Citation note: Statistics on this page are drawn from peer-reviewed academic research, government reports, and standards-body publications. Where possible, links to the original source are provided. Research from 2010–2022 reflects conditions at the time of publication; the VPN and browser landscape evolves continuously.
Browser fingerprinting
Fingerprint uniqueness
- 83.6% of browsers tested by the EFF Panopticlick project (2010, n=470,161) had a unique fingerprint identifiable without any cookies or login.
Source: Eckersley, P. (2010). How Unique Is Your Web Browser? EFF / PET 2010. - A 2016 IEEE study across 118,934 browsers confirmed fingerprinting effectiveness, finding that browser type and version, screen resolution, installed plugins, language, and timezone together achieve near-unique identification in desktop browsers.
Source: Laperdrix, P. et al. (2016). Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints. IEEE S&P 2016. - Canvas fingerprinting alone was found to produce a distinct hash in approximately 5.7% of browsers in isolation; in combination with other attributes it contributes substantially to overall uniqueness.
Source: Acar, G. et al. (2014). The Web Never Forgets. ACM CCS 2014.
Fingerprinting adoption on the web
- The 2014 "Web Never Forgets" study found canvas fingerprinting scripts on 5% of the top 100,000 Alexa websites, making it one of the most widely deployed tracking technologies at the time.
- A 2018 Princeton WebTAP study of the top 1 million sites found fingerprinting scripts on approximately 1 in 7 sites, including font probing, canvas, and WebGL.
Source: Englehardt, S. & Narayanan, A. (2016). Online Tracking: A 1-million-site Measurement and Analysis. ACM CCS 2016.
Countermeasures
- Brave Browser's randomised fingerprinting, as measured in a 2021 study, reduces cross-session linkability significantly, though some entropy remains due to hardware differences.
Source: Laperdrix, P. et al. (2020). Browser Fingerprinting: A Survey. ACM TWEB 2020. - The Tor Browser achieves the strongest fingerprint uniformity by targeting a uniform set of screen sizes, disabling JavaScript by default in the highest security mode, and replacing Canvas API return values with a constant stub.
VPN and DNS leaks
DNS leak prevalence in VPN apps
- Ikram et al. (ACM IMC 2016) analysed 283 Android VPN apps from Google Play. Key findings:
- 18% implement tunnelling without encryption — traffic is sent in plaintext despite appearing to use a VPN.
- 66% do not apply any privacy controls to DNS traffic, meaning DNS queries can be seen by the ISP.
- 38% of apps were flagged as potentially malicious by VirusTotal scanners.
- 16% inject JavaScript or intercept traffic for advertising purposes.
- Hildenbrand, E. et al. (PET 2015) tested 14 commercial VPN clients and found IPv6 traffic leakage in several clients that did not handle dual-stack networks, revealing real IPs when an IPv6 connection was available alongside the VPN tunnel.
Source: Hildenbrand, E. et al. (2015). A Glance through the VPN Looking Glass. PET Symposium 2015.
Windows DNS leak vector
- Microsoft's Smart Multi-Homed Name Resolution (SMHNR), introduced in Windows 8.1 and enabled by default in Windows 10 and 11, sends DNS queries to all available network resolvers simultaneously for speed. With a split-tunnel VPN, this causes DNS queries to be sent to both the VPN's DNS server and the ISP's DNS server. SMHNR cannot be disabled by the VPN client unless it installs a system-level network driver or uses a full-tunnel configuration.
Reference: Microsoft DNSSEC and Smart Multi-Homed Name Resolution documentation.
WebRTC IP exposure
- WebRTC uses the Interactive Connectivity Establishment (ICE) protocol (RFC 8445) to collect network addresses for peer-to-peer connections. The ICE candidate gathering process contacts STUN servers, which return the public IP address — bypassing any SOCKS proxy or application-layer VPN tunnel that doesn't route UDP at the system level.
- By default, all major browsers (Chrome, Firefox, Edge, Safari) expose local and public IP addresses to any page running WebRTC JavaScript. This is specified behaviour in the W3C WebRTC 1.0 specification, not a bug.
Reference: W3C WebRTC 1.0: Real-time Communication Between Browsers, Section 4.3 (RTCPeerConnection API). - Since Firefox 42 (2015), Firefox offers the
media.peerconnection.enabledsetting to fully disable WebRTC. Chrome does not provide a built-in toggle; users require an extension or must use Brave, which exposes WebRTC policy via the privacy settings panel.
