425 comments

[ 4.3 ms ] story [ 278 ms ] thread
Can someone explain how it’s possible to block this? Just stop the whole IP range from the network?
iPhones find the entry servers to Private Relay via DNS. If you drop those hostnames, then it's effectively blocked.
So with a custom dns server you are fine?

Edit: woodruffs above provided docs

Yes, but you can't set custom DNS for cellular networks without a configuration profile or an app, so it's unlikely that most people have that set.
While its trivial to edit DNS settings for wifi, its actually quite difficult to change your DNS server on the cellular profile on iOS as comment from Easton here rightly points out. I was kinda surprised the first time I found out you can't edit the cellular DNS server settings via the phone's Settings app.

One option that works for me to get custom DNS on iOS cellular connections (I like PiHole ad blocking on my phone) was to setup my own VPN connection to a VPS instance running PiHole for DNS and WireGuard for the VPN. Lets me get custom DNS, pihole adblocking over cellular so long as VPN isn't blocked by your cellular provider etc. Was two trivial Docker containers to get running, costs very little in AWS.

Same trick also lets me access region blocked TV services from my iOS devices over US cellular simply by turning a VPN on - I just stand up the containers on a VPS host based in source country and connect to that.

should let users run them

like Tor exit nodes, or obfs4 bridges

turn it into a war of attrition!

I'm not familiar with Private Relay's details, but based on the available public information: every connection is initiated through a proxy server controlled by Apple, so all Verizon (probably) has to do is detect that initiation pattern and/or figure out which IPs/subdomains are specifically responsible.

Apple can probably improve the situation by making Private Relay more like a VPN (instead of a fancy web proxy + DNS masker), including reusing the same IPs and domains that iCloud traffic is already going through.

Edit: Apple's docs show two well-known subdomains for Private Relay[1]. Blocking both of those is probably what Verizon's doing.

[1]: https://developer.apple.com/support/prepare-your-network-for...

Apple allows networks to block Private Relay:

"Network settings

Some organizations might be required to audit all network traffic by policy. To comply with such a requirement, these networks can block access to Private Relay. Users will be alerted that they need to either disable Private Relay for the network or choose another network. The fastest and most reliable way to do this is to return a negative answer from the network’s DNS resolver, preventing DNS resolution for the mask.icloud.com and mask-h2.icloud.com hostnames necessary for Private Relay traffic."

https://www.apple.com/privacy/docs/iCloud_Private_Relay_Over...

No, Apple built-in a feature for carriers to disable it.
I really hope this doesn't catch on, but I am concerned that settings has a message for this instead of it just mysteriously being not working. Makes me wonder if there is an official way carriers can block this?

I know at home since I have pihole setup I got an alert that private relay can't work on my home network.

If you block the domains that private relay uses, it won't work. Those are `mask.icloud.com` and `mask-h2.icloud.com`. Then it'll display a message informing you that it doesn't work. I imagine the carrier restriction just shows up in the carrier panel because there isn't a way to access the Internet on cellular via private relay if it's disabled.

[0]: https://developer.apple.com/support/prepare-your-network-for...

I guess thinking about it more, it would be fairly simple to say something like "if consistently can't setup private relay" and "on cellular" display this message.

For a moment I was thinking it would only trigger with something specific from the carrier, but I see little reason apple would actually work with them on this. They are not really in the business of making the carriers happy.

Edit: someone else pointed out it is actually a feature that the carriers can do. that... is disappointing.

From Apple's developer docs for Private Relay: they're probably displaying that message if either of the well-known endpoints returns NXDOMAIN[1].

They explicitly identify school and enterprise networks as legitimate cases where Private Relay needs to be blocked, so that's probably how carriers are doing it as well.

[1]: https://developer.apple.com/support/prepare-your-network-for...

> They explicitly identify school and enterprise networks as legitimate cases where Private Relay needs to be blocked

Why are these legitimate? Censorship is wrong even when schools do it.

"Legitimate" in the sense of "pre-existing policies," not "I personally believe this is morally acceptable."
I've heard from a tech in one of those "protect you child online" software companies that some American states hold their educational facilities liable for things kids do on school-issued computers (like Chromebooks) or networks (like school WiFi). If a kid Googles porn on a school laptop while doing homework and a parent gets angry, they could actually win a lawsuit in some places, and the situation would be worse if the school doesn't try their hardest to block such things from the school networks. Of course, this is from the perspective of a company selling block boxes, but apparently their story worked out.

It's silly (and honestly sad) legislation but these companies were scooping up customers everywhere. If the choice is between "block porn and circumvention" or "no student internet access", choosing the latter could have devastating effects on kids without stable internet access at home. In my opinion, these laws should obviously not reach so far, and anything but a basic DNS block should even be illegal in my opinion, but reality is rarely what I want it to be. In the end, private relays suffer from the same restrictions and DoH and other privacy-enhancing protocols.

(comment deleted)
"User begins blocking T-Mobile from future consideration."

I'm not using an ISP that prevents me from accessing perfectly legal Internet services. No matter how they want to brand themselves, today's telcos are ISPs, no more, no less.

When shopping for cell phone providers, our considerations are 1) complete Internet access, 2) coverage, and 3) cost. T-mobile could charge $5 a month for unlimited usage, but if they can't satisfy requirements #1 and #2, then #3 is moot.

If you’re in the US, have you found a wireless provider that meets your criteria?
As far as I know Verizon doesn’t block things. They have great coverage.

They’re not cheap.

Woo oligopoly!

They block private relay on my phone.
Strange, I'm on Verizon too and its not blocked
No kidding? If I go into Settings > iCloud > iCloud > Private Relay (Beta), I see:

> Private Relay is turned off for your cellular plan.

> Your cellular plan doesn't support iCloud Private Relay.

I’m on Verizon, and it works fine for me.
Verizon just blocked personal hotspot from my phone with the message that I would need to switch to a non-unlimited plan to reenable it.
That doesn't sound right at all. All of Verizon's unlimited plans aside from the lowest one come with hotspot data.
How can they change your existing contract?
I'd been happy with Verizon until recently when they blocked Private Relay. I'm starting the search again now.
Verizon is the only network that is reliable in my area. I've had great luck with visible, which is a spin-off on their network. Cheap as hell too - $25/mo for unlimited everything.
Whoa. I'll check into that.
Note that Visible is an MVNO subject to deprioritization. I’m on the lowest Verizon Unlimited plan which is subject to the same and my service is nigh unusable when my broadband internet goes out or I’m in a really large crowd (e.g. music festival)
Yes, adding in a second data point as well. Verizon directly is great in this one area nearby, but using Visible in that same area was painful for anything data related. Would show full signal bars with Visible, but actual data rates were throttled and/or strongly deprioritized.

You genuinely get what you pay for when you spend the extra dollars for the direct carrier relationship with AT&T and Verizon. All of the MVNO's as well as their own prepaid plans will not compare if the towers are busy.

(comment deleted)
I have Verizon and I'm able to use private relay. Maybe it's because I bought an unlocked phone directly from Apple? Idk.
All Verizon phones are unlocked, but the lock status does not change whether or not they can manage the carrier settings that Apple exposes to them.
I don't use Private Relay, but I do have Verizon. I just tried enabling it (with WiFi disabled, obviously) and had no issues. Do you have a source to back up your claim that Verizon blocks it?
Here's a screenshot of my Private Relay settings: https://www.icloud.com/iclouddrive/0eaTQXkx0FGrIINRWsrF3wagg...

I'd like to be proven wrong, but that looks clear.

That's really strange. Are you on an old grandfathered plan of some sort? It has to be either that or a bug, because it's pretty clear that Verizon is not blocking Private Relay in any large scale manner.
I don't think so. We're switched to the Verizon Plan Unlimited a couple years ago.
As another data point, I do not see private relay being blocked using ATT.
Does it change if you opt out of the “Verizon Custom Experience” program? Or turn off CPNI?
You will not find any, because there are none.
AT&T hits all of those for me.
Ting's been great for me and it meets those three requirements. I'm a little hesitant now that they're owned by Dish though.
(comment deleted)
> our considerations are 1) complete Internet access, 2) coverage, and 3) cost.

Anyone know how Google Fi compares on this criteria? I've been considering switching over for Fi's better security [1], but curious what Fi users think of the service. Since it piggybacks on other networks, does it inherit any of their service restrictions or other problems too?

[0]:https://fi.google.com/

[1]:https://blog.kraken.com/post/219/security-advisory-mobile-ph...

In the US, at least, Google Fi is essentially a T-Mobile MVNO. It was previously T-Mobile, Sprint, and U.S. Cellular, but T-Mobile bought Sprint, and U.S. Cellular divested a fair amount of its network.

