third-party trackers altogether. That proposal, however, turned out to be a failure after people began pointing out the ways in which Google’s proposed alternative would make it even easier for the company to track and identify you for targeted advertising. Google was forced back to the drawing board and ended up shelving the idea for at least two years. Still, the industry is slowly showing signs of progress.

If a VPN company is using third-party trackers on its website for marketing purposes or to enhance your experience on the site itself, the tracking is easy to block in most cases. But when a VPN tracks you on its app, the alarm bells should start going off. In-app trackers should make you seriously concerned about what that VPN is really up to (Spoiler: It’s to make money from sharing your data) and should ultimately steer you away from that VPN altogether.

Why would VPN companies need to track you through their apps?

Simple answer: They don’t. Their apps would function just as well for you whether they tracked you or not.

But many VPN companies will employ trackers in their apps regardless of how much they say they care about your privacy. Those VPNs put users’ privacy at risk so they can make as much money as possible. And what some of these VPN apps track and share with third parties is actually quite alarming. This is the biggest reason we advise you to avoid using free VPNs.

What data is being collected by these trackers and who is it shared with?

The scope of data collection will vary greatly from one VPN to another, and will differ in terms of whether the trackers are being deployed on the VPN’s website or within the app itself. But let’s focus on trackers embedded within VPN apps themselves.

There are VPN apps out there that will track and share things like your user ID, device or advertising ID, usage data and even your location. They track this information just to sell it on to third parties for targeted advertising purposes, making money at the expense of your digital privacy. Any VPN engaging in such activity should be avoided at all costs.

When we say your data is being shared with third-party entities, we mean entities like data brokers and advertisers that put profits ahead of ethics. That information is also being shared with sites like Google and Facebook, meaning that even if you don’t have a Facebook account and you’re doing your best to stay away from big tech data hogs, your data is still being shared with them.

Unfortunately, far too many VPN apps will track and share your data with all kinds of third parties. That’s why it’s crucial to scrutinize the data sharing practices of any VPN you’re considering. (We do this as part of our review process and thoroughly vet a VPN’s data policies before we recommend it to anyone.)

The concern is real

VPNs are often quick to claim that the data they’re tracking and sharing with third parties is anonymized and not identifiable or tied to your personal information. That sounds great, but something like a device ID can still be used to identify you personally when other data points tied to your online behavior and interactions with the app are matched to that ID. It doesn’t actually take that much to connect the dots and identify you online.

Researchers have shown that 99.98% of users could be re-identified in any anonymized dataset using only 15 data points. The more data points an app is collecting about you, the easier it is for others to identify you online, even if the data being collected isn’t necessarily personally identifiable information.

Find out what data they’re collecting and tracking

Luckily, it’s becoming easier and easier to see what VPN companies are collecting and tracking when you use their apps. For one, reputable VPNs are getting increasingly transparent about what data they collect and what kinds of trackers they may or may not be implementing on their sites and apps. VPNs know that their reputations rely on actually walking the walk when it comes to protecting user privacy. So transparency is key.

On top of that, since Apple introduced its App Tracking Transparency functionality in its App Store, you now have a much clearer picture of any application’s tracking practices. You can now see if any app you’re looking to download wants to track you and share your data with third parties and you can easily deny those permissions. Google introduced similar functionality with its recent Android 12 release.

In addition to scrutinizing a VPN app’s tracking practices, you’ll want to scour its privacy policy to see what kinds of trackers it uses, what data it collects and who it shares that data with. If you notice that a provider you’re looking at is sharing user data with an abundance of third parties, or if the provider isn’t up front or totally transparent about its practices, then it’s best to move along and find something else.

When you do your research, you’ll see that the best VPNs don’t resort to such unscrupulous tracking practices. Part of our review process includes vetting the data collection practices of each provider. Though the VPNs we recommend, like Surfshark, NordVPN and ExpressVPN, may collect certain types of connection data when you use their apps, they don’t deploy in-app trackers.

While these VPNs may deploy cookies on their websites, they’re transparent about exactly what those cookies are there for and how they help improve website functionality and aid in advertising their services across the web. Their third-party trackers can also be blocked via your browser settings.

Always check a VPN’s privacy policies, and their apps in the App Store and the Play Store to learn more about the trackers they deploy on their websites and apps. The important thing to keep in mind here is that the apps of our recommended VPNs will not track you like the apps of some other less-than-trustworthy VPNs.

How to fight back against tracking

If you don’t want your VPN app to track you, you’ll want to take a few precautions.

With Apple’s App Tracking Transparency in place, iOS apps have to get your explicit permission before they are able to track you. If you deny that permission, the app developer won’t have access to your device’s advertising ID and won’t be able to track you or share that ID with third parties.

You can even deny any and all apps on your iOS device from even asking you if they can track you in the first place. All you’d need to do is head over to your settings menu and disable tracking. Similarly, if you’re an Android user, you can manage your app permissions to limit tracking on an app-by-app basis by navigating to your Privacy Dashboard.

