Among this year’s collection of new privacy features in iOS 15 came iCloud Private Relay, Apple’s answer to a privacy-protecting VPN service. Like most of the services that Apple builds into iOS 15, it’s an approachable and easy solution for the average person to use. However, it also comes with a few drawbacks that you should be aware of.
In short, iCloud Private Relay works by routing all of your traffic through not one but two intermediate servers that exist at arm’s length from each other. It’s a unique approach that’s never been taken before, as it creates a system where no single entity knows both who you are and where you’re going.
This is done through multiple layers of encryption, whereby the first servers that process your outbound traffic can’t read its destination. These servers strip out your personal information before passing your requests on to the second tier of servers — ones that aren’t controlled by Apple — which can then decrypt the headers that show where that traffic is destined to end up, so they can pass it on.
As a result, the sites you visit only see traffic coming from a generic IP address that can’t be traced back to you personally. This outbound address will always be located in your home country and time zone, but if you prefer, you can have iCloud Private Relay use an address in your general region.
This latter option is handy if you want websites to be able to provide more accuracy for things like local news and weather. Still, it's generic enough that sites will only know what city you’re coming from, rather than your specific neighbourhood.
More importantly, since thousands of people will be using these IP addresses, there’s no way for tracking networks to use them as a form of persistent identity to follow your activity around the web.
In a nutshell, those are the positive points about iCloud Private Relay, but that doesn’t mean there aren’t a few downsides as well. Read on for seven reasons why you may want to avoid turning on iCloud Private Relay.
It’s Still in Beta
First and foremost, Private Relay is still in beta. That means that there’s a good chance things won’t work as expected.
Apple is also being quite candid about this, noting that “some websites, networks, or services may need to make updates for Private Relay,” before it will work properly. It’s not just about other sites, however, since as with any beta product, there could be times when Apple is tweaking things that could result in Private Relay failing in various ways.
The bottom line is that if you have Private Relay turned on and you’re having problems accessing certain websites, the first thing you should do is switch it off. On an iPhone or iPad, you can do this in the Settings app by tapping on your name at the top and then going into iCloud > Private Relay (Beta).
On macOS, the option can be found in your Apple ID settings in System Preferences, but don’t just uncheck the box, as that doesn’t always work properly. Instead, click the Options button and choose Turn Off Private Relay.
It Can Slow Things Down
While we’re willing to chalk this one up to its “beta” status, we’ve repeatedly encountered times when browsing becomes almost glacially slow when iCloud Private Relay is enabled.
This is understandable since your traffic is going through two other servers before it reaches its destination. Even though these should be scalable, high-performance servers, it’s likely that Apple is still tweaking things to keep up with the demand. We’re optimistic that it will get better once iCloud Private Relay is out of beta. However, for now, until Apple’s virtual road work is done, you should expect delays in your online traffic.
Note that even when iCloud Private Relay is working properly, you won’t necessarily be able to trust speed tests. Their results may appear lower when Private Relay is enabled, since it limits the tests’ ability to open multiple simultaneous connections in parallel.
It Only Works with Safari
Unlike a traditional VPN, Apple’s Private Relay only works with Safari. While this does include most apps that provide an in-app browser, it doesn’t do anything for other types of connections, whether those are from third-party apps or other browsers like Chrome or Firefox.
This means that if you’re primarily a Chrome user, then it’s basically pointless to enable Private Relay, as it won’t do anything for you at all.
On the upside, this does provide a simple way to check if Private Relay is behind any browsing problems you may be having. If you can’t access a website in Safari, or everything seems to be dragging, try another browser like Chrome. If it works there, then Private Relay is the most likely culprit. If it doesn’t, then you may have other problems with your network connection.
Kids Can Use It to Bypass Parental Controls
If you have a router that offers built-in parental controls, you probably won’t want to let your kids use iCloud Private Relay on their devices, as they’ll be able to skirt right by them without any problems.
With Private Relay enabled, everything sent out from Safari on an iPad, iPhone, or Mac is encrypted in what’s effectively a sealed envelope addressed to Apple’s Private Relay servers. When this traffic hits your home router, it won’t be able to determine where it’s actually going.
In principle, this isn’t a bad thing. In fact, it’s the whole point of Private Relay in the first place. Just like your home router can’t intercept and analyze this traffic, neither can your school, employer, or ISP.
The problem, of course, is that the same feature that keeps all of your family’s traffic private from your ISP also keeps your kids’ traffic private from you. If you rely on the parental controls on your router to block your kids’ access to the darker corners of the internet, you’ll need to either make sure they can’t use Private Relay, or you’ll need to switch over to using Apple’s Screen Time, which enforces these controls directly on their iPhone, iPad, or Mac.
While Screen Time doesn’t currently offer a way to specifically prevent kids from turning on Private Relay by itself, you can block this by disallowing all “Account Changes” under Content & Privacy Restrictions.
Note that time-based parental controls on your router should still work fine — as long as kids’ devices aren’t using the Private Wi-Fi address feature. Your router will still know which devices traffic is coming from. It just won’t be able to determine where that traffic is actually going.
Keep in mind that, for the same reason, some organizations may choose to block Private Relay, since it not only prevents filtering of traffic but auditing of that traffic as well. There’s not much you’ll be able to do about this — after all, it’s their network, their rules.
You May Have Problems Using Some Sites
Private Relay uses the latest security protocols that some smaller and older sites may not yet properly support. In this case, you’ll have problems making connections to those sites.
To be clear, every site on the internet should be up to speed, and if they’re not, you should be wary about visiting these sites in the first place, as they’re potentially insecure. Further, even smaller sites are generally served by hosting providers who take care of ensuring that everything is up to the latest standards. This isn’t a matter of web design, but rather the underlying communication protocols used between servers.
The other problem, however, is that you’re using a block of IP addresses that are shared by thousands of others. Some sites may distrust these IP addresses on sheer principle, while others may end up blacklisting them due to misbehaviour by others.
For instance, at this point, it’s impossible to edit or contribute to a Wikipedia entry when using Private Relay, since Wikipedia blocks all proxy and VPN servers.
Apple recommends that hosts and service providers update their systems to recognize and trust Private Relay connections, adding that these are actually more trustworthy since they “validate that the client is an iPhone, iPad, or Mac and that the customer has a valid iCloud+ subscription,” and Apple “enforces several anti-abuse and anti-fraud techniques” before the traffic even leaves its servers.
Ultimately, however, nobody is obligated to trust these connections, and traditional fraud detection systems that rely on IP addresses could end up blocking many legitimate users due to the actions of a few.
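One way a site operator could avoid the over-blocking described above, shown as an added example that is not from this article or from Apple: treat addresses inside a list of Private Relay egress ranges as shared, and count failed logins per account there instead of per IP. The range list, its `CIDR,country,region,city` layout, and the names `load_relay_ranges`, `is_relay_egress` and `LoginAbuseTracker` are assumptions for illustration; the sample rows are constructed from documentation address ranges.

```python
import csv
import io
import ipaddress

# Constructed sample in the assumed "CIDR,country,region,city" layout.
# These are RFC 5737 / RFC 3849 documentation ranges, not real relay ranges.
SAMPLE_EGRESS_CSV = """\
192.0.2.0/25,CA,CA-ON,Toronto
198.51.100.0/24,US,US-CA,Los Angeles
2001:db8:aa00::/40,US,US-NY,New York
not-a-network,US,US-TX,Austin
"""


def load_relay_ranges(text):
    """Parse the range list into network objects, skipping malformed rows."""
    nets = []
    for row in csv.reader(io.StringIO(text)):
        try:
            nets.append(ipaddress.ip_network(row[0].strip(), strict=False))
        except (IndexError, ValueError):
            continue
    return nets


def is_relay_egress(ip, nets):
    """True if the client address falls inside any listed shared egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)


class LoginAbuseTracker:
    """Failed-login counter: per IP normally, per (IP, account) for relay IPs,
    so one abusive relay user does not lock out everyone sharing the address."""

    def __init__(self, relay_nets, threshold=5):
        self.relay_nets = relay_nets
        self.threshold = threshold
        self.failures = {}

    def _key(self, ip, account):
        shared = is_relay_egress(ip, self.relay_nets)
        return (ip, account) if shared else (ip, None)

    def record_failure(self, ip, account):
        key = self._key(ip, account)
        self.failures[key] = self.failures.get(key, 0) + 1

    def is_blocked(self, ip, account):
        return self.failures.get(self._key(ip, account), 0) >= self.threshold
```

With a long range list, a prefix-tree lookup would replace the linear scan in `is_relay_egress`.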
It Doesn’t Bypass Geographic Restrictions
If you’re hoping to use Private Relay to watch stuff that’s only available on Netflix in another country, you’ll be disappointed.
Private Relay will always assign you an IP address that’s located in your home country and time zone. You can choose to use a more precise address that reflects your general location — usually whatever major city or metropolitan area you’re closest to — but you can’t get less precise than your home country.
Basically, Apple isn’t about to help you break these rules, and in fact, it’s made it clear to developers that their servers can trust the region assigned to the IP address that they see. If you want to bypass geographic restrictions, you’ll need to turn to a traditional VPN provider instead.
You Might Pay More for Certain Types of Data
If your ISP or cellular carrier offers certain “zero-rated” services, you’ll definitely want to avoid using Private Relay for these, as they’ll end up counting against your data allotment.
For example, if a carrier offers free access to stream music from Spotify, it can only do this by analyzing the traffic that passes through its servers. When it recognizes Spotify traffic, it excludes that from normal data charges.
In this scenario, however, since Private Relay hides all your browsing traffic from your ISP or carrier, it can’t exempt Spotify traffic, so this will incur data charges in the same way as any other traffic.
The good news is that since Private Relay only works with Safari, zero-rated services that work through dedicated apps should still be fine — this traffic won’t be hidden from your ISP or carrier — but you’ll definitely want to avoid using these services in Safari when Private Relay is enabled.
It’s also worth noting that Private Relay can be disabled on a per-connection basis, so you could switch it off for your Cellular Data connection while still leaving it active on your home Wi-Fi network.