An investigation into Apple’s new Relay network (apnic.net)
103 points by lladnar on Jan 28, 2023 | hide | past | favorite | 72 comments


Relatedly I recently learned that Apple also has a "protect mail activity" option that seems to use private relay under the hood for email content. You can use this feature without actually enabling private relay for your whole machine.

I discovered this because pihole blocks private relay by default and I was getting an error in the mail app that it wasn't able to protect my activity: https://apple.stackexchange.com/questions/429899/why-am-i-se...

Have to say I'm a big fan of apple trying to bring more of these features to average users. I had just finished prototyping my own mail server to do exactly what "hide my email" does when apple announced that feature and was very happy to be able to throw that code out in favor of something built into my mail client (although it was actually pretty fun to learn dovecot and postfix).


From Mail.app:

Protect Mail Activity helps protect your privacy by preventing email senders, including Apple, from learning information about your Mail activity. When you receive an email in the Mail app, rather than downloading remote content when you open an email, Protect Mail Activity downloads remote content in the background by default — regardless of whether you engage with the email. Apple does not learn any information about the content.

In addition, Protect Mail Activity routes all remote content downloaded by Mail through two separate relays operated by different entities. The first knows your IP address but not the remote Mail content you receive. The second knows the remote Mail content you receive but not your IP address, instead providing a generalised identity to the destination. This way, no single entity has the information to identify both you and the remote Mail content you receive. Senders can’t use your IP address as a unique identifier to connect your activity across websites or apps to build a profile about you.

If you choose to disable Protect Mail Activity, the Hide IP Address feature will still mask your IP address using the same two-separate-internet-relays design.


Can’t spammers still learn if you opened the mail by using unique per-recipient image file names?


They can tell that you used an Apple device to receive the email. They can't tell whether you actually opened it, or when, or where.

Not seeing the IP is also important for preventing linking: if you have data from other sources (your website, apps, etc.) this can link that activity to an identity for as long as your IP doesn't change. It's not perfect but that's the kind of thing advertisers like because they can see that, say, session A on a desktop computer which generated the email led to session B on a phone which opened it and consider that all future activity linked to the session IDs from either client is the same person even when your phone moves to another network.


They’ll learn you received it, not when you opened it (as the image is downloaded either way), and won’t be able to get any metadata (ip based location, browser headers).

Gmail uses a similar technique to mask metadata, though iirc they do download the images only when the email is first read by the recipient.


If you don't open the email, and don't have the preview pane on, how would the image get downloaded either way?

If you do open the email, and the spammer maps, say, snotrockets@example.com to a unique AD-SRE21234.JPG filename and that image within the email is displayed, no matter if it goes through Apple's relay or not, wouldn't the spammer then be able to validate your address is both valid and actively opening spam mail at whatever time you opened it?


The only thing they could know is if it was actually delivered.

Image download would happen from a 3rd party and as soon as it's received.

So actual usability is quite low. They would spam you anyway, though.
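Added illustration of the exchange discussed above (not code from the thread or from Apple): a sender serves a per-recipient tracking image and logs each fetch, and two client behaviours hit it, fetch-on-open from the user's own address versus background prefetch on receipt through a relay whose egress address is shared by many devices. The hostnames, addresses, image names and timings are constructed for the example; the two relay hops are collapsed into the single egress the sender sees, since that is all the sender's log contains.

```python
"""What a sender learns from a per-recipient tracking pixel under two
client behaviours. Added example; addresses and timings are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed: one unique image name per recipient, so a fetch of that name
# identifies the mailbox even when nothing else in the request does.
PIXEL_FOR: Dict[str, str] = {
    "alice@example.com": "AD-SRE21234.JPG",
    "bob@example.com": "AD-SRE21235.JPG",
}

# Constructed: a relay egress address shared by many devices.
RELAY_EGRESS_IP = "198.51.100.7"


@dataclass
class PixelHit:
    image: str
    client_ip: str
    at: int            # seconds since the message was delivered
    user_agent: str


@dataclass
class SenderLog:
    hits: List[PixelHit] = field(default_factory=list)

    def serve(self, image: str, client_ip: str, at: int, user_agent: str) -> None:
        """The sender's web server handler for GET /<image>."""
        self.hits.append(PixelHit(image, client_ip, at, user_agent))

    def infer(self, address: str) -> Optional[dict]:
        """What the sender can conclude about one recipient from its log."""
        image = PIXEL_FOR[address]
        hits = [h for h in self.hits if h.image == image]
        if not hits:
            return None
        first = hits[0]
        via_relay = first.client_ip == RELAY_EGRESS_IP
        return {
            "address_is_live": True,          # someone fetched the unique name
            "fetched_via_relay": via_relay,
            # Only meaningful when the fetch came from the user's own address.
            "recipient_ip": None if via_relay else first.client_ip,
            "open_time": None if via_relay else first.at,
            "opened_at_least_once": not via_relay,
        }


def client_fetch_on_open(log: SenderLog, address: str, real_ip: str, opened_at: int) -> None:
    """Legacy behaviour: remote content loads when the user opens the message,
    from the user's own IP, so the fetch time is the open time."""
    log.serve(PIXEL_FOR[address], real_ip, opened_at, "Mail/legacy")


def client_prefetch_via_relay(log: SenderLog, address: str, delivered_at: int) -> None:
    """Protect-Mail-Activity style behaviour: content is fetched in the
    background shortly after delivery whether or not the user ever opens
    the message, and the request leaves from the relay egress."""
    log.serve(PIXEL_FOR[address], RELAY_EGRESS_IP, delivered_at + 2, "Mail/relay")


def demo() -> dict:
    log = SenderLog()
    # Alice's client fetches on open, an hour after delivery, from her home IP.
    client_fetch_on_open(log, "alice@example.com", "203.0.113.45", opened_at=3600)
    # Bob's client prefetches through the relay; Bob never opens the message.
    client_prefetch_via_relay(log, "bob@example.com", delivered_at=0)
    return {addr: log.infer(addr) for addr in PIXEL_FOR}


if __name__ == "__main__":
    for addr, what in demo().items():
        print(addr, what)
```

The per-recipient name still confirms that the address is live in both cases; only the open time and the recipient's own address disappear in the relay case.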


One take is that what Apple want to do is increase the value of tracking and targeting offered by Apple and decrease the value of everyone else's.

Still a net win.


“The ingress addresses are in two ASes: Apple’s own AS and the Akamai-PR AS. This is the same AS also present in the egress address collection and appears only to be used for Private Relay. We used a laptop with an active Private Relay session to prove that the ingress and egress address can be within the same AS and that both addresses were reachable behind the same last hop router address. Therefore, we could show that a single entity can observe both ingress and egress traffic and use techniques similar to The Onion Router (TOR) attacks to combine ingress client addresses with server addresses. This issue breaks Apple’s promise to prevent a single party from seeing both addresses on the network level.”


Very fancy! Currently in Thailand, defeated by:

“Private Relay is not available in Thailand due to local laws and regulations.”

“Privacy is a fundamental human right.” Unless local laws and regulations say otherwise.


If Thailand blocks Apple's relay domain and IP address what else could they do besides tell you it isn't going to work?


From a purely technical perspective, they could just force private relay for all Apple-bound traffic. Thailand would have to choose between working iPhones and blocking private relay.


Wikipedia disallows editing from iCloud Relay IP addresses, so not a great idea in general. And if you really think authoritarian governments are going to choose iPhones over control, well…


I was specifically suggesting doing this for Apple-bound communications, not for all traffic. In that situation blocking private relay would just break app store and other important functionality, rendering the devices borderline useless.

> And if you really think authoritarian governments are going to choose iPhones over control, well…

lol, Thailand doesn't even block VPNs. You really think they'd do something as drastic as banning Apple devices over this?

There are many authoritarian countries where banning iPhones would simply be unimaginable, there's no way they'd even think about doing that in places like Russia.


> Just break app store and other important functionality, rendering the devices borderline useless.

If Apple breaks laws isn't that what governments should do? For instance in Europe (was it the Netherlands?). Apple has blatantly ignored a ruling on the app store and allowed fines to accumulate. The government should have blocked the app store but instead let itself be bullied by Apple.


> If Apple breaks laws isn't that what Governments should do?

It depends.


> You really think they'd do something as drastic as banning Apple devices over this?

I dunno, but the feature is disallowed for a reason. It's more than a VPN because it's so much easier to use than VPNs are typically and I believe it's also enabled by default with iCloud.


They would not need to ban Apple devices, as Apple has a history of following local censorship and citizen spying laws, even if they violate human rights. They have never put an effort against governments, etc. like Google. See China, for example.


If history teaches us anything it's that autocratic governments favor control over their people in lieu of Apple devices. And capitalist companies favor money in lieu of human rights.


How would you feel if a corporation was ignoring local regulation to enforce their own worldview?


Pretty good if it happens to align with mine, angry if otherwise?


At least you are honest about that stance.


How else could it be? It's simply not possible that all worldviews are equal. It's undoubtedly true that my view of the world is simply better than someone else's and vice-versa.


Well yeah, there are plenty of places without humans rights and sometimes the laws enforce that.


Do you expect Apple to violate the laws of your country?


There are fairly successful companies like Telegram and Signal, who are aggressively using technical measures to evade censorship.

Apple certainly could do this.


Sure, but not if they wish to keep on operating (i.e. selling things, and manufacturing things as part of their business) legally in that country.


There are significant costs associated with something as visible as banning the sales of Apple devices. Governments are certainly capable of doing this, but the cost-benefit analysis does not necessarily add up.


The benefit of Telegram and Signal doing this over a company like Apple is that they don't own a significant part of the smartphone and computer (and associated services) markets. This gives Apple a lot more control and influence over people and consequently carry a lot more responsibility in what they do. If I notice Signal doing something I like, it's far easier to convert to a competitor than it is for the average user to switch away from the Apple ecosystem once you're in it.


Also unlike Telegram, Apple has significant local physical presence and employees that the government can go after.


What significant local physical presence does Apple have in Thailand? They're setting up a factory there, kicking that out would hurt Thailand way more than it would hurt Apple.


Having to comply with local laws and regulations is sort of accepted when operating a business in a particular country. How would it hurt Thailand significantly more than Apple if they're ejected for not complying with legal requirements? And frankly, it's sort of moot. Apple is more than happy to comply with national governments. Just look at them pulling communication apps whenever there's a protest in <insert country with autocratic government here>.


Not the author, but I would say,

Expected? No. For a global company without backbone. Wish? Yes.


If YOU don’t agree with the laws of your country, move and take on a different citizenship


How to tell others you come from a sheltered and privileged background without saying it explicitly.


> Therefore, we could show that a single entity can observe both ingress and egress traffic and use techniques similar to The Onion Router (TOR) attacks to combine ingress client addresses with server addresses. This issue breaks Apple’s promise to prevent a single party from seeing both addresses on the network level.


Vodafone Ireland has disabled support for Relay, or at least on my business mobile account.


This is as sure a sign as any that they are hostile and it’s time to move.


They've been a reliable provider both in Ireland and roaming abroad so I'm hesitant to switch. I always use a VPN anyway so the Relay situation is not a massive deal breaker for me.


Time to migrate to T-Mobile


This is basically a VPN for everyone using an Apple device, right? The question I have is whether Apple keeps (or can be compelled by law enforcement to produce) the logs of who you are and what you have browsed?


It's more secure than a VPN; the relay is run by two separate companies and neither of them can see enough traffic to know both those things, for either HTTP or DNS.

Findings in the article aside, of course.


I guess my question is, sure, someone could go to lengths to observe the in + out, but does Apple (and the other entity) decline to keep logs such that they at least could not be compelled to give up data that could link the two?

If the RIAA gets a court order to reveal who streamed something, shared illegally, etc. would they be able to comply?


Are these two companies based in two different jurisdictions? In other words, is the non-apple company US-based or not?


Non Apple companies are Cloudflare, Akamai and Fastly.


The whole point of private relay is that apple does not have access to what sites you're loading. The article does a good unbiased description, but you can think of it as a single hop tor - enough to stop apple from knowing what you are loading, and enough to stop the egress point from knowing who is making a given request.

Someone who can monitor all the entry points and exit points can probably tie the connection together, but someone in that position can probably also do that for any other vpn service (Nord, proton, etc - though those providers don't have any privacy options).


A VPN that only works with Safari and apps using the native HTTP libraries to make unencrypted HTTP requests.


It's a whitelist of apps that are tunnelled through the relay, but apps don't have to use any sort of special networking library, pure Berkeley sockets work just fine through the relay. Also, anything that attempts to use port 80 goes through the relay, it doesn't have to be HTTP, as I said, plain BSD sockets work.

This whitelist is implemented using the regular macOS/iOS per-app firewall. Not only is this accessible to users, but the whitelist matches based on the Mach-O UUID, which is an arbitrary number put in by the linker...

The restriction on which apps can use iCloud Private Relay is trivially defeatable.
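Added example for the comment above, not code from the thread or from Apple. It only shows what the comment relies on: the Mach-O UUID is an ordinary `LC_UUID` load command in the header that any tool can read, and, since the loader checks it against nothing else in the file, overwrite. Whether the relay whitelist actually keys on this value is the commenter's claim and is not something this code checks. The sample image is a constructed minimal 64-bit Mach-O, not a real binary, and the code only handles little-endian images (x86-64 and arm64).

```python
"""Read and rewrite the LC_UUID load command of a Mach-O image.
Added example; the sample image is constructed, not a real binary."""

import struct
import uuid
from typing import Optional, Tuple

MH_MAGIC_64 = 0xFEEDFACF
MH_MAGIC = 0xFEEDFACE
LC_UUID = 0x1B
HEADER_SIZE = {MH_MAGIC_64: 32, MH_MAGIC: 28}   # mach_header_64 / mach_header


def _header(data: bytes) -> Tuple[int, int]:
    """Return (ncmds, offset of the first load command)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in HEADER_SIZE:
        raise ValueError(f"not a little-endian Mach-O: magic {magic:#x}")
    # magic, cputype, cpusubtype, filetype precede ncmds in both header layouts
    ncmds, = struct.unpack_from("<I", data, 16)
    return ncmds, HEADER_SIZE[magic]


def find_uuid_offset(data: bytes) -> Optional[int]:
    """Walk the load commands; return the file offset of the 16 UUID bytes
    inside LC_UUID, or None if the image carries no LC_UUID."""
    ncmds, off = _header(data)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd == LC_UUID:
            if cmdsize != 24:                      # 8-byte header + 16-byte uuid
                raise ValueError("LC_UUID with unexpected size")
            return off + 8
        off += cmdsize
    return None


def read_uuid(data: bytes) -> Optional[uuid.UUID]:
    pos = find_uuid_offset(data)
    return None if pos is None else uuid.UUID(bytes=data[pos:pos + 16])


def set_uuid(data: bytes, new: uuid.UUID) -> bytes:
    """Return a copy with LC_UUID overwritten in place. The image stays
    loadable; a code signature covering the header would no longer validate."""
    pos = find_uuid_offset(data)
    if pos is None:
        raise ValueError("image has no LC_UUID")
    return data[:pos] + new.bytes + data[pos + 16:]


def build_sample_image(u: uuid.UUID) -> bytes:
    """Constructed minimal 64-bit Mach-O: a header plus one LC_UUID command."""
    lc = struct.pack("<II", LC_UUID, 24) + u.bytes
    hdr = struct.pack("<IIIIIIII",
                      MH_MAGIC_64,
                      0x0100000C,   # CPU_TYPE_ARM64
                      0,            # cpusubtype
                      2,            # MH_EXECUTE
                      1,            # ncmds
                      len(lc),      # sizeofcmds
                      0,            # flags
                      0)            # reserved
    return hdr + lc


def demo() -> dict:
    original = uuid.UUID("12345678-1234-5678-1234-567812345678")  # constructed
    image = build_sample_image(original)
    patched = set_uuid(image, uuid.UUID(int=1))
    return {
        "uuid_offset": find_uuid_offset(image),
        "original": str(read_uuid(image)),
        "patched": str(read_uuid(patched)),
        "same_length": len(patched) == len(image),
    }


if __name__ == "__main__":
    print(demo())
```

Pointed at a real file, `read_uuid(open(path, "rb").read())` gives the same value `dwarfdump --uuid` prints; on a fat (universal) binary you would first slice out one architecture, which this code does not do.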


Do you have a citation for this? That is not my experience. With iCloud Relay enabled, all outgoing traffic seems to go through the relay.


From iOS Settings App:

Private Relay hides your IP address and browsing activity in Safari and protects your unencrypted internet traffic so that no one, including Apple, can see both who you are and what sites you're visiting


Encrypted safari traffic goes through the relay.


Encrypted safari traffic is an exception. But encrypted app traffic does not.

They made it so a few years ago that all apps had to use encryption. Long before private relay came out. I have wondered if this was why.


Agreed, we can only speculate; personally I would be surprised if that was the "long-term" plan instead of just a push at the time to enforce industry best practices on its apps. My hunch would be such a move might be disruptive to certain apps (banking?) and they are allowing more time before tunneling everything, but this is just a guess.


See my other comment about how iCloud Private Relay works. There are basically almost no security measures that prevent you from using it with other apps. This leads me to speculate that Apple intends to eventually enable this globally, so they don't really bother now with trying to lock it down too much.


One really cool thing I discovered with Private Relay is that it will proxy an IPv4 address to IPv6. For example if you Google “what is my ip” you should see an IPv6 address in Google.


This kind of centralization I trust much less than just letting things go through my ISP. Way easier for the FBI and NSA to get information in bulk from Akamai than to target me at my ISP.


Getting a warrant on your ISP is demonstrably trivial (see many many cases over the years). All of your traffic goes through your ISP so you’re comparing a mechanism that endeavors to avoid allowing either end of the connection to know the target of the other, that is encrypted and so opaque to your isp.

Vs your isp knowing every site you go to? Or you could get a random VPN service, in which case you have another single company to serve a warrant, only unlike the relay case that vpn knows just as much as your original ISP.


It's actually US law even - the lawful intercept system. For example: https://www.ss8.com/understanding-5g-standards-for-lawful-in...

“As lawful interception takes place in the core network, and the initial 5G NR deployments leveraged the existing 4G EPC network, carriers were able to continue using their existing and compliant lawful interception systems to support their 5G NR deployments. Therefore, Law Enforcement Agencies (LEAs) considered 5G systems as nothing new, just “4G on steroids”. And from a Lawful Interception standpoint, they were right. Those initial systems supported the existing handover specifications such as 3GPP TS 33.106, 33.107 and 33.108 and could only support up to 1Gbps per subscriber bandwidth, since the Evolved Packet Core (EPC) was still 4G and there were capacity limitations on the EPC. Law”


It's incredibly easy to target ISPs, there's a US law that enforces it.


My ISP is not in the US though :)


I'm really amazed at what Apple has created with private relay. I see people complain, but I do _not_ see it as a replacement for Tor.

What it does provide is the first private (again, not Tor-level private) VPN that incentivizes sites to allow the traffic. How does it do this?

- traffic is legitimate with a high degree of certainty (it's tied to an iCloud account that can be blocked, and more or less must be run on Apple hardware)

- sites that block private relay are potentially blocking a large audience of Apple users

With more anonymous VPNs there are fewer potential repercussions against malicious traffic, and it's harder to prevent users from abusing the system.


> traffic is legitimate with a high degree of certainty (it's tied to an iCloud account that can be blocked

Wait… what? The traffic on this private relay can be traced back to your iCloud account? By Apple? By any website you visit?

What are you talking about?


AFAIK only existing iCloud users on Apple OS devices can use private relay. Apple doesn't need/care about the content of your session (it's routed through 3Ps). But what they can do is drop support for your iCloud account, which prevents you from using private relay. Transitively tying it to active Apple hardware IDs, via iCloud, also means there's a significant real cost to setting up to use this service. There's basically no way bulk scammers/scraping/manipulation/etc can afford that cost for their disposable use cases. This compares VERY unfavorably to the costs of farming gmail/microsoft/ISP accounts, from the scammers' perspective.


> But what they can do is drop support for your icloud account, which prevents you from using private relay.

How does Apple tie your traffic to your iCloud account? They have repeatedly stated that they cannot see what any account is doing.


I believe all OP is trying to say is that Apple controls ingress nodes, which the customer connects (authenticating with iCloud) to as the first hop; the destination and content of the packets is encrypted to the second hop and cannot be decrypted by them. But if Apple wants to stop your iCloud account from sending traffic through the relay it can do so at any moment. This should not be surprising, it's not an "open" relay but a premium service.


I am aware of the part of the reasoning you’ve described. What I’m trying to figure out is how “Apple can ban users” translates to “website owners will trust that traffic more.”

Apple literally cannot ban you for malicious or fraudulent traffic (assuming you believe them), so what is the difference between this and any other paid VPN service? Those also cost money.


Oh I see. Yea TBH I'm not sure what happens if hop 2 (e.g. Cloudflare) reports fraud/abuse "up" to Apple; whether Apple takes action or not. It would certainly be technically possible but would require cooperation between the two companies, that's the only guarantee I can find. Private access tokens are a real solution here, so maybe Apple does nothing in such a scenario and expects end sites to verify those.


I read a bit more, here is how it works, from the white paper: https://www.apple.com/icloud/docs/iCloud_Private_Relay_Overv...

> Authorization is performed by presenting a valid, anonymous token based on RSA blind signatures. These signatures are sent as one-time-use tokens to each proxy when establishing a connection, separating legitimate from illegitimate devices. The proxies can validate the tokens with a public key to validate that the user is legitimate, without actually identifying the user.

> The following fields related to anonymous token issuance are logged as a part of Private Relay’s fraud prevention and anti-abuse measures, but cannot be correlated with connection information:
> • iCloud account, software version, and request timestamp

Sounds like both Apple and Cloudflare hops get the token. But Apple stashes a mapping of the token->iCloud account on its end, presumably to deal with fraud requests from Cloudflare. So my understanding then is if Apple gets a fraud/abuse request for someone's token from Cloudflare, it can and will banish your iCloud account from the service.

Edit: on closer reading I think I was wrong... The stated logged data could just be to rate limit the tokens you can request. It doesn't say they log the token itself, and they do say "cannot be correlated with connection information". So it seems you are right!
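Added example of the token mechanism the whitepaper paragraph above describes, not Apple's or a proxy operator's code. It uses textbook (unpadded) RSA blind signatures with a 256-bit demo modulus so the arithmetic is visible and fast; a deployment uses padded RSA blind signatures (the RSA-PSS based scheme of RFC 9474) with a 2048-bit or larger key. The roles are the ones in the quote: the issuer holds the private key and authenticates the account, the proxy holds only the public key, checks each token and enforces single use. The account name is constructed.

```python
"""Anonymous one-time tokens from textbook RSA blind signatures.
Added example; demo-sized key, unpadded RSA, constructed account name."""

import hashlib
import random
import secrets
from math import gcd


def _probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, adequate for a demo key."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c


def keygen(bits: int = 256, e: int = 65537):
    """Return ((n, e), (n, d))."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(token: bytes, n: int) -> int:
    """Hash the random token into Z_n; signatures are over this value."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % n


class Issuer:
    """Signs blinded values for authenticated accounts. It only ever sees the
    blinded value, which is uniformly random and unrelated to the token."""

    def __init__(self, priv):
        self.n, self.d = priv
        self.seen = []        # (account, blinded value) as observed on the wire

    def sign_blinded(self, account: str, blinded: int) -> int:
        self.seen.append((account, blinded))
        return pow(blinded, self.d, self.n)


class Client:
    def __init__(self, pub, account: str):
        self.n, self.e = pub
        self.account = account

    def get_token(self, issuer: Issuer):
        token = secrets.token_bytes(32)
        m = _digest(token, self.n)
        r = secrets.randbelow(self.n)
        while r < 2 or gcd(r, self.n) != 1:
            r = secrets.randbelow(self.n)
        blinded = (m * pow(r, self.e, self.n)) % self.n       # m * r^e
        s_blind = issuer.sign_blinded(self.account, blinded)  # (m r^e)^d = m^d r
        sig = (s_blind * pow(r, -1, self.n)) % self.n         # strip r: m^d
        return token, sig


class Proxy:
    """Relay hop: verifies with the public key and enforces single use;
    it never learns which account a token came from."""

    def __init__(self, pub):
        self.n, self.e = pub
        self.spent = set()

    def accept(self, token: bytes, sig: int) -> bool:
        if pow(sig, self.e, self.n) != _digest(token, self.n):
            return False                       # forged or tampered
        if token in self.spent:
            return False                       # replayed
        self.spent.add(token)
        return True


def demo() -> dict:
    pub, priv = keygen()
    issuer, proxy = Issuer(priv), Proxy(pub)
    token, sig = Client(pub, "user@icloud.example").get_token(issuer)
    result = {
        "first_use": proxy.accept(token, sig),
        "replay": proxy.accept(token, sig),
        "forged": proxy.accept(token, (sig + 1) % pub[0]),
    }
    # Unlinkability: nothing the issuer recorded equals what the proxy saw.
    observed = {b for _, b in issuer.seen}
    result["issuer_can_link"] = _digest(token, pub[0]) in observed or sig in observed
    return result


if __name__ == "__main__":
    print(demo())
```

The issuer's record of (account, blinded value) is exactly the kind of log the quoted paragraph allows: even if it is handed to the proxy, nothing in it matches the token or signature the proxy saw, because the blinding factor r was chosen by the client and never left it.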


> They have repeatedly stated that they cannot see what any account is doing.

Do you honestly believe that? One of the most powerful telecommunication hardware companies in America, hilariously somehow NOT being in bed with government agencies? Perhaps Apple can't see your traffic, so by the letter of their statement, what they said is true... but the mystery boxes in locked rooms at Akamai, Fastly, and Cloudflare I'm sure can connect your traffic across the relay hops juuuuuuust fine.

Not to mention the other poster's important point of having the traffic effectively tagged to your iCloud account is stunningly probably very accurate. I knew this thing was bad news the moment I first read about it, now I feel even more strongly it is indeed America's version of the great firewall and social credit score impacted by your net traffic and the websites you visited pumped up on American steroids.

Cloudflare sitting as a proxy in front of tons of other websites otherwise in the wild closes the significant gap left by non-Apple device users.


> Do you honestly believe that?

I believe that that is what they have repeatedly said.

Is your position that Apple is doing some sort of scam on their paying users in order to compromise their privacy to random websites?

I did not bring up any law enforcement organizations, I was responding to the idea that since Apple can ban users, random website operators will trust their relay traffic more. This is a completely unrelated thing.


Ah - after re-reading the article, I think you’re correct.

That being said, there’s still a barrier to entry by having an i-device/i-account. I wonder if there would be a way for them to ban abuse since they have so much control over the ecosystem?


>the egress layer, are operated by third-party entities. Currently, these are Akamai, Cloudflare, and Fastly.

Great

After forbidding privacy by blocking tor and proxy traffic, now CloudFlare is going to red carpet Apple devices only.

I've never had issues with Akamai or the like even on Tor. It's CloudFlare, they're here to undermine web neutrality in some way.

Are these companies rebuilding a more private internet?

We need some RFC or standard for what they are doing, not just a registration and relay service run by Apple and CloudFlare.



