What is iCloud Private Relay?
Apple’s iCloud Private Relay is a service available to iCloud+ subscribers who use iOS 15, iPadOS 15 and macOS Monterey. It makes your web browsing and online activities more private by concealing your IP address from the websites you visit and hiding the addresses of the websites you visit from your internet provider.
It launched as a public beta in August 2021 and is the product of a partnership between Apple and web infrastructure, security and content delivery firms including Cloudflare and Akamai to create a multi-stage proxying service that conceals your IP address while still leaving you able to access local geolocated services.
When you enable Private Relay in your iCloud settings, internet traffic to and from your device, including DNS requests, is encrypted and sent through two internet relays, one run by Apple, the other by, for example, Cloudflare. At the other end of the connection, you have a new IP address that cannot be linked to the one assigned to your connection by your ISP.
What does an iCloud Private Relay connection look like?
With Private Relay enabled, you connect to the internet via your ISP as usual. From there, your connection goes to an Ingress Proxy server run by Apple. This can see your originating IP address, but your connection is encrypted – including metadata such as the address of the website you’re going to – so it has no idea where you’re going.
Apple’s Ingress Proxy uses your IP address to assign you an anonymised geohash that indicates the rough geographical region your connection needs to be shown as coming from. It then hands the connection over to an Egress Proxy run by a company such as Cloudflare. The Egress Proxy can see the anonymised geohash and the URL you’re going to, but it can’t see your originating IP address.
The Egress Proxy assigns you a new IP address that’s a good match for your physical location. It’s this address that can be seen by the site at the other end, effectively concealing your real originating IP address.
By doing this, iCloud Private Relay is designed to make it significantly harder for you to be identified by your online activity, for that activity to be used for user behaviour analysis, or for it to be snooped on. While many privacy solutions such as VPNs and proxies mess up your ability to access geolocated services, Apple has gone one better with hash-based geolocation accuracy and a pool of location-registered IP addresses, as well as anti-fraud measures to help reassure content providers that are traditionally leery of customers using proxying services of any kind.
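As an added illustration (not taken from Apple's or Cloudflare's documentation), the sketch below uses the standard public geohash algorithm to show why a short geohash only pins a connection to a rough region: two constructed client locations a few kilometres apart land in the same cell. The coordinates and precision values are assumptions made for the demo; the geohash parameters Private Relay actually uses are not given here.

```python
"""Added illustration: how a truncated geohash coarsens a location.

Uses the standard public geohash algorithm; the precision values and the
coordinates are constructed for the demo and are not Apple's parameters.
"""
import math

BASE32 = "0123456789bcdefghjkmnpqrstuvwxyz"


def geohash_cell(lat, lon, precision):
    """Return (geohash, (lat_min, lat_max, lon_min, lon_max)) for a point."""
    lat_rng, lon_rng = [-90.0, 90.0], [-180.0, 180.0]
    chars, value, nbits, use_lon = [], 0, 0, True
    while len(chars) < precision:
        rng, coord = (lon_rng, lon) if use_lon else (lat_rng, lat)
        mid = (rng[0] + rng[1]) / 2
        bit = coord >= mid
        rng[0 if bit else 1] = mid      # halve the interval around the point
        value = (value << 1) | bit
        use_lon = not use_lon           # bits alternate lon, lat, lon, ...
        nbits += 1
        if nbits == 5:                  # every 5 bits become one character
            chars.append(BASE32[value])
            value, nbits = 0, 0
    return "".join(chars), (lat_rng[0], lat_rng[1], lon_rng[0], lon_rng[1])


def cell_size_km(bounds):
    """Approximate (north-south, east-west) extent of a cell in km."""
    lat_min, lat_max, lon_min, lon_max = bounds
    km_per_deg = 111.32
    mid_lat = math.radians((lat_min + lat_max) / 2)
    return ((lat_max - lat_min) * km_per_deg,
            (lon_max - lon_min) * km_per_deg * math.cos(mid_lat))


# Constructed sample: two client locations roughly 8 km apart.
CLIENT_A = (57.64911, 10.40744)
CLIENT_B = (57.60000, 10.30000)

if __name__ == "__main__":
    for precision in (4, 5, 7):
        hash_a, bounds = geohash_cell(*CLIENT_A, precision)
        hash_b, _ = geohash_cell(*CLIENT_B, precision)
        ns, ew = cell_size_km(bounds)
        print(f"precision {precision}: A={hash_a} B={hash_b} "
              f"cell ~{ns:.1f} x {ew:.1f} km, same cell: {hash_a == hash_b}")
```

Each extra character divides the cell by 32, so the number of characters passed along determines how many other users share the same apparent region.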
How does Private Relay perform?
Security and privacy are important, but there’s a limit to how much performance most people are prepared to trade off.
Some beta users of Private Relay report that streaming services including Netflix have shown them content for the wrong country or just rejected their connection because Private Relay has tripped Netflix’s anti-VPN measures.
Using iCloud Private Relay might even improve your connection speeds. Cloudflare says that “using Private Relay to reach websites instead of going directly to the origin server can result in significant, measured decreases in page load time for clients using Private Relay vs those that are not.” Users report variable performance, with some complaining of slowdowns across the board, while others observe higher latency but faster load times, and some ISPs warn that their services may be adversely affected.
Researchers have found that early versions of Private Relay could leak your originating IP address via the WebRTC communication protocol, but this has now been resolved.
FAQs
For more information on how all of this works, see Cloudflare’s iCloud Private Relay: information for Cloudflare customers, Akamai’s Powering and Protecting Online Privacy: iCloud Private Relay and Information for Akamai Customers, and Apple’s iCloud Private Relay white paper (PDF) and its Prepare Your Network or Web Server for iCloud Private Relay article.
The company operating the exit relay can see that a Private Relay user is receiving traffic, but cannot identify you or your IP address from the geohash generated for you by the Ingress Relay.
No, websites you connect to will see an address issued to you by the Cloudflare egress proxy. However, if you log into a site you’re a member of using your usual account, all your interactions with the site will be logged and associated with your account as usual, just with the Cloudflare-issued IP address logged alongside that.
No. You can choose between an IP address location that shows your general location within a country, or one that only shows what country and time zone you’re in, for a bit of extra privacy, but you can’t use Private Relay as a region-shifting proxy. If you need to see what the web looks like from another country, check out our Best VPNs list.
No. Per Apple’s white paper, performance metrics, region information and resource usage are kept with no associated identifying information: connection properties and performance metrics; network and region information derived from IP address; anonymous token validation success rate and performance; and Private Relay system resource usage. For anti-fraud and anti-abuse purposes, Apple says that iCloud account, software version, and request timestamp are also logged, “but cannot be correlated with connection information”.