iCloud Private Relay

The iCloud Private Relay is available for Apple users with an iCloud+ subscription. It encrypts users’ internet traffic and masks their IP addresses, which makes it sound an awful lot like a VPN. But it isn’t. Not by a long shot. In this article, we’ll explain what iCloud Private Relay is and why it doesn’t work like a VPN.

What is iCloud Private Relay?

The feature is designed to protect users’ privacy when browsing the web with Safari. Apple says that, when enabled, the iCloud Private Relay ensures that “no single party — not even Apple — can see both who you are and what sites you’re visiting”.

iCloud Private Relay became available in 2021. It requires a subscription to iCloud+ and an appropriate Apple device, i.e. one running iOS 15, iPadOS 15, macOS Monterey, or any subsequent Apple operating system. According to Apple, iCloud Private Relay is not available in all countries or regions.

How does iCloud Private Relay work?

When Private Relay is enabled, outgoing requests are sent through two separate, secure relays before reaching the internet.

When you try to access a website from Safari, the information about the website you’re looking for is encrypted – but your IP address isn’t – and sent to the first relay (the “ingress proxy”). This relay is operated by Apple.

Your request is then sent to the second relay (the “egress proxy”), which is operated by Apple’s third-party partners. As your IP address is hidden, the partner generates a temporary IP address, which is rotated for additional security. It then decrypts the name of the website you requested, and connects you to the site.

[Diagram: How iCloud Private Relay handles HTTPS requests. Image courtesy of Cloudflare.]

As the above diagram demonstrates, Apple and your ISP can see your IP address but not where you’re trying to reach online. This is inverted for the second relay’s operators, who cannot see your IP address, but can see where you’re trying to get to. It is this division that protects users’ privacy.

How do VPNs and the iCloud Private Relay compare?

While there are many similarities between the two services, there are also some key differences – the most important of which are discussed below.

Device protection

VPN: Yes

iCloud Private Relay: No

A VPN encrypts all internet traffic flowing to and from a user’s device, whether that’s generated from a Skype call, Netflix app, or a torrent client. The iCloud Private Relay only encrypts traffic flowing to and from the Safari browser. Any internet connection outside of the browser is not protected. This leaves users vulnerable to DDoS attacks when playing app-based games or man-in-the-middle attacks when using unsecured public Wi-Fi networks.

IP address spoofing

VPN: Yes

iCloud Private Relay: Not really

Virtual Private Networks (VPNs) tend to have large server networks. Some, like CyberGhost, have more than 11,600 servers, while IPVanish has 40,000+ IP addresses available from its 2,200+ servers.

VPN users can change their IP address simply by choosing a server and connecting to it. Their IP address becomes that of the server they’ve connected to, which can be anywhere in the world. A VPN like ExpressVPN has servers in 105+ countries, for example.

The iCloud Private Relay is far more limiting. Users receive a temporary IP address, but cannot get one from a different country. Apple says, “Internet connections set up through Private Relay use anonymous IP addresses that map to the region a user is in, without divulging the user’s exact location or identity.”

This lack of choice makes the iCloud Private Relay unsuitable for those hoping to access geo-restricted content from streaming services like Netflix. By contrast, those who use the right VPN can access international streaming services simply by connecting to a server in the relevant country.

DNS leak protection

VPN: Yes

iCloud Private Relay: Yes

The better VPNs, such as NordVPN, Surfshark, and ExpressVPN, have their own servers to resolve DNS queries. This prevents third-party network intruders and ISPs from being able to see which websites users are visiting.

iCloud Private Relay also keeps your DNS queries private. It encrypts queries sent through the access network and the first Apple-owned relay. The requests are only decrypted by the second relay, which is operated by a third-party content provider such as Cloudflare, but doesn’t have the user’s original IP address. DNS queries therefore cannot be tied to individual users.

Connection speed

VPN: Impacted

iCloud Private Relay: Not impacted

VPNs route users’ traffic through an additional server before it reaches the internet. If the user has chosen a server in a country far from their current location, the traffic has to travel that extra distance. This takes time. The encryption process takes an additional toll on speeds. However, for the best VPNs, the drop in speed is negligible. Using Surfshark as I write this, my own connection speed only increases by 1.2 Mbps if I disconnect.

The top five fastest VPNs in our most recent speed tests all had average download speeds in excess of 250 Mbps – which is plenty fast enough for everything from intensive gaming to watching 4K video.

Apple says that its iCloud Private Relay service has no “noticeable impact” on browsing speeds or performance. However, posts to its developer forum, community site, and other forums suggest otherwise.

How to set up iCloud Private Relay on an iPhone, iPad or iPod touch

If your device has iOS 15, iPadOS 15 or later, you can follow these instructions to enable iCloud Private Relay:

  1. Go to Settings > [your name] > iCloud.
  2. Tap Private Relay, then turn it on using the toggle switch.
  3. Tap IP Address Location if you want to change your location settings.

Set up iCloud Private Relay on your Mac

If your Mac has macOS 12 or later, you can follow these instructions to enable iCloud Private Relay:

For macOS 12:

  1. Click on the Apple icon in the corner of the screen.
  2. Select System Preferences.
  3. Click Apple ID.
  4. Click iCloud.
  5. Select Private Relay.
  6. Click Options if you want to change your location settings.

For macOS 13 or later:

  1. Click on the Apple icon in the corner of the screen.
  2. Select System Settings.
  3. Click [your name].
  4. Click iCloud.
  5. Select Private Relay.
  6. Toggle Private Relay to On.
  7. Click Options if you want to change your location settings.

Have there been any issues with the iCloud Private Relay?

In 2021, not long after iCloud Private Relay was launched, a security researcher discovered a vulnerability when it was used with iOS 15 that could leak users’ true IP addresses. The leak was found to occur through WebRTC, a browser API that allows websites to establish direct communication between website visitors. The researcher suggested using a VPN to mitigate any risks while waiting for Apple to release a patch.

Note that many VPNs also suffer from WebRTC leaks. You can disable WebRTC in your browser, either in the settings or using an extension.
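
To check whether a session exposes an address outside the relay, compare the ICE candidates that WebRTC gathers with the IP address the website sees over HTTP. The following is an added example, not code from the researcher or from Apple; the function names are hypothetical, and the candidate lines and both IP addresses are constructed from documentation address ranges.

```javascript
// Candidate grammar (RFC 8839): candidate:<foundation> <component> <transport>
// <priority> <address> <port> typ <type> [raddr <addr>] [rport <port>] ...
function parseCandidate(line) {
  const parts = line.trim().replace(/^a=/, "").split(/\s+/);
  if (!parts[0].startsWith("candidate:") || parts.length < 8 || parts[6] !== "typ") {
    return null; // not an ICE candidate line
  }
  const raddrAt = parts.indexOf("raddr");
  return {
    transport: parts[2].toLowerCase(),
    address: parts[4],
    port: Number(parts[5]),
    type: parts[7], // host, srflx, prflx or relay
    relatedAddress: raddrAt > 0 ? parts[raddrAt + 1] : null,
  };
}

// "mdns" = obfuscated host name, "private" = non-routable, "public" = routable.
function classifyAddress(addr) {
  if (addr.endsWith(".local")) return "mdns";
  if (addr.includes(":")) {
    // IPv6: loopback, unique-local fc00::/7 and link-local fe80::/10
    return /^(::1$|f[cd]|fe[89ab])/i.test(addr) ? "private" : "public";
  }
  const o = addr.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return "unknown";
  const nonRoutable = o[0] === 0 || o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) || (o[0] === 169 && o[1] === 254);
  return nonRoutable ? "private" : "public";
}

// Candidates that expose a public address other than the one the site sees over HTTP.
function findRelayBypass(candidateLines, httpVisibleIp) {
  return candidateLines
    .map(parseCandidate)
    .filter((c) => c && classifyAddress(c.address) === "public" && c.address !== httpVisibleIp);
}

// Constructed sample: documentation ranges, not a real capture.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2113937151 4f2a9c1e-7b3d-4e5f-8a6b-0c1d2e3f4a5b.local 54321 typ host",
  "candidate:2 1 udp 1677729535 198.51.100.23 54321 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:3 1 udp 2113937151 192.168.1.20 54322 typ host",
];
const EGRESS_IP = "203.0.113.77"; // constructed: the address the site sees via the relay
```

An empty result from findRelayBypass means every gathered candidate is either an mDNS name, a non-routable address, or the same address the site already sees.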

In 2022, a team of academics from the Technical University of Munich, in Germany, found instances where the first relay – which is supposed to be an Apple server – was hosted by Akamai. The problem is that Akamai also hosts some of the egress servers, so it would theoretically be able to link users with the web pages they’re visiting. This, say the researchers, “breaks Apple’s promise to prevent a single party from seeing both addresses on the network level”.

Should I use iCloud Private Relay?

If you’re already an iCloud+ subscriber, then yes. It prevents your ISP spying on your online activity and makes browsing safer more generally. If, however, you’re considering signing up to iCloud+ specifically for iCloud Private Relay, then you’re better off spending the money on a VPN subscription. You’ll get better protection for all online activities and gain access to country-specific online services too.