I saw conflicting reports about whether Google Fi was affected by T-Mobile's reported text message censorship. I don't know where it stands on this iCloud Private Relay issue.

I have Fi currently; definitely recommend it.

Internet Access - err... it works? I am able to stream Netflix and YT without being locked to 480p.

Coverage - it's basically TMo coverage.

Cost - Fi is a bad deal if you plan to use a lot of data. It's almost 10$/GB (in the worst plan) or around 70$ for an "unlimited" plan, however it can get cheaper with a group (https://fi.google.com/about/plans/) . For me, its a great deal; I'm always close to a WiFi and rarely need mobile data. My bills ended up being around 25$. I'd say Fi's killer "feature" is it's international roaming charges... though I doubt that will be useful anytime soon :')

The message says that the user's "cellular plan doesn’t support iCloud Private Relay," so is this the same thing they've done with other VPN providers? That is, do they just count the traffic against the tethering/hotspot limit, since they can't shape traffic on it to, e.g., limit video quality to 480p when a user has a plan with that limitation? I don't know if they actually do this, but I've heard it before.

https://www.reddit.com/r/tmobile/comments/9ja8y1/i_can_confi...

No, they do not allow users to enable Private Relay at all because Apple allows carriers to determine whether it's available or not. Even FaceTime over cellular is still something that carriers get to decide whether to allow or not, although I'm not aware of any carriers that don't.
Why is Apple even giving them an option in this?
Because Apple wants to keep their carrier partners happy, so they give them control over things that will have an impact on cellular data.

Like I noted with FaceTime over cellular, it's nothing new.

I can't imagine what kind of leverage they think they have. is any provider going to just drop iPhone support from their network?
These deals are old. FaceTime when it came out was in the era of 3G. FaceTime over 3G could be a bandwidth hog.. and iPhones were not nearly as popular, so the negotiations were more give-and-take.
There are legitimate reasons why a specific business network might not allow it. For example, if you're on the employee network of a bank or hospital, it's very likely that your web connections are going through a proxy to make sure you're not sharing confidential data, and to block malware and such. Private Relay would go around those proxies. Allowing networks to opt out of Private Relay, then, is a better business decision than having enterprise networks just block all iPhones.
Corporate networks makes sense, but giving carriers the ability to disable it on the phone (i.e. not via blocking mask.icloud.com) doesn’t make sense. It’s not like personal hotspot where it allows you to bypass network policies, except for maybe the streaming shaping (but how long did they think that would work anyway?).
If I had to speculate, in order to continue operating in regions where governments more tightly control carriers.
From my limited testing, carriers are whitelisting traffic for high-bandwidth. When I establish a vpn tunnel on my Tmobile sim card, bandwidth drops dramatically. Presumably because they can't inspect it.
FWIW I am using Deadpool Telephony LLC, which uses the T-Mobile network (as MVNO), and Private Relay works fine.
iPhones sold in the UAE have FaceTime removed.
This is probably a good thing. When Private relay breaks (such as on my network at my house and some public wifi networks at a popular grocery chain), there's literally no indication that private relay is broken. Instead, friends tell me my wifi is broken or suddenly I can't use my grocery store's app to scan my products.

When your product causes your customers to call someone else and complain, don't be surprised if that "someone else" disabled access to your product.

Your iPhone immediately throws up a notification saying “private relay unavailable”.
I've had Private Relay stop working for me once and I was served a push notification indicating that it wasn't working.
I wish there were better visual indications within Safari regarding whether it's on or off. Especially when connecting to a new wifi network with a portal, which almost always break it. Private relay only works within Safari though, why would it affect your grocery store app?
Private relay doesn't apply to apps, only Safari. (though the app could use a web sheet)
Pretty sure you're talking about something that's not iCloud Private Relay, because if that's not the case it sounds like you're just making stuff up.

First of all, Private Relay doesn't affect your grocery store's app - 3rd party app traffic doesn't use it. It also can't 'break' your home wifi for your friends. And finally, when it's not working, it's automatically disabled, you are notified, and you continue browsing without it.

It’s also quite possible it’s changed quite a bit since it first hit the public beta. The grocery store app required you to connect to WiFi, which had a TOS you had to accept to use the WiFi.

But my home network’s DNS is quite … convoluted (intercepted and sent through DOT depending on which vlan you’re on, which somehow broke private relay). From the comments here, I’ve learned how to disable this feature remotely. So that’ll be nice.

I never saw the “it’s broken” notification. So either it came after I last used private relay, or it never broke through my “no notifications” settings.

Anybody know if this applies to companies that use tmobile's network, like Ting?
Right, and Mint Mobile
AFAIK Google Fi uses T-Mobile, and I’m still able to use private relay.
Ting may be transitioning to another network soon if rumors about Dish are to be believed.
Is this because it prevents T-Mobile from monetizing and selling user browsing data?
Or because they can't throttle video streaming sites down and internet speed test sites up?
This is almost certainly the main driver.
Private Relay only touches traffic from Safari, and while people could watch Netflix in the browser instead of the Netflix app, I doubt that many do
I've always wondered if you could start a internet speed testing website, get in the trusted list of companies like T-Mobile. Then release a VPN on the exact same servers, forcing the companies to provide the best speed to the VPN.

Only problem is that you would have to be large enough that the ISPs would care if their scores looked bad.

This is basically what Netflix did. They launched fast.com, which comes off the same servers as Netflix video. The whole goal was to get people to call their ISP and complain they aren't getting the speeds they paid for and getting them to unthrottle Netflix.
Didn't know that! Wonderful!!
No, it is because...

> The carriers wrote that the feature cuts off networks and servers from accessing “vital network data and metadata and could impact “operator’s ability to efficiently manage telecommunication networks.”

But seriously, it is because it prevents T-Mobile from monetizing you and slowing you down.

iCloud Private Relay isn’t like full blown VPN that hides everything you do on the internet, only your web browsing in Safari goes through it. So their existing systems to throttle the connection of your video streaming apps will continue to work just fine.

It’s completely about monetizing your browsing history.

I believe it also takes non-https traffic from apps but since they made https mandatory quite some time ago now I suspect that is not much. Also content loaded inside email in Mail.
IIRC it redirects DNS queries system-wide as well which definitely would hinder general interest tracking.
Thank goodness the carriers can't do anything about solutions that use VPN to override default nameservers
(comment deleted)
Tmobile deprioritizes devices depending on high usage. Private Relay would allow individuals who are deprioritized to bring down entire cell towers.
No, it wouldn't. They'd still have the ability to throttle individual phones generating lots of traffic.
Carriers nat/proxy everything and in addition to bandwidth throttling, they will rate limit or otherwise whack misbehaving applications.

VPNing everything at scale will impact that monitoring/management. And that will absolutely impact towers, or cause the carriers to throttle users vs apps.

...they throttle at the phone-number/SIM. Even with a VPN your phone is still auth'ing itself to the cell towers, and those towers know what device is sending which traffic.

What this prevents is allowing say Youtube to pay TMobile to never throttle their traffic.

I know from firsthand experience that Verizon at least can and did do more circa 2016.
VPNs work at a higher level. They have to see the radio traffic to be able to deliver packets to your phone, which is where billing and access control happens (this is why you can’t spoof someone else’s IP to avoid paying your bill), and at the IP level your VPN traffic is carried from your carrier-issued IP address to your VPN provider’s addresses.

The one legitimate argument here is that this prevents traffic shaping based on the destination, which T-Mobile uses to do things like offer unlimited streaming separate from your general data quota.

Currently:

P ---- CT ---- S

With VPN/whatever:

P ---- CT ---- VE ---- S

P = Phone

CT = Cell Tower

S = Server

VE = VPN endpoint

So given this the cell tower can still determine who is using lots of traffic, they just can snoop on that traffic.

You're a little off, currently: P --- CT --- NAT Proxy/Traffic Shaper --- Possible MITM host --- S
Can you give a detailed model of how this would bring down a tower? I'm very skeptical.
You should be. There are ways to DoS a cell site, but not by just using a device.
It also cuts down on the number of companies they can extort for transit. Right now they can go to Netflix and say "would be a shame if T-Mobile customers couldn't view movies during peak hours" and Netflix has to pay them for that not to happen. With all the traffic going through Apple, Apple is the only company they can extort this way. (Meanwhile, Apple or their "third-party provider" could of course play this game, but historically tech companies have been super uninterested in doing this.)

