In a WWDC developer video, Apple has now explained in more detail what protection the new iCloud Private Relay will offer users and how exactly it works to increase privacy.
Announced at the WWDC 2021 keynote, iCloud Private Relay is a new feature for Apple users that is designed to prevent third parties from tracking users' browsing habits. It will not be available in all countries. But for those where it is available, Apple has developed a system that it says protects users to a high degree without slowing down their internet. explained Tommy Pauly, from Apple's Internet Technologies Group team:
When someone accesses the Internet, everyone on their local network can see the names of all the web pages they access based on inspection of DNS requests. This information can be used to create a fingerprint of a user and build a history of their activities over time. No one should be able to silently collect all this information, whether it's a public WiFi operator, another user on the network, or an Internet service provider.
“These are major problems for users’ privacy”
Pauly also describes how servers can see a user's IP address when they access a website, and explains what these servers can do with "fingerprints of user identity" across different websites.
These are big problems for user privacy, and to fix them we need a new approach that has privacy built in. iCloud Private Relay adds multiple secure proxies that help route user traffic and keep it private. The proxies are run by separate entities. One is Apple and one is a content provider.
Apple does not say which company or companies the other entity is. Delziel Fernandes, also from Apple's Internet Technologies Group, instead speaks only of so-called ingress servers operated by Apple and egress servers operated by other companies.
When a device attempts to access a server, it first establishes a network connection to the ingress proxy. This connection is established using an IP address assigned by the network provider… [and the] egress proxy then forwards these requests to the destination servers by choosing an IP address associated with the device's city or region.
For the user, this means that Apple does not track which websites they access. Neither the company that runs the egress server nor the target website can track their identity in any way.
What web and network traffic is protected by iCloud Private Relay?
However, it won't cover all internet traffic. Apple says iCloud Private Relay will apply to:
- The entire Safari web browsing experience
- All DNS queries when entering site names
- All insecure HTTP traffic
What web and network traffic is not protected by iCloud Private Relay?
Apple explains that it will also apply to "a small subset of app traffic." However, it also listed several categories of internet traffic that are not protected by iCloud Private Relay:
- Local network connections
- Private domain name queries
- data traffic via a regular VPN
- Internet traffic via a proxy
It works in a similar way to a VPN, but iCloud Private Relay is not an Apple-branded VPN. Apple says that Private Relay ensures that users cannot use the system to pretend to be from another region. This allows developers to enforce region-based access restrictions.
iCloud Private Relay: Apple users have the choice
There are features developers can access within iCloud Private Relay that mean they can ask for a user's specific location - if the user allows it and if the app requires it. But otherwise, the location data is set by the egress server. This third and presumably trusted company adds an IP address "associated with the city or region of the device." So a website or service gets some location data and it's broadly correct, it's correct enough to be useful, for example for a store displaying its prices in the correct currency or for content mapping by geography. The new iCloud Private Relay is set to launch alongside macOS Monterey, iOS 15 and iPadOS 15. It will require an iCloud+ subscription and users can decide whether to have Private Relay enabled or disabled. Pauly concludes:
Private Relay is built into iOS and macOS, so developers don't need to do anything to adopt it in their own app. It's also important to understand that it won't always affect your own app. It will only apply if a user has an iCloud+ subscription and has Private Relay enabled.
iOS 15, iPadOS 15, macOS Monterey, watchOS 8 and tvOS 15 will be rolled out this fall. According to Apple, all updates will be made available as public beta in July. (Image: Apple)
