Tuesday, January 4, 2022

iCloud Private Relay White Paper

Apple (via John Wilander):

When Private Relay is in use, the user’s device opens up a connection to the first internet relay (also known as the “ingress proxy”). The software for the first internet relay is operated by Apple in locations around the world.

As the user browses, their original IP address is visible to the first internet relay and to the network they are connected to (e.g., their home ISP or cellular service). However, the website names requested by the user are encrypted and cannot be seen by either party.

The second internet relay (also known as the “egress proxy”) has the role of assigning the Relay IP address they’ll use for the session, decrypting the website name the user has requested and completing the connection. The second internet relay has no knowledge of the user’s original IP address and receives only enough location information to assign them a Relay IP address that maps to the region they are connecting from, conforming to the IP Address Location preference they selected in Private Relay settings. The second internet relay is operated by third-party partners who are some of the largest content delivery networks (CDNs) in the world.


To ensure only Apple devices and valid iCloud+ accounts can use Private Relay, the server performs device and account attestation using the Basic Attestation Authority (BAA) server prior to vending out tokens. To mitigate abuse, rate limiting restricts how many tokens a user’s device can retrieve per day.
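The two-hop split Apple describes above is easier to reason about with a small model of who can read what. The following Python is an added example, not Apple's code and not taken from the white paper: it assumes a throwaway stream cipher built from SHA-256 (no integrity protection, unlike the real TLS/QUIC layers), constructed lookup tables standing in for coarse IP geolocation and the egress partner's Relay IP pool, and a token vendor that merely counts issuances per device per day (real tokens are unlinkable; here the attestation result is a boolean the caller passes in). The point it demonstrates is the visibility property: the ingress relay sees the client IP but never the hostname, the egress relay sees the hostname but only the ingress's address plus a coarse region, and the hostname never appears in clear on the wire.

```python
"""Toy two-hop relay model (added example, not Apple's implementation)."""
import hashlib
import json
import os
from collections import defaultdict

NONCE_LEN = 12


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 counter keystream XORed over data. No integrity."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


# Constructed demo keys; each relay in the real system has its own TLS identity.
INGRESS_KEY = hashlib.sha256(b"demo ingress key").digest()
EGRESS_KEY = hashlib.sha256(b"demo egress key").digest()

# Constructed tables: coarse geolocation of client IPs, and the egress partner's IP pool.
COARSE_GEO = {"203.0.113.7": "EU-west", "198.51.100.9": "US-east"}
RELAY_POOL = {"EU-west": "192.0.2.10", "US-east": "192.0.2.20"}


class TokenVendor:
    """Models 'rate limiting restricts how many tokens a device can retrieve per day'."""

    def __init__(self, max_per_day: int):
        self.max_per_day = max_per_day
        self.issued = defaultdict(int)  # (device_id, day) -> tokens vended so far
        self.valid = set()

    def vend(self, device_id: str, day: str, attested: bool):
        # Attestation is modelled as a boolean; the real BAA check is out of scope here.
        if not attested or self.issued[(device_id, day)] >= self.max_per_day:
            return None
        self.issued[(device_id, day)] += 1
        token = hashlib.sha256(os.urandom(16)).hexdigest()[:16]
        self.valid.add(token)
        return token


def client_build_request(client_ip: str, hostname: str, token: str) -> dict:
    # Inner layer: only the egress relay can read the hostname.
    inner = seal(EGRESS_KEY, json.dumps({"host": hostname}).encode())
    # Outer layer: only the ingress relay can open it; it carries the token and an opaque blob.
    outer = seal(INGRESS_KEY, json.dumps({"token": token, "inner": inner.hex()}).encode())
    return {"src_ip": client_ip, "payload": outer}  # src_ip is visible to the ISP and ingress


def ingress_relay(packet: dict, vendor: TokenVendor):
    outer = json.loads(unseal(INGRESS_KEY, packet["payload"]))
    if outer["token"] not in vendor.valid:
        return None, None
    observed = {"client_ip": packet["src_ip"], "region": COARSE_GEO.get(packet["src_ip"], "unknown")}
    # Forward only the coarse region and the still-sealed inner blob; drop the client IP.
    forwarded = {"src_ip": "ingress", "region": observed["region"], "payload": bytes.fromhex(outer["inner"])}
    return observed, forwarded


def egress_relay(packet: dict) -> dict:
    inner = json.loads(unseal(EGRESS_KEY, packet["payload"]))
    return {
        "upstream": packet["src_ip"],  # the ingress, never the client
        "region": packet["region"],
        "host": inner["host"],
        "relay_ip": RELAY_POOL.get(packet["region"]),
    }


def run_session(client_ip: str, hostname: str, vendor: TokenVendor,
                device_id: str = "device-A", day: str = "2022-01-04"):
    """Returns each relay's view of one request, or None if no token could be vended."""
    token = vendor.vend(device_id, day, attested=True)
    if token is None:
        return None
    packet = client_build_request(client_ip, hostname, token)
    ingress_view, forwarded = ingress_relay(packet, vendor)
    egress_view = egress_relay(forwarded)
    return {"ingress": ingress_view, "egress": egress_view, "wire_payload": packet["payload"]}


if __name__ == "__main__":
    vendor = TokenVendor(max_per_day=2)
    print(json.dumps({k: v for k, v in run_session("203.0.113.7", "example.com", vendor).items()
                      if k != "wire_payload"}, indent=2))
```

Running it prints the two views side by side; the interesting checks are negative ones (no `host` key in the ingress view, no client IP anywhere in the egress view, no hostname bytes in the wire payload), and a third session for the same device on the same day is refused by the daily cap.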


Update (2022-01-07): Nick Heer:

Compared to some of Apple’s more detailed technical documentation, this white paper has noticeable omissions.

Update (2022-01-13): Howard Oakley:

Despite its careful design, Private Relay still does have problems with certain sites and services. Where possible, Apple is preferring to advise the user when a connection can’t be made, rather than expecting the user to build and maintain an exception list. Otherwise the service now appears quite robust and performs well.


From what I see, iCloud+ Private Relay almost invariably wins when it comes down to trust. And the fact that I currently pay less than $/€/£ 1 per month for my iCloud+ service.

John Gruber:

iCloud Private Relay is still officially in beta, but it’s been so reliable for me that I had to check just now that I’ve got it enabled on all my eligible devices.

Thomas Karpiniec:

It is therefore uncomfortable to admit that one platform, in one key aspect, has become the best. I’m talking about Safari. Yes, that dinky browser that only works on one brand of computer and never seems to keep up with web standards. I now feel like I’m compromising severely if I have to use anything else. Why on earth is that? Aren’t all browsers basically the same? Well no, it’s all to do with iCloud+ Private Relay.


On T-Mobile: “Your cellular plan doesn’t support iCloud Private Relay.”

So Apple for some reason gave the network operator the ability to turn it off, allowing T-Mobile to continue tracking its users.

This reminds me of when FaceTime was introduced. Apple allowed carriers to turn it off, and for a while many did.

I take that back. Apparently it’s due to this setting in iOS 15.2. https://www.iphonetricks.org/limit-ip-address-tracking-setting-on-iphone/

I don’t know how it got turned off.

Yeah, but it's so compromised in practice that it's nearly useless. For example, my RSS reader reveals all sorts of information about my preferences and beliefs to anyone listening in the course of downloading my feed lists from HTTPS endpoints, but private relay doesn't touch that traffic.

And, anyway, privacy shouldn't mean loss of identity. I'm all for pseudonymous VPNs with whom you trust your privacy for a price, if it means the option of being blinded to trackers, fraudsters, network operators and governments is available in the general case. (I also think IPv6 with fixed identifiers for everybody should be deployed, for the same reasons. And I was opposed to the whois cloaking enforced by GDPR.) But Private Relay arguably makes a much more compelling case for authoritarian policies to restrict its use, and that of other technologies, because it defaults to on and there's nobody, not even Apple, who can help if someone gets hurt. If a social media company can be contacted to track down a wrong 'un at the time a crime is committed, and all that is needed is the date/time and pseudonymous IP address that can be supplied, as evidence, to the VPN (bound by the same anti-abuse legislation) then we can have anti-abuse and privacy at the same time as well as relatively fixed pseudonymous identifiers guarded by gatekeepers of privacy against bad 'uns intent on surveillance.

And not being able to access geo-blocked content? Why, that can only be Apple's helping hand to the Great and the Good in the content industries ...

Correction: it seems that right now it doesn't default to on, at least not globally. OTOH I can well see it happening.

On my Mac, I've had to turn it off again for now. One reason is the "I'm temporarily off!" "I'm back!" notifications. I don't even know what the solution is there (maybe a status item in the menu bar would be better, while the feature is off), but in practice, I've found myself keeping it permanently off rather than having it always bug me with a notification that isn't actionable anyway (but is, to be fair, important information). I suppose the service will get better over time, and then it won't matter.

The other reason, though, is that it seemed too wonky with my VPNs. I have multiple VPNs I connect to using Tunnelblick (basically, different company data centers), and some of them change DNS entries. But iCloud Private Relay also changes DNS entries, and if a VPN dis- and reconnects, I've found myself unable to resolve anything. Maybe 11.2 will handle that better (come to think of it, I'm not quite sure I've tested it again since the 11.1 upgrade).

Hey so I felt like a dummy when I said T-Mobile was blocking my iCloud Private Relay, and then it turned out there was a setting wrong.

But: https://9to5mac.com/2022/01/10/t-mobile-block-icloud-private-relay/

All I can say is it was on, somehow got toggled off, and is working now.

"When Private Relay is in use, the user’s device opens up a connection to the first internet relay (also known as the “ingress proxy”). The software for the first internet relay is operated by Apple in locations around the world."

In my case this is not true: the first internet relay is not operated by Apple but by Akamai, as are all the DNS servers involved (7), so we can't talk about privacy, as all the information is kept by Akamai.