Basically, what everyone wants is for companies like T-Mobile to be a dumb pipe. They invested in spectrum and a network, and they should just lease that network for cost + profit margin. Instead, they want to milk it. They want you to pay more for particular packets. They want the rest of the Internet to pay more for particular packets. They want to inject their own ads into unaffiliated websites. They want to build a marketing profile based on what sites you visit, and send you "offers" based on this. Right now, that is all technically possible, so they'd be defrauding their shareholders if they didn't try. But, we can of course say "no" and route around the damage. Apple is letting their customers say "no", and that means T-Mobile is doomed to irrelevance, and that's a great thing. Infrastructure should be infrastructure.

(Can you imagine what it would be like if other utilities did this kind of shit? Your water would cost less if you were using it to run a Coke-branded soft drink dispenser, but not a Pepsi one. Or, Dell computers could get electricity at a 10% discount, but not Asus ones. It would be unthinkable! But with these big ISPs, it's mandatory.)

I hate to reply to myself, but I wanted to say one other thing. When governments sell RF spectrum to companies, the expectation is that they become good stewards of the shared resource. The taxpayers are saying "you know, we think private industry can give us more value from our RF spectrum than the government", and this is their chance to prove that. What we didn't want was to enable a monopolist to nickel-and-dime the Internet to death.

I'm guessing the exact legal agreements didn't spell it out like this, but that's how I think of it. Only one company can use this finite resource at once, but just because they bought it doesn't mean there is no limit to what they can do with it.

> Right now, that is all technically possible, so they'd be defrauding their shareholders if they didn't try.

Can you expand on this? Are you saying that if a business opportunity exists and a company elects not to pursue it that constitutes defrauding shareholders? I would have thought it constituted nothing more than a disagreement over strategy.

It sounds like a sarcastic statement of the "profits not gained is profit lost" mindset and that shareholders would be upset, not literally a crime.
Yup, you're exactly right. I wrote it without thinking much (but wasn't fully serious), and didn't realize it would generate this much discussion. That's my bad for being a little careless with my rant. Thanks for clarifying it a little on my behalf.
> Meanwhile, Apple or their "third-party provider" could of course play this game, but historically tech companies have been super uninterested in doing this.

Apple notoriously "extorts" developers to be in the app store.

> Basically, what everyone wants is for companies like T-Mobile to be a dumb pipe. They invested in spectrum and a network, and they should just lease that network for cost + profit margin.

I don't think you've considered the alternatives if T-Mobile can no longer monetize traffic:

* Go back to subscribers pay per kb usage

* Eat the costs themselves

* Raise cost of mobile data plans

> Can you imagine what it would be like if other utilities did this kind of shit?

They side step this problem by charging per-use. During peak demand, prices go up. Each customer pays their share. Downside see Texas snowstorm.

I really don't see the horror that would be carriers charging for usage. I would rather that than pay for stupid things like "lines" or "devices."
> Go back to subscribers pay per kb usage

They charge $70/month for “unlimited” data which is only 50GB before throttling. I’m pretty sure they can profitably afford to run a network for that much without reselling user data.

They already charge per kb. Look at the small print -- once you hit a certain amount of usage, you are drastically rate-limited. The only difference is that some months, when you don't hit your limit, you pay more per byte.
> Right now, that is all technically possible, so they'd be defrauding their shareholders if they didn't try.

This sounds like a clumsy restatement of the urban legend that companies have an obligation to maximize shareholder value. There is in fact no such rule, for the obvious reason that nobody can accurately predict the future and calculate the optimal value.

https://corpgov.law.harvard.edu/2012/06/26/the-shareholder-v...

In this case, a company like Apple could say that they are choosing to forgo short-term profits from selling out their users’ privacy because they feel that the long-term loyalty will be greater, and anyone arguing otherwise would still have to admit that this approach has been phenomenally profitable.

Does T-Mobile actually extort companies for transit? When they announced their video streaming throttling + zero-rating, I looked through their the publicly available documents. From what I recall, there wasn't any sort of payment process, and mostly there was two parts: identifying the traffic so T-Mobile knew to zero rate it, and either adaptive bandwidth usage (which seems pretty common for video streaming anyway) or identifying the traffic so the provider could serve lower bandwidth streams.

It's not in line with the net neutrality, but it's useful for the direct parties:

a) a video streaming customer wins because they can do video streaming without touching their data allotment.

b) the video streaming server wins because their customers are able to do more streaming

c) t-mobile wins because they've reduced bandwidth requirements

Competitive streaming services that are not included in the program don't win, but t-mobile made it fairly easy to join. Users who want to stream at 4k or whatever don't win, but they can turn off the bandwidth restrictions and use their data allotment if that's what they want to do.

At my last job, I was involved with a lot of zero-rating deals as the application provider; we never paid for it, and I don't recall ever being asked for payment. Some of the carriers even setup plans without our knowledge or consent or assistance; this didn't usually work great long term, because of misidentified traffic, but it indicates the demand was there without us pushing it.

T-Mobile probably isn't extracting too much of value from HTTPS traffic. It's probably more about traffic shaping.
You can extract a whole lot of value by mapping which sites someone is visiting even if you don't know what they're doing there, and you can get that information just from IPs.
The hostname of most (all?) TLS connections is sent plaintext at the start of a new connection. This is called SNI (Server Name Indication).

That provides some (or a lot) of value I am guessing.

Even without that, it's a pretty easy traffic analysis for:

- Time T0: User requests the DNS record for example.com

- Time T0+10ms: DNS returns "example.com. 193 IN A 10.1.2.3"

- Time T0+20ms: User opens a connection to 10.1.2.3 port 443

Chances are pretty good they're looking at example.com, even if you can't examine a single packet.

DoH mitigates this by hiding all DNS queries.
Still hides HTTP level metadata like the path, POST body, cookies, etc, no? All you’d have is the hostname
This is solved by ECH/ODoH but for full effect you have to trust the DNS server.
T-Mobile partners with various video providers to provide lower-bandwidth streams that don't count against bandwidth caps. Less-cynically, this may be to enforce that.

I consider those agreements to be violations of Net Neutrality, since they're inherently not treating all data the same.

I believe T-Mobile's newer plans (Magenta tiers) don't do this.
It is a blatant violation of net neutrality, but somewhat paradoxically, actually benefits the consumer in my experience. Several friends of mine on T-Mobile have raved about how Netflix/Spotify/et al. don’t count towards their monthly data limit.

That said, iCloud private relay only applies to Safari, so T-Mobile blocking it probably doesn’t have much to do with their variable data caps.

It's not paradoxical at all, net neutrality also protects from bad effects kicking in long-term. Zero-rating is effectively the same as providing dumping prices compared to the competition. It may benefit the customer now, but leads to lock-in.

See Facebook's internet.org.

T-Mobile is pretty up-front about the various video quality options with their plans, and also has ways to temporarily boost your video quality for a few dollars.

For many people, a cheaper plan with slightly lower quality video is a great tradeoff.

> I consider those agreements to be violations of Net Neutrality, since they're inherently not treating all data the same.

I would agree if they do not make that available to all services. At least at the time they did that for music there was a pretty long list of partners so I’d be most interested in knowing whether they charge money or reject applicants.

I don’t think they’ve made the terms of those deals public, so it’s impossible to know if they’re fair or not. Either way, it can lead to service lock-in, because the next Netflix will be at even more of a disadvantage until they’re big enough to sign on with T-Mobile.
Is there a list of private relay addresses used by Apple?
There are currently two subdomains associated with Private Relay. Apple's documentation implies that all connections are initiated through one or the other.

    mask.icloud.com
    mask-h2.icloud.com
I think what is also interesting about this article is that EU, long the privacy stalwart, were the original ISPs to block private relay. Seems counter intuitive to me.
I saw some newstitles that EU carriers want to block it, but I haven't seen them doing it nowhere. Do you have link?
In the article: "Now, in addition to some carriers in Europe, it appears that T-Mobile/Sprint in the United States is also blocking iCloud Private Relay access when connected to cellular data."
Though as far as I understood the European carriers voiced complains but did not act, thought UK carriers did (which isn't EU anymore).

Tbh. the article is just not very well written, I also first thought the article implied that T-Mobile US is an EU carrier operating in the US (it isn't, it's an US carrier owned to around 43% by an EU carrier, with which it shares a bunch of thinks, like trademarks).

Agreed poorly written article.
> doing it nowhere

Reading the article and it's predecessor it seems they are mainly doing it on cheap contracts in the UK??

Which would not be in the EU.

I'm not sure if it's even legal to do so in the EU, tbh. it might be against the net neutrality rules in the EU (though they have loop holes, so not sure).

EU regulations aren't necessarily designed for privacy, they're designed to troll US tech companies. Covering the screen in cookie dialog boxes didn't accomplish much.

One of the upcoming ones seems to just ban Kickstarter.

not really,

especially the mentioned banners affects US and EU companies alike (or at least did until the US decided to claim rights on EU citizens data through the Cloud act...).

