Some Carriers Are Blocking iPhone Users From Enabling iCloud Private Relay (9to5mac.com)
Some European carriers, including T-Mobile/Sprint in the United States, are blocking iCloud Private Relay access when connected to cellular data. As 9to5Mac reports, "This feature is designed to give users an additional layer of privacy by ensuring that no one can view the websites that they visit." From the report: Apple says that Private Relay is a feature designed to give users another layer of privacy when browsing the web. The first relay is sent through a server maintained by Apple, and the second is a third-party operator. The feature was announced at WWDC last June and initially slated for inclusion in iOS 15. Apple ultimately shipped the feature as a "public beta," meaning that it is disabled by default in the newest iOS 15 and macOS Monterey releases. You can manually enable it by going to Settings on your iPhone, tapping your name at the top, choosing iCloud, and choosing "Private Relay."
T-Mobile was among the carriers in Europe that signed an open letter expressing concern about the impact of Private Relay. The carriers wrote that the feature cuts off networks and servers from accessing "vital network data and metadata" and could impact "operator's ability to efficiently manage telecommunication networks." In the UK, carriers including T-Mobile, EE, and others have already started blocking Private Relay usage when connected to cellular data. 9to5Mac has also now confirmed that T-Mobile is extending this policy to the United States. This means that T-Mobile and Sprint users in the United States can no longer use the privacy-preserving iCloud Private Relay feature when connected to cellular data. The report notes that T-Mobile appears to be "in the process of rolling it out," so some users might still be able to use the feature -- at least for now. "The situation could also vary based on your location or plan," the report adds.
UPDATE: T-Mobile Says It Has 'Not Broadly Blocked' iCloud Private Relay, Blames iOS 15.2 Bug For Errors
Nothing to hide ? (Score:1)
At a guess, it looks like the state, or the EU, or secret squirrel has leaned on them ... cos the private relay makes it difficult to see what the users are doing.
Somewhat predictable.
SD
Re: (Score:2)
More specifically, most carriers throttle video to reduce quality and overall bandwidth. They do this by the simplest means possible, so this probably completely opens the floodgates for streaming video at full quality.
Re: (Score:2)
Private Relay does more than DNS encryption. I've heard it said that it's "not a VPN" several times, but when you enable iCloud Private Relay and visit whatismyip.com, the public IP that comes back is not your home IP, it's an Apple IP.
Seems pretty much like a VPN to me. The difference is really in implementation details: Apple layers their encryption so that neither they nor the "exit node" (to steal a term from Tor, but please note, Private Relay DOES NOT actually use the Tor network) knows both who you a
Re: (Score:2)
Tor is the right analogy here. It's an onion router, not a VPN.
Re: (Score:2)
If your traffic is being relayed, it will show one of Apple's CIDR blocks.
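A server-side check for the claim in the comment above, as an added example that is not part of the original thread: it matches client addresses from an access log against a list of relay egress ranges. The CSV layout (CIDR in the first column, country in the second), the documentation-only prefixes and the log lines are constructed assumptions; substitute the egress range list Apple publishes for Private Relay.

```python
import csv
import io
import ipaddress

# Constructed range list (assumed layout: cidr,country,region,city).
# Documentation-only prefixes stand in for real relay egress ranges.
SAMPLE_RANGES_CSV = """\
192.0.2.0/27,US,US-CA,Los Angeles,
198.51.100.64/26,GB,GB-ENG,London,
2001:db8:a::/48,DE,DE-BE,Berlin,
not-a-cidr,??,??,??,
"""

# Constructed access-log lines; the client address is the first field.
SAMPLE_LOG = """\
192.0.2.17 - - [10/Jan/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 512
2001:db8:a:1::5 - - [10/Jan/2022:10:00:03 +0000] "GET /a HTTP/1.1" 200 90
198.51.100.70 - - [10/Jan/2022:10:00:04 +0000] "GET /b HTTP/1.1" 200 90
garbage-line
"""

def load_ranges(csv_text):
    """Parse the range list, skipping rows whose first column is not a CIDR."""
    ranges = []
    for row in csv.reader(io.StringIO(csv_text)):
        try:
            net = ipaddress.ip_network(row[0].strip(), strict=False)
        except (ValueError, IndexError):
            continue  # blank or malformed row
        ranges.append((net, row[1].strip() if len(row) > 1 else ""))
    return ranges

def relay_country(addr_text, ranges):
    """Return the country tag of the first matching range, or None."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return None  # not an IP address at all
    for net, country in ranges:
        # Compare only within the same address family (IPv4 vs IPv6).
        if addr.version == net.version and addr in net:
            return country
    return None

def classify_log(log_text, ranges):
    """Return (client, country) for every log line sent from a listed range."""
    hits = []
    for line in log_text.splitlines():
        client = line.split(" ", 1)[0]
        country = relay_country(client, ranges)
        if country is not None:
            hits.append((client, country))
    return hits
```

A linear scan is fine for a short list; a full published range list is better served by a prefix tree or sorted interval lookup.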
Re: (Score:2)
Telekom Hijacks DNS in Germany and replaces ads with their ads.
This could backfire (Score:3)
If T-Mobile can block iPhone specific features, then doesn't it open the door for Apple to block certain iPhone features on T-Mobile? That can cause a large defection to other carriers. What if Apple integrates this technology into Apple Pay in a way that Apple Pay will not work without cloud relay? Suddenly, T-Mobile users will not be able to use Apple Pay and the blame will fall on T-Mobile as iPhones are behaving in an identical way on all networks and only T-Mobile is impacted. Customers will find that they can use Apple Pay using Wi-Fi but not on T-Mobile cell network.
Re: (Score:2)
Later this year: "Wow, it's so unfortunate that your stores didn't have any of the newest model of iPhone to sell, but your competitors do. Those darn supply chains."
Re: (Score:3)
If I want an iPhone with my plan, I just buy one at a shop of my liking, and put the SIM card of my carrier in. And then I use my iPhone. Done.
Re: (Score:2)
But to blatantly misunderstand someone and yell "communism" instead is very American too.
Re: (Score:2)
There's a whole lot of us that like and enjoy it.
Re: (Score:1)
Such a woeful misunderstanding of what goes on in America...and let's ignore the "red herring" argument on Communism.
Such a truly Euro-pee-an point of view regarding Americans and their wireless plans, and phones.
Sounds like you never knew that some wireless companies in the USA only sell SIM cards, like Mint Mobile (not a plug, just an example).
Sounds like you never knew that there are shoppes (Euro-pee-an speak, just for you), both "brick & mortar" and online, where you can buy "unlocked" phones like
Re: This could backfire (Score:2)
You don't have to buy your phone from the phone company in Europe, but many do, hence: https://shop.ee.co.uk/mobile-p... [ee.co.uk]
Last time I priced it out, it was £50 over two years to supply your own handset, so there's clearly money in it for the providers.
Re: (Score:2)
What if Apple integrates this technology into Apple Pay in a way that Apple Pay will not work without cloud relay?
While I get your point, ApplePay doesn't need data to operate - I've been using it without any data plan just fine.
However your point does stand for potentially other features of iOS (Messages comes to mind).
Re: (Score:2)
It's probably as simple as an IP/DNS block.
Re: (Score:2)
No, that inconveniences users more than T-Mobile.
Apple would want to hurt T-Mobile more than its users, so Apple will choose to simply allocate the latest and greatest phones to T-Mobile. T-Mobile customers will see the phones as constantly out of stock, while other carriers have it available. Eventually they will either choose to buy the phone unlocked, or switch to a different carrier.
Time to VPN (Score:2)
What this means to me is that it is VERY IMPORTANT that I get a VPN to use on my phone.
This is _very_ indicative of what the networks are doing with my data.
Re: (Score:3)
Especially as the alternative of giving the data to the network is giving the data to Apple.
Re: Time to VPN (Score:2)
Giving the data to the company that already makes the hardware, os, and browser that's already processing all that data?
Re: (Score:2)
Especially as the alternative of giving the data to the network is giving the data to Apple.
While I don't know anything about this feature beyond what I read in the summary, the fact that Apple is relaying through two servers, under the control of two different organizations, makes me think it's very likely that Apple has designed this so they don't get the data either.
The only reason I can think of to use two successive relays is to ensure that neither of the two relays can tell which user is going to which site. I'm thinking of something that's basically a very stripped-down mix network [wikipedia.org] proto
Re: (Score:2)
Wow..I'd not thought of the old mixmaster method of sending emails.
I wonder if that is still a working thing or if all the nodes have been taken over by 3 letter agencies?
Re: (Score:2)
Wow..I'd not thought of the old mixmaster method of sending emails.
I wonder if that is still a working thing or if all the nodes have been taken over by 3 letter agencies?
Ever heard of Tor? It's the same concept. And, yes, I'd bet that a lot of Tor nodes are run by TLAs.
Re: (Score:2)
This is basically how it works. Not sure if the mix network idea is exactly how they implement it (no one but Apple knows), but the marketing does point that way. It's actually quite a decent feature... for the users. The reason that carriers wouldn't like that is blindingly obvious to anyone following the recent trends in ISPs (especially mobile carriers) thinking they can do whatever they want with your traffic, including throttling it, inspecting it, data mining it, etc.
Re: (Score:2)
What this means to me is that it is VERY IMPORTANT that I get a VPN to use on my phone.
This is _very_ indicative of what the networks are doing with my data.
Right, because it's much better that the VPN provider can do that with your data.
Re: (Score:2)
Right, because it's much better that Apple can do that with your data.
Given the structure of Apple's solution, I strongly suspect that Apple has designed it so they can't do that with your data. See my comment: https://slashdot.org/comments.... [slashdot.org]
Fuck Deutsche Telekom (T-Mobile) (Score:2)
Nothing the carriers lose access to is for them to see. Their statement is a flagrant admission of spying on their customers.
Gobbledygook (Score:4, Insightful)
vital network data and metadata and could impact operator's ability to efficiently manage telecommunication networks.
Get my packets from point A to point B as specified in the TCP headers. That's all the efficiency I want or need from them. If they have something else in mind, I'd like to hear it. If they can't put it in writing, it must be unethical. Or possibly illegal.
Re: (Score:2)
"Efficiently manage telecommunication networks" probably means "being able to shove less important stuff like Netflix to the back of the queue when the network is congested"
Re: (Score:2)
a netflix stream is just as important as a video call to a doctor for a cancer patient
You pay for the QoS that you want. And I'm sure that if a network operator would identify someone's call as being to a doctor, they'd get slapped with a major HIPAA violation.
Re: (Score:2)
And I'm sure that if a network operator would identify someone's call as being to a doctor, they'd get slapped with a major HIPAA violation
Actually, no. HIPAA applies to health care providers, health insurance providers, and contracted entities.
Nobody else has any restrictions under HIPAA.
Re: Gobbledygook (Score:2)
But the covered providers are required to use IT services that ensure that HIPAA privacy and security rules [hhs.gov] are complied with. So you couldn't hold an on-line conference with your doctor if either you or she used T-Mobile.
Re: (Score:2)
Actually, HE can't use T-Mobile. You can. You can reveal your own info to whoever you want.
Re: (Score:2)
I expect it means "sell a list of everything you've looked at to whoever wants to pay us for it."
Re: (Score:1)
Maybe, but it might be something more like recoding the video stream to a lower quality. Most if not all of the transcoding platforms that I know of that are used by wireless carriers can only process HTTP traffic. That should be unencrypted traffic, right?
Since you can watch Youtube over a HTTPS connection, then supposedly the stream you are watching is protected by the HTTPS encryption and any attempt to transcode it would look like a MITM attack. Right?
So what is to stop a carrier from gaining legal acce
Re: (Score:3)
One of Apple's Private Relay relay node providers is Cloudflare. Another is Akamai. Between them, at least in the US, they have a presence in _most_ major and minor backbones. Follow the fiber -- pretty much everywhere the fiber is, these two companies have datacenters every few miles with edge servers and tier 1 peering with terabits of capacity.
Since Cloudflare and Akamai are by and large responsible for delivering much of the web content we consume in the first place, the modern Internet is already large
Re: (Score:2)
Their (dubious) argument is that they need to manage the bandwidth available on the network, which requires them to know a bit about the type of traffic. Is everyone streaming TikTok or YouTube videos, or are they doing Zoom calls? They also want to be able to degrade the traffic somewhat based on its type, e.g. put YouTube in a low priority rate limited queue so that it only streams 240p video and reduces their costs/allows them to over-sell even more.
VPNs make it impossible to do that, which is one of the
Re: (Score:2)
Get my packets from point A to point B as specified in the TCP headers.
What packets? I mean if we can read the TCP headers of the individual connections we can act accordingly. But if every packet has the same TCP header: Some SSL connection to an iCloud server, what's there to do?
To be clear I think T-Mobile is bullshitting a lot, but your proposal also completely destroys the concept and capabilities of QoS on a network.
Re: (Score:2)
But if every packet has the same TCP header: Some SSL connection to an iCloud server, what's there to do?
Get my packets to the iCloud server. Nothing more, nothing less. If I want a higher QoS, I'll ask for it (my application will).
Re: (Score:2)
If I want a higher QoS, I'll ask for it (my application will).
How? We can't see your application. All we see is a tunnel to the iCloud server.
I think you didn't think your reply through, or didn't understand my post.
aha (Score:2)
The carriers wrote that the feature cuts off networks and servers from accessing "vital network data and metadata and could impact "operator's ability to efficiently manage telecommunication networks."
Let me guess: They didn't get more specific than that. They're not about to let us know which data that is and what for it is needed, right?
Re: (Score:2)
Throttling is still entirely possible. The only change here is that carriers won't be able to throttle your traffic based on its content or source, but that isn't something they should be able to do in the first place. After all, they're selling me X amount of data or Y throughput with "unlimited data" per month, so where I request my data from isn't any concern of theirs.
OP nailed it: they didn't state their reasons for objecting in detail because we all know that this is about monetizing the data. They can
Demand common carrier for all telcoms (Score:1)
The problem cannot be resolved any other way
internet (Score:2)
It is not the internet if you do not trust someone other than you to at some point handle your data. You have to trust someone.
Re: No. You don't. (Score:2)
Unless, as a consumer, you know the right thing to demand for, then yes you do. Most people don't know to demand for open hardware and open silicon cores. Thus, we have closed black boxes in our phones and desktops. Maybe you can use something like opencores and have your processor be extremely slow.
Even if all of the source on your phone is open source (not at all a thing in the iphone world and only 80% a thing in the Android world), your processor can still have any number of backdoors. And encryption do
Thanks for the heads up (Score:1)
Breaks peering agreements? (Score:2)
Re: (Score:2)
By games are you talking about how a well known company was providing CDN services for Netflix? If so, then you should know that the company didn't want to pay for traffic when they fell outside their settlement-free agreement. Nothing wrong with another company trying to hold them to the contract.
Re: Breaks peering agreements? (Score:2)
This whole train thread somehow revolves around Netflix. Apple would be very not smart to not cut out a hole so that Netflix traffic goes direct. Remember, Netflix doesn't work with VPNs. Netflix sees a lot of subscribers coming in over one IP and guess what? Your whole subnet is labelled (by Netflix) as a VPN.
We all know what needs to be done (Score:2)
Nuke them from orbit, it's the only way to be sure.
Break out the PR big guns. (Score:2)
Why haven't they said that the feature hides terrorists and pedophiles yet? That's the go-to justification in these sorts of situations.
Re: (Score:2)
Because people would just bring up iMessage. For the same reasons.
Re: (Score:2)
Why haven't they said that the feature hides terrorists and pedophiles yet? That's the go-to justification in these sorts of situations.
Apple is already going to scan your images to see if you are a pedophile. Just as soon as the commotion dies down a little more. They care about your privacy, you know?
Private relay requires iCloud+ subscription (Score:3)
Not sure if it's based on location (USA) or cell provider, but when I went to activate this beta feature Apple notified me that I would need to subscribe to iCloud+ at 99 cents per month. Not saying it's good or bad, just is. I'm not against paying for things that add value to me. But this one I will pass on for the time being.
Re: (Score:2)
This feature is indeed an extra benefit you get when you sign up for iCloud.
Well if you want more than I think the free bit they give you with purchase of a phone.
I did it for back
This is tracked in GSD-2022-1000065 (Score:2)
Great wall of Apple? (Score:2)
Why does Apple route traffic through itself like China? Are they trying to spy on everybody? Sounds like a terrible idea. Or an anti-trust case against other VPN providers, at least.
Re: (Score:2)
No. Read up on what iCloud Private Relay does. First, it's opt-in by the user. Second, it uses double encryption, so that neither Apple nor their transit partners (basically, companies with a lot of servers in a lot of datacenters and a huge amount of network capacity) can see both _who you are_ and _what site you're visiting_. And if the destination site is using HTTPS, neither one can see the traffic payload either - only you and the site owner can see the traffic. It doesn't MITM any crypto protocols you
Re: Great wall of Apple? (Score:2)
Apple produces your hardware and software. And it's closed source. They already spy on everybody. Choose something better.