IPv6 leak exposure
- Many residential ISPs have deployed IPv6 alongside IPv4. A VPN that tunnels only IPv4 traffic leaves IPv6 connections to route natively, exposing the real IPv6 address. The share of internet users with IPv6 connectivity reached over 45% as of 2024 according to Google IPv6 statistics.
Reference: Google IPv6 Adoption Statistics. - A VPN with IPv6 leak protection must either tunnel IPv6 traffic through the VPN or block all outbound IPv6 traffic while the VPN is active. "IPv6 leak protection" in marketing material varies — some clients block IPv6, others route it.
What VPNs do and do not protect against
| Threat | VPN helps? | Notes |
|---|---|---|
| ISP seeing destination IPs | Yes | Traffic goes to VPN server, not destination |
| ISP seeing DNS queries | Partial | DNS leak possible on Windows (SMHNR) |
| Sites seeing your real IP | Yes | Site sees VPN exit IP (unless WebRTC/IPv6 leak) |
| WebRTC IP exposure | No | Browser-level; VPN doesn't intercept WebRTC UDP |
| IPv6 real IP exposure | Partial | Only if VPN explicitly handles IPv6 or blocks it |
| Browser fingerprinting | No | Canvas/WebGL/audio operate above the network layer |
| Cookie and session tracking | No | Requires clearing cookies; VPN doesn't touch these |
| HTTPS traffic content | No | TLS handles content encryption, not the VPN |
Test your own exposure
Sources and further reading
- Eckersley, P. (2010). How Unique Is Your Web Browser? EFF/PET Symposium. coveryourtracks.eff.org
- Laperdrix, P., Rudametkin, W., & Baudry, B. (2016). Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints. IEEE S&P 2016.
- Acar, G. et al. (2014). The Web Never Forgets: Persistent Tracking Mechanisms in the Wild. ACM CCS 2014.
- Ikram, M. et al. (2016). An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps. ACM IMC 2016.
- Hildenbrand, E. et al. (2015). A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN Clients. PET Symposium 2015.
- IETF RFC 8445 — Interactive Connectivity Establishment (ICE). datatracker.ietf.org/doc/html/rfc8445
- W3C WebRTC 1.0 Specification. w3.org/TR/webrtc/
- Google IPv6 Adoption Statistics. google.com/intl/en/ipv6/statistics.html
Frequently asked questions
What percentage of VPN users experience DNS leaks?
Research varies significantly by platform, client, and configuration. Ikram et al. (2016) found 66% of the 283 Android VPN apps studied did not apply DNS privacy controls. For desktop VPN clients, the prevalence is lower but Windows SMHNR creates a structural leak risk for any split-tunnel VPN that does not install a network driver. MyIPScan's own DNS Leak Test can show you your specific configuration's behaviour.
How unique is a browser fingerprint on a typical desktop?
The original EFF Panopticlick study found 83.6% of desktop browsers were unique. Modern browsers with privacy settings (Firefox with Resist Fingerprinting, Brave) reduce this significantly, but hardware-level differences (GPU, screen resolution, installed fonts) continue to provide entropy. Mobile browsers tend to be more uniform due to standardised hardware and more restricted API access.
Does a VPN stop browser fingerprinting?
No. A VPN routes and encrypts network traffic but has no effect on the JavaScript APIs used for fingerprinting — Canvas, WebGL, AudioContext, navigator properties, and screen geometry are all processed inside the browser sandbox before any network request is made. Only browser-level countermeasures (Brave's noise injection, Firefox's Resist Fingerprinting, or the Tor Browser's uniform profile) reduce fingerprint entropy.
Can I tell if my VPN has a WebRTC leak right now?
Yes. The WebRTC Leak Test uses the RTCPeerConnection API (the same mechanism websites use) to collect ICE candidates in your browser and compares the public IP in those candidates against your VPN exit IP. If they differ, your real IP is exposed. The test works without installing anything.
Are these statistics current?
The underlying research was conducted between 2010 and 2022. VPN client quality and browser privacy features have improved substantially since the 2015–2016 studies. The structural vulnerabilities — WebRTC, IPv6, Windows SMHNR — remain relevant because they are architectural features of the platforms rather than bugs in specific software. Statistics about fingerprint uniqueness remain broadly accurate for un-hardened browsers.