Keep in mind that even if you deny an app access to your advertising ID, that doesn’t necessarily prevent it from sharing other data with third parties. A new bit of investigative research from Top10VPN showed that 85% of the top free VPNs in Apple’s US App Store will still share your data with third-party advertisers even after you’ve explicitly denied their requests to track you. Even if they don’t have access to your advertising ID — according to Top10VPN’s research — these free VPN apps still track and share information like your IP address, device name, language, device model and iOS version with advertisers without your consent. This is all information that can be used to identify you, and the research is a pointed reminder of why we recommend staying away from free VPNs.

If you’re concerned about VPN companies using trackers on their websites and sharing data with third parties, then you can use a privacy-focused browser like Brave or Firefox, or use a tool like the Duck Duck Go’s browser extension to your current browser. Options like these will help you to easily prevent websites from tracking you as you browse the web. If you’re not willing to part ways with your existing browser or install an extension, there are various settings you should change to protect your privacy and limit tracking.

Next steps

Websites and apps will routinely do whatever they can to track your activity across the internet to churn as much money out of the targeted ad machine as possible. But the tide is finally turning as people have begun to realize exactly how invasive the practice is and how detrimental it can be to our digital privacy.

More and more options are available to defend against tracking practices, and VPN companies are becoming increasingly transparent with consumers with regards to how they approach the subject and many are ditching tracking altogether. Unfortunately, many VPN companies still continue the practice and are sharing all kinds of tracking data with third parties. If you’re an iOS user, just take a look through the VPNs available in the App Store and take a peek at their «nutrition label» and you’ll see what we mean.

If you already have a VPN app installed on your device, check to see if it’s tracking you and sharing your data with third parties. If it is, it’s time to wipe it from your device for good and never look back, because it’s compromising your privacy rather than protecting it — which is the opposite of what a VPN should be doing.

Technologies

Today’s NYT Mini Crossword Answers for Thursday, May 22

Here are the answers for The New York Times Mini Crossword for May 22.

Looking for the most recent Mini Crossword answer? Click here for today’s Mini Crossword hints, as well as our daily answers and hints for The New York Times Wordle, Strands, Connections and Connections: Sports Edition puzzles.

Today’s NYT Mini Crossword is fairly easy, especially if you know recent trends in baby names. It also helps to have a slight knowledge of The Lord of the Rings, or at a minimum, be good at riddles. Need some help with today’s Mini Crossword? Read on. And if you could use some hints and guidance for daily solving, check out our Mini Crossword tips.

The Mini Crossword is just one of many games in the Times’ games collection. If you’re looking for today’s Wordle, Connections, Connections: Sports Edition and Strands answers, you can visit CNET’s NYT puzzle hints page.

Read more: Tips and Tricks for Solving The New York Times Mini Crossword

Let’s get to those Mini Crossword clues and answers.

Mini across clues and answers

1A clue: Part of a fleet
Answer: SHIP

5A clue: Answer to Gollum’s riddle in «The Hobbit,» which starts «This thing all things devours — birds, beasts, trees, flowers»
Answer: TIME

6A clue: «See ya!»
Answer: LATER

7A clue: Second-most popular girl’s name of the 2020s, after Olivia
Answer: EMMA

8A clue: Not keeping secrets
Answer: OPEN

Mini down clues and answers

1D clue: Sticker on an envelope
Answer: STAMP

2D clue: «I’d like another card,» in blackjack
Answer: HITME

3D clue: «Uhh, that is to say …»
Answer: IMEAN

4D clue: The «p» of m.p.h.
Answer: PER

6D clue: Name taken by the new pope
Answer: LEO

How to play more Mini Crosswords

The New York Times Games section offers a large number of online games, but only some of them are free for all to play. You can play the current day’s Mini Crossword for free, but you’ll need a subscription to the Times Games section to play older puzzles from the archives.

Technologies

What a Proposed Moratorium on State AI Rules Could Mean for You

Congressional Republicans have proposed a 10-year pause on the enforcement of state regulations around artificial intelligence.

States couldn’t enforce regulations on artificial intelligence technology for a decade under a plan being considered in the US House of Representatives. The legislation, in an amendment to the federal government’s budget bill, says no state or political subdivision «may enforce any law or regulation regulating artificial intelligence models, artificial intelligence systems or automated decision systems» for 10 years. The proposal would still need the approval of both chambers of Congress and President Donald Trump before it can become law. The House is expected to vote on the full budget package this week.

AI developers and some lawmakers have said federal action is necessary to keep states from creating a patchwork of different rules and regulations across the US that could slow the technology’s growth. The rapid growth in generative AI since ChatGPT exploded on the scene in late 2022 has led companies to fit the technology in as many spaces as possible. The economic implications are significant, as the US and China race to see which country’s tech will predominate, but generative AI poses privacy, transparency and other risks for consumers that lawmakers have sought to temper.

«We need, as an industry and as a country, one clear federal standard, whatever it may be,» Alexandr Wang, founder and CEO of the data company Scale AI, told lawmakers during an April hearing. «But we need one, we need clarity as to one federal standard and have preemption to prevent this outcome where you have 50 different standards.»

