Virtual Private Networks, or VPNs, are a common way for Internet users to mask their location. Basically, using a VPN makes it look like you are actually visiting a website from somewhere else in the world. About 20% of European Internet users make use of VPNs, primarily so they can gain access to services such as Netflix that are not available in their home countries. However, many people in other parts of the world use VPNs to get around censorship in countries under oppressive regimes.

Unfortunately, researchers at Queen Mary, University of London, found that 11 of the 14 most popular VPN services actually leak user data, meaning that people using those services aren’t actually securing their identity.

The problem is called “IPv6 leakage,” and it occurs because the VPN services in question aren’t as up to date as some of the websites out there. Increasingly, network administrators are using a protocol called IPv6 to run their websites, which replaces the earlier IPv4. Unfortunately, most VPN services only protect users’ IPv4 traffic, so as long as they stick to sites that still use IPv4 they’re fine, but if they use any sites with the newer protocol, their information can get out.

Queen Mary researchers set up two kinds of hacker attacks to test the VPNs: “passive monitoring,” which collects information that comes through the monitoring program naturally, and DNS hacking, where the hacker masks their activity as part of another site, like Facebook.

In either case, 11 of the 14 VPN providers tested failed to protect users’ IPv6 data, meaning that anyone monitoring such data would be able to tell that a user was trying to mask their activity. From there it’s simply a matter of tracing that data to the actual person and, under an oppressive regime like that in North Korea, arresting them.