Anyone using iOS 15 will have noticed something different about their iCloud account. Apple is upgrading all paid iCloud accounts to something it calls iCloud+. It adds several interesting features to the existing storage, synchronization and cloud services, but the most notable may well be iCloud Private Relay. At first glance, it looks like some kind of VPN/proxy: Internet browsing traffic is encrypted and sent through a relay or node to hide the exact location, IP or content viewed by the user. But it’s not really a VPN, since only certain requests are redirected. There are important differences, which we describe here. iCloud Private Relay may be enough for most users, bringing the most obvious benefits of a VPN to millions of people who would never consider purchasing a subscription.

Private Relay is an upgrade in iOS 15 for users who have purchased an iCloud storage plan, either separately or as part of an Apple One plan. To turn it on, head into the Settings app, then tap your Apple ID name at the top. Then tap on iCloud and Private Relay (Beta). It is also possible to choose between two IP address locations: a general location, so that websites can deliver local content in Safari, or country and wider time zone, for more anonymity.

When Private Relay is enabled, all traffic in Safari is routed through two internet nodes, or relays. The data is encrypted and then sent to Apple, so the ISP cannot see any internet browsing requests. Once the requests arrive at Apple’s proxy server, the DNS query and the IP address of the iPhone, iPad, or Mac are separated. The IP address is stored by Apple, while the DNS request is transmitted, encrypted, to a trusted CDN provider who has the decryption key, along with a fake intermediate IP address based on your approximate location. Apple didn’t name its partners, but some netizens found them to be big internet backbone companies like Akamai, Cloudflare and Fastly.

This means that Apple knows the IP address, but not the name of the sites visited, and the trusted partner knows the site visited, but not the IP. Neither party can form a full picture of who the user is and where they have been. A visited website usually keeps logs with the exact IP and DNS request, which allows it to easily establish a fairly detailed profile of each visitor, their location and their journey. Add to that a few cookies, even seemingly harmless ones, and it’s pretty easy to profile all of a user’s activity, track it, trace it, and resell that data to advertisers and other intermediaries such as Criteo, MediaMath or AppNexus.

Apple’s two-proxy system makes it very difficult for a given company to profile an Internet user’s activity on the web. (Credit: Apple)
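The split of knowledge between the two relays can be modelled in a few lines. This is an added example, not Apple's protocol or code from the article: the function names, the region label and the documentation-range IP addresses are constructed, and a toy XOR keystream stands in for the real encryption.

```python
import hashlib
import secrets

# Constructed sample data: documentation-range IPs, hypothetical region label.
REGION_POOL = {"FR-west": "203.0.113.10"}

def toy_seal(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Toy stand-in for real encryption;
    applying it twice with the same key restores the input."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def first_relay(client_ip, region, sealed, log):
    """Apple's relay: sees the real IP, cannot read the sealed request."""
    log.append({"client_ip": client_ip, "payload": sealed})
    return REGION_POOL[region], sealed  # swap in a region-level address

def second_relay(relay_ip, sealed, partner_key, log):
    """Partner's relay: holds the key, only ever sees the replacement IP."""
    hostname = toy_seal(partner_key, sealed).decode()
    log.append({"source_ip": relay_ip, "hostname": hostname})
    return relay_ip, hostname

def browse(client_ip, region, hostname):
    """Send one request through both relays; return each party's log."""
    partner_key = secrets.token_bytes(32)  # assumption: shared with partner only
    apple_log, partner_log, site_log = [], [], []
    sealed = toy_seal(partner_key, hostname.encode())
    relay_ip, forwarded = first_relay(client_ip, region, sealed, apple_log)
    source_ip, host = second_relay(relay_ip, forwarded, partner_key, partner_log)
    site_log.append({"visitor_ip": source_ip, "host": host})
    return apple_log, partner_log, site_log

if __name__ == "__main__":
    for name, log in zip(("apple", "partner", "site"),
                         browse("198.51.100.7", "FR-west", "example.org")):
        print(name, log)
```

Joining the first relay's log with the second relay's log is the only way to rebuild the full picture, which is why the design depends on the two relays being run by different parties.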

Private Relay ensures that the websites consulted know nothing about the Internet user’s identifying information, so that the sites can no longer establish an activity profile. The IP addresses that Apple uses in place of the user’s actual address always approximate their general region; this is not enough to identify them personally, but it allows sites that use the IP address to deliver local news, weather, sports or other information to continue to function correctly. It is possible to use an even broader IP address location, but some of these sites may then not work properly. Note that Apple’s service does not allow you to choose an IP address or even a region, and will never give the impression that the user is from a totally different place. In other words, it is not possible to use this service to access geo-locked content in Netflix or other online services.

A lightweight VPN

As interesting as this Private Relay feature is, it is definitely not a VPN. It will do a great job preventing profiling of web activity based on basic connection data. But it has many shortcomings compared to a real VPN. Here are a few. Private Relay only works with Safari, and not, as a VPN tunnel would, with the other apps or web browsers you use. Technically, some other DNS information and a small subset of app-related web traffic use it, but it’s best to consider that it only works with Safari. It is easily identifiable as a proxy server, which many large networks, such as those of schools or businesses, do not work with. Most good VPNs disguise themselves to look like normal traffic without a proxy. As we mentioned, it cannot hide the region you are connecting from, only your specific IP location. It is therefore impossible to access content blocked in one region or consult websites from another country. To benefit from real confidentiality and better security on the Internet, or to access content available in other countries, it is necessary to use a VPN with advanced functions such as NordVPN or PureVPN. However, a VPN has to be downloaded, a subscription chosen and certain options configured.

To simply prevent websites from creating a user profile that will be resold to advertisers and data brokers, using iCloud Private Relay on an iPhone, iPad or Mac is a good option. It’s quick, easy, and included in the iCloud storage plan. But beware: since iOS 15.1 and watchOS 8.1, Private Relay and Mail’s privacy protection do not work on the Apple Watch. Checking Mail or opening a web link (sent via Messages) on the Apple Watch will reveal the real IP address.

Operators at war with Apple

With users reporting that some carriers are blocking access to iCloud Private Relay, Apple added new wording to the iOS 15.3 beta to clarify the situation and explain to users what is happening: “Private Relay is disabled for your cellular plan. Either Private Relay is not supported by your cellular plan or it has been disabled in cellular settings. When Private Relay is disabled, this network can monitor your internet activity and your IP address is not hidden from trackers or websites.”

According to the British daily The Telegraph, some operators in Europe (Orange, Telefonica and Vodafone) have disabled this function for users, and T-Mobile, the third-largest operator in the United States, has done the same for some of its customers there. These heavyweights have even filed a complaint with the European Commission to block Apple’s Private Relay initiative. “The way in which private relay is implemented will seriously undermine European digital sovereignty,” argue these operators. Remember that the practices of operators are not always malicious and do not only aim to collect and sell user data (although that may sometimes be the case!). Some carriers provide content filtering features, like parental controls, and iCloud Private Relay prevents them from working. To ensure compatibility with these functions, Private Relay must be disabled. The more elegant solution, of course, would be to allow users to enable Private Relay and simply warn them that these features may not work on this device, rather than taking the choice away from them altogether.