If you’ve downloaded iOS 15, you might have noticed something different about your iCloud account. Apple is upgrading all paid iCloud accounts to something it calls iCloud+. It includes several interesting new features on top of the existing iCloud storage, sync, and cloud features, but the most interesting might be something Apple calls iCloud Private Relay. At first, it sounds like a VPN: your web-browsing traffic is encrypted and sent through a relay to hide your exact location, IP, or the contents of your browsing traffic.
It’s not a VPN, though. Not quite. There are important differences, which we’ll describe here. But iCloud Private Relay may be enough for most people, giving the most obvious benefits of a VPN to millions of users who would never consider signing up for one. Here’s what this Private Relay feature is, how it works, and how it’s different from a traditional VPN.
Update 01/12/21: Some users are reporting that some carrier features are blocking access to iCloud Private Relay. Apple has added new wording to iOS 15.3 beta to clarify the situation.
How do you turn on iCloud Private Relay?
iCloud Private Relay is a free upgrade in iOS 15 for anyone who pays for iCloud storage either separately or as part of an Apple One bundle. To turn it on, head to the Settings app, then tap your Apple ID name at the top. Then tap iCloud and Private Relay (Beta) and flip the toggle green to turn it on. You can also choose between two IP address locations: General “so that websites can provide local content in Safari” or broader country and time zone for more anonymity.
What is iCloud Private Relay?
When Private Relay is enabled, all of your browsing activity in Safari will be routed through two internet “hops,” or relays. Your data is encrypted and then sent to Apple, so your ISP can’t see any of your web browsing requests. Once at Apple’s proxy server, the DNS request (the thing that points a domain name like “macworld.com” to a specific server IP address) and your iPhone, iPad, or Mac’s IP address are separated. Your IP address is retained by Apple, while your DNS request is passed on, encrypted, to a “trusted partner” that has the decryption key, along with a fake intermediary IP address that is based on your approximate location. Apple didn’t name its partners, but some web sleuths have figured out that they are major internet backbone companies such as Akamai, Cloudflare, and Fastly.
This means that Apple knows your IP address but not the name of the sites you’re visiting, and the trusted partner knows the site you’re visiting but not your IP (and therefore not who or where you are). Neither party can piece together a complete picture of both who you are and where you’re going.
Without Private Relay, the website you’re visiting typically gets your exact IP address and DNS request, so it can easily build a pretty detailed profile of exactly who you are, where you are, and where you’re going online. Combine that with a few cookies, even innocuous-seeming ones, and it’s pretty simple to have your entire online activity profiled, tracked, traced, and sold to advertisers (and others).
What iCloud Private Relay does is make the websites you’re visiting totally ignorant of this information, so the sites can’t build profiles of your activity.
The IP addresses Apple uses in place of your real one still roughly correspond to your general area; that’s not enough to identify you personally, but it lets sites that use your IP address to deliver local news, weather, sports, or other info keep working fine. There’s an option to use an even broader IP address, but it might make some of those sites work incorrectly.
Note that Apple does not allow you to choose an IP address or even a region, and won’t ever make it seem like you’re coming from a totally different place. In other words, if you want to use it to access geographically locked content in Netflix or other online services, you’re out of luck.
How is iCloud Private Relay different from a VPN?
As cool as this Private Relay feature is, it’s definitely not a VPN. It will do a great job of preventing profiling of your web activity based on your basic connection data. But it has a lot of shortcomings compared to a real VPN. Some of these include:
It only works with Safari, not any of the other apps or web browsers you use. Technically, some other DNS info and a small subset of app-related web traffic will use it, but it’s best to think of it as a Safari-only thing.
It’s easily identifiable as a “proxy server,” which many large networks like those at schools or businesses will not work with. Most good VPNs disguise themselves to look like regular non-proxy traffic.
As mentioned, it can’t hide the region you’re connecting from, only your specific IP location, so you can’t access content locked out of your region or experience websites as if you’re connecting from another country.
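The approximate-location addresses and the “easily identifiable as a proxy” point above, seen from a site operator’s or network administrator’s side. This is an added example, not part of the original article: it assumes a published list of relay egress ranges in CSV form (CIDR, country, region, city), and the ranges, log entries, and function names are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample in the assumed layout of a published egress-range list:
# CIDR,country,region,city (documentation-only address blocks, not real ranges)
SAMPLE_RANGES = """\
192.0.2.0/26,US,US-CA,San Francisco
192.0.2.64/26,US,US-NY,New York
198.51.100.0/24,DE,DE-BE,Berlin
2001:db8:100::/48,GB,GB-ENG,London
"""

# Constructed web-server log entries: (client IP, requested path)
SAMPLE_REQUESTS = [("192.0.2.70", "/weather"), ("203.0.113.9", "/weather"),
                   ("2001:db8:100::abcd", "/login"), ("not-an-ip", "/login")]


def load_ranges(text):
    """Parse the CSV into (network, country, region, city), skipping bad rows."""
    ranges = []
    for row in csv.reader(io.StringIO(text)):
        try:
            net = ipaddress.ip_network(row[0].strip(), strict=False)
            ranges.append((net, row[1], row[2], row[3]))
        except (ValueError, IndexError):
            continue  # blank or malformed row
    # Narrowest prefix first, so overlapping entries resolve to the most specific.
    return sorted(ranges, key=lambda r: r[0].prefixlen, reverse=True)


def classify(ip_text, ranges):
    """Return the coarse location for a relay egress IP, or None for other IPs."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # unparseable client address
    for net, country, region, city in ranges:
        if ip.version == net.version and ip in net:
            return {"country": country, "region": region, "city": city}
    return None


def summarize(requests, ranges):
    """Attach the relay classification (or None) to each logged request."""
    return [(ip, path, classify(ip, ranges)) for ip, path in requests]
```

A match tells the site only the city-level area the relay chose to present, which is why local weather or news still works while the visitor’s own address stays hidden.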
If all you really want to do is stop websites from building a profile of you and selling it around to advertisers and data brokers, then using iCloud Private Relay on your iPhone, iPad, or Mac is a great option. It’s fast, easy, and if you already pay for any amount of iCloud storage, you’ll get it for free.
You should know that, as of iOS 15.1 and watchOS 8.1, iCloud Private Relay and Mail Privacy Protection do not work on Apple Watch. If you use the Mail app on your Apple Watch or open a web link (say, sent to you via Messages), the watch will use your real IP address.
If you want real privacy and security for everything you do on the Internet, or want to access content that’s available in countries other than your own, you’ll still need a VPN. Fortunately, we have some VPN recommendations for you.
Can your carrier block iCloud Private Relay?
Yes, your cellular provider can disable the feature. In iOS 15.3, Apple has tweaked the wording in Settings to let people know what’s going on:
Private Relay is turned off for your cellular plan. Private Relay is either not supported by your cellular plan or has been turned off in Cellular Settings. With Private Relay turned off, this network can monitor your internet activity, and your IP address is not hidden from known trackers or websites.
A few carriers in Europe have disabled the feature for some users, and T-Mobile here in the U.S. has done so for some of its customers. This is not always malicious, or merely about collecting and selling user data (though it could be, in some cases!). Some carriers provide content filtering features like parental controls, and iCloud Private Relay prevents them from working. In order to ensure compatibility with these features, iCloud Private Relay must be disabled.
The more elegant solution, of course, would be to allow users to enable iCloud Private Relay and simply warn them that such features may not work on that device, rather than taking the choice out of their hands entirely.