Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

How Apple iCloud Private Relay works

The new iCloud Private Relay will protect users who have an iCloud+ subscription

Last updated

In a WWDC developer video, Apple has further explained what protection its iCloud Private Relay will give users, plus how exactly it works to increase privacy.

Announced at the WWDC 2021 Keynote, iCloud Private Relay is a new feature for Apple users which will prevent third-party companies determining web-browsing habits. It's not going to be available in all countries, but for those that it is, Apple has produced a system that it claims will greatly protect users, yet not also slow down their internet.

"When someone accesses the internet, anyone on their local network can see the names of all of the websites they access based on inspecting DNS queries," says Tommy Pauly of Apple's Internet Technologies group, in a new video for developers.

"This information can be used to fingerprint a user and build a history of their activity over time," he continues. "No one should be able to silently collect all of this information, whether it's a public Wi-Fi operator, another user on the network, or an internet service provider."

Pauly also describes how servers can see a user's IP address when they access a site, and says that "even worse," those servers can "fingerprint user identity" across different sites.

"These are big problems for user privacy, and in order to fix them, we need a new approach that has privacy built in by design," he says. "iCloud Private Relay adds multiple secure proxies to help route user traffic and keep it private."

"The proxies are run by separate entities," continues Pauly. "One is Apple, and one is a content provider."

Apple does not say which firm, or firms, are the other entity. Delziel Fernandes, also from Apple's Internet Technologies group, refers instead solely to what he calls ingress servers, run by Apple, and egress servers, run by other firms.

"When a device tries to access a server, it first sets up a network connection to the ingress proxy," says Fernandes. "This connection is set up using an IP address assigned by the network provider... [and the] egress proxy then forwards these requests to the destination servers by choosing an IP address that maps to the device's city or region."

Apple's illustrative diagram of how iCloud Private Relay works Apple's illustrative diagram of how iCloud Private Relay works

What this means for the user is that Apple doesn't track which websites they're accessing. And neither the egress server company nor the destination website can track their identities in any way.

What web and network traffic will be protected by iCloud Private Relay

It does not cover all internet traffic, however. Apple says that iCloud Private Relay will apply to:

  • All Safari web browsing
  • All DNS queries as users enter site names
  • All insecure HTTP traffic

What web and network traffic will not be protected by iCloud Private Relay

Apple says that it will also apply to "a small subset of traffic from apps." However, it also listed multiple categories of internet traffic that will not be protected by iCloud Private Relay:

  • Local network connections
  • Private domain name queries
  • Traffic using a regular VPN
  • Internet traffic using a proxy

This is similar to how a VPN works, but iCloud Private Relay is not intended to be an Apple-branded VPN. Apple says that the Private Relay guarantees that users can't use the system to pretend to be from a different region. This allows developers to enforce region-based access restrictions.

There are features developers can access within iCloud Private Relay that mean they can ask for a user's specific location — if the user allows, and if the app requires it. But otherwise location data is set by the egress server. That third-party and presumably trusted company adds an IP address "that maps to the device's city or region."

So a site or a service gets some location data and it's broadly right, it's correct enough to be useful for, say, a store showing its prices in the right currency or content-gating by geography.

The new iCloud Private Relay is to be introduced alongside macOS Monterey, iOS 15, and iPadOS 15 when they launch later in the year. It will require an iCloud+ subscription, and users will have to choose to turn on Private Relay — though it is likely to default to on.

"Private Relay is built into iOS and macOS, so you don't need to do anything to adopt it from your app," Pauly told developers. "It's also important to understand that it won't always be affecting your app. It will only apply when a user is an iCloud+ subscriber and has Private Relay enabled."

Follow all the details of WWDC 2021 with the comprehensive AppleInsider coverage of the whole week-long event from June 7 through June 11, including details of all the new launches and updates.

Stay on top of all Apple news right from your HomePod. Say, "Hey, Siri, play AppleInsider," and you'll get latest AppleInsider Podcast. Or ask your HomePod mini for "AppleInsider Daily" instead and you'll hear a fast update direct from our news team. And, if you're interested in Apple-centric home automation, say "Hey, Siri, play HomeKit Insider," and you'll be listening to our newest specialized podcast in moments.



35 Comments

maestro64 5029 comments · 19 Years

The only question why would you want your VPN traffic to run through Apple’s relay service as they suggest, it’s just another layer of latency you have to deal with,  

I’m assuming it keeps your ISP from spying on you as well, since it has secure encryption connection between safari and the websites your visiting. The ISP should only see random data going to the Apple relay server.

22july2013 3736 comments · 11 Years

Google won’t be copying this feature because Google’s raison d’être is to profit from your identity. Google might not even sell Android to hardware companies which copy this feature. This will be an Apple exclusive. However VPN companies may try to copy this. I wonder if Apple trademarked the phrase “private relay.”

I wonder if Amazon or Google could own and operate the “egress servers.” Are they “trustable?” I suspect there could be different egress server companies in each country. The reason Private Relay may not be available in some countries is that Apple knows it can’t get trusted egress server companies in those countries. (I.e., not simply a legal prohibition.)

Warrants issued to both the ingress and egress server companies might be able to get user identities. 

I look forward to some character in a TV detective/cop show saying, “We can’t locate the user, because they are using Apple’s Private Relay.” That will sell a few Apple devices. 

robaba 228 comments · 4 Years

Good.  Now do this with encryption keys.

daveinpublic 633 comments · 12 Years

I love the direction Apple is going with this.

I think they've realized they have an open lane to the finish line here, a set of features they can release with zero competition. Because they have the only business model that allows this type of innovation.

But, still, I think Google and others will follow. Just more slowly and cautiously. And that's the reason I love it, it's going to make privacy more asked about, a more main stream and desirable feature. Companies will start competing on privacy, not wanting to be the most egregious offender. And I do think you'll see die hard Android geeks switching over, noticeable amounts.

In the past, it almost seemed like companies were competing to have the most violations of privacy. Facebook is obviously a troll in this area, but what really upset me was how they bought Oculus and then recently required a FB login to even use your Oculus headset. They did this around the time they started banning FB users for sharing any Hunter Biden stories. And at the same time, they started saying that you have to have a FB login in 'good standing' to use your Oculus headsets. What's the worst thing that could happen, if my social media site has complete control over whether I use my entire OS or not?

rob53 3312 comments · 13 Years

I have to wonder if the US government will look at this feature as "yet another" anti-competitive attempt at locking in Apple users. I'm sure 99.99% of Apple users will enjoy this default capability but there will be companies, like @22july2013 mentioned, who won't like it and will go crying to their lobbyists to force the government to stop it. The interesting thing is this feature is something that would actually help secure Apple users web activity and therefore their information, which is something we've been trying to do for decades. Now that it's finally happening, along with the potential for encryption keys, thank you @robaba, our own government thinks Apple is getting too powerful. Of course they are and we love it! We want security whether we know it or not and that's what bothers our government as well as all others. This will make it even more difficult for the NSA, FBI and radical police agencies to sniff our absolutely valid computer use in an attempt to profile every US citizen. This is not a conspiracy theory, we've been seeing it in everyone's news articles. We want our constitutional rights to privacy, whether some people think we have them or not. Way to go Apple!