Mobile networks really hate Apple's Private Relay: Some folks find iOS privacy feature blocked on their iPhones Some mobile networks in Europe, UK, and America have reportedly started blocking Apple's beta-grade Private Relay functionality in iOS 15. This opt-in feature works kinda like a VPN or kinda like Tor depending on how you squint at it: when enabled, it encrypts and routes your connection through two proxy servers in an attempt …
as a revenue stream that they don't have to do anything for except collect the data dries up...
Many here hate Apple and their walled garden but IMHO, efforts like this to stop the ISP's from selling their usage history is a good thing. Apple has issued a warning shot in this area of user privacy.
If the ISP's win here, then VPN's will be next on their 'block at all costs' list.
If your company requires you to use a VPN in order to access their network, just take a moment to consider the implications if that VPN was blocked by the ISP.
They might well retaliate by charging you a big premium per month just to use a VPN.
Seconds out... round 2.
(where's the popcorn?)
It's just Apple putting more barriers to others to monetize Apple cattle. Only Apple can monetize them - want to sell ads to Apple cattle? Pay the Apple tax.
It's just a battle among bad people about who controls your data. You fearead the "Microsoft Network"? Enjoy the Apple one...
Nonsense. You can sell ads as much as you like. The only difference is: The ISP doesn't know which ads I see (none of their business anyway), Apple doesn't know which ads I see (none of their business anyway), and the advertiser doesn't know who is watching their ad, but they know someone is.
ROOOOOOTFLLLLL!!!!!
You see the ads Apple is paid for to show you. There's also an SDK for that.
"You can sell ads as much as you like"
To display targeted ads you need the target. And the target is controlled by those who can profile users. If you can profile the user using your OS and your browser, while stopping everybody else to gather the same data, those wishing to display targeted ads have to pay you, and you only.
People understand it, cattle don't - they are the product.
LDS:
Apple isn't just promising not to log, it's saying the design makes that impossible. The Ingress Proxy doesn't know who you are beyond an IP address, or which site you're trying to access, so there's no way for Apple to spy on you; the Egress Proxy knows the site, but nothing about you, not the IP. Only your device knows everything.
People understand it. Haters don't.
Hold on. The person you replied to is indeed incorrect, but I suggest caution before attributing those protections to Apple's system. The description you have supplied represents what they've said, but there is reason to doubt it. They operate both the ingress and egress proxies, meaning it is technically possible for them to connect the network activities all the way through. This is in contrast to Tor, where each proxy is ideally run by independent people* who don't coordinate. Since it is possible for Apple's system to identify your path, you need to identify yourself to them, and if they did collect that information you wouldn't know about it, I think it can be dangerous to assume it functions in a way similar to Tor. It is an Apple-run VPN only, and you should only use it if you trust Apple to handle your traffic.
* When you get a random path through the Tor network, you don't necessarily know that your path isn't controlled by a single person pretending to be from multiple operators. However, because you generate new paths frequently and have some control over how you route traffic, it is unlikely.
Apple claim the egress proxy is 3rd party & out of their control. They may well know which egress server I’m talking to, but they don’t have (direct legal) access to any of the egress server logs.
So the cut out is valid, Apple only know to which egress server you are connected, so they don’t know where you’re browsing.
It already happens, at least in mainland europe. Worker tries to connect to IPSec VPN from home. Worked fine when tethered to mobile at the office. But no dice. Cue much tearing of hair out.
Then we remember ... much crappery of ISP, most times their crappy cable box. Not blocked by the ISP per say.
Fark.
Almost never happens with Direct Access and it's sister-cousin, SSL VPN.
If they charge more for a service that doesn't block VPNs then at least they're giving people the choice. If they're making money from customers' data the fairest way of recompensing the customers is to give them a lower priced service.
I suspect their competitors will offer the lower prices and still support VPNs though, so that'd be my choice.
