
The Agentic Age Will Fix Privacy

VPNs shift trust from your ISP to a VPN company. AI agents eliminate the need for trust altogether: the website never sees you.

VPNs were supposed to solve online privacy. You route your traffic through a VPN server, your ISP can't see what you're doing, and the destination website sees the VPN's IP instead of yours. That's the pitch. The reality is messier, and a different model is emerging that makes the whole thing obsolete.

The VPN trust problem

A VPN doesn't eliminate surveillance. It moves it. Instead of your ISP seeing your traffic, the VPN provider sees it. As Privacy Guides puts it: "VPN providers can also see and modify your traffic the same way your ISP could, so there is still a level of trust you are placing in them."

That trust has been broken repeatedly.

In 2017, PureVPN, a provider that marketed a "zero log policy", handed over connection records to the FBI that directly identified a user. The logs showed which IP addresses accessed a specific VPN session, when, and which accounts were used. In 2016, IPVanish initially told the Department of Homeland Security they had no logs, then responded to a second summons with detailed connection timestamps and source IPs. HideMyAss gave up a user to the FBI after a court order in 2011.

These aren't edge cases. There's no industry standard that defines what "no logs" means. Each provider defines it differently, and there's no way to verify the claim from the outside.

The ownership problem

The VPN market has consolidated in ways that should make privacy-conscious users uncomfortable. Kape Technologies (formerly Crossrider, a company whose platform was widely used to distribute adware) now owns ExpressVPN, CyberGhost, Private Internet Access, and ZenMate. That's four of the most popular VPN services under one company with an adware history. Kape also acquired vpnMentor and Wizcase, two major VPN review sites that now rank Kape's own products in their top three.

Free VPNs are worse. A CSIRO study examining 283 Android VPN apps found that 38% contained malware, 75% used third-party tracking libraries, and 18% didn't encrypt traffic at all. SuperVPN leaked 360 million user records in 2023. Facebook's Onavo Protect was marketed as a privacy tool while funneling all user traffic through Facebook's servers for analytics.

VPNs don't solve fingerprinting

Even if you trust your VPN provider completely, you're still trackable. VPNs change your IP address. That's it. They do nothing about browser fingerprinting, and fingerprinting is how modern tracking actually works.

The EFF's Panopticlick study found that 83.6% of browsers have a unique fingerprint based on their canvas rendering, WebGL output, installed fonts, screen resolution, timezone, language, and dozens of other signals. With Flash or Java, that number reached 94.2%. Each browser carries roughly 18 bits of identifying entropy, enough to single you out from hundreds of thousands of users.

WebGL fingerprinting is particularly hard to defeat because it operates at the hardware level, extracting GPU rendering characteristics through JavaScript. A VPN has no effect on this. Neither does incognito mode.

According to the 2025 Web Almanac, 75% of desktop websites contain at least one third-party tracker, and Google trackers are present on 61% of all webpages. In February 2025, Google officially reversed its policy against fingerprinting-based tracking, allowing advertisers to use it. The UK's Information Commissioner's Office called the move "irresponsible."

So the state of play is: VPNs hide your IP but not your identity, the VPN provider becomes a new surveillance point you can't verify, the biggest VPN brands are owned by a former adware company, and the tracking industry just got the green light to fingerprint you regardless.

Agents change the model

When an AI agent browses the web on your behalf, the website never sees your browser. It never sees your IP address, your canvas fingerprint, your WebGL output, your installed fonts, your timezone. It sees the agent's infrastructure: an OpenAI or Anthropic server somewhere, with a generic fingerprint shared across millions of requests.

This isn't a privacy feature that was designed in. It's an architectural side effect. The agent runs its own browser environment server-side. When ChatGPT agent visits a website to research something for you, it uses its own virtual computer. Perplexity describes its requests as "targeted, one-off requests to retrieve current information": the website sees Perplexity's infrastructure, not you.

Cross-site tracking via fingerprinting becomes meaningless when the fingerprint belongs to an agent shared by millions of users. There's no individual to track.
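
An added example (not part of the original post) that measures this effect on a constructed visitor log: it groups users by the fingerprint a site could compute and reports how many are unique and how many identifying bits the fingerprint carries. The signal values, the user labels and the single shared `AGENT_PROFILE` are assumptions made for illustration.

```javascript
// Constructed visitor log: [groundTruthUser, gpu, timezone, screen].
// The user column is ground truth for scoring; a site only sees the rest.
const DIRECT = [
  ["u1", "Intel UHD 620", "Europe/Berlin", "1920x1080"],
  ["u2", "Intel UHD 620", "Europe/Berlin", "1920x1080"], // same build as u1
  ["u3", "NVIDIA GTX 1650", "Europe/Berlin", "2560x1440"],
  ["u4", "Apple M1", "America/Chicago", "1440x900"],
  ["u5", "Apple M1", "Europe/Berlin", "1440x900"],
  ["u6", "Mali-G78", "Asia/Tokyo", "412x915"],
  ["u7", "AMD RX 580", "America/Chicago", "1920x1080"],
  ["u8", "Intel UHD 620", "America/Chicago", "1366x768"],
];
// Assumption: every agent request carries one shared server-side profile.
const AGENT_PROFILE = ["SwiftShader", "UTC", "1280x720"];
const VIA_AGENT = DIRECT.map(([user]) => [user, ...AGENT_PROFILE]);

// Group users by the fingerprint the site can compute from the signals.
function anonymitySets(visits) {
  const sets = new Map();
  for (const [user, ...signals] of visits) {
    const key = signals.join("|");
    if (!sets.has(key)) sets.set(key, new Set());
    sets.get(key).add(user);
  }
  return [...sets.values()];
}

// Per-user surprisal is log2(total / anonymity-set size); 0 bits means the
// fingerprint says nothing about which user sent the request.
function measure(visits) {
  const sets = anonymitySets(visits);
  const total = new Set(visits.map(([user]) => user)).size;
  const unique = sets.filter((s) => s.size === 1).length;
  const smallest = Math.min(...sets.map((s) => s.size));
  return {
    uniqueFraction: unique / total,
    smallestSet: smallest,
    maxBits: Math.log2(total / smallest),
  };
}

console.log("direct:", measure(DIRECT));
console.log("via agent:", measure(VIA_AGENT));
```

The same measurement on real traffic needs the site's own logged signals in place of the constructed rows; the ground-truth user column exists only to score the result.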

From browser sessions to structured queries

MCP (Model Context Protocol) pushes this further. Instead of an agent navigating a website like a human would (loading pages, parsing HTML, clicking buttons), MCP lets agents interact with services through structured tool calls. The agent asks for specific data through an API. The service responds with structured data. No browser session, no cookies, no fingerprint surface at all.

It goes from "a user browses a website" to "an agent queries a service." Your identity isn't hidden behind a proxy. It's absent from the interaction entirely. The service authenticates the agent's request through OAuth tokens, not browser cookies tied to your device.

The new trust equation

This isn't free, though. Agentic browsing creates its own trust problem: you and your AI provider. OpenAI, Anthropic, Google, whoever runs the agent, now sits between you and the web. They know what you asked for, even if the destination website doesn't know who asked.

And the risks are specific. TechCrunch noted that agents require "the ability to view and take action in a user's email, calendar, and contact list." The Future of Privacy Forum flagged that agents collect "granular telemetry β€” user interactions, action logs, performance metrics" that may qualify as personal data. Researchers have already found 30 vulnerabilities across 8 popular browser agents, including disabled privacy features and agents that autocomplete sensitive personal information.

But the comparison that matters is: what are you replacing? Today, every website you visit sees your IP, your fingerprint, your cookies. Your ISP sees every domain you connect to. If you use a VPN, the VPN provider sees everything the ISP would have. Browser fingerprinting tracks you across sites whether you consent or not, and 75% of websites run trackers.

With agentic browsing, one entity, the AI provider, sees your intent. The rest of the web sees nothing about you. That's not perfect privacy. But it shrinks the attack surface compared to what we have now, where your identity leaks to every site, tracker, and middleman in the chain.

Where this goes

The VPN model was always a patch. You took a leaky system, your browser broadcasting your identity to every server it connects to, and added a proxy in front of it. The proxy introduced its own trust problems, and it didn't address fingerprinting at all.

The agentic model doesn't patch the system. It replaces the interaction. The user stays home. The agent goes out. The websites, trackers, and fingerprinting scripts have no user to identify because no user showed up.

We're not there yet. Most browsing is still direct. Agents take on research, comparisons, specific tasks, not idle browsing. As they absorb more of what currently happens through browsers, the surface area for trackers shrinks. Not because we built better shields, but because we stopped showing up.
