Apple’s new Private Relay encryption feature aims to boost the privacy of iOS 15 browsers and apps.
When Apple announced a trio of new privacy features for its iCloud Plus subscription service in iOS 15 during the June WWDC event, the headliner was Private Relay — a browser-based encryption boost aimed at the growing number of people using virtual private networks for improved online privacy.
Now, with the release of iOS 15 on Monday (here’s how to download iOS 15), a more significant segment of Apple users will be able to test drive the proxy service.
Although Apple executives have begun positioning Safari’s new encryption service as a credible alternative to commercial VPNs, Private Relay is not a VPN in the strictest sense.
We’re still awaiting details on how the service works, but mistaking it for a VPN could be dangerous for those who rely on VPNs for personal security, and it would be ineffective for those looking to circumvent government censorship.
On the other hand, Private Relay can be used with a conventional VPN, whether personal or corporate.
According to Apple developers, this means that Private Relay will currently ignore VPN traffic.
However, as more research emerges on its potential to stop a shady VPN provider from identifying you, the technology behind Private Relay could theoretically represent a significant leap forward in overall privacy for commercial (though not enterprise) VPN users.
With an encryption-centric underlying technology, it’s unlikely that Private Relay will be offered in countries where it could interfere with domestic surveillance or violate anti-encryption laws.
Apple confirmed that Private Relay would not be available in China, the company’s largest market.
Additionally, Belarus, Colombia, Egypt, Kazakhstan, the Philippines, Saudi Arabia, South Africa, Turkmenistan, and Uganda will be without Private Relay.
Apple stated that it would offer Private Relay only where local laws permit.
Still, other previously announced iCloud Plus privacy features, such as Hide My Email, may be available in restricted areas where local laws allow.
However, for the average US user, the addition of Private Relay to Safari represents a potentially game-changing shift in how browsers can be fundamentally reshaped to protect you from aggressive advertising tracking.
Rather than simply raising the bar for browser privacy, a peculiar piece of the underlying technology in Private Relay is poised to usher in a new era in the browser wars.
What distinguishes Private Relay from a VPN
There is no device-wide encryption available via the app
While many VPNs include a separate browser-only plugin, an actual standalone VPN is designed to encrypt all data that leaves your device via its app.
It will then generate a new IP address for you and connect you to one of its network of servers before redirecting you to your destination website.
However, only a portion of your device’s traffic is encrypted via Private Relay in Apple’s case.
Apple stated in its developer-focused presentation that Private Relay encryption protects only Safari, DNS-related traffic on your device, and a small subset of app-related traffic.
The developers noted that any connections your apps make over the local network or to private domain names will be unaffected, as will any traffic generated using a proxy.
In other words, do not expect any Private Relay protections or features if you use the Chrome browser on your iPhone.
There is no geoblocking
A VPN’s primary feature is bypassing geographic restrictions and providing global access to content on an open web.
Some individuals use this feature to access streaming media services and watch their home country’s entertainment catalog while traveling.
More importantly, for those living in countries where censorship and oppressive regimes are prevalent, VPNs enable users to circumvent geo-restrictions and safely access critical information and news.
Private Relay is purpose-built to work around geoblocking and does not conceal your general region or city from internet providers or authorities.
There is no obfuscation of web traffic
While encrypted web traffic generated by a VPN appears to be quite different from non-VPN traffic, the best VPNs disguise themselves as regular traffic through a process called obfuscation or, as it is sometimes referred to, VPN obfuscation.
Overcoming geoblocking and evading organizational networks requires more than simply appearing to come from another location; it requires your traffic to appear inconspicuous. That is where VPN obfuscation enters the picture.
Although Apple occasionally uses the term obfuscation in a non-technical sense to describe how their traffic may appear to be regular traffic in certain circumstances when you use Private Relay to connect to a business or school network, Private Relay’s proxy server traffic is easily identifiable.
The service does not attempt to obfuscate itself using traditional VPN-style obfuscation.
As a result, Apple developers have explicitly advised business and school network administrators on accommodating this traffic or isolating it for exclusion by blocking the hostname of the iCloud Private Relay proxy server.
The distinction between split-tunneling systems
Split tunneling is a convenient feature found in the majority of leading VPNs. It enables you to forgo device-wide encryption in favor of encrypting just one or more apps on your device.
Thus, two “tunnels” of internet traffic are created.
This feature is advantageous in various situations, such as when you want to use a VPN to achieve faster torrenting speeds but still want to browse normally otherwise.
Private Relay offers a comparable feature, but it operates differently.
Even if you connect to your workplace’s private network, for example, you can use Private Relay.
Architecture with multiple hops
Numerous VPNs allow you to multi-hop (or “double hop”), which will enable you to cover your tracks more completely by connecting you to a series of servers one after the other before you reach a website.
Private Relay utilizes what the company refers to as “dual-hop architecture,” which is distinct from VPN multi-hop. When you use Private Relay, the two “hops” you make first provide you with a new, semi-anonymous IP address and then decrypt the website’s name.
What we currently understand about Private Relay
Private Relay serves two purposes. The first is to limit the amount of data advertising companies and Internet service providers can collect about your browsing activity.
The second objective is to ensure that Apple knows only who you are and not which websites you visit.
In contrast, the third-party servers that connect you to those websites know where you’re going and your approximate location but not your identity.
This is how it is accomplished. Private Relay is included in both the upcoming iOS and macOS versions, but it will work only if you are an iCloud Plus subscriber and have enabled it in your iCloud settings.
Once enabled and Safari is opened for browsing, Private Relay separates two pieces of information that could quickly identify you if delivered to websites in their entirety.
These are your IP address (the unique identifier for your computer) and your DNS request (the website’s address you want, in numeric form).
Private Relay then encrypts your DNS request and sends both the IP address and the now-encrypted DNS request to an Apple proxy server.
This is the first of two stops on the way to a website that your traffic will make.
Apple has already transferred the encryption keys to the third party running the second of the two stops, which means Apple cannot see which website you’re attempting to access via your encrypted DNS request. Apple is only aware of your IP address.
Apple’s server does not send your original IP address to the second stop, even though it has received your IP address and encrypted DNS request.
Instead, it assigns you an anonymous IP address that is roughly associated with your region or city.
However, the term “approximate location” can mean different things in different locations.
“It’s a very different technology, but with approximate location on the iPhone, the size of the area can vary depending on your location in the world, population density, and other factors,” an Apple spokesperson told CNET.
Using San Francisco as an example, the approximate size of that location could be reduced.
“I could be anywhere on the peninsula of San Francisco based on the approximate location. Thus, you may believe that I am up near Ghirardelli Square in the northern part of San Francisco, or the app may be receiving information that I am down near Cesar Chavez [Street].
It continues to obtain a precise location. It’s just that my exact location fluctuates within that general area to the point where no one knows where I am,” the spokesperson said.
Once the new IP address has been assigned, the Apple proxy server forwards the encrypted DNS request and the newly given IP address to the next stop.
That second stop is another proxy server, this one not operated by Apple but by an as-yet-unidentified third-party company prepared to decrypt your DNS request.
Finally, that third-party proxy server decrypts your DNS request and sends it to your destination website along with your general location.
While the destination website cannot pinpoint your precise location due to the lack of your actual IP address, it can determine the region in which your device is located.
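As an added illustration (not Apple’s code, and not a description of its actual wire protocol), the following Python model plays out the two-hop split described above: the first hop learns the client’s IP address but not the destination, while the second hop learns the destination (the name the page calls the DNS request) but only a regional IP. It assumes a key shared only by the client and the second hop, standing in for the real key exchange, and uses an illustrative SHA-256 keystream in place of real authenticated encryption; the addresses are constructed documentation-range values.

```python
import hashlib
import secrets

# Constructed sample data: a client's real IP and the coarse regional IP the
# first hop substitutes for it. Both are documentation-range addresses.
REGION_IP = {"203.0.113.7": "198.51.100.1"}


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative SHA-256 counter-mode keystream (unauthenticated; stands in
    for the real protocol's authenticated encryption, not a real cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + _xor_keystream(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return _xor_keystream(key, blob[:16], blob[16:])


def ingress_proxy(client_ip: str, blob: bytes) -> tuple:
    """First hop (Apple's server): sees the client IP, cannot read the blob,
    and forwards a regional IP instead of the real one."""
    learned = {"client_ip": client_ip, "hostname": None}
    return REGION_IP[client_ip], blob, learned


def egress_proxy(region_ip: str, blob: bytes, key: bytes) -> tuple:
    """Second hop (partner server): holds the key, reads the hostname, but only
    ever saw the regional IP."""
    hostname = unseal(key, blob).decode()
    learned = {"client_ip": None, "hostname": hostname, "region_ip": region_ip}
    return region_ip, hostname, learned


def relay(client_ip: str, hostname: str) -> dict:
    """Run one request through both hops and report what each party learned."""
    egress_key = secrets.token_bytes(32)         # shared by client and egress only
    blob = seal(egress_key, hostname.encode())   # ingress never holds egress_key
    region_ip, blob, ingress_view = ingress_proxy(client_ip, blob)
    src_ip, name, egress_view = egress_proxy(region_ip, blob, egress_key)
    return {"ingress": ingress_view, "egress": egress_view,
            "website": {"source_ip": src_ip, "hostname": name}}
```

The returned dictionary makes the partition explicit: no single party holds both the real IP and the hostname, which is the property the page attributes to the dual-hop design.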
The technology that lies behind the curtain
With the second proxy server able to see which websites you’re visiting and your general location, the pressing question quickly becomes who’s running that third-party server, which Apple has thus far declined to answer.
Within hours of Private Relay’s announcement, it became clear that Cloudflare is at least one of Apple’s partners in powering Private Relay when app researcher Jane Manchun Wong confirmed on Twitter that she had been assigned a Cloudflare IP address while using the currently available developer version of Private Relay.
Wong’s tweet was quickly followed by a flood of other users noting the same findings and drawing comparisons between Private Relay and Cloudflare Warp, a proxy app.
Cloudflare was a crucial partner in Apple’s push to standardize a potentially game-changing feature of Private Relay: its in-browser use of a technology called Oblivious DNS-over-HTTPS, or ODoH.
It's really awesome that iCloud Private Relay uses protocols Apple helped develop / spearheaded at the #ietf for standardization – It is using MASQUE (https://t.co/nPBvN4vcoJ) with Oblivious DoH (https://t.co/c3wQsExXAA) using QUIC and HTTP/3
— Paul Wouters (@letoams) June 8, 2021
What’s all the fuss about ODoH? It’s poised to resolve a significant issue that has perplexed privacy advocates since 2018, when Mozilla pioneered a method of routing internet traffic called DNS over HTTPS, or DoH, from within a browser as part of a previous browser-encryption collaboration with Cloudflare.
As a testament to its anti-surveillance effectiveness, the new method earned Mozilla the laughable title of “Internet Villain of the Year” in 2019 from a UK ISP lobby – implying that the privacy technology had the potential to disrupt ISPs’ business models, which are based on sucking up, bundling, and selling as much of your usage data as possible.
Though hailed as a privacy breakthrough, the new method was not without flaws.
CNET’s Stephen Shankland dug into those flaws when Mozilla enabled DoH for US Firefox users in early 2020.
The most serious is that DoH could centralize DNS activity and provide businesses with a new method of tracking you online.
Among DoH’s criticisms, the most cautionary quote came from Bert Hubert, the creator of the PowerDNS software.
“I find it extremely disappointing that Mozilla decided this was a good idea on behalf of all users it deems American,” Hubert wrote in an email. “While encrypted DNS is beneficial, it is critical to consider who you encrypt your DNS with…
They did not conduct surveys, for example, on how people would feel about providing Cloudflare with a record of all their internet activities.”
In theory, ODoH would reduce the amount of personally identifiable information Cloudflare obtains about a user compared to DoH.
However, Cloudflare has not been without security concerns. Cloudbleed was a vulnerability discovered in 2017 that affected websites that used Cloudflare’s products.
Cloudflare resolved the issue, but the breach exposed usernames, passwords, messages, and potentially personally identifiable information.
The ODoH protocol came under fire in January when digital privacy advocates at the Electronic Frontier Foundation warned that it could ultimately facilitate more censorship than it combats.
“One possibility concerns us: Using ODoH enables software developers to easily comply with censorship regime requirements by distributing their software without disclosing the identity of the users they are censoring,” the EFF stated.
In other words, by using a reputable ODoH proxy that refuses to resolve censored websites, software companies can make inroads into heavily censored countries such as China and Saudi Arabia, as long as the censorship is baked in, for example, by distributing an edited version of the software.
“This would absolve software developers of any responsibility for disclosing a user’s identity to a government that could put them in danger, but it also facilitates the act of censorship.
This is not possible in a traditional DoH. Allowing developers to evade responsibility by facilitating ‘anonymous’ censorship is a concerning prospect,” the EFF stated.
Cloudflare did not respond to a request for comment from CNET.
Apart from Apple’s reluctance to disclose their proxy partners, another potential stumbling block for Private Relay users may be their private school or business networks.
While most leading VPNs employ techniques to blend in with non-VPN traffic, proxy servers are easily identified and blocked by most private networks.
This means that individual campuses and businesses will be responsible for allowing proxy traffic from Apple devices.
Apple stated that if a network does not allow this traffic, you will be unable to use the service on it.
At the moment, more is unknown about Private Relay than is known.
We anticipate that additional details and documentation about Private Relay’s gears will emerge as the fall release of iOS 15 and the new macOS/iPad OS approaches.
Given that Apple has a history of slowly leaking discrete partnerships – dating back to its Maps-TomTom collaboration – we also expect to learn more about the nature and scope of its associations with third-party intermediaries.
Until then, Apple’s decision to block user DNS requests via Private Relay may allow the company to distance itself from the contentious debate over encryption more broadly in which it has recently become embroiled.
What remains to be seen is whether the tech giant’s adoption of the new ODoH protocol will encourage other browsers to adopt their implementations in place of the more widely used DoH.
Even if Private Relay falls short of being a full-fledged VPN, Apple may well view it as a win-win: it gets to wrap itself in the privacy flag (a continuing differentiation upsell to users versus Google and Facebook) while collecting less and less user data by default – potentially avoiding subpoenas from government agencies.