Wrt. to the cookie banner it you mean the one coming from GDPR then the problem is missing enforcement. It must be as easy to opt in as to opt out this means:

- two clicks to opt out one for opt in => illegal

- dark patterns which makes it easier to accidentally opt in => illegal

- spamming people which don't agree to being spied on with "dialog boxes" => illegal (GDPR allows some forms purely functional data storage without consent, for example a non-3rd party cookie to remember that the user is opted out _which is not used for tracking_ is legal without asking for consent, hence there is a technical easy and legal way to not spam people with dialog boxes, hence making it harder for people to opt out by repeating forcing them to redo the action is illegal). Naturally doesn't apply if you clear cookies.

Does this run counter to current net neutrality regulations? Or is this unrelated.

Are there other legal remedies for either the subscriber or from Apple to the ISPs?

Nope - this doesn't violate net neutrality regulations in the US... because there aren't any!

This article:

https://www.eff.org/deeplinks/2021/12/where-net-neutrality-t...

talks about how many are hoping that in the near future we will establish some net neutrality regulations, but for now there really isn't anything (at the federal level. Some states have tried).

So this would not be legal to block in California?
As much as I don’t like this, I would suspect it’s fine.

Disabling this feature is a built-in ability of iOS. It doesn’t depend on ISPs treating the traffic differently.

Net neutrality doesn’t even apply to mobile networks.
okay, should it? because we can make that happen if enough of us agree
Everytime I think carriers cannot get even more scummier, they manage to do it.
Private Relay was always a sketchy proposition; if privacy is your concern, you're almost always better off using a VPN.

Yes, granted, Apple could always extract (and to some extent probably is) your history directly via OS hooks, but the "Private" relay gives them a completely opaque off-device way to centrally track what everyone is visiting, which is just another data point feeding into their rapidly-growing advertisement business.

Paranoid? Maybe, but after the whole on-device scanning fiasco I view Apple in the same category as Google, Facebook and Microsoft when it comes to privacy guarantees.

> Yes, granted, Apple could always extract (and to some extent probably is) your history directly via OS hooks, but the "Private" relay gives them a completely opaque off-device way to centrally track what everyone is visiting

Err, no it doesn't - that's the whole point of the way it's engineered. All Apple sees is your IP address with none of the request details, and your IP is obscured before being sent to the second relay (Cloudflare, fastly, etc) , who only see the request detail with no origin/requestor information.

[1] https://www.apple.com/privacy/docs/iCloud_Private_Relay_Over...

The entire point of private relay is that neither Apple nor the third party CDN can match the destination website to an individual.

If your argument is “they probably aren’t doing what they say they’re doing” and so you shouldn’t use their tools, then you better start writing your own operating system from scratch and designing and fabbing your own silicon, because there’s no guarantee any of these companies or open source projects aren’t compromised.

Apple is also capturing DNS queries, so they minimally have that as a data point.

Regardless, the more general concern that parent seems to make is what is to stop Apple in the future from monetizing this data? I think the only thing protecting us as consumers is their policy. And as we all know policies can change very simply with a change to the terms of service.

I believe Apple now supports ODoH (oblivious DNS over HTTPS) although I do not know if it is used for private relay.
To quote the relevant section:

“ODoH sends DNS queries through the first internet relay, so the DNS server cannot identify the user issuing a query. Each query itself is padded and encrypted using Hybrid Public Key Encryption (HPKE) to help ensure that the first internet relay cannot tell the domain name a user is looking up.”

Apple is the “first internet relay” and they seem to explicitly state that they don’t see the DNS queries themselves.

I will eat my hat if Apple doesn't enter the ad market big-time in a couple of years. All the signs point to them building a massive privacy-invading trove of data on their customers to exploit.

Of course, their PR will spin it up as "privacy focused, totally anonymous, personalized advertisement" and some will just gobble that up as gospel.

I don't trust any of these fuckers any more... :)

I think 2 things are stopping apple from entering that market in earnest.

1. Privacy is a differentiator for Apple’s business. Google et al can’t compete and win on privacy. Apple can use this to win at recruiting and win at selling their ecosystem.

2. Apple’s hitting revenue/ growth targets. Other r&d investments better align with their ecosystem so there is no business driver today to enter this market.

Having said that I won’t be surprised if Apple misses a few qrtly earning targets and decides to enter the ad market.

The purpose of private relay is more to prevent ISPs/Cell carriers from vacuuming up your data and selling it in probably totally identifiable ways to the lowest sketchy bidder.

All the big carriers have already been sued by FCC for selling location data without permission[1], and even last month Verizon is trying to justify collecting more data on everything you use your phone for[2]. Apple's business model is less gross than ISPs and their partnership with Cloudflare to prevent even themselves from being able to access traffic logs is an extra plus

[1] https://www.nytimes.com/2020/02/27/technology/fcc-location-d... [2] https://www.theverge.com/2021/12/17/22841372/verizon-custom-...

> if privacy is your concern, you're almost always better off using a VPN

I am really skeptical of this. Not that ISPs are extremely trustworthy, but they're at least bound by some state mandated privacy protections which <Foreign VPN Provider> is not.

Valid concerns, you need to pick your VPN carefully if using a public provider. In my case, I relay everything to a VM I trust that is running a firewall and AdGuard for DNS ad-blocking.

The system may not work for everyone (for example, streaming services optimize based on your location, which will break down if the VM lives in some cloud), but I use my phone for music, browsing and email (not video consumption) so it works for me.

The thing is, I already have to trust Apple because they can do anything they want on my device. Why would I want to add a third party to that, especially one that runs a VPN service?
Give credit where credit is due. I haven't owned an Apple device since my trusty IIgs and am not a fan of Disneyland computing in general, but I may seriously ponder buying a Mac mini simply to gain access to their popular VPN that will be impractical for websites to block or CAPTCHA-hell.
I wonder why Apple allows this. Do the carriers really have more leverage than Apple here?
(comment deleted)
Apple has good reasons to allow this. Inside a corporate network for example you may not want DNS queries going to Apple’s servers.

So Apple has made it very easy for a network admin to disable private relay. All an admin needs to do is blocking name lookups for relay.Apple.com*

*I don’t recall the actual DN used, it’s in Apple’s docs if you are curious.

The OS should be able to distinguish between a corporate network and mobile carrier, right?
It can, but if mask.icloud.com is where the relay connection needs to go that wouldn’t help.
Apple still shouldn't make it so easy to block this wholesale, even on corporate networks. Instead, they should have a way to make only corporate-internal traffic not go through it.
I think if you gave most people the choice to either:

a) disable this feature (that they likely don't fully understand) or

b) change their cellular service provider

they're going to choose the former even though migrating your phone number is pretty damn easy nowadays.

I would think Apple has some leverage to force it if they really wanted.

If Apple really wanted to force the issue, they could tell T-Mobile no more iPhone contracts unless you do it. Apple can survive and thrive on fewer networks - the iPhone was AT&T exclusive for a long time at the beginning.

If that happened, there would be no way for T-Mobile to get a supply of iPhones. People would need to buy iPhones from Apple and then replace the SIM cards themselves. It would make T-Mobile bend pretty quickly unless they managed to get Verizon and AT&T to join them on the issue.

But then Apple has a second card to play, and that's the court of public opinion. If Apple wanted to make a public ad lambasting the carriers for undermining people's privacy, the damage would also force them to bend.

Finally, of course, there's the fact that carriers need Apple just as much as Apple needs carriers. However, between the carriers and Apple, who has $200 billion in the bank to do things themselves if they wanted?

Edit: Heck, T-Mobile has a market value of $130 billion. AT&T has a market cap of $188B, and Verizon $223 billion. If Verizon and AT&T joined T-Mobile in protest, Apple could theoretically attempt (or at least threaten) a hostile takeover of any of them. That would cause a lot of discussion among the carriers and send a strong message very quickly.

> If Apple wanted to make a public ad lambasting the carriers for undermining people's privacy, the damage would also force them to bend.

That ad would be candy to the Apple PR team trying to push the “Apple is secure and respects your privacy” campaign. I bet we’ll see Apple use the court of public opinion here, and win with it.

