How Apple iCloud Private Relay works
In a WWDC developer video, Apple has further explained what protection its iCloud Private Relay will give users, plus how exactly it works to increase privacy.
Announced at the WWDC 2021 Keynote, iCloud Private Relay is a new feature for Apple users which will prevent third-party companies determining web-browsing habits. It's not going to be available in all countries, but for those that it is, Apple has produced a system that it claims will greatly protect users, yet not also slow down their internet.
"When someone accesses the internet, anyone on their local network can see the names of all of the websites they access based on inspecting DNS queries," says Tommy Pauly of Apple's Internet Technologies group, in a new video for developers.
"This information can be used to fingerprint a user and build a history of their activity over time," he continues. "No one should be able to silently collect all of this information, whether it's a public Wi-Fi operator, another user on the network, or an internet service provider."
Pauly also describes how servers can see a user's IP address when they access a site, and says that "even worse," those servers can "fingerprint user identity" across different sites.
"These are big problems for user privacy, and in order to fix them, we need a new approach that has privacy built in by design," he says. "iCloud Private Relay adds multiple secure proxies to help route user traffic and keep it private."
"The proxies are run by separate entities," continues Pauly. "One is Apple, and one is a content provider."
Apple does not say which firm, or firms, are the other entity. Delziel Fernandes, also from Apple's Internet Technologies group, refers instead solely to what he calls ingress servers, run by Apple, and egress servers, run by other firms.
"When a device tries to access a server, it first sets up a network connection to the ingress proxy," says Fernandes. "This connection is set up using an IP address assigned by the network provider... [and the] egress proxy then forwards these requests to the destination servers by choosing an IP address that maps to the device's city or region."
What this means for the user is that Apple doesn't track which websites they're accessing. And neither the egress server company nor the destination website can track their identities in any way.
What web and network traffic will be protected by iCloud Private Relay
It does not cover all internet traffic, however. Apple says that iCloud Private Relay will apply to:
- All Safari web browsing
- All DNS queries as users enter site names
- All insecure HTTP traffic
What web and network traffic will not be protected by iCloud Private Relay
Apple says that it will also apply to "a small subset of traffic from apps." However, it also listed multiple categories of internet traffic that will not be protected by iCloud Private Relay:
- Local network connections
- Private domain name queries
- Traffic using a regular VPN
- Internet traffic using a proxy
This is similar to how a VPN works, but iCloud Private Relay is not intended to be an Apple-branded VPN. Apple says that the Private Relay guarantees that users can't use the system to pretend to be from a different region. This allows developers to enforce region-based access restrictions.
There are features developers can access within iCloud Private Relay that mean they can ask for a user's specific location — if the user allows, and if the app requires it. But otherwise location data is set by the egress server. That third-party and presumably trusted company adds an IP address "that maps to the device's city or region."
So a site or a service gets some location data and it's broadly right, it's correct enough to be useful for, say, a store showing its prices in the right currency or content-gating by geography.
The new iCloud Private Relay is to be introduced alongside macOS Monterey, iOS 15, and iPadOS 15 when they launch later in the year. It will require an iCloud+ subscription, and users will have to choose to turn on Private Relay — though it is likely to default to on.
"Private Relay is built into iOS and macOS, so you don't need to do anything to adopt it from your app," Pauly told developers. "It's also important to understand that it won't always be affecting your app. It will only apply when a user is an iCloud+ subscriber and has Private Relay enabled."
Follow all the details of WWDC 2021 with the comprehensive AppleInsider coverage of the whole week-long event from June 7 through June 11, including details of all the new launches and updates.
Stay on top of all Apple news right from your HomePod. Say, "Hey, Siri, play AppleInsider," and you'll get latest AppleInsider Podcast. Or ask your HomePod mini for "AppleInsider Daily" instead and you'll hear a fast update direct from our news team. And, if you're interested in Apple-centric home automation, say "Hey, Siri, play HomeKit Insider," and you'll be listening to our newest specialized podcast in moments.