iCloud Private Relay for Low to Mid Level Threat Models

Apple's claim to be a privacy-respecting company feels both disingenuous and refreshing. On one hand, Apple logs quite a lot of user data that cannot be deleted by the user short of nuking an entire account; opts users into iCloud by default, many aspects of which are not end-to-end encrypted; and continues to work towards implementing the controversial photo-scanning technology it introduced in 2021, which has since been partially walked back. This list is not exhaustive, but it is representative.
On the other hand, Apple actively rejects apps for privacy reasons; has developed end-to-end encrypted aspects of iCloud; and has released quite a few privacy-focused features, including Privacy Nutrition Labels, App Privacy Report, and the subject of this blog post, iCloud Private Relay. Again, this list is not exhaustive, but it is representative.
Apple's business model is admirable: it primarily makes money by charging a premium on hardware and services, not by selling users' data. With this model it has propelled itself to become the first company to hit a $3 trillion market value. Apple's customers actually are its users, not its advertisers (unlike Google and Facebook). While the company's success is admirable, it demonstrates an unfortunate reality: if users are not paying with their data, they must pay more for the product, which prices many people out of some privacy-focused products.
One of those premium features is iCloud Private Relay. As part of Apple's iCloud+ offering, Apple created a dual-node proxy service for Safari that provides very real privacy protections.

What is iCloud Private Relay?

iCloud Private Relay is a privacy feature of Apple devices running iOS 15+, iPadOS 15+, and macOS Monterey+ (a subscription to any iCloud plan is required) whereby all Safari traffic and unencrypted app traffic is proxied through a series of two relays. The relays provide privacy benefits by ensuring that no single entity knows both the user's IP address and the destination domain. This has the effect of hiding the user's IP address from the sites they visit (and from the ads and trackers embedded on those sites), and hiding the sites they visit from Apple. The first relay, operated by Apple, receives the requester's IP address but cannot see the encrypted destination domain. Apple strips the IP address from the request and forwards it to the second relay, operated by a content delivery network (CDN) such as Cloudflare. The CDN decrypts the destination domain and connects to the requested site on the user's behalf, without knowledge of the requester's IP address.

It is a helpful mental shortcut to think of iCloud Private Relay as a "Tor lite": it operates in a similar way but only routes traffic through two nodes rather than five (note: iCloud Private Relay should never be used in place of Tor if the user relies on Tor for safety purposes; see the "Caveats" section below).

Use Case

This feature is a great option for users with low to mid-level threat models who are already invested in the Apple ecosystem. In contrast to what some in the privacy community might believe, it is not appropriate to holistically discount iCloud as a privacy-friendly option, as long as its nuances are carefully considered. For example, iCloud does end-to-end encrypt open Safari tabs, HomeKit Secure Video feeds and recordings, and iMessage (while iCloud Backup is turned OFF), to name a few.

iCloud Private Relay can be combined with content blockers and extensions to further enhance privacy inside Safari. AdGuard is a great open-source option for this on both iOS and macOS.

Perhaps the most underrated feature of iCloud Private Relay is its interaction with the "Add to Home Screen" action. On iOS and iPadOS, users can add a Safari bookmark to their Home Screen. Some websites support running these bookmarks in such a way that the bookmark acts like a standalone application rather than simply opening a Safari tab (Twitter, for example, supports this). These native-looking web applications run through iCloud Private Relay because they use Safari on the backend. This is a powerful option because it allows users to opt for web apps instead of native apps that, by default, provide the developer with a lot of personal device data (the IP address, for example). By replacing the native Twitter app with the Home Screen bookmark while iCloud Private Relay is enabled, users keep many of the benefits of the app but are also able to hide their true IP address. Replacing as many apps as possible with their Add to Home Screen counterparts puts more of the device's traffic through the iCloud Private Relay proxy. Opting for web apps over native apps also enhances the user's digital minimalism, an important strategy in regaining some digital privacy and security.

A Few Technical Details

iCloud Private Relay can be enabled by going to Settings -> [name/Apple ID] -> iCloud -> Private Relay (Beta) -> Turn On (choose "Use country and time zone" for more privacy with less relevant search results, or "Maintain general location" for less privacy with more relevant search results). To check that it is working, see if "iCloud Private Relay" is shown here under "Organization".
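The "Organization" check above works because the egress relays use address ranges that Apple publishes. The following script, added here and not part of the original post, performs the same check offline against a constructed sample in the layout of that list; the column order (prefix, country, region, city) and the sample prefixes are assumptions, and a site operator can run the same lookup over its own access logs to tell relay traffic apart from direct connections.

```python
import csv
import io
import ipaddress

# Constructed sample in the layout of Apple's published egress range list
# (https://mask-api.icloud.com/egress-ip-ranges.csv). The prefixes below are
# documentation/test ranges, not Apple's real allocations; the column order
# (prefix, country, region, city, trailing empty field) is an assumption.
SAMPLE_EGRESS_CSV = """\
192.0.2.0/25,US,US-CA,LOS ANGELES,
192.0.2.128/25,US,US-NY,NEW YORK,
2001:db8:1::/48,DE,DE-BE,BERLIN,
"""


def load_egress_ranges(csv_text):
    """Parse the egress list into (network, coarse-location) pairs."""
    ranges = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip():
            continue  # skip blank lines
        net = ipaddress.ip_network(row[0].strip(), strict=False)
        meta = {"country": row[1], "region": row[2], "city": row[3]}
        ranges.append((net, meta))
    return ranges


def private_relay_egress(ip, ranges):
    """Return the relay's coarse location if ip is a relay egress address, else None.

    Mixed address families never match: an IPv4 address is never 'in' an IPv6 network.
    """
    addr = ipaddress.ip_address(ip)
    for net, meta in ranges:
        if addr in net:
            return meta
    return None


if __name__ == "__main__":
    ranges = load_egress_ranges(SAMPLE_EGRESS_CSV)
    # Constructed client addresses: one inside the sample ranges, one outside.
    for client in ("192.0.2.77", "198.51.100.5", "2001:db8:1::abcd"):
        hit = private_relay_egress(client, ranges)
        print(client, "-> Private Relay" if hit else "-> direct", hit or "")
```

The relay location returned is the coarse city/region Apple assigns to the egress node, not the user's real location.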

To test whether a website supports the Add to Home Screen web app, open the URL in question in Safari. Navigate to Share Sheet -> Add to Home Screen. Once the bookmark is added to the Home Screen, tap on it. If it opens a Safari tab, it does not support web app-like features. If it opens in its own window, it does support web app-like features (though not notifications).

Native DNS resolvers are not fully integrated into the iCloud Private Relay framework. If a user utilizes a custom device-wide DNS solution, such as NextDNS or AdGuard, DNS queries within iCloud Private Relay are only passed on to the custom DNS resolver for the primary domain, not for all DNS queries within the page. As an example, if a user uses NextDNS to block youtube(.)com, NextDNS will successfully block them from accessing that site; however, YouTube videos embedded in Reddit posts will not be blocked by NextDNS because those requests will not go through the custom DNS resolver. There are ongoing discussions between the NextDNS developers and Apple to fix this issue, but I would not count on a solution anytime soon.

iCloud Private Relay cannot be used in conjunction with a VPN. It is one or the other. iCloud Private Relay can be used in conjunction with Startpage's Anonymous View feature to add one more proxy to a user's Safari browsing activity.

Recommendation

I recommend iCloud Private Relay for users with low to mid-level threat models who are already invested in the Apple ecosystem and subscribe to iCloud. I think it is an underrated tool in the toolbox, especially for non-tech-minded individuals.

Caveats

At the time of writing, Safari on all operating systems was recently patched to fix a critical issue that led to it leaking browsing activity due to its implementation of IndexedDB. Also, iCloud Private Relay is technically in Beta and, in my testing, infrequently turns off without notification.

Learn More