If Apple escalates this into a dirt-flinging war, I don't think any domestic carriers would take offense at reminding the public that Apple is the only one among them that still does business with China. But neither one will escalate things, because both Apple and every US cell carrier have so many skeletons in their closet that trying to call one another out wouldn't just be hypocritical, it would be mutually assured destruction.
Nah - that wouldn't work. Apple would just point out that they use networking gear made in China. Brilliant.
My point is that carriers and manufacturers have so much dirt on each other that trying to escalate things would just hurt them both. The reason why Apple (and mobile carriers, for that matter) don't take swings at each other is because they both need the other to look as pristine as possible to sell units. They have a mutual interest in looking good together, and neither Apple nor the carriers have any vested interest in breaking that relationship.
I don't think the American public would particularly care – and some would probably even support – that Apple does business with China. If that's the best the carriers can throw at Apple, versus Apple cutting them off from the single device doing the heaviest lifting to keep them relevant, then yikes.
Oh, that's certainly not the worst they'd grab for, but more of an example where they can call their bluff. Cell carriers and hardware manufacturers alike get bent over backwards for compliance in the United States, trying to assert that you're "the private one" is just going to get you called on every other front. It's not even a question that these companies do shady things, the real question is more about the lengths they'd go to diminish their competition.

Again though, rupturing this conversation is mutually assured destruction. The reason why Apple won't call T-Mobile's bluff is because it's better for them to look like a symbiotic company than an adversarial one, and T-Mobile can get away with this because data protection in the US is a moot-point anyways. It's about as unremarkable as news gets.

Hell, Apple was even nice enough to give T-Mobile a special error message when you try to use Private Relay:

> "Your cellular plan doesn’t support iCloud Private Relay. With Private Relay turned off, this network can monitor your internet activity, and your IP address is not hidden from known trackers or websites."

I wouldn't call it security theater if I couldn't see the curtains on the left and right.

It's strange that you think Americans would equate "people in China are suffering" and "X is spying on me".

Your suggested response doesn't change my mind at all, it seems quite desperate and pathetic. And I want to see a stronger moral stance on trade with China.

I don't think that would be effective, everyone already knows that Apple builds their phones in China, it says on the back. The fact that your cell carrier wants so badly to spy on you that they are willing to go to go to bat with Apple will, however, surprise some people.
I'm trying to think of a case in which Apple has used public opinion in this way. The closest I can come up with is Adobe Flash, but Apple was the one blocking a product on its platform then.
>What's a computer?

Apple trys to manipulate public opinion constantly.

A computer is a device where you can work on, unlike a tablet, unless you are in a band or paint digitally.
> Heck, T-Mobile has a market value of $130 billion. AT&T has a market cap of $188B, and Verizon $223 billion. If Verizon and AT&T joined T-Mobile in protest, Apple could theoretically attempt (or at least threaten) a hostile takeover of any of them.

OTOH, one way to become the most valuable company in history is to not go pulling stunts like that. Nothing the street loves more than predictability.

Of course, the odds of this are extremely small. It's just more to show that Apple has more leverage than the carriers in this situation.

Edit: Another, "smarter" tactic that Apple might use is by sending messages to the Board of Directors. If Apple can get the Board of Directors on their side (or at least convince them that management is fighting a war they can't win)... another way to freak out execs at the carriers.

(comment deleted)
The odds of any American company could start scooping up cell carriers without reproach is not just "small", but more along the lines of "complete impossibility". The SEC already gives Apple the stink-eye for gobbling up C-lister startup companies; if they tried acquiring anyone in the S&P 500, every trade commission in the world would be on them within seconds.

I also think it's silly to equate a company's power to the amount of money they have (at least in the first world) but your hypothetical does raise an interesting question: who's deeper in bed with the State, Big Telecom or FAANG? All of them answer to the government, even T-Mobile; but who's got the most favor? Understanding the heinous stuff the American government got away with when they had telecom under their thumb doesn't set a very optimistic baseline of expectations. It might even lead certain people to believe (surprise surprise) that Apple's dedication to privacy doesn't really mean much when there's money on the line. Arguing about how "Apple is better because they have more capital resources" has about as much pragmatic value as a child's crayon drawing.

Unless Apple has one-upped Room 641A, I think you're describing a power fantasy.

Sure, but on the other hand if there is one thing Apple (as well as Tesla, Facebook and Google) are known and loved by the stock markets for, it is vertical integration to an absolutely insane degree.

Apple would literally capture the entire value chain of the iDevice ecosystem with such a stunt, not to mention have yet another steady stream of income.

>the iPhone was AT&T exclusive for a long time at the beginning.

I think that was a very different time though. Smartphones were just becoming popular. A lot of other upcoming smartphones also had carrier exclusives at that time (Verizon with the Droid line). I don't know if that would be acceptable in today's world.

A joint move like that by the carriers would be subject to a lot of antitrust scrutiny, where as apple can move on it's own with a lot less scrutiny.

Not to mention AT&T paid through the nose for this exclusivity.
If Apple really wanted to force the issue, they could tell T-Mobile no more iPhone contracts unless you do it. Apple can survive and thrive on fewer networks - the iPhone was AT&T exclusive for a long time at the beginning.

Or the other cellular networks could start running ads touting that they let iPhone users use all of the iPhone features.

"Does your cell phone company hold you back? With Cincinnati Bell, you can do things with your iPhone that T-Mobile won't let you."

Apple could even help pay for the ads. It's not like companies with aligned interests don't do ad cost-sharing all the time anyway.

While I agree with your comment almost fully, I think it's a bit too early to judge Apple. They probably found out just a few days earlier than we did and are still weighing their options.
So you want them act as monopolists which is something HN usually is very much against. Also the threat of trying to buy a carrier out is a completely empty one and the carriers would all know it. There is no way it would pass regulatory or court review for the market leader in cell phone sales to own a major carrier.
I agree with you that they probably wouldn't be allowed to buy a major US carrier. But they aren't a monopolist or the global market leader in cell phone sales. Even in the US where they are indeed the market leader, their percentage of sales hovers around half, well below monopoly levels.
Anti trust starts when abuse of a powerful position begins. There is no threshold requiring you to be a monopolist or even a dominant player. Just that you abuse your position.
I wouldn't be so certain of that. Antitrust review of mergers is mainly concerned with whether the merger will reduce competition in a market. Since Apple doesn't currently operate a mobile network and none of the carriers currently manufacture phones, it would be hard to argue a merger would lessen competition.

Now whether Apple shareholders want Apple operating a mobile network is a completely different question.

There is no chance Apple would be allowed to buy or run a mobile network. The monopoly dogs would be at the door before the email went out.
The vertical integration of Amazon in the past 10 years or so makes me think those monopoly dogs can't hunt.
Regulators responsible for anti trust enforcement only give lip service to the laws they are meant to enforce. The rest of the time their lips are firmly pressed up against the asses of the people they are meant to regulate.
> People would need to buy iPhones from Apple and then replace the SIM cards themselves.

Changing sims is VERY easy, but a sim that doesn't match an approved phone is also easy to block?

Right, but I think there's some incorrect conclusions being drawn.

The article asserts that an error in the settings menu appears: "Your cellular plan doesn’t support iCloud Private Relay. With Private Relay turned off, this network can monitor your internet activity, and your IP address is not hidden from known trackers or websites."

This doesn't appear to just be a situation where T-Mobile started blocking it at the network level; it appears to be one where Apple submitted.

While there's a lot of theories in this comment about how Apple will respond; I don't see that happening (in a public way, of course). Apple's leadership in 2022 doesn't have the same convictions their leadership has had in the past. They're capable of being a positive force for change, in fair weather; but when the weather gets rough, or when forces assert power over their expression of values, they fold.

What, so now displaying an error message means you're responsible for the error? See some of the other threads about why Apple might not like playing dirty to go behind T-Mobile's back--each one needs the other for its good reputation.
Its reasonable to assert that they wrote the error, and they phrased the error message intentionally, in a way which clearly says that they expected carriers to block the service. The settings app is owned by Apple; not T-Mobile; T-Mobile would certainly NEVER admit so plainly that they monitor network activity (even though they do).

Alternate phrasing which betrays different expectations: "We could not connect to the iCloud Private Relay servers. This may indicate an issue with your network provider, blah blah blah."

No VPNs is mostly standard-operating-procedure in, say, China. That being said: I'd assume that feature, let alone the settings page to configure it, is hidden in versions of the software distributed in countries like that. This error message is likely for countries where the service is available; just not on your carrier.

But putting that aside and even considering their stance of submission to the CCP; they betray every spoken value their American executives verbalize. That is standard operating procedure for 2022 Apple, and most other gigacorporations. That is the lens that every statement Tim makes, every word spoken at their keynotes, needs to be viewed through; that they're willing to invest their infinite money in whatever projects they believe aligns with their values, but they're wholly unwilling to stand up for those values when those projects are battle-tested in even such an absolutely inconsequential way as this.

Of course, they can prove me wrong by standing up to T-Mobile and using them as an example. I mean my god, you couldn't ask for a better example to make, T-Mobile/Sprint is a fourth-rate bargain bin cellular carrier, we're not talking about a nation state; this is a toddler mad at his parents because they won't let him eat candy for dinner. If they can't even resolve that, what hope do any of their values have?