"If they're making money from customers' data the fairest way of recompensing the customers is to give them a lower priced service."
I suggest an alternative:
If they're making money from customers' data the fairest way of recompensing the customers is to fine the company under privacy legislation (if there isn't any, pass some first). Then, if the company hasn't entirely stopped doing it by the next day, fine them again. Continue until the data is private or the company has ceased existing.
They will try, and they might succeed, but we have seen that it can be done despite their efforts if there are enough people willing to go to the effort required. GDPR may be poorly enforced, and CCPA may be significantly weakened from the original ideal, but the big data collectors didn't want either of them to pass and they were. They have also resulted in some action (definitely not enough, but they really do have the force of law). If they're going to fight, we have the option to fight back or crumble under the assumption that they cannot fail. They've failed twice and they can again.
Crap ISPs will cry a river when they can no longer harvest diddly squat due to proper encryption in place.
Just like root hints, there’s bugger all stopping standards bodies from telling DNS providers to start shipping keys/certs which reference IP addresses as a bootstrap to eliminate plain DNS. When combined with encrypted SNI in TLS 1.3 it signals the death knell for large scale snooping of traffic without consent.
In the US the complaint from local carriers is lost revenue opportunities selling data, the US spooks have access to more data from abroad with Apple's VPN so they're pleased.
Outside the US the complaint from local carriers is because local spooks aren't happy with Apple slurping data instead of themselves.
If the ISPs are moaning, its because it is effecting their revenue. They don't care about blocking access to site that the local authorities have deems inappropriate such as Thepiratebay, as often they will just block this at on their DNS servers, and if you use alternative DNS resolvers you can get around their 'blocks'
I can understand that any ISP filtering won't work for VPNed traffic. However, a disclaimer in TOS seems to be more appropriate than blocking the traffic, especially if the customer hasn't asked for the filtering service. I'd even consider it reasonable to continue charging a few pennies for the filtering checkbox whether or not it is effective under the circumstances - refuse the add-on service if you don't want it.
And then the situation is the same for VPN/Tor, right? Do they block other VPNs for the same reason? Ah, maybe none of them is big enough to bother... But why should all those harvestable and monetisable fruits of surveillance go to AAPL, eh?
Problem being, ISPs have been forced to do filtering by the government. Both for the justifiable kiddy stuff, but equally they got forced to block access to pirate bay and other technically legitimate sights. So yes, there is always some level of proxy involved, the implementation dependent on how much money they felt compelled to spend on it
Remember the site-wide Wikipedia blocking that got inadvertently triggered because of the Nirvana album cover? Meant Wikipedia detected *all* traffic coming from the ISP’s proxy and assumed it was a DOS or similar, all because the ISP (I think it was O2) couldn’t be arsed to implement a transparent proxy for their filtering.
Yup. Pretty much every country has regulatory requirements for lawful intercept and sometimes bulk data collection as well. Then there can be additional headaches, like huge fines for failing to prevent file sharing. Or regulatory requirements for adult verification, pron blocking etc etc.
Not sure how LEOs would respond to being referred to Apple either. But from a technical PoV, it could make routing simpler if all iTraffic is just hot-potato'd off to the nearest Apple interconnect.
As for telcos and ISPs flogging your data, I've never seen that done, or seriously considered. Mainly because it's a huge amount of data, and very little value. Just consider to typical SNR of a single visit to a single website. Run that via Wireshark, and just look at the number of sessions that get initialised to ad slingers, trackers, analytics and sundry carp slingers.
"As for telcos and ISPs flogging your data, I've never seen that done, or seriously considered"
Plus, consider the number of grunts employed across the ISP industry. There will be several of them being massively underpaid, and not one of them has ever been disgruntled enough to even hint that it's being done.
Well, well, well.
Score one for Apple, I'd say. Even though their "protection" would still be subject to US law which is not exactly spectacular when it comes to protecting privacy, it was a good step as it popped an interesting privacy question. Let's see how long it takes for Max Schrems to ping this one into the EU privacy watchdogs.
