What Is iCloud Private Relay and How Does it Work?
What Is iCloud Private Relay?
When it comes to privacy, one of the internet’s biggest flaws has always been that, thanks to the way the DNS system works, ISPs can track which websites you visit. iCloud Private Relay is an Apple service, included as part of iCloud+, designed to remedy this, by making it harder to track users when they use Apple’s Safari browser. It masks a user’s DNS records and IP addresses. This also helps prevent activity tracking across network providers and websites, which prevents ad-targeting or phishing attacks built around user profiling. The system is designed so that no one but the user can monitor their online activity.
What Does iCloud Private Relay Do?
iCloud Private Relay keeps your internet activity private by hiding your IP address from the websites you visit. The service also encrypts your data as it leaves your device, which helps prevent man-in-the-middle monitoring and ensures anything you do request remains private. iCloud Private Relay keeps your website requests private by obfuscating your DNS queries.
How Does Private Relay Work?
iCloud Private Relay separates requests for internet resources from the identity of the requester. It does so by sending requests through two secure ‘hops’, or internet relays.
Your IP address remains visible to your network provider and also to the first relay, called the “ingress server” and operated by Apple. But the content is then sent through a second relay (the “egress server”), which is operated by a third-party content delivery network (CDN). These are known to include Akamai, Cloudflare, and Fastly.
That second relay sees an encrypted DNS request but knows nothing about who is making that request. DNS records are encrypted, and the actual IP address is separated from the query, so no one in the chain can see track your activity. When a request is made, the destination server can only see that the request comes from the egress server, which provides a temporary IP address unrelated to the user.
In use, those temporary IP addresses change over time for additional protection and can also be handed to another CDN for handling, making it even more difficult to track the user. The response is sent to the egress server which then sends it to the Apple-controlled ingress server in encrypted form. The data—for example, the website the user wants to visit—is then delivered to the user.
Apple never knows what content has been requested; all it knows is who to send the data to, while the third-party egress server is never aware of the user’s IP address. An exception is when a user requests regionally specific content. In those cases, servers sometimes demand an IP address. To manage this, iCloud Private Relay will not share the specific location but will provide an IP address that represents the region the user is in.
How Does iCloud Private Relay Protect Your Data?
iCloud Private Relay makes use of a host of internet transport and security protocols to do what it does. Two key technologies include the QUIC (Quick UDP Internet Connections) protocol used to handle multiple streams of data and Oblivious DNS over HTTPS (ODoH). The latter was jointly developed by Apple, Cloudflare, and Fastly. Technically, Apple’s ingress server routes data through a Mask iCloud URL (for example, mask.icloud.com), usually via port 443.
How Do Users Implement iCloud Private Relay?
iCloud Private Relay requires that the user is running iOS 15, iPadOS 15, or macOS 12 or later. It also requires an iCloud+ subscription. A user who meets those qualifications can enable Private Relay within the iCloud section of Settings (iPad/iPhone) or System Settings (Mac). When enabling iCloud Private Relay users can choose to maintain their general location, which is the best setting for access to websites, or to share only country and time zone, which makes a user’s location more obscure but means some sites won’t work for that user.
iCloud Private Relay may not always be the best security solution. For example, it will not work if a user visits a country in which the service is not provided; those include China, Belarus, Colombia, Egypt, Kazakhstan, Saudi Arabia, South Africa, Turkmenistan, Uganda, and the Philippines. Private Relay will notify you when it's unavailable and when it's active again, but while it is disabled network providers and website will once again be able to monitor your activity in Safari.
How Is iCloud Private Relay Different From a VPN?
While iCloud Private Relay does provide some security against user tracking and profiling, it is not a Virtual Private Network (VPN). Not only is the system designed so that it only works within Safari, but it will not function in some locations.
Another concern is that, due to the architecture of iCloud Private Relay, there are some websites, such as those reliant on IP filtering, monitoring, or rate-limiting that may not work without your IP address. In response, a user can choose to turn off the protection completely to visit the site, though it is also possible to turn Private Relay off on a specific per-site basis:
- Mac: Navigate to the site and in Safari’s View menu choose Reload and Show IP Address.
- iPhone/iPad: Navigate to the site, tap the Page Settings button, and then tap Show IP Address.
Some applications, including VPNs and internet filtering software, may require settings or extensions that are incompatible with this feature.
Is iCloud Private Relay Safe?
Nothing is ever completely secure in tech. When it comes to iCloud Private Relay, the service will funnel internet data requests made using Safari via Private Relay, but this protection is not foolproof. For example, Apple and its partners may be able to access the content of visited pages if they load over HTTP and not HTTPS. That the service does not work outside of Safari or in some nations also makes it a less secure alternative to classic VPN services.
Another concern is that iCloud Private Relay does reveal that a request is coming from an iPhone, iPad, or Mac and suggests that the request emanates from a user with an iCloud+ subscription.
Managing iCloud Private Relay
In some cases, IT may need to restrict the use of iCloud Private Relay on managed devices in favor of the official company VPN. Some enterprises may also have a policy that requires all network traffic to be audited. While any device using Private Relay inherently validates that it is an iPhone, iPad, or Mac and that the user has an iCloud+ subscription, Apple does let network admins disallow the feature on a per device level using MDM. While implementations vary, the Disallow iCloud Private Relay control (available within the Restrictions panel in Kandji) prevents use of the service. Apple has published additional information for server and network admins.