On September 20, 2021, Apple released iCloud Private Relay (archive), a new capability embedded into iOS 15, iPadOS 15, and macOS Monterey. Its objective is to enhance the privacy and security of Apple users who surf the web in Apple’s Safari browser. This comes as an exciting news to privacy advocates, especially given Apple’s controversial plans for inspecting iCloud photos, a decision that has caused outrage in the privacy community.
In this report, we present an early analysis of iCloud Private Relay, aiming to validate the claims made by Apple on how this new feature can enhance user privacy. The report will get updated as we expand our findings.
Apple has offered some high-level insights on the architecture of iCloud Private Relay (archive), but, unfortunately, many details are missing on its technical design. The following excerpts are the only technical details we could find officially from Apple (we have highlighted important pieces):
iCloud Private Relay is a new internet privacy service offered as a part of an iCloud+ subscription that allows users on iOS 15, iPadOS 15, and macOS Monterey to connect to and browse the web more privately and securely. Private Relay protects users’ web browsing in Safari, DNS resolution queries, and insecure http app traffic. Internet connections set up through Private Relay use anonymous IP addresses that map to the region a user is in, without divulging the user’s exact location or identity.
The iCloud Private Relay service uses an innovative multi-hop architecture in which users’ requests are sent through two separate internet relays operated by different entities. This way, no single party — including Apple — can view or collect the details of users’ browsing activity. Private Relay validates that the client connecting is an iPhone, iPad, or Mac, so you can be assured that connections are coming from an Apple device. Private Relay replaces the user’s original IP address with one assigned from the range of IP addresses used by the service. The assigned relay IP address may be shared among more than one Private Relay user in the same area. The relay IP address presented to networks and web servers accurately represents the client’s coarse city-level location by default, allowing your network to receive relevant location information when attempting to enforce geo-based restrictions based on IP address.
When Private Relay is enabled, your requests are sent through two separate, secure internet relays. Your IP address is visible to your network provider and to the first relay, which is operated by Apple. Your DNS records are encrypted, so neither party can see the address of the website you’re trying to visit. The second relay, which is operated by a third-party content provider, generates a temporary IP address, decrypts the name of the website you requested and connects you to the site. All of this is done using the latest internet standards to maintain a high-performance browsing experience while protecting your privacy.
Based on the above excerpts from Apple, and also through experiments in a lab setting using Apple devices, it appears that a Private Relay connection has the following format:
|Safari (an apple user)| <==1==> |ingress relay (a proxy controlled by Apple)| <==2==> |egress relay (a third-party content provider, e.g., Akamai)| <==3==> |website|
Apple’s concise explanation of Private Relays leaves many questions lingering about the technical design of Private Relays, that can directly impact its privacy promises. In particular:
The protocol is mostly unknown! What is the “innovative multi-hop architecture” that Apple claims to be using? Is it borrowing ideas from the classic onion routing protocol (which is used by Tor), or has Apple come up with another architecture?
Does it really anonymize your IPs, as claimed by Apple? Apple claims that Private Relays anonymize the IP addresses of the users. How are they defining anonymity? By the metrics long-established in the privacy community, or perhaps based on their own definition of anonymity? Apple explains that “your requests are sent through two separate, secure internet relays.” So, if Apple’s “innovative multi-hop architecture” is just a 2-hop onion routing system, then by all means this is completely broken when it comes to anonymizing IP addresses. This is because, a 2-hop onion encryption can not provide by-design anonymity, as the two hops can decide to disclose your identity once needed. That is, at any time the third-party content provider (e.g., Akamai) can work with Apple to de-anonymize a misbehaving Safari client who is connecting through Private Relays. So, it appears that Apple is only promising you to not look into your connections.
What about other non-IP means of identification? Seems like Private Relays aim to anonymize IP addresses only. Ask a first year graduate student working on privacy, and they will enumerate a plethora of techniques other than IP addresses that can give away your online identity, e.g., cookies, various forms of tracking, and side channels. So, one wonders, is Apple doing anything about those other features? Protecting just the IP address and ignoring other forms of identification will only give users an illusion of privacy! (Actually, seems like people have already found some vulnerability that leaks the IP addresses of Private Relay connections, using a known WebRTC side channel!)
We thank David Fifield and many other people for giving us feedback.