Apple’s Private Relay is a wonderful bit of technology. It hides your IP address from the sites you visit while taking special measures to maintain your privacy. Unlike a traditional VPN, Apple and Cloudflare can’t see both who you are and which websites you’re visiting. It’s a great pro-privacy concept that isn’t Apple-specific—any browser vendor could do this with the right partners.
Microsoft’s upcoming “Secure Network” feature for Edge looked like it was going to offer exactly the same thing, including using Cloudflare as a partner. Unfortunately it’s very different. The support article has been updated and it now explains what Cloudflare will see.
When requests are sent to the Cloudflare proxy, Cloudflare will observe your source IP, the destination IP address (website) you are accessing, source port, destination port, timestamp, and access token provided by Edge.
In other words, Cloudflare sees everything you’re doing. This juicy sentence is of course sandwiched in paragraphs of nice-sounding text about how rigorous and virtuous Cloudflare’s privacy practices are, and how they won’t divulge this information or block any websites unless, you know, they absolutely have to. Or if they mess up.
It’s not good enough. It’s not that I have anything against Cloudflare specifically. There’s probably nothing they could do in this situation to make it better. The design stinks; the state of the art has moved on. Apple has shown that we shouldn’t be putting blind faith in our VPN/proxy providers any more. I would sooner take my chances with ad blockers than put all my eggs in the Cloudflare basket. Imagine how much easier it would be to maintain TEMPORA when Cloudflare’s DCs are part of the route for so much “private” traffic?
So what should Microsoft be doing? Let me quote from the iCloud Private Relay Overview:
Private Relay is built on the principle that IP addresses that identify users need to be separated from the names of websites that users access. To achieve this separation, Apple has engineered an innovative dual-hop architecture in which users’ requests are sent through two separate internet relays operated by different entities.
The second internet relay (also known as the “egress proxy”) has the role of assigning the Relay IP address they’ll use for the session, decrypting the website name the user has requested and completing the connection. The second internet relay has no knowledge of the user’s original IP address and receives only enough location information to assign them a Relay IP address that maps to the region they are connecting from.
The architects of this at Microsoft must know perfectly well what Apple was doing, and decided to take the less-private alternative. It’s disappointing and I would also like to know why they made that decision. Patents, foolishness, coercion or just a general lack of concern for the privacy of their users?
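The separation the quoted overview describes, modelled as an added example (not Apple's or Microsoft's code): a toy two-hop relay in which the client wraps the site name for the egress proxy and the egress address for the ingress relay, beside the single-proxy arrangement the Edge support article describes. The keystream cipher, keys, addresses, region and site name are constructed stand-ins, not the real protocol.

```python
import hashlib
import json

# Toy keystream cipher (SHA-256 in counter mode), standard library only.
# It only models "this layer can be opened by the holder of this key";
# it is not a real cipher. Keys and addresses below are constructed samples.
def _keystream(key: bytes, n: int) -> bytes:
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

unseal = seal  # XOR with the same keystream undoes the sealing

INGRESS_KEY = b"ingress-relay-key"
EGRESS_KEY = b"egress-proxy-key"
INGRESS_ADDR = "203.0.113.10"   # what the egress proxy sees as its peer

def single_hop_proxy(client_ip: str, site: str) -> dict:
    """Edge Secure Network per the support article: one proxy logs both facts."""
    return {"source_ip": client_ip, "destination": site}

def dual_hop_relay(client_ip: str, region: str, site: str) -> tuple:
    """Private Relay model: the client wraps the site name for the egress
    proxy, then wraps that blob plus the egress address for the ingress relay."""
    inner = seal(EGRESS_KEY, json.dumps({"site": site, "region": region}).encode())
    outer = seal(INGRESS_KEY, json.dumps(
        {"next_hop": "egress.example", "payload": inner.hex()}).encode())

    # Ingress relay: knows who is connecting, sees only an opaque payload.
    ingress_view = json.loads(unseal(INGRESS_KEY, outer))
    ingress_log = {"source_ip": client_ip, **ingress_view}

    # Egress proxy: opens the inner layer; its peer is the ingress relay,
    # not the user, and it learns only the region needed to pick a Relay IP.
    egress_view = json.loads(unseal(EGRESS_KEY, bytes.fromhex(ingress_view["payload"])))
    egress_log = {"source_ip": INGRESS_ADDR, "destination": egress_view["site"],
                  "relay_ip_region": egress_view["region"]}
    return ingress_log, egress_log

def links_user_to_site(log: dict, client_ip: str, site: str) -> bool:
    """True when one party's log alone ties the user's IP to the site visited."""
    text = json.dumps(log)
    return client_ip in text and site in text
```

Run `dual_hop_relay("198.51.100.7", "US-West", "example.org")` and compare the two returned logs with `single_hop_proxy(...)`: only the single proxy's log holds both the user's address and the site.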