Private Relay spreads to Edge

Update 18 May 2022: Most of this post assumed that MS would be following the same privacy practices as Apple. They are not.

I spotted some very pleasing news today. A few months ago I was fawning over iCloud Private Relay and I said “this killer feature doesn’t have to be Apple-specific … dammit big tech, copy this idea!”. And they are!

Windows Central reports that Microsoft is developing an equivalent technology called “Microsoft Edge Secure Network”, which already has a moderately informative support page. I’m not quite excited enough to run Edge Canary builds on machines that I rely on day-to-day so I haven’t got to use it yet, but it’s already fairly clear how this will stack up against Apple’s offering.

The current interface, from the screenshot on Microsoft’s support page

There are some things in common. First, this is a feature of the web browser rather than a systemwide VPN. To me this makes a lot of sense. For most people the web browser is where the most tracking and passive surveillance occurs and also where they are doing their most sensitive interactions over the network, i.e. browsing topics or content they would rather keep confidential. A full VPN is more thorough but negatively impacts other traffic like video conferencing and games. A browser also ostensibly has oversight and control over all the ways identifying information could be leaked, although it’s no mean feat to make this watertight. By making Secure Network part of the browser it’s plausible that Edge for iOS could support it too; however, there may be other constraints that make this difficult, such as Apple’s requirement to use the iOS-provided WebKit.

Both Microsoft and Apple have chosen to partner with Cloudflare to handle egress of customer data. Microsoft already has a pretty comprehensive global network so hopefully this outsourcing is a deliberate choice to insulate themselves from the browsing data. Apple uses a scheme where the browser vendor is unable to see any of the URLs that the user is requesting and the egress partner is unable to correlate a given HTTP request with a particular user. I haven’t been able to find any similar documentation from Microsoft yet. In my experience Apple also uses Akamai for egress while Microsoft has so far mentioned only Cloudflare.

There are also some interesting differences. Microsoft clearly intends to make this freely available to anyone who has signed up for an MS account, albeit with only 1 GB of data per month. That’s more generous than Apple, which requires you to spend at least a dollar or two per month to get on the minimum tier of iCloud+. I presume that once the feature is deployed more widely there will be a way to get more or unlimited data—hopefully either as a standalone payment or as part of an M365 account.

If they did continue with the concept of a Secure Network data quota that would be rather disappointing. It frames the feature as a “sometimes” thing that you only turn on when you’re doing something sensitive. This would be flawed for two reasons. As any fan of encrypted email will tell you, if you only encrypt some of your communications then it highlights to any observer that you’re up to something interesting. Secondly, privacy in the web browser is death by a thousand trackers. Even if you’re not researching some embarrassing medical condition, our aggregate browsing activity grouped by IP address gives advertisers plenty of insight into what we’re doing. Having a security feature that needs to be turned on every time you launch the browser or comes with tight limits doesn’t really solve the problem. With luck, the team at Microsoft has already thought about this and paying users will get the always-on experience.

The spread of this idea is super-exciting to see in general. Both Mac and Windows users will soon have the ability to browse with IP address anonymisation, without putting blind faith in some small foreign company or putting up with slow speeds. Microsoft has been on an uphill battle to differentiate Edge from the other browsers available on PC and this might give them a helpful push. Although Edge and Chrome share a lot of code, the fundamental thing that sets Edge apart is that Google gets most of its revenue from ads; Microsoft much less so. Microsoft has incentives to protect their users’ browsing data from third parties in a way that Google does not. (I am well aware that MS and Bing are enthusiastic to ingest your data to target their own advertising, which I turn off, but I think my point stands.)

And what of the Linux users? There’s Tor of course, with all the compromises and caveats that entails. Mozilla’s VPN is looking a little shabby in comparison to these Cloudflare-driven solutions, being a more-expensive repackaged Mullvad VPN that’s only available in a few countries. Brave’s Private Tor Windows offer a neat middle ground but still rely on the Tor network and aren’t as hardened as the real Tor Browser. Hopefully one of these vendors (or another) will step up to provide something similar or FOSS users will be left behind.

In short, an exciting development. There aren’t many industry trends nowadays that make me think, “wow, this is really going to help users be more private online” but this one is going the right way.