Private Relay

As I scroll through the list of WWDC21 sessions I don’t think I’m going to see any breakthroughs in Bluetooth support like I was hoping for this year.

However. However. iCloud Private Relay makes up for it. This will be huge. The keynote understated it. As is often the way, the impact isn’t because they came up with an original idea, but because it’s Apple who’s doing it. If certain companies were irritated by App Tracking Transparency, this is going to send them into conniptions.

Why am I getting so carried away? Well, it’s kind of a VPN, with some Tor-like properties. The upshot is that if you browse in Safari (it also covers DNS lookups and any plain-HTTP traffic from apps), web servers won’t get your real IP address, only one drawn from a pool for your approximate region, so it looks local but isn’t unique to you. Apple has split the job across two relays, working with external providers: the first hop, run by Apple, sees your IP address but not where you’re going, and the second hop, run by a partner, sees where you’re going but not who you are. Nobody in the chain can trivially correlate all your traffic to your Apple ID.
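To make the “who learns what” point concrete, here is an added information-flow model (my illustration, not Apple’s code or protocol) comparing a conventional one-hop VPN with a two-hop relay. The two-hop split itself, an ingress that knows the client’s address and an egress that knows the destination, is how Apple publicly describes Private Relay; everything else is an assumption for illustration: sealing is modelled as key-checked opacity rather than real encryption, and the IP addresses and site name are constructed from documentation ranges.

```python
"""Who sees what: one-hop VPN versus two-hop relay (illustrative model)."""
from dataclasses import dataclass, field


@dataclass
class Sealed:
    """An opaque blob that only the holder of `key` can open.

    Stands in for an encryption layer; it does not implement any cipher.
    """
    key: str
    payload: object

    def open(self, key: str) -> object:
        if key != self.key:
            raise PermissionError("blob is sealed for another party")
        return self.payload


@dataclass
class Party:
    """A network participant that records the facts it can observe."""
    name: str
    addr: str
    key: str
    observed: set = field(default_factory=set)

    def note(self, *facts: str) -> None:
        self.observed.update(facts)


# Constructed sample values (RFC 5737 documentation ranges, not real hosts).
CLIENT_IP = "203.0.113.7"
SITE = "example.com"


def one_hop_vpn(client_ip: str, site: str) -> dict:
    """A single operator terminates the tunnel and forwards to the site."""
    vpn = Party("vpn", "198.51.100.1", "k-vpn")
    site_log = Party("site", site, "k-site")
    tunnel = Sealed(vpn.key, {"dest": site, "req": "GET /"})
    inner = tunnel.open(vpn.key)          # the VPN reads the destination
    vpn.note(f"client={client_ip}", f"dest={inner['dest']}")
    site_log.note(f"src={vpn.addr}")      # the site sees the VPN's address
    return {p.name: p.observed for p in (vpn, site_log)}


def two_hop_relay(client_ip: str, site: str) -> dict:
    """Ingress knows the client, egress knows the destination, never both."""
    ingress = Party("ingress", "198.51.100.1", "k-ingress")
    egress = Party("egress", "192.0.2.50", "k-egress")
    site_log = Party("site", site, "k-site")
    # Layered sealing: the outer layer names the next hop, the inner the site.
    inner = Sealed(egress.key, {"dest": site, "req": "GET /"})
    outer = Sealed(ingress.key, {"next": egress.addr, "blob": inner})

    hop1 = outer.open(ingress.key)
    ingress.note(f"client={client_ip}", f"next={hop1['next']}")
    try:
        hop1["blob"].open(ingress.key)    # ingress cannot read the destination
    except PermissionError:
        pass

    hop2 = hop1["blob"].open(egress.key)  # egress sees dest, but src is ingress
    egress.note(f"src={ingress.addr}", f"dest={hop2['dest']}")
    site_log.note(f"src={egress.addr}")
    return {p.name: p.observed for p in (ingress, egress, site_log)}


def links_client_to_site(observed: set, client_ip: str, site: str) -> bool:
    """True if one party alone can tie this client to this destination."""
    return f"client={client_ip}" in observed and f"dest={site}" in observed


if __name__ == "__main__":
    for label, fn in (("one-hop VPN", one_hop_vpn), ("two-hop relay", two_hop_relay)):
        print(label)
        for name, facts in fn(CLIENT_IP, SITE).items():
            print(f"  {name:8s} sees {sorted(facts)}")
```

The interesting assertion is the negative one: in the two-hop run, no single party’s `observed` set contains both `client=` and `dest=`, whereas the VPN operator’s does. Collusion between the two hops, or control of the client software, collapses the distinction, which is the trust point the next paragraph makes.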

Realistically you’re still putting a lot of trust in Apple, since they control the whole software stack and run the first hop. I wouldn’t rely on this if I were into doing crimes, but it should be quite enough to throw off advertisers and trackers who like to follow you around using your consistent IP address. Bear in mind that it only hides the IP address: cookies, browser fingerprinting and anything you’re logged in to still identify you exactly as before.

VPNs have been around forever of course. What makes this one special is that millions upon millions of iCloud+ subscribers are suddenly going to turn this on when they upgrade to iOS 15 and macOS 12. This will push huge amounts of general browsing through the system, blending lots of mundane traffic with anything that’s actually privacy-sensitive.

Websites are not going to be able to say “no” to Private Relay. Well, they can, and some will try, probably claiming it “reduces security” or some such rubbish, but it will be a very tough sell to get users to turn it off. Apple’s staked out the moral high ground perfectly here: “Why should I do that? You’re just trying to track me, aren’t you?”

Similarly, trying to block Private Relay on an internet connection that you provide would be very unpopular. If you block Tor traffic you only have a few angry nerds to contend with. The sheer number of Apple users will make it much harder to say no, and with so many users on the system, the people who are trying hard to maintain their privacy will no longer be drawing attention to themselves.

Apple’s egress policy is calibrated to perfection. If they let you escape from your own country then DRM content providers would have a legitimate argument that it can be used to circumvent commercial restrictions. Unlike many VPNs, that argument won’t apply: you will use a proxy located in the same region. This also preserves general website localisations, which are legitimately useful. I would be inclined to turn it off if websites sometimes displayed in German. If even the coarse location is too much, the Private Relay settings offer a choice between keeping your general location and revealing only your country and time zone.

An advantage this system has over Tor is that you’re dealing with known, reputable companies at every step. I say that not to throw shade at the Tor Browser team specifically, more so at the network of relays and exit nodes, which you don’t know and which are assumed to be potentially malicious. People who opt in to using Tor are interesting almost by definition, so if there is a browser vulnerability or other leak that an exit node can feed in to unmask a user, perhaps they will. For my threat model, that bothers me more than trusting Apple’s proprietary software stack.

What remains to be seen is what Apple will do when criminal activity is traced back to its egress nodes, which will inevitably happen. As best I can tell their strategy will be telling law enforcement “I’m sorry, I can’t help you with that. Find another way.” Otherwise all of their marketing around this feature wouldn’t make any sense. How many governments will sit still for that, especially if this feature is affecting their clandestine mass surveillance? I really don’t know, but it’s an argument worth having.