Apple touted its privacy work at its online WWDC event earlier this year.
Apple/Screenshot by Stephen Shankland/CNET
When Apple announced a trio of new subscription services at an event in June, the headliner was Private Relay, a browser-based encryption boost aimed at the people who are turning to VPNs for better online privacy. Now, with iOS 15's arrival on Monday, a wider swath of Apple users will be able to test drive the proxy service for themselves.
Although Apple executives have begun positioning the new Safari encryption service as a VPN alternative, Private Relay is not, strictly speaking, a VPN. We're still waiting on the details of how the service works, but mistaking it for a VPN could be dangerous for people who rely on VPNs for personal safety, and futile for those seeking a way around government censorship.
On the other hand, Private Relay can be used alongside a traditional VPN, whether that's a personal or a company VPN. According to Apple's guidance to developers, that currently means Private Relay stays out of the way of your VPN: traffic carried by the VPN tunnel is not sent through the relay. The tech behind Private Relay, however, could theoretically represent a significant leap forward for overall privacy among commercial (though not enterprise) VPN users as additional research emerges on its potential to prevent from .
With an underlying technology that centers on encryption, it’s unlikely Private Relay will be offered in countries where it may interfere with domestic surveillance or contradict anti-encryption laws. Apple confirmed Private Relay won’t be available in China, one of its most important markets. Private Relay will also be unavailable in Belarus, Colombia, Egypt, Kazakhstan, the Philippines, Saudi Arabia, South Africa, Turkmenistan and Uganda.
Apple said it will offer Private Relay only in accordance with local laws but that other announced iCloud Plus privacy features, like Hide My Email, may be available in restricted areas as local laws permit.
For the rest of the world, however, Private Relay's addition to Safari represents a potentially groundbreaking shift in how a browser protects you from aggressive tracking by advertisers. Beyond raising the bar on browser privacy, a curious piece of underlying tech in Private Relay is poised to open a new chapter in the browser wars.
Apple Private Relay vs. a standard VPN

| | VPN | Private Relay |
|---|---|---|
| Hides your real public IP address (who you are and where you are) from the sites you visit, end to end | Yes | Yes* |
| Assigns you a new IP address when you connect | Yes | Yes |
| Encrypts all outgoing traffic from your device through its app | Yes | No |
| Lets you get past geo-location blocks and censorship to reach media | Yes | No |
| Makes your traffic blend in with everyone else's (VPN obfuscation, offered by the best VPNs) | Yes | No |

*Private Relay's IP-hiding benefits are limited to Safari, plus DNS queries and a small subset of other traffic.
How Private Relay differs from a VPN
No device-wide encryption via an app: While many VPNs also offer a browser-only extension, a true standalone VPN is designed to encrypt all of the traffic leaving your device through its app. It assigns you a new IP address and routes you through one of its network of servers before delivering you to the destination website. Private Relay, by contrast, handles only part of your device's traffic. Apple has told developers that Private Relay covers Safari browsing, your device's DNS queries, and a small subset of app traffic (unencrypted HTTP). Connections an app makes over the local network or to private domain names are unaffected, as is traffic that already goes through a configured proxy. In other words, if you browse with Chrome on your iPhone, don't expect any Private Relay protections or features.
No geo-block circumvention: A key feature of a VPN is the ability to get past geo-blocking and reach global content on an open web. Some people use that feature to watch their home country's streaming catalog while abroad. For those living in countries burdened by censorship and oppressive regimes, VPNs offer a way around geo-restrictions to reach crucial information and news safely. Private Relay is explicitly designed to respect geo-blocking and does not hide your general region or city from internet providers or authorities.
No traffic obfuscation: Encrypted VPN traffic looks quite different from ordinary traffic, so the best VPNs camouflage it to resemble normal traffic, a process called obfuscation (or, more specifically, VPN obfuscation). Getting past geo-blocking or out of an organization's network takes more than appearing to be somewhere else; your traffic has to look inconspicuous, and that is what obfuscation provides. Although Apple sometimes uses the word obfuscation loosely to describe how Private Relay traffic can resemble normal traffic in some contexts, when you use Private Relay on a business or school network its proxy traffic is readily identifiable, and the service makes no attempt at VPN-style obfuscation. Accordingly, Apple has published instructions for business and school network managers on how to accommodate this traffic, or how to block it outright by refusing to resolve the hostnames of the Private Relay proxy (mask.icloud.com and mask-h2.icloud.com).
Split-tunneling differences: Split-tunneling, a handy feature of most leading VPNs, lets you forgo device-wide encryption and send only one or more apps through the VPN, creating two "tunnels" of internet traffic. It helps in specific situations, such as when you want one app to go through the VPN but want to keep browsing normally. Private Relay has no user-controlled equivalent, but it automatically exempts local-network and private-domain connections, so you can keep using Private Relay while connected to your workplace's private network, for instance.
Multi-hop architecture: Many VPNs offer multi-hopping (or a "double hop"), which covers your trail better by chaining you through a series of servers before you land at a website. Private Relay offers what Apple calls a "dual hop architecture," which is different from VPN multi-hopping. Its two hops split knowledge rather than merely adding distance: the first hop, run by Apple, sees your real IP address but not where you're going and swaps in a coarse location; the second hop, run by a partner, decrypts the name of the website you're requesting but never sees your real IP address.
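Because the relay's first hop is reached by a fixed, documented hostname, a network operator can see who is using it in ordinary resolver logs. The following is an added example, not Apple's or any vendor's code: it scans a few constructed dnsmasq-style query lines (the log format is an assumption for the demo), reports which clients asked for the Private Relay hostnames, and shows the resolver decision Apple documents for networks that want to opt out (a negative answer for those names, everything else resolved normally). It generalizes slightly beyond the text by matching subdomains and ignoring case and trailing dots.

```python
"""Find devices using iCloud Private Relay from resolver logs.

Added example, not Apple's or any vendor's code. Apple documents that devices
reach Private Relay through mask.icloud.com and mask-h2.icloud.com, and that a
network which does not want the service can refuse to resolve those names.
The log lines below are constructed for the demo in dnsmasq's
"query[TYPE] name from ip" shape; the exact format is an assumption.
"""
import re
from collections import defaultdict

PRIVATE_RELAY_NAMES = ("mask.icloud.com", "mask-h2.icloud.com")

# Constructed sample log (not captured from a real network).
SAMPLE_LOG = """\
Sep 20 09:01:02 gw dnsmasq[421]: query[A] mask.icloud.com from 192.168.1.23
Sep 20 09:01:02 gw dnsmasq[421]: query[HTTPS] mask.icloud.com from 192.168.1.23
Sep 20 09:01:05 gw dnsmasq[421]: query[A] example.com from 192.168.1.40
Sep 20 09:02:11 gw dnsmasq[421]: query[A] mask-h2.icloud.com from 192.168.1.57
Sep 20 09:02:12 gw dnsmasq[421]: query[A] notmask.icloud.com from 192.168.1.58
Sep 20 09:03:00 gw dnsmasq[421]: query[A] MASK.icloud.com. from 192.168.1.23
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<ip>\S+)")


def is_private_relay_name(name: str) -> bool:
    """Exact or subdomain match, case-insensitive, trailing dot tolerated.
    'notmask.icloud.com' must NOT match, so a plain substring test is wrong."""
    n = name.rstrip(".").lower()
    return any(n == r or n.endswith("." + r) for r in PRIVATE_RELAY_NAMES)


def find_private_relay_clients(log_text: str) -> dict:
    """Map client IP -> {"queries": count, "names": set, "qtypes": set}
    for every client that asked for a Private Relay hostname."""
    clients = defaultdict(lambda: {"queries": 0, "names": set(), "qtypes": set()})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or not is_private_relay_name(m["name"]):
            continue
        entry = clients[m["ip"]]
        entry["queries"] += 1
        entry["names"].add(m["name"].rstrip(".").lower())
        entry["qtypes"].add(m["qtype"])
    return dict(clients)


def resolver_policy(name: str, allow_private_relay: bool) -> str:
    """Answer a network resolver should give. Apple's documented opt-out is a
    negative answer for the relay hostnames; every other name resolves normally."""
    if not allow_private_relay and is_private_relay_name(name):
        return "NXDOMAIN"
    return "RESOLVE"


if __name__ == "__main__":
    for ip, info in sorted(find_private_relay_clients(SAMPLE_LOG).items()):
        print(ip, info["queries"], sorted(info["names"]), sorted(info["qtypes"]))
```

Run against a real resolver log, the client list tells an administrator which devices have Private Relay switched on before deciding whether to accommodate or block it; the `HTTPS` query type in the sample reflects that Apple devices also ask for HTTPS records for the relay hostname, so filtering on A records alone undercounts.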
What we know about Private Relay
Private Relay has two end goals. The first is to limit how much data advertisers and ISPs can see about your browsing. The second is to ensure that Apple can see only who you are and not what sites you visit, while the third-party servers that carry you to those sites can see where you're going and your rough location but not who you are.
Here's how it's done. Private Relay is built into both the forthcoming iOS and MacOS versions, but it works only if you're an iCloud Plus subscriber and have enabled it in your iCloud settings.
Once it's enabled and you browse in Safari, Private Relay separates two pieces of information that, when delivered to websites together as usual, could quickly identify you: your IP address (who and exactly where you are) and your DNS request (the name of the website you want to reach, which a resolver translates into a numeric address).
Once the two are separated, Private Relay encrypts your DNS request and sends both your IP address and the now-encrypted request to an Apple proxy server, the first of two stops your traffic makes before you see a website. The request is encrypted to a key held by the third party that runs the second stop, not by Apple, so Apple can't see which website you're asking for. All Apple can see is your IP address.
Although it receives both your IP address and the encrypted DNS request, Apple's server doesn't pass your original IP address on to the second stop. Instead, your connection is given an anonymous IP address associated only with your general region or city.
That approximate location can mean different things in different places, however. "It's obviously very different technology, but in general with approximate location on the iPhone, the size of the area can change depending on the place in the world you are and population density and things like this," an Apple spokesperson told CNET.
Using San Francisco as a hypothetical example, the size of that approximate location could narrow.
"With the approximate location, I could be anywhere in the peninsula of San Francisco. So you could think that I'm up at the northern end of San Francisco near Ghirardelli Square or the app could be getting information that I'm down near Cesar Chavez [Street]. It still gets a precise location. It's just that my precise location bounces around within that general area in such a way that no one knows where I actually am," the spokesperson said.
Once the new IP address is assigned, the Apple proxy server sends the encrypted DNS request and that new IP address to the next stop: another proxy server, run not by Apple but by a third-party company Apple has not yet named, which holds the key to decrypt your DNS request.
Finally, that third-party proxy server decrypts your DNS request, resolves it and forwards your connection to the destination website. The website sees only the relay's address and your general region; without your true IP address it can't pinpoint your exact location.
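To make the "who sees what" split concrete, here is an added simulation of the two-hop exchange described above. It is illustrative code, not Apple's implementation: the client seals its destination hostname to a key only the second hop holds, the first hop records the client's real IP but only a coarse region goes forward, and the second hop recovers the hostname but never learns the IP. The cryptography is deliberately a toy (a 64-bit Diffie-Hellman group and an HMAC-SHA256 keystream, both insecure at this size); the real service uses standardized constructions such as HPKE for ODoH. The IP-to-region table, the hostname and the party names are constructed for the demo.

```python
"""Two-hop relay simulation: who sees what.

Added illustration, not Apple's code. Models the split the article describes:
the client encrypts its destination to a key only the second hop holds, the
first hop (Apple) sees the client's real IP but not the destination and passes
on only a coarse region, and the second hop (the partner) sees the destination
but never the client's IP. Crypto is a TOY: a 64-bit Diffie-Hellman group and
an HMAC-SHA256 keystream. The IP-to-region table is constructed for the demo.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

P = 0xFFFFFFFFFFFFFFC5  # 2**64 - 59, prime; far too small for real use
G = 2


def _dh_key(peer_pub: int, priv: int) -> bytes:
    """Derive a 32-byte symmetric key from a Diffie-Hellman shared secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(8, "big")).digest()


def _keystream(key: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; acceptable here only because every key is
    derived from a fresh ephemeral DH exchange and used for one message."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: XOR with keystream, then a 16-byte HMAC tag."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()[:16]
    return ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject tampering."""
    ct, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()[:16]):
        raise ValueError("bad tag: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


@dataclass
class Egress:
    """Second hop (the partner). Holds the private key destinations are sealed to."""
    priv: int = field(default_factory=lambda: secrets.randbelow(P - 2) + 1)
    seen: list = field(default_factory=list)  # what this hop learns per request

    @property
    def pub(self) -> int:
        return pow(G, self.priv, P)

    def handle(self, region: str, eph_pub: int, blob: bytes) -> str:
        host = unseal(_dh_key(eph_pub, self.priv), blob).decode()
        self.seen.append({"region": region, "host": host})  # no client IP here
        return f"fetched https://{host}/ on behalf of region={region}"


@dataclass
class Ingress:
    """First hop (Apple). Sees the client IP, forwards only a coarse region."""
    geo: dict            # constructed IP -> region table (assumption)
    egress: Egress
    seen: list = field(default_factory=list)

    def handle(self, client_ip: str, eph_pub: int, blob: bytes) -> str:
        self.seen.append({"client_ip": client_ip, "blob": blob})  # no host here
        region = self.geo.get(client_ip, "unknown")
        return self.egress.handle(region, eph_pub, blob)  # real IP is dropped


def client_request(client_ip: str, host: str, ingress: Ingress) -> str:
    """Seal the destination to the egress public key, then send via the ingress."""
    eph_priv = secrets.randbelow(P - 2) + 1
    eph_pub = pow(G, eph_priv, P)
    blob = seal(_dh_key(ingress.egress.pub, eph_priv), host.encode())
    return ingress.handle(client_ip, eph_pub, blob)


def run_demo() -> dict:
    egress = Egress()
    ingress = Ingress(geo={"203.0.113.7": "San Francisco, CA"}, egress=egress)
    reply = client_request("203.0.113.7", "example.com", ingress)
    # An honest-but-curious ingress cannot open the blob: it lacks egress.priv.
    try:
        unseal(_dh_key(egress.pub, 12345), ingress.seen[0]["blob"])
        ingress_can_read = True
    except ValueError:
        ingress_can_read = False
    return {"reply": reply, "ingress_saw": ingress.seen, "egress_saw": egress.seen,
            "ingress_can_read_destination": ingress_can_read}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The point the simulation makes is that privacy here rests on the two operators not colluding: joining `ingress.seen` and `egress.seen` by request would re-link IP to destination, which is exactly why the question of who runs the second hop matters.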
The tech behind the curtain
With the second proxy server’s ability to see what websites you’re requesting and your general city, the pressing question quickly becomes who’s running that third-party server, a question Apple has so far declined to answer.
Within hours of Private Relay's announcement, however, it became evident that Cloudflare is at least one of Apple's partners in powering Private Relay, when app researcher Jane Manchun Wong confirmed on Twitter, using the then-available developer version, that her Private Relay traffic was exiting through Cloudflare's network. A wave of other users noted the same results, drawing comparisons between Private Relay and Cloudflare's own proxy app, Warp.
Cloudflare was a primary contributor to the effort to standardize the potentially game-changing element of Private Relay: its in-browser use of Oblivious DNS-over-HTTPS, or ODoH.