Mobile networks really hate Apple's Private Relay: Some folks find iOS privacy feature blocked on their iPhones

Some mobile networks in Europe, UK, and America have reportedly started blocking Apple's beta-grade Private Relay functionality in iOS 15. This opt-in feature works kinda like a VPN or kinda like Tor depending on how you squint at it: when enabled, it encrypts and routes your connection through two proxy servers in an attempt …

  1. Mark 65

    Pfft

    They also accused Apple of "undermining European digital sovereignty" with the functionality.

    They also accused Apple of "undermining additional revenue streams" with the functionality.

    1. stiine Silver badge
      Unhappy

      Re: Pfft

      That correction's still the understatement of the year.

  2. Steve Davies 3 Silver badge

    Cry me a river (of fake tears)

    as a revenue stream that they don't have to do anything for except collect the data dries up...

    Many here hate Apple and their walled garden but IMHO, efforts like this to stop the ISPs from selling their usage history is a good thing. Apple has issued a warning shot in this area of user privacy.

    If the ISPs win here, then VPNs will be next on their 'block at all costs' list.

    If your company requires you to use a VPN in order to access their network, just take a moment to consider the implications if that VPN was blocked by the ISP.

    They might well retaliate by charging you a big premium per month just to use a VPN.

    Seconds out... round 2.

    (where's the popcorn?)

    1. LDS Silver badge

      Re: Cry me a river (of fake tears)

      It's just Apple putting more barriers to others to monetize Apple cattle. Only Apple can monetize them - want to sell ads to Apple cattle? Pay the Apple tax.

      It's just a battle among bad people about who controls your data. You feared the "Microsoft Network"? Enjoy the Apple one...

      1. gnasher729 Silver badge

        Re: Cry me a river (of fake tears)

        Nonsense. You can sell ads as much as you like. The only difference is: The ISP doesn't know which ads I see (none of their business anyway), Apple doesn't know which ads I see (none of their business anyway), and the advertiser doesn't know who is watching their ad, but they know someone is.

        1. Doctor Syntax Silver badge

          Re: Cry me a river (of fake tears)

          "the advertiser doesn't know who is watching their ad"

          And they don't know what that person's attitude to ads might be. Suckers.

        2. LDS Silver badge
          Facepalm

          "Apple doesn't know which ads I see"

          ROOOOOOTFLLLLL!!!!!

          You see the ads Apple is paid for to show you. There's also an SDK for that.

          "You can sell ads as much as you like"

          To display targeted ads you need the target. And the target is controlled by those who can profile users. If you can profile the user using your OS and your browser, while stopping everybody else to gather the same data, those wishing to display targeted ads have to pay you, and you only.

          People understand it, cattle don't - they are the product.

          1. Anonymous Coward

            Re: "Apple doesn't know which ads I see"

            Apple's ad system has nothing to do with web browsing, therefore nothing to do with the relay service.

          2. Tilda Rice

            Re: "Apple doesn't know which ads I see"

            LDS:

            Apple isn't just promising not to log, it's saying the design makes that impossible. The Ingress Proxy doesn't know who you are beyond an IP address, or which site you're trying to access, so there's no way for Apple to spy on you; the Egress Proxy knows the site, but nothing about you, not the IP. Only your device knows everything.

            People understand it. Haters don't.

            1. doublelayer Silver badge

              Re: "Apple doesn't know which ads I see"

              Hold on. The person you replied to is indeed incorrect, but I suggest caution before attributing those protections to Apple's system. The description you have supplied represents what they've said, but there is reason to doubt it. They operate both the ingress and egress proxies, meaning it is technically possible for them to connect the network activities all the way through. This is in contrast to Tor, where each proxy is ideally run by independent people* who don't coordinate. Since it is possible for Apple's system to identify your path, you need to identify yourself to them, and if they did collect that information you wouldn't know about it, I think it can be dangerous to assume it functions in a way similar to Tor. It is an Apple-run VPN only, and you should only use it if you trust Apple to handle your traffic.

