
siddavis

macrumors 6502a
Feb 23, 2009
865
2,908
Sooo….how long until a National Security Letter winds up at the third party company and the NSA gets its hands in the process.

That’s for anyone thinking the US isn’t just as authoritarian in tracking citizens. At least the Chinese people understand what their government is doing. The US is every bit a surveillance state as China, just laundered through various mechanisms and companies.

I do like every time Apple throws them a curveball though.

Side note: A millennial living in China has a far greater likelihood of being able to afford their own house than in the US…but “freedom” or whatever that means to you folks ?‍♂️
I'm not sure the take on posts like this. Is it to tout the Chinese way as better due to outcome? Is it simply for comparison's sake to show that Americans' freedoms are being eroded day by day? Is it to shine a light on the fact that the US government is now leaning heavily on tech companies to do their surveillance dirty work that is strictly prohibited by the Constitution?

I don't get it. Is freedom a lost cause in your eyes so we should just give up?
 

ApfelKuchen

macrumors 601
Aug 28, 2012
4,334
3,011
Between the coasts
Anyone think there’s going to be some sort of pseudo-antitrust angled attack against Apple doing this? They’re pissing off entire swaths of the parasitic underbelly of Silicon Valley.

It seems a reasonable speculation.

This tale goes back to the 1990s and the commercialization of the internet. Back when most servers were run by universities and the backbone was still mostly grant-funded.

Commercialization of the web was built on the U.S. “free TV/radio” model - free stuff in exchange for exposure to advertising. The direct consequence of that is audience “measurement” for (semi)-accurate delivery/targeting of those ads.

There was a time when most useful info on the web was produced at educational institutions or passionate amateurs. Business websites aimed to be nothing more than glossy product brochures, the kind of stuff intended to “support” sales rather than be a direct source of sales. But of course, once it’s possible to know “who” looked at the brochure (at least, in terms of Referrer IP address) there’s a desire to know more, much more, and once payment information could be securely transmitted, why stop at simple information-dissemination?

The one thing business will never countenance is the curtailment of its established markets. That would be (gasp) a violation of the principles of Free Enterprise. No nationalization of industries, no replacing advertising- or fee-based support with tax-based support, renewed demands for zero or minimal “burdensome” government regulation…

So yeah, this battle isn’t going to end, or be won by the consumer (the modern web certainly doesn’t think of its users as citizens with certain unalienable rights - all too often, customers are thought of as property). Apple’s “value-added” is and will continue to be in mitigation, rather than elimination of the extremes.
 

NT1440

macrumors G5
May 18, 2008
14,774
21,472
I'm not sure the take on posts like this. Is it to tout the Chinese way as better due to outcome? Is it simply for comparison's sake to show that Americans' freedoms are being eroded day by day? Is it to shine a light on the fact that the US government is now leaning heavily on tech companies to do their surveillance dirty work that is strictly prohibited by the Constitution?

I don't get it. Is freedom a lost cause in your eyes so we should just give up?
It’s a hope that Americans wake up to our own authoritarian ways and stop being baited into cheerleading the coming war that stands to end civilization as we know it. But this is better left to PRSI per the mods.

From a “this is capitalism” perspective, of course Apple isn’t going to force this to happen in China. We’ve made that country the workshop of the world and the capacity to shift elsewhere simply does not exist at scale yet. So why would Apple or any other corporation deliberately destroy themselves by playing hardball with those they are currently reliant on as so many in this thread suggest so glibly?
 

hot-gril

macrumors 68000
Jul 11, 2020
1,924
1,966
Northern California, USA
I think it is more like a forward proxy instead of a VPN.

Most likely all Apple devices will have encrypted requests using the third party's proxy public key, and forward the request to Apple's proxy server. Apple's proxy server in turn proxies the request to the third party server, which is able to decrypt the request and forward it to the target server.

So Apple knows it's from your device, but does not know which server it is for. The third party in turn only knows the request from Apple (not from your device) and knows the target server after decrypting the request.

Not sure if it will work with POP3/IMAP tho.

I could be wrong, but I guess this is how it'll work.
Yes, so you have a virtual network with internet access on the third party's middlebox. It carries arbitrary L3 traffic. That's a VPN. From the client's perspective, it doesn't look any different from other VPN services except probably the protocol (and there are many VPN protocols already).

When an article is mentioning a new product, it'd be helpful for readers to understand what it is by using the word most of us already know instead of only Apple's marketing term. It's like saying a Mac comes with AirPort without mentioning that means wifi.
 

quarkysg

macrumors 65816