Yes, indeed, stock up on popcorn, this could get very interesting.
I got the notice from Verizon about their over-eager sniffing last month and opted-out immediately. Fucking spooky shit. Whoever thought that up at Verizon needs to fuck themselves vigorously with a broken light-bulb until they realize what a horrible idea it was.
It is seriously sad that the IT/Telecoms industry sees its customers as nothing more than milk cows full of juicy data to make the rich richer (and the Zucks Zuckier). I mean, I can sort of maybe understand the justification for "free" sites like Facebook, Google, etc. But not fucking Verizon, who I pay $800+/year for cell phone service. Fuckers!
<and now, back to our regularly scheduled program>
I ran a little test. T-Mob is definitely allergic to Cloudflare's free 1.1.1.1 VPN service. If I turn it on, and am connected only to a T-Mob cell net, any attempt to use data, by web or email or anything else, results in a long wait and then a timeout. If I turn it off, and am connected only to a T-Mob cell net, I get more or less an instant, very fast, connection. If I have it on and am connected to a local 802.11 net, and I've tried two different nets, in a local eatery and at the office, again I have an instant, very fast, connection. Turning on Apple's Private Relay, I may or may not get the timeout when connected to a T-Mob cell net, it varies. I definitely don't have problems when on a local 802.11 net.
I am currently on hold with T-Mob support. I expressed my displeasure at having VPNs blocked, pointed out that I'd been with T-Mob for nearly two decades (I started when the hot cell phone was a Motorola Razr) and that I really, really, REALLY wanted to know what in God's name they thought that they were playing at. T-Mob Support had a look at my account, at the number of lines and and the length of time that I'd been with T-Mob, and became most apologetic. I'm holding for transfer to 'someone technical' who can 'permanently fix' this 'unfortunate problem'. You'll notice that they failed to admit that the 'problem' might have been caused by them. They really don't want to lose all the beautiful cash that I feed them.
Of course the wireless telcos hate Apples privacy feature; it uses encrypted traffic they can't intercept. Which is technically no big deal, except it means they can't inject their ads in place of the served ads, and otherwise manipulate the data feed by snooping far too low level for comfort.
Face it. The only reason the incumbents get away with the terms of their "agreements" is a) we have no alternative and b) they have all the lawyers.
That's an issue with carrier-purchased Android devices, but Apple is very controlling about their hardware. It's annoying for the user who wants lots of access, but one perk of their stance is that carriers don't get to load unwanted software onto the phones they sell. It's still locked to them, so better to buy an unlocked version.
If you have to buy a carrier IOS device, it's generally safe. I wouldn't suggest anyone get a carrier Android device ever.
Actually, our network guys at work hate it. Not because we are planning to sell the data or anything. More because we have hundreds of wireless access point spread across multiple buildings and the fact it uses a different MAC when it connects to a different access point is causing problems for the software we use to manage the access points.
We have thousands of users. It’s entirely possible for the average user to connect to many access points each day, so if their device is using different MAC addresses every time, the software will be dealing with thousands of MAC addresses that are no longer in use.
I don’t know how long it keeps any record of the MAC address, but if it’s a few days, the system is probably dealing with hundreds of thousands of unused MACs.
Where I work the end user needs to register their MAC address before the device being allowed to join the network. In practice this means turning off private address for the work wifi. I don't know how turning off private address will interact with private relay, but your company might look at introducing a similar registration requirement.
Yup, I found I was enrolled in CEP -- despite having CPNI (Customer Proprietary Network Info -- a.k.a selling your private info to whoever) set to "no." Needless to say I've opted out of CEP too. I'd CONSIDER it if it gave me even a minor benefit (like more relevant banner ads).. but it doesn't since Verizon WIreless is not running a banner ad network and so has no control over what banner ads show up on any sites other than their own.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