Apple was the one who wrote that text out and put it in your iPhone. You can choose to interpret that any way you choose, but it's pretty clear that Apple either really loves and trusts T-Mobile or (more likely) their "Privacy is a Human Right" bit rides shotgun to their moneymaking shtick.
The wording "doesn't support" seems very cooperative; it's less likely to generate angry calls to the network's customer service than "sabotages", "blocks", or "interferes with" - all of which are arguably more accurate descriptions.
if i had to hypothesize why T-Mobile are doing this, its streaming media.

TMobile has numerous pay-for-play access contracts in place for companies like netflix and hulu. in return they get a QoS tier and guaranteed minimums for their subscribers.

conversely, as others have mentioned and the article itself, private relay is absolutely haram. it damages tmobiles ability to deliver edge content from their contractually obligated players like netflix (without a region netflix quality might suffer) and it completely sidesteps all of TMobiles lucrative user plans that include access to streaming media as a feature relative to the users data cap.

increasingly private "anything" on a cellphone is becoming a hostile proposition for carriers as their revenue is largely based on predatory surveillance capitalism. without metrics and metadata, theyre no different than the water company.

Having worked for a couple carriers, network operators, and the back end data processor for them, I agree that the carriers are fighting and losing the data wars. They did make a lot of money on surveillance, but it is dropping as more coms are encrypted. I don't quite understand why people feel comfortable with a $3T company holding all their data, but I guess it is just in fewer baskets. People like me who know too much only use VOIP and prepaid burner SIM's on phones that always run VPN and airplane mode 98% of the time. It is way cheaper and more secure.
I don't think Private Relay routes app traffic through Apple servers, just Safari traffic: https://support.apple.com/en-us/HT212614

Please correct me if I'm wrong. If that's the case, I believe most/all iPhone users watch Netflix/content sites via an app, so that traffic would not be routed via Private Relay.

This may affect Mac Safari traffic, though. I am curious if they have any exceptions on the backend for edge content providers.

> Apple could theoretically attempt (or at least threaten) a hostile takeover of any of them.

If I were any of the carriers, I wouldn't worry about this in the slightest.

Apple attempting to gain ownership of a mobile carrier in order to impose it's will on the market would be met with incredibly harsh regulatory scrutiny.

Beyond that, there's a strategic reason Apple hasn't launched their own mobile offering. The minute Apple owns a particular mobile carrier, they would be pretty well cut off from the other mobile carriers, or they would have to negotiate deals that would probably be argued to be collusive trade practices.

The real solution is that the United States needs real data security and privacy laws that prevent network operators from reselling your usage history, location tracking, and other personal details. It's a national security issue at this point.

I was thinking the same, then I remembered that Google has its own phones, it owns Android, and it managed to start its own cellular network without a whisper. So, no reason why Apple can't do the same.
Google is in slightly more of a "home-grown" situation, but more importantly Lina Khan was not in her current chair back when all that stuff happened. In marked contrast to previous officeholders, she won't be deferring to the "monopoly is good" FCC.
Launching an MVNO that pays out to network providers isn’t the same thing as a hostile takeover of a single carrier, for either case.

Also, as a carrier, I’m not worried about Google’s MVNO for one simple reason: Google hates humans.

For all that the carriers are bad to their customers, they at least have a footprint in meatspace. Google’s DNA finds physical footprint and real human interaction anathema.

I would gladly take Google in a customer foot race any day.

They contract it out, but Google Fiber had door to door sales people attempting to get people to switch to Google Fiber a few months ago. Several of my neighbors switched from these people reaching out.

There's a difference between temporary sales presence contracted out and a permanent retail presence, though, you're right.

I always felt like Fiber was a warning shot to all of the ISPs trying to constrain what/how/where customers could do while extracting as much money as possible.

In other words, if they keep this behavior up, Google will begin to compete as well as advocate (fight for the regulation, laws, etc) for other, smaller, new ISPs to enter the market. Or fight harder on the net-neutrality front. Or potentially worst of all for the incumbent/monopolistic ISPs, fight to make them dumb-pipes.

Then again, maybe it's just another google product/service destined from conception for the graveyard...

Apple could simply reimplement APN and iCloud Files and etc over their own Private Relay connections, so that any carrier who blocks Private Relay ends up blocking all push notifications to all Apple devices. They have not yet done so, but if they do, either all US carriers will have to collude to block it — which could reasonably be considered anti-competitive behavior and would attract immediate governmental review — or they'd all have to allow Private Relay, as otherwise they'd bleed millions of customers due to being hostile to iPhone.

It seems safe to assume that Apple doesn't like user APN traffic being tracked any more than the rest of their traffic, and so I would imagine this is essentially the roadmap for all Apple Services provided to their users over the next few years.

It's also possible the Beta is just to see what happens when they make the traffic visible and possible to block, and having seen the carriers tending towards "block anything that inhibits tracking", they might simply target Private Relay 2.0 as "HTTP3 over 443/udp to http3.apple.com" and have that be an N-way reflector point for all customer-provided Apple services, including Private Relay and the rest as different channels over that multipath HTTP3 layer. They chose to implement Private Relay in a way that could be detected, and are measuring how neutrality-hating carriers respond. Assuming it's their final answer is not a bet I'd take.

It seems like any kind of forceful action would trigger government review. The safest option to me seems to be just having a modal pop up saying "T-Mobile blocks private relay from being used".

It isn't a forceful use of power by Apple and it clearly informs just the simple truth that the users carrier is hostile and maybe they want to switch.

I expect my iPhone to work the same on any carrier.
That has never been the case. Carriers have been tampering with web traffic for a while now. If T-Mobile is specifically tampering with the network, the problem is external and out of the control of Apple.
In the US, big Carrier A implements the full array of iPhone capabilities for carriers under Settings > Cellular; big Carrier B does not. Most people aren’t aware of what they’re missing, but for example, when implemented by the carrier properly, the cellular data usage heading is “this billing cycle” instead of “however long it’s been since you last clicked Reset Statistics manually”; and Settings > Phone > Call Forwarding has an iOS native UI rather than forcing you to dial 1980s-style *#12##0112636382* modem strings into the dialer.

Does your carrier implement this? If not, will you switch carriers? It’s unclear what degree of importance you assign to your expectation, as it could be anything from “for the tasks I care about” to “in every possibly way without exception”. (For me: It’s not important eniugh to switch carriers on its own, though it’s certainly a factor if I have greater reasons.)

I was always wondering why statistics never correctly showed information for my billing cycle. Admittedly, I wasn't the account holder until recently, but I never understood that it was a carrier settings. Are there other carrier-specific features that you know about?

By the way, your parent comment hypothesizing about http/3 and Apple services likely being routed via Private Relay was also very insightful. The http/3 part seems quite speculative, but I could easily see the Apple services being routed over Private Relay as part of any standard "dogfooding" roadmap.

There is not a lot of difference between http3 and a VPN protocol that can bundle and transport multiple bidirectional channels asynchronously, especially when considering the restriction “only uses http protocols and none other” — a quality that many Apple services share with Private Relay.

It’s absolutely speculative to consider http3 a viable replacement for ”a VPN”, as many consider Private Relay to be^, but that’s not due to any technical limitation. We could benchmark Squid-over-http3 versus Wireguard VPN in various latency and packet loss scenarios today (if implemented), and get productive and interesting results. We could do the same with varnish / nginx versus openvpn / pptpd. Whether or not it supports CONNECT is worth noting, but is no obstacle for “let’s assume that everything is HTTP”, as appears widely applicable to both Apple’s services to their customers, and a significant majority of consumer VPN traffic, today.

Have those benchmarks been performed yet? Are we all doing it wrong by using wireguard et al. to Mullvad et al. for 99% HTTP traffic and we just don’t realize it yet? I look forward someday to finding out the answer :)

ps. iOS carrier APIs and functionality are NDA’d so I don’t have any other information or useful examples to offer, as my experience with carriers as their customer is very limited. Perhaps others will know; apologies.

^ I haven’t seen an FP yet titled “If it can’t carry SSH traffic, it’s not a VPN”, but certainly there’ll be one someday. I can’t predict when, though, anymore than I can guess when someone else will realize to seriously ask, supported by benchmarks and encapsulation overhead charts, “Should tcp be deprecated in favor of http?”. (I have no opinion on what the correct answers are at this time.)

Better verbiage would be "T-Mobile requires the ability to report your browsing activity to third-parties."
Legally much more risk since you are now assuming motives rather than stating plain facts. Even if those motives seem certainly correct.
It is a plain fact that they will have that ability.
ps. Everyone who’s reading this story and discussion, go read the report that T-Mobile only forces Private Relay off for customers who are enrolled in their content-filtering product:

https://tmo.report/2022/01/t-mobile-blocking-icloud-private-...

