Apple’s Private Relay Roils Telecoms Around the World

Security experts say there's little reason for the criticism from Europe’s mobile operators and US limitations over the VPN-like iCloud tool.

When Apple pushed iOS 15 out to more than a billion devices in September, the software update included the company’s first VPN-like feature, iCloud Private Relay. The subscription-only privacy tool makes it harder for anyone to snoop on what you are doing online, by routing traffic from your device through multiple servers. But the tool has faced pushback from mobile operators in Europe and, more recently, from T-Mobile in the US.

As Private Relay has rolled out over the past few months, scores of people have started to complain that their mobile operators appear to be restricting access to it. For many, it’s impossible to turn the option on if your plan includes content filtering, such as parental controls. Meanwhile in Europe, mobile operators Vodafone, Telefonica, Orange, and T-Mobile have griped about how Private Relay works. In August 2021, according to a report by the Telegraph, the companies complained the feature would cut off their access to metadata and network information and suggested to regulators that it should be banned.

“Private Relay will impair others to innovate and compete in downstream digital markets and may negatively impact operators’ ability to efficiently manage telecommunication networks,” bosses from the companies wrote in a letter to European lawmakers. However, Apple says that Private Relay doesn’t stop companies from providing customers with fast internet connections, and security experts say there’s been little evidence showing Private Relay will cause problems for network operators.

Apple’s Private Relay isn’t a VPN—which carriers freely allow—but it has some similarities. The option, which is still in beta and is only available to people who pay for iCloud+, aims to stop the network providers and the websites you visit from seeing your IP address and DNS records. That makes it harder for companies to build profiles about you that include your interests and location, in theory helping to reduce the ways you’re targeted online.

To do this, Private Relay routes your web traffic through two relays, known as nodes, when it leaves your iPhone, iPad, or Mac. Your traffic passes from Safari into the first relay, known as the “ingress proxy,” which is owned by Apple. There are multiple different ingress proxies around the world, and they’re based in multiple locations, Apple says in a white paper. This first relay is able to see your IP address and the Wi-Fi or mobile network you are connected to. However, Apple isn’t able to see the name of the website that you’re trying to visit.

The second relay your web traffic passes through, known as the “egress proxy,” is owned by a third-party partner rather than Apple itself. While it can see the name of the website you’re visiting, it doesn’t know the IP address you’re browsing from. It instead assigns you another IP address that’s near where you live or within the same country, depending on your Private Relay settings.

The result is that neither relay knows both your IP address and the details of what you’re looking at online, whereas a typical VPN provider will process all your data. Also unlike a VPN, Apple’s system doesn’t let you change your device’s geographic location to avoid regional blocks on content from Netflix and others.
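The split of knowledge between the two relays can be modeled in a short Python sketch. This is an added illustration, not Apple's code or its actual protocol: the toy cipher, the keys, the function names, and the documentation-range IP addresses are all constructed assumptions.

```python
import hashlib, hmac, json

# Toy authenticated cipher (stand-in for the real tunnels; one message per key).
def _stream(key, n):
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, len(pt))))
    return hmac.new(key, ct, "sha256").hexdigest() + ct.hex()

def unseal(key, blob):
    tag, ct = blob[:64], bytes.fromhex(blob[64:])
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").hexdigest()):
        raise ValueError("wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct)))))

# Constructed keys: the client shares one with each relay.
INGRESS_KEY = b"constructed-ingress-key"
EGRESS_KEY = b"constructed-egress-key"

def client_send(client_ip, host, path):
    # Inner layer is readable only by the egress proxy.
    inner = seal(EGRESS_KEY, {"host": host, "path": path})
    outer = seal(INGRESS_KEY, {"next_hop": "egress", "payload": inner})
    return {"src": client_ip, "body": outer}

def ingress(packet):
    # First relay: sees the client's IP, forwards an opaque payload.
    layer = unseal(INGRESS_KEY, packet["body"])
    seen = {"client_ip": packet["src"], "next_hop": layer["next_hop"]}
    return seen, {"src": "ingress", "body": layer["payload"]}

def egress(packet, assigned_ip):
    # Second relay: sees the site name, but only the ingress as the source.
    req = unseal(EGRESS_KEY, packet["body"])
    seen = {"src": packet["src"], "host": req["host"]}
    return seen, {"src": assigned_ip, "host": req["host"], "path": req["path"]}

def relay(client_ip, host, path, assigned_ip):
    seen_in, forwarded = ingress(client_send(client_ip, host, path))
    seen_out, to_site = egress(forwarded, assigned_ip)
    return seen_in, seen_out, to_site

if __name__ == "__main__":  # constructed sample values
    print(relay("203.0.113.7", "example.org", "/news", "198.51.100.20"))
```

The first relay's view holds the client address but no site name, the second relay's view holds the site name but only the first relay as the source, and the website sees the assigned address rather than the real one.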

Private Relay’s potential scale, relative to VPNs, may have prompted telecom concerns. “It is far more accessible than a VPN that you have to download and register for and set up separate payment for,” says Nader Henein, a research vice president specializing in privacy and data protection at Gartner. Apple has made Private Relay opt-in while it is still in beta, although it’s still potentially available to millions of subscribers. (Apple has bent to some local laws and not made Private Relay available in China, Belarus, Kazakhstan, Saudi Arabia, and a handful of other countries.) “The concern is that a lot of people are just going to switch it on, and it's going to obscure a large part of the network from the network operators,” Henein adds.

However, he says if telecoms companies do imagine they’ll lose sight of how people are using their networks, they should present their evidence transparently by making their modeling public. Equally, Henein says, to address questions about European “data sovereignty,” Apple should make clear what companies it has partnered with for the feature—it says they are some of the largest content delivery networks—and the locations of the relays.

“While I agree that in certain custom ways this potentially might complicate some technology planning or management, in general we must stress that there is no issue here,” says Lukasz Olejnik, an independent privacy researcher and consultant. He says that while network operators are likely to lose access to metadata that can describe where users connect to their services, this shouldn’t be a barrier to them understanding what’s happening more broadly across their networks. “Telecom operators should already be comfortable with network neutrality, so simply managing the lower technical layers of the networks,” Olejnik says. “It should not be their problem with what happens in the upper layers.”

Multiple mobile network operators have not responded to questions about their plans for Private Relay at the time of writing. It is unclear whether the companies have changed their positions since complaining to European regulators last summer. In a statement to 9to5Mac, T-Mobile US said any limits on Private Relay have happened across its network because accounts have parental controls enabled and content filtering isn’t compatible with Apple’s tool. The publication says some users have seen the block despite not having filtering enabled. Other reports say that Private Relay clashes with T-Mobile's existing content filtering. Within Private Relay’s settings, Apple says that networks that need to audit traffic or perform content filtering will block access to Private Relay. It says this may include companies, schools, or mobile network operators.

“Private Relay makes it impossible to enable the potential security protections, like ones aimed at parental settings aimed at children,” Olejnik says. “But this should be a conscious decision left to the user.” A guide from UK mobile network EE says that because it can’t see what you’re browsing, it isn’t able to moderate content for those with parental control settings turned on—it also says data plans with unlimited access to some games, music, and video will not operate properly. In evidence submitted to the UK’s parliament, network operator BT Group, which owns EE, said Private Relay would pose “significant challenges” if it is needed to block websites or services under the UK’s planned internet safety laws. However, many of these concerns apply equally to traditional VPNs too.

“From a state security perspective, it creates the same obfuscation as does any VPN,” Henein says. If law enforcement wanted to ask for people’s online activity, then there isn’t much change. “The network operators will not be able to help you in the same way as if that person were using a VPN.”

