Apple Explains Scenarios Where iCloud Private Relay Won’t Be Helpful

We’ve already covered several reasons not to use iCloud Private Relay right now — not the least of which is that it’s still in beta — but now Apple is offering a more candid look at what its new VPN-like service will do for you — and what it won’t.

Apple has published a new white paper, Private Relay Overview, which explains the feature in more depth while also disclosing several scenarios in which Private Relay isn’t going to be all that helpful.

To be fair, we’ve known some of this for a while, at least in theory. iCloud Private Relay is a “VPN-like” service because it really doesn’t do everything that a VPN does. Most significantly, it won’t protect ALL of your network traffic, as it’s primarily designed to work with browsing the web in Safari.

Until now, however, we’ve kind of only known about these limitations from a high-level perspective. Beyond Safari, Apple had previously said that only “a small subset of traffic from other apps” was protected but hadn’t really elaborated on exactly what that meant.

Apple’s new white paper goes a long way to filling in those gaps. While the bulk of the document lauds the positive benefits of the service, it also provides some much-needed clarity about the places where you won’t benefit from iCloud Private Relay.

The Good, the Bad, and the Ugly

It’s important to understand that Apple’s primary goal for iCloud Private Relay is to protect your privacy when surfing the web. To that end, iCloud Private Relay offers some clever innovations that you won’t find on other traditional VPN services.

The most significant of these is the use of two independent servers to route your traffic, such that no single entity will be able to know both who you are and where you’re going. The first server, run by Apple, knows where the traffic is coming from but can’t read its ultimate destination — it merely routes that traffic to a second server is run by an independent cloud provider at arm’s length from Apple.

Private Relay helps protect users from this kind of unwanted tracking by ensuring the traffic leaving their devices is encrypted, and by sending their requests through two separate internet relays so that no single entity can combine IP address, location, and browsing activity into detailed profile information.

Apple

Conceptually, this is like writing a message, placing it in a sealed envelope addressed to the recipient, and then sealing that inside another envelope and handing it to an intermediate third party. This go-between knows that the envelope came from you, but they don’t open it. Instead, they pass it to another intermediary, who doesn’t know that it came from you. That person opens the envelope, reads the final address, and then sends it along to the final recipient.

It’s worth noting that Apple’s white paper appears to be written more for an audience of hosting providers and developers than its end users, so it also goes into details about how the IP addresses used by iCloud Private Relay can be trusted by servers and web hosts and emphasizes a few times that it “does not provide any methods to spoof location or circumvent regional content restrictions.”

While this is obviously a good thing for the content providers of the world, it’s one of the biggest reasons that iCloud Private Relay won’t replace a traditional VPN for many folks. Put simply; you’re not going to be able to use iCloud Private Relay to watch Netflix content from another country.

In the end, that’s largely irrelevant anyway, as iCloud Private Relay isn’t going to do anything with your Netflix traffic — at least not that traffic that comes from the Netflix app. As we mentioned earlier, it primarily works in Safari while also covering “unencrypted activity” in certain other apps — basically any web traffic from a third-party app that doesn’t already use an SSL connection.

Essentially, when it comes to third-party apps, Private Relay is merely working to plug a security hole that developers should already be taking care of themselves. If an app already uses secure connections — which any well-built app really should — that app’s traffic will not be sent through Private Relay.

Beyond this, Apple lists a few other key services that will not be protected by Private Relay, most notably those run by your cellular provider.

Cellular services, such as Multimedia Messaging Service (MMS), telephony services (XCAP), Entitlement Server access, tethering traffic, and Visual Voicemail, do not use Private Relay. These services are always accessed directly.

Apple

To be fair, many of these services already use their own encryption layer. It’s not like your cellular provider isn’t going to know who you are anyway — your iPhone obviously needs to identify and authenticate itself to access services like Visual Voicemail. Of course, MMS messages always originate from your cell phone number, and unlike iMessages, they pass through your carrier’s network anyway.

Some folks may be surprised that tethering traffic also won’t pass through iCloud Private Relay, but this makes perfect sense when you consider that most of the apps on your iPhone don’t use iCloud Private Relay either.

Again, this is not a VPN that blocks everything leaving your device — iCloud Private Relay is highly selective about what goes into that tunnel. The safest assumption is that only Safari will use it, and everything else is on its own.

That said, if you’re tethering from a Mac that has iCloud Private Relay enabled in macOS, then the connection through your cellular provider will be handled in the same way as it would if you were using a Wi-Fi network. Your browsing traffic from Safari will be protected by iCloud Private Relay before it leaves your Mac, at which point it doesn’t really matter that your iPhone isn’t sending it out via iCloud Private Relay.

Apple also clarifies that just about any managed network setting will override Private Relay. For most end-users, this means that if you’re using a traditional VPN, that will take precedence — you won’t end up having traffic go through both your VPN and iCloud Private Relay. Apart from being technically impossible, it wouldn’t make much sense to do that anyway.

Lastly, as we pointed out earlier this month, there are several scenarios where iCloud Private Relay simply won’t work at all, especially when you’re using corporate or school networks. Network administrators can easily take steps to block private relay — in fact, Apple specifically explains the proper way to do this in its new white paper, and it’s a relatively trivial change to make on most enterprise networks. So, don’t be surprised if you get a message at work or at school telling you that Private Relay isn’t available.