There’s been an update to the article addressing this:

> However, many of the users we’ve heard from, and tested ourselves, do not have any such content filtering enabled. We’ve followed up with T-Mobile for additional clarification, but have not yet heard back.

I don't know why these products are still around. They are already basically useless; from T-Mobile's site:

> Visiting secured web sites (https) because encryption prevents Web Guard from seeing the content of those websites

I guess T-Mobile should start downgrading HTTPS to HTTP /s

Some carriers would if they could. That's why HSTS was implemented.
Apple could theoretically attempt (or at least threaten) a hostile takeover of any of them

Yeah, that's not Apple's style. Besides, they don't want all of the legacy crap that comes with owning a cell phone carrier.

I suspect the issue is making its way up the corporate ladder through various directors and Vice Presidents.

And I'm sure Apple's got a business plan for running their own MVNO they could dust off if things get out of hand. But let's hope it doesn't come to that.

Theoretically they could buy it, replace the management, sign a contract to never do such things again, and spin it off. They wouldn't necessarily have to deal with it beyond that.

But this would be rewarding existing ownership with a buy-out.

> I would think Apple has some leverage to force it if they really wanted.

No, because then people will ask why they also don't use the leverage to enable this feature in China/Russia/...

I don't think anyone thinks America's third-largest cell carrier has the same power as the Russian or Chinese government. Certainly Apple can say "We cannot make China and Russia do what we want" because they don't have that much leverage.
Last I checked, T-Mobile has approximately 100% fewer nukes than Russia or China.
Apple has to abide by the law in each jurisdiction it operates in or cease operating there.

It doesn’t have the ability to give a middle finger to both those governments and still be able to sell devices to Russians and Chinese people to use Private Relay on.

Why would Apple need carriers and vice versa? 3GPP is a series of standards for a reason.

This blocking is a net neutrality issue. Hope it doesn't hold, at least in Europe.

Just because the tech is standardized doesn't mean Apple could just fly on their own. The carriers are entrenched via spectrum ownership. It would be impossible for Apple to build a network without the right spectrum.
Maybe I should have been more clear. I meant that as long as you uphold the standards you can connect to any network.
The message that would send is that EU anti-trust mechanisms would need to be engaged pronto.
What a strange world US is where phone sales and carriers aren't separate.

> People would need to buy iPhones from Apple and then replace the SIM cards themselves.

The horror! We've been doing this the entire time here in Russia. Carriers have always had exactly zero say on what phones can and can't do.

Of course you can buy the phone from Apple and put in a SIM card in the US. I’ve done it many times. You shouldn’t take fake internet outrage so seriously.
People would need to buy iPhones from Apple and then replace the SIM cards themselves.

I mean, why isn't this already a thing? This isn't difficult at all. I don't buy my phone from my carrier. When I get a new phone, I simply take the old sim out and put it in the new one. The last time I had to do more was when the phones changed from a standard SIM to a mini SIM - the old one wouldn't physically fit. That was some years ago, though.

I'd think the bigger issue might be with the US phone networks: Do they still force you to use your phone with the carrier even though this isn't necessary at all? And if so, why haven't folks protested since it is obviously a way to trap people into one carrier.

Also, since folks in non-US countries can just buy a phone and put a sim card in, Apple won't have any issues adjusting whatsoever.

It is already a thing, just not prevalent. Although I believe for the moment, you still have to choose your radio-specific variant as the transition to 4G and 5G isn't 100% complete yet; CDMA vs GSM. (I hope I'm wrong about this by now). Sometimes it's (or was) based on spectrum.

Another issue is probably the "incentives" provided through the network providers and their partners, especially when an iPhone is traded in. Often times it results in significant "savings" for the consumer. (I imagine Apple could implement something similar, if not superior if they wanted)

Finally it's physical presence. Apple has done a fantastic job of creating a physical place to serve your needs, and of course you can always buy online, but there are those that prefer or require going to a place to take care of their phone needs.

I also shudder to imagine what the Apple stores would look like if they had to deal with and resolve the kinds of network issues (not to mention some of the characters that need the help) I've seen the superabundance of network provider mall/strip-mall stores deal with.

Hopefully all of these are just remnants of a time we'd all like to put behind us.

> I mean, why isn't this already a thing? This isn't difficult at all. I don't buy my phone from my carrier.

There is no need to buy a phone from the mobile network in the US. People have been able to pop a SIM into a phone and call the mobile network and have them add the IMEI for many years.

(comment deleted)
I wonder when will Apple launch their own network. Would be fun!
I recall reading that starting their own MVNO was the backup plan under Jobs if they had not been able to convince any existing carriers to allow the iPhone.

At the time, the carriers specified much of how the software must work on any phone that they allowed onto their networks, both functionality and UI. Apple wanted the relationship with the carrier to be that Apple was in charge of everything except the low level code for dealing with the cellular network.

Cingular agreed, the iPhone was a huge success, the other carriers then agreed, and that's where we are today.

Does this mean Verizon and t-mobile are also blocking all VPN traffic?

Also, how can the "land of the free" not have net-neutrality laws?

We did, briefly, under Obama. More recently, the previous administration unwound those rules.

More technically: NN was implemented via the existing authority of the FCC, rather than any new law. Then the FCC, under new leadership, decided that internet service was outside of that authority, actually, and dropped that enforcement. Under Biden, there has been no change back in the other direction. (And at no point has there been a separate, federal law.)

The previous administration even attempted to prevent states from having net neutrality by claiming that disclaiming FCC authority was a prohibition on it. Yes, by attempting to claim FCC had no authority to regulate they also simultaneously claimed this prohibited states from regulating it.

The paradoxical was a direct reflection of the corruption within the FCC at the hands of the previous administration.

If anyone is aware of any grassroots efforts to reinstate NN, please comment. I had basically forgotten about the rollback under Ajit Pai, which, is in my cynical view, exactly what they want.
You could say our ISPs are free to make deals with whomever wrt bandwidth.

Is free, unlimited HD Netflix steaming worth more than private relay? I’m guessing most people would say yes.

I’d consider switching. Oddly enough though I was able to turn on private relay on T-Mobile USA.

No, Verizon is not at least. I will commonly connect to my home network over self-hosted vpn while on Verizon LTE.
Same here, except instead of commonly, always, my cellular data won't work if I'm not connected. If they interfered with that I would switch carriers in a heartbeat.
For me, this new policy will be reason enough to switch away from T-Mobile at the nearest opportunity.
Has T-Mobile given any indication that they're planning to block VPNs more generally?
I had turned private relay off during the beta since it seemed flaky when connections were poor. I have a VPN for torrents that I just installed on my phone because of this. Screw T-Mobile.
how long til ATT/Verizon do the same? is there any refuge, like Twilio?

alternatively, what would it take to roll your own/DIY private relay?

2 DO droplets, droplet0 runs OpenVPN or something, then private networked to droplet1 which requests are proxied through, and droplet1 recycles IP/region on some scheduled interval?

Good timing. My wife is going to get a cellular data plan for her new iPad this week.

Now I know to cross T-Mobile off the list.

I wonder if this would this apply to MVNOs who use the TMobile\Sprint network?
That would mean Google Fi VPN wouldn't work.

I was using my own always-on VPN w/ GrapheneOS on T-Mobile's network and was having tons of problems with calls and texts not getting through.

This does not seem to be the case. Elsewhere in the comments, neurobashing said their private relay works fine for an MVNO on T-Mobile.
Can anyone explain the case from T-Mobile's end?

(Not asking for sarcastic not-in-good-faith explanations of BS reasons that you are imagining.

Asking for anyone who understands more about a cell carrier's needs than I do, to explain what «the feature cuts off networks and servers from accessing vital network data and metadata and could impact “operator’s ability to efficiently manage telecommunication networks.» actually means, to someone who is not a telecom engineer but does understand engineering.

And/or other motives, but based on understanding more of their business than I do, not just wild guesses!)

(comment deleted)
I belive this functions like a VPN in some ways and blocks video throttling. They use traffic inspection to throttle video streams down to 480p unless you have the most premium of plans.
I've never heard that IPS (not the content provider) is throttling down Video Quality by altering the traffic. Do you have some links to back up that claim? This doesn't make much sense, as they would have to download the high quality video anyway, then invest massive CPU power to downscale this. Most content providers will scale down the quality if they detect bad network conditions. If ISP would want lower quality, they could just artifficaly slow the connection.
There is a solid, technical problem with VPN usage on such a massive scale. Carriers, like T-Mobile, can arrange traffic exchange with big content providers. Majority of traffic generated goes to a handful of providers, like YouTube, Netflix, Facebook. It's not even about direct, financial incentives. It's a win-win for both ISP and content providers to peer directly and limit the amount of traffic routed through paid uplinks. It's a win for users too, since they can get their content with less hops, through bigger pipes. Even Tier-1 network operators (https://en.wikipedia.org/wiki/Tier_1_network) can optimize traffic by making the direct inter-connections for traffic-heavy content.