Efforts to limit the ability of states to regulate artificial intelligence could mean fewer consumer protections around a technology that is increasingly seeping into every aspect of American life. «There have been a lot of discussions at the state level, and I would think that it’s important for us to approach this problem at multiple levels,» said Anjana Susarla, a professor at Michigan State University who studies AI. «We could approach it at the national level. We can approach it at the state level too. I think we need both.»

Several states have already started regulating AI

The proposed language would bar states from enforcing any regulation, including those already on the books. The exceptions are rules and laws that make things easier for AI development and those that apply the same standards to non-AI models and systems that do similar things. These kinds of regulations are already starting to pop up. The biggest focus is not in the US, but in Europe, where the European Union has already implemented standards for AI. But states are starting to get in on the action.

Colorado passed a set of consumer protections last year, set to go into effect in 2026. California adopted more than a dozen AI-related laws last year. Other states have laws and regulations that often deal with specific issues such as deepfakes or require AI developers to publish information about their training data. At the local level, some regulations also address potential employment discrimination if AI systems are used in hiring.

«States are all over the map when it comes to what they want to regulate in AI,» said Arsen Kourinian, partner at the law firm Mayer Brown. So far in 2025, state lawmakers have introduced at least 550 proposals around AI, according to the National Conference of State Legislatures. In the House committee hearing last month, Rep. Jay Obernolte, a Republican from California, signaled a desire to get ahead of more state-level regulation. «We have a limited amount of legislative runway to be able to get that problem solved before the states get too far ahead,» he said.

While some states have laws on the books, not all of them have gone into effect or seen any enforcement. That limits the potential short-term impact of a moratorium, said Cobun Zweifel-Keegan, managing director in Washington for the International Association of Privacy Professionals. «There isn’t really any enforcement yet.»

A moratorium would likely deter state legislators and policymakers from developing and proposing new regulations, Zweifel-Keegan said. «The federal government would become the primary and potentially sole regulator around AI systems,» he said.

What a moratorium on state AI regulation means

AI developers have asked for any guardrails placed on their work to be consistent and streamlined. During a Senate Commerce Committee hearing last week, OpenAI CEO Sam Altman told Sen. Ted Cruz, a Republican from Texas, that an EU-style regulatory system «would be disastrous» for the industry. Altman suggested instead that the industry develop its own standards.

Asked by Sen. Brian Schatz, a Democrat from Hawaii, if industry self-regulation is enough at the moment, Altman said he thought some guardrails would be good but, «It’s easy for it to go too far. As I have learned more about how the world works, I am more afraid that it could go too far and have really bad consequences.» (Disclosure: Ziff Davis, parent company of CNET, in April filed a lawsuit against OpenAI, alleging it infringed Ziff Davis copyrights in training and operating its AI systems.)

Concerns from companies — both the developers that create AI systems and the «deployers» who use them in interactions with consumers — often stem from fears that states will mandate significant work such as impact assessments or transparency notices before a product is released, Kourinian said. Consumer advocates have said more regulations are needed, and hampering the ability of states could hurt the privacy and safety of users.

«AI is being used widely to make decisions about people’s lives without transparency, accountability or recourse — it’s also facilitating chilling fraud, impersonation and surveillance,» Ben Winters, director of AI and privacy at the Consumer Federation of America, said in a statement. «A 10-year pause would lead to more discrimination, more deception and less control — simply put, it’s siding with tech companies over the people they impact.»

A moratorium on specific state rules and laws could result in more consumer protection issues being dealt with in court or by state attorneys general, Kourinian said. Existing laws around unfair and deceptive practices that are not specific to AI would still apply. «Time will tell how judges will interpret those issues,» he said.

Susarla said the pervasiveness of AI across industries means states might be able to regulate issues like privacy and transparency more broadly, without focusing on the technology. But a moratorium on AI regulation could lead to such policies being tied up in lawsuits. «It has to be some kind of balance between ‘we don’t want to stop innovation,’ but on the other hand, we also need to recognize that there can be real consequences,» she said.

Much policy around the governance of AI systems does happen because of those so-called technology-agnostic rules and laws, Zweifel-Keegan said. «It’s worth also remembering that there are a lot of existing laws and there is a potential to make new laws that don’t trigger the moratorium but do apply to AI systems as long as they apply to other systems,» he said.

Moratorium draws opposition ahead of House vote

House Democrats have said the proposed pause on regulations would hinder states’ ability to protect consumers. Rep. Jan Schakowsky called the move «reckless» in a committee hearing on AI regulation Wednesday. «Our job right now is to protect consumers,» the Illinois Democrat said.

Republicans, meanwhile, contended that state regulations could be too much of a burden on innovation in artificial intelligence. Rep. John Joyce, a Pennsylvania Republican, said in the same hearing that Congress should create a national regulatory framework rather than leaving it to the states. «We need a federal approach that ensures consumers are protected when AI tools are misused, and in a way that allows innovators to thrive.»

At the state level, a letter signed by 40 state attorneys general — of both parties — called for Congress to reject the moratorium and instead create that broader regulatory system. «This bill does not propose any regulatory scheme to replace or supplement the laws enacted or currently under consideration by the states, leaving Americans entirely unprotected from the potential harms of AI,» they wrote.