              * When you get a random path through the Tor network, you don't necessarily know that your path isn't controlled by a single person pretending to be from multiple operators. However, because you generate new paths frequently and have some control over how you route traffic, it is unlikely.

              1. peter_dtm

                Re: "Apple doesn't know which ads I see"

                Apple claim the egress proxy is 3rd party & out of their control. They may well know which egress server I’m talking to, but they don’t have (direct legal) access to any of the egress server logs.

                So the cut out is valid, Apple only know to which egress server you are connected, so they don’t know where you’re browsing.

      2. DS999 Silver badge
        Facepalm

        What a moronic take

        Apple already makes the browser and OS, so iCloud Relay doesn't make any change in their ability to "monetize" you. But it does make sure your ISP cannot.

        1. Stuart Castle Silver badge

          Re: What a moronic take

          There are enough talented hackers that hate Apple that I suspect if Apple did try and profile their users in the way you are suggesting, that fact would be leaked within weeks, if not days.

    2. Fred Daggy Bronze badge
      Black Helicopters

      Re: Cry me a river (of fake tears)

      It already happens, at least in mainland Europe. Worker tries to connect to IPSec VPN from home. Worked fine when tethered to mobile at the office. But no dice. Cue much tearing of hair out.

      Then we remember ... much crappery of ISP, most times their crappy cable box. Not blocked by the ISP per se.

      Fark.

      Almost never happens with Direct Access and its sister-cousin, SSL VPN.

    3. Cederic Silver badge

      Re: Cry me a river (of fake tears)

      If they charge more for a service that doesn't block VPNs then at least they're giving people the choice. If they're making money from customers' data the fairest way of recompensing the customers is to give them a lower priced service.

      I suspect their competitors will offer the lower prices and still support VPNs though, so that'd be my choice.

      1. doublelayer Silver badge

        Re: Cry me a river (of fake tears)

        "If they're making money from customers' data the fairest way of recompensing the customers is to give them a lower priced service."

        I suggest an alternative:

        If they're making money from customers' data the fairest way of recompensing the customers is to fine the company under privacy legislation (if there isn't any, pass some first). Then, if the company hasn't entirely stopped doing it by the next day, fine them again. Continue until the data is private or the company has ceased existing.

        1. Charles 9 Silver badge

          Re: Cry me a river (of fake tears)

          Or the company lobbies the government to get the annoying law removed. Remember, they have deeper pockets and better connections...

          1. doublelayer Silver badge

            Re: Cry me a river (of fake tears)

            They will try, and they might succeed, but we have seen that it can be done despite their efforts if there are enough people willing to go to the effort required. GDPR may be poorly enforced, and CCPA may be significantly weakened from the original ideal, but the big data collectors didn't want either of them to pass and they did. They have also resulted in some action (definitely not enough, but they really do have the force of law). If they're going to fight, we have the option to fight back or crumble under the assumption that they cannot fail. They've failed twice and they can again.

    4. jollyboyspecial Bronze badge

      Re: Cry me a river (of fake tears)

      Except of course Apple themselves are only too happy to sell their users' personal and private data. As usual with Apple it's a case of do as I say not as I do.

      1. DS999 Silver badge

        Re: Cry me a river (of fake tears)

        Proof? Of course not, you're just a troll making claims you wish were true.

    5. iron Silver badge

      Re: Cry me a river (of fake tears)

      > If your company requires you to use a VPN in order to access their network,

      This is why the mobile companies will not block VPNs.

      Who wants to be known as the phone company that's "NOT for business!"

      Marketing would have a collective heart attack.

    6. martyn.hare

      Round 2: Phasing out of unencrypted DNS

      Crap ISPs will cry a river when they can no longer harvest diddly squat due to proper encryption in place.

      Just like root hints, there’s bugger all stopping standards bodies from telling DNS providers to start shipping keys/certs which reference IP addresses as a bootstrap to eliminate plain DNS. When combined with encrypted SNI in TLS 1.3 it signals the death knell for large scale snooping of traffic without consent.

  3. A Non e-mouse Silver badge
    Big Brother

    Private Relay

    Is it really the carriers complaining about Apple's Private Relay, or are they being leaned on by the local spooks to complain about it?

    1. Anonymous Coward

      Re: Private Relay

      Who's to say the spooks aren't sitting on a backdoor in Apple's VPN?

      1. Dan 55 Silver badge

        Re: Private Relay

        In the US the complaint from local carriers is lost revenue opportunities selling data, the US spooks have access to more data from abroad with Apple's VPN so they're pleased.

        Outside the US the complaint from local carriers is because local spooks aren't happy with Apple slurping data instead of themselves.

      2. Dave 126 Silver badge

        Re: Private Relay

        One reason is that the FBI, in addition to investigating terrorism and child abuse images, is also responsible for investigating - and so proactively seeks to prevent - espionage against US corporations.

    2. Forget It
      Happy

      Re: Private Relay

      I they want a

      paler variety (anag)

      of private relay

    3. mark l 2 Silver badge

      Re: Private Relay

      If the ISPs are moaning, it's because it is affecting their revenue. They don't care about blocking access to sites that the local authorities have deemed inappropriate such as Thepiratebay, as often they will just block this on their DNS servers, and if you use alternative DNS resolvers you can get around their 'blocks'.

  4. Drew Schatt

    AT&T Blocks Private Relay as well

    At least in the states, AT&T blocks Private Relay as well. Quite disappointing.

  5. T. F. M. Reader Silver badge

    Privacy if **we** provide it

    I can understand that any ISP filtering won't work for VPNed traffic. However, a disclaimer in TOS seems to be more appropriate than blocking the traffic, especially if the customer hasn't asked for the filtering service. I'd even consider it reasonable to continue charging a few pennies for the filtering checkbox whether or not it is effective under the circumstances - refuse the add-on service if you don't want it.

    And then the situation is the same for VPN/Tor, right? Do they block other VPNs for the same reason? Ah, maybe none of them is big enough to bother... But why should all those harvestable and monetisable fruits of surveillance go to AAPL, eh?

    1. Annihilator

      Re: Privacy if **we** provide it

      Problem being, ISPs have been forced to do filtering by the government. Both for the justifiable kiddy stuff, but equally they got forced to block access to pirate bay and other technically legitimate sites. So yes, there is always some level of proxy involved, the implementation dependent on how much money they felt compelled to spend on it.

      Remember the site-wide Wikipedia blocking that got inadvertently triggered because of the Nirvana album cover? Meant Wikipedia detected *all* traffic coming from the ISP’s proxy and assumed it was a DOS or similar, all because the ISP (I think it was O2) couldn’t be arsed to implement a transparent proxy for their filtering.

      1. Jellied Eel Silver badge

        Re: Privacy if **we** provide it

        Yup. Pretty much every country has regulatory requirements for lawful intercept and sometimes bulk data collection as well. Then there can be additional headaches, like huge fines for failing to prevent file sharing. Or regulatory requirements for adult verification, pron blocking etc etc.

        Not sure how LEOs would respond to being referred to Apple either. But from a technical PoV, it could make routing simpler if all iTraffic is just hot-potato'd off to the nearest Apple interconnect.

        As for telcos and ISPs flogging your data, I've never seen that done, or seriously considered. Mainly because it's a huge amount of data, and very little value. Just consider the typical SNR of a single visit to a single website. Run that via Wireshark, and just look at the number of sessions that get initialised to ad slingers, trackers, analytics and sundry carp slingers.

        1. Annihilator

          Re: Privacy if **we** provide it

          "As for telcos and ISPs flogging your data, I've never seen that done, or seriously considered"

          Plus, consider the number of grunts employed across the ISP industry. There will be several of them being massively underpaid, and not one of them has ever been disgruntled enough to even hint that it's being done.

  6. msknight

    Ooooohhhhh... this is going to get nasty! Popcorn icon please?

  7. Anonymous Coward

    '[Verizon] Customers who have opted out of such data collection in the past are also automatically enrolled in the "new" scheme.'

    "Call my lawyer"...

    1. Anonymous Coward

      "Call my lawyer"

      Who will charge you money to point at the Terms of Service...

    2. fidodogbreath Silver badge
  8. werdsmith Silver badge

    If the ISPs and networks lose revenue from this data then they will just recoup it through their tariffs. We (who are customers) will all pay for this privacy in the end.

    1. Anonymous Coward

      Yeah - I wonder how much money they make by selling my information. Maybe a few cents a year?

      I'm happy to pay a few cents extra for the ISPs who do not try to monetise my browser history. That isn't an option of course.

      1. MiguelC Silver badge
        Mushroom

        Imagine if, when signing a new contract, you had to choose one of the following options "Do you agree for [CellCo name] to collect all your information and share it with our partners or would you prefer to pay an additional monthly [NNN] for privacy"

        1. Dan 55 Silver badge
      2. DS999 Silver badge

        Just look at Google and Facebook's earnings

        Both make basically 100% of their revenue from targeted advertising. So your privacy is worth quite a bit more than a few cents!

    2. Pascal Monett Silver badge

      ISPs and networks are being paid by the contract you signed up for to use their services. They do not need additional revenue, else they should have priced their contracts differently.

      1. Anonymous Coward

        re. They do not need additional revenue

        - but every little (extra) helps!

    3. Doctor Syntax Silver badge

      There is an alternative for any network bright enough to use it: be the one provider who doesn't block it. No need to raise prices to increase revenue, the extra customers will provide it.

      1. Charles 9 Silver badge

        Unless the price isn't enough to cover their overhead and the ones data-mining are actually loss-leading to undercut the competition.

  9. Anonymous Coward

    So, Apple basically exposed these data thieves?

    Well, well, well.

    Score one for Apple, I'd say. Even though their "protection" would still be subject to US law which is not exactly spectacular when it comes to protecting privacy, it was a good step as it popped an interesting privacy question. Let's see how long it takes for Max Schrems to ping this one into the EU privacy watchdogs.

    Yes, indeed, stock up on popcorn, this could get very interesting.

  10. Pirate Dave Silver badge
    Pirate

    Verizon

    I got the notice from Verizon about their over-eager sniffing last month and opted-out immediately. Fucking spooky shit. Whoever thought that up at Verizon needs to fuck themselves vigorously with a broken light-bulb until they realize what a horrible idea it was.

    It is seriously sad that the IT/Telecoms industry sees its customers as nothing more than milk cows full of juicy data to make the rich richer (and the Zucks Zuckier). I mean, I can sort of maybe understand the justification for "free" sites like Facebook, Google, etc. But not fucking Verizon, who I pay $800+/year for cell phone service. Fuckers!

    <and now, back to our regularly scheduled program>

    1. fidodogbreath Silver badge
      Thumb Up

      Re: Verizon

      ^^^^ What Pirate Dave said. ^^^^

  11. Barrie Shepherd

    I never thought I would give Apple credit for anything but in this case they seem to be doing "an acceptable thing".

  12. DS999 Silver badge
    Alert

    You can tell where there's a lot of money quietly being made

    From all the screaming when something new halts the silent gravy train!

  13. James O'Shea

    Calling T-mob

    I ran a little test. T-Mob is definitely allergic to Cloudflare's free 1.1.1.1 VPN service. If I turn it on, and am connected only to a T-Mob cell net, any attempt to use data, by web or email or anything else, results in a long wait and then a timeout. If I turn it off, and am connected only to a T-Mob cell net, I get more or less an instant, very fast, connection. If I have it on and am connected to a local 802.11 net, and I've tried two different nets, in a local eatery and at the office, again I have an instant, very fast, connection. Turning on Apple's Private Relay, I may or may not get the timeout when connected to a T-Mob cell net, it varies. I definitely don't have problems when on a local 802.11 net.

    I am currently on hold with T-Mob support. I expressed my displeasure at having VPNs blocked, pointed out that I'd been with T-Mob for nearly two decades (I started when the hot cell phone was a Motorola Razr) and that I really, really, REALLY wanted to know what in God's name they thought that they were playing at. T-Mob Support had a look at my account, at the number of lines and the length of time that I'd been with T-Mob, and became most apologetic. I'm holding for transfer to 'someone technical' who can 'permanently fix' this 'unfortunate problem'. You'll notice that they failed to admit that the 'problem' might have been caused by them. They really don't want to lose all the beautiful cash that I feed them.

    1. heyrick Silver badge

      Re: Calling T-mob

      It's been an hour, you still on hold? Ba-da-du-da-bip your call is important to us da-du-ba-ba....

      1. James O'Shea

        Re: Calling T-mob

        I have a 'ticket'. They are 'addressing the problem'.

  14. msobkow Silver badge

    Of course the wireless telcos hate Apple's privacy feature; it uses encrypted traffic they can't intercept. Which is technically no big deal, except it means they can't inject their ads in place of the served ads, and otherwise manipulate the data feed by snooping far too low level for comfort.

    Face it. The only reason the incumbents get away with the terms of their "agreements" is a) we have no alternative and b) they have all the lawyers.

  15. Jason Hindle

    How is Private Relay different to firing up Express VPN?

    I’ve never been aware of any mobile network trying to block me from doing that (except the networks in China).

  16. s. pam
    Megaphone

    Simples to get around

    Buy your iPhone unlocked - carriers cannot install their own crappy monitors

    1. Charles 9 Silver badge
      WTF?

      Re: Simples to get around

      And then they just consider any unlocked phone as suspect. That's how they get you, these days. Any attempt to stray from the sheep's fold is immediately marked as suspect, regardless of the reason.

    2. doublelayer Silver badge

      Re: Simples to get around

      That's an issue with carrier-purchased Android devices, but Apple is very controlling about their hardware. It's annoying for the user who wants lots of access, but one perk of their stance is that carriers don't get to load unwanted software onto the phones they sell. It's still locked to them, so better to buy an unlocked version.

      If you have to buy a carrier iOS device, it's generally safe. I wouldn't suggest anyone get a carrier Android device ever.

  17. Emir Al Weeq

    TOR

    Interesting that the article mentions EE in the UK. They've not been bothered by TOR users on their network for years. This comment (and many of my previous ones) was posted using exactly that.

    Maybe those like me number too few for them to care.

  18. Stuart Castle Silver badge

    Actually, our network guys at work hate it. Not because we are planning to sell the data or anything. More because we have hundreds of wireless access points spread across multiple buildings and the fact it uses a different MAC when it connects to a different access point is causing problems for the software we use to manage the access points.

    We have thousands of users. It’s entirely possible for the average user to connect to many access points each day, so if their device is using different MAC addresses every time, the software will be dealing with thousands of MAC addresses that are no longer in use.

    I don’t know how long it keeps any record of the MAC address, but if it’s a few days, the system is probably dealing with hundreds of thousands of unused MACs.

    1. yetanotheraoc Silver badge

      private address

      Where I work the end user needs to register their MAC address before the device is allowed to join the network. In practice this means turning off private address for the work wifi. I don't know how turning off private address will interact with private relay, but your company might look at introducing a similar registration requirement.

    2. peter_dtm

      Disabling private MAC address is a separate option, and has nothing to do with Private Relay. Although both are set from the same settings page, and both are set per network and annoyingly default to ON. And frequently get reset to on by iOS upgrades.

  19. Henry Wertz 1 Gold badge

    CEP

    Yup, I found I was enrolled in CEP -- despite having CPNI (Customer Proprietary Network Info -- a.k.a. selling your private info to whoever) set to "no." Needless to say I've opted out of CEP too. I'd CONSIDER it if it gave me even a minor benefit (like more relevant banner ads).. but it doesn't since Verizon Wireless is not running a banner ad network and so has no control over what banner ads show up on any sites other than their own.

  20. Anonymous Coward

    can't access "vital network data and metadata"

    surely, not vital for their bottom line?