When everything is encrypted and goes over the ISP just to the VPN endpoints, they can't do anything. In the end, they will have to arrange peering not with content providers but with VPN providers, who works for Apple.

PS. There is a lot of tension in current setup, even without Apple stepping up. In the old fashion market, the last mile is the king. Big grocery chains have direct access to users, so they are the strong side in the relation with producers. They can position brand X over Y, if they have better margin. They also create their own brand Z rip-off and sell that directly. Just look what Amazon does in that space. When it comes to ISP, they have direct users and have very little to say. They are basically dump pipes, just like the power line.

T-Mobile was very vocal in the past in that space. They often wanted the MANGAs (heh) of the world to pay them a share from their ads. I remember T-Mobile threatening, that they might replace some ads with their own ads. Since they provide the users with phones, they can install their own certs on devices. Chrome has SSL pinning not only, to save users from hackers, but to save their own business model being attacked by ISPs.

Wouldn't most carriers have peering relationships with Apple for Apple TV content? Presumably iCloud Private Relay traffic could be sent over that connection as well, meaning that of all the VPN-esque solutions, Apple's is the most efficient from a traffic exchange perspective.

(Of course, it was likely never about the traffic exchange itself, but rather the ability to route, shape, and track traffic dynamically on a host-by-host basis, as others have speculated.)

I am guessing that AppleTV traffic is very low compared to Netflix or YouTube. Anyway I guess this setup must be super complicated. Apple is probably partnering with tons of entities to provide this all over the world. It must be a huge challenge at Apple scale. I wonder if they have any long term goals, which are not obvious.
Well the ISPs and content providers can cry me a river about their network optimization. They brought this all upon themselves. Remember when nobody used to use VPNs?
the apple vpn provider is cloudflare, which just do free peering
The reason is right in the "what's new" section of the T-Mobile privacy policy: https://www.t-mobile.com/privacy-center/our-practices/privac...

> "However, starting April 26, 2021, T‑Mobile will begin using some data we have about you, including information we learn from your web and device usage data (like the apps installed on your device) and interactions with our products and services, for our own and 3rd party advertising, unless you tell us not to."

T-Mobile sells browser history data to advertisers, and Private Relay blocks that revenue stream. They are on the offensive to protect their new-found profit center, and most likely are doing this now to show Apple that this is not a feature that they want to see be turned on by default.

It's the beginning of the same saber rattling that Facebook did when Apple announced it would simply ask customers if they wanted to allow apps to track them

On cell networks, video content is by far the largest consumer of bandwidth. And the default for video generally is to auto-adjust the resolution to the highest quality that the network supports. This kind of sucks, since bandwidth is a shared resource for all users of a given antenna on a cell tower.

Though Speedtest on your cell might show your connection speed as 100 megabits/sec down, cell networks special-case video by identifying it as video and rate-limiting it to something like 1 megabit/sec. This is considered "efficient network management". For T-Mobile, this based on the plan (https://www.t-mobile.com/cell-phone-plans), they sell either "SD streaming" or "4k UHD streaming". "SD streaming" is a fancy way to express that they rate-limit identified video streams to 1 megabit/sec.

They identify video streams by watching the IP your phone is connecting to and/or the hostname mentioned in the TLS SNI header and checking if it is Youtube, Netflix, etc. Sending video content over a VPN removes their ability to understand what the content is.

Then couldn’t apple add some metadata on the user’s behalf that this traffic is a video stream? Of course it can be spoofed by the user, but if the hard-to-change default is well-defined by apple, then networks can depend and use that info.
Non-cynically, it probably does introduce some issues in these legacy telecom systems.

For example, if you run out of data for a month, many carriers will continue giving you access to the internet APN, but then block access to "external" websites. This is so you can easily open your browser and "top up" on data to continue using your device.

Or the usage of HTTP (not HTTPS) was relatively common back when I was in the space (7-10 years ago). There wasn't a need to use HTTP because the carrier was in full control of the pipe between the device and the server. Adding in a VPN that somehow tries to intercept that traffic (that was supposed to exist entirely within the telecom) is not going to work.

But if that were the only reason why, then couldn't they just turn off Private Relay in that specific case, instead of all the time?
These aren't wild guesses, but I also don't have inside information.

1. Browsing history. We know that Verizon is tracking it for their gain: https://www.wired.com/story/verizon-user-privacy-settings/. It seems reasonable that T-Mobile and others don't want that door to close on them.

2. Video streaming management. Carriers typically restrict video streaming on some/all of their plans to certain resolutions. For example, I think most American carriers limit video streaming to around 480/720p at 1.5Mbps or less unless you have bought a premium plan. VPNs often get around this and I know that my carrier can't detect Netflix access through iCloud Private Relay. Right now, iCloud Private Relay doesn't proxy app traffic, but it could in the future.

3. It looks like mobile carriers are looking to get into "edge cloud" stuff. Verizon has been pushing this and they recently emphasized this in their 5G Ultra presentation. If traffic is going through iCloud Private Relay, buying expensive "edge cloud" services from Verizon is a waste of money since the traffic would be leaving the network to go through Private Relay.

3a. Netflix ships "Open Connect Appliances" that ISPs can hook into their network to serve Netflix content. If your traffic is going through a proxy, you start accessing the content on a server farther away. This mostly doesn't apply given that Private Relay only does Safari traffic, but one could see Private Relay expanding to apps in the future.

4. I think there is a certain knowledge of what is using data that can be helpful to carriers. For example, I worked for a university and they wanted to set different QoS for things like peer-to-peer file sharing vs. web browsing. The university didn't want to punish P2P tech or anything like that. They just wanted to make sure that P2P usage didn't overwhelm other users and uses of the network. Likewise, it could help the university spot patterns like viruses/bots that might be using a lot of network traffic.

4a. I think this can also play into how companies position their offerings. For example, T-Mobile has introduced features like "Music Freedom" and "Binge On" that allowed unlimited audio streaming and video streaming before unlimited plans were a thing. They surely did analysis of network usage of those features before introducing them. You can look at how much video streaming users are doing and then model how much data would be used if you limited it to 480p (including accounting for an uptick in usage due to it being unlimited). However, if you don't know how data is being used, you lose the ability to spot patterns that might be opportunities.

4b. It makes sense to want to offer different QoS for different services. If someone is using FaceTime, you want that to be a good experience. You don't want to prioritize a speed test over someone's FaceTime call. You don't want to prioritize downloading from YouTube over a FaceTime call. That YouTube video can be buffered and if you know that you've transferred 15 megabits worth of 1.5Mbps video, you kinda know that the user doesn't need the next 1.5 megabits of video for 10 seconds.

4c. I know that a lot of people want their connection to be an unbiased dumb-pipe, but I think that people only want that because they tend to see crappy stuff from companies looking for money. Seeing it from a university that only wanted to give people the best possible network experience feels a bit different. QoS can be a positive thing and a dumb-pipe isn't always great.

I'm a bit surprised that T-Mobile would go this route at this time. iCloud Private Relay doesn't proxy app traffic at this time and I haven't seen that they have a similar browsing-history program like Verizon's. Still, there are reasons to want to be able to u...

Very good point on cache servers for Netflix and YouTube. Telcos save a lot of money when they terminate the traffic in their network. Private relay may affect that. Although apple’s solution could be clever about it.
Apple's solution could be clever about it, and it currently doesn't even block edge routing on mobile apps. It currently only supports Safari traffic, and most streaming will be via an app with things like Netflix. I suppose if YouTube routes to an edge that may be affected if viewing via Safari, but I'd be surprised if peering agreements aren't made when Private Relay goes out of beta.
I think this is honestly the biggest legitimate concern for the carriers: where the bits go.

Right now a hypothetical metro area might have a 20G circuit to Carrier A, a 20G circuit to Carrier B, and 20G of private peering to {Netflix, Google, etc}. With private relay they need to rip all that out and replace it with a 60G pipe to Apple.

This is the worst thing. Not for Apple or Apple users, but for the general internet. If that goes through, and countries effectively end up making Private Relay illegal, that is a very VERY strong precedent to block regular VPNs. And that's terrible.

I wonder if the same could happen to TOR, if VPN end up the same way...

> I wonder if the same could happen to TOR, if VPN end up the same way...

It can't, because some of us don't let third-party corporations control what we're allowed to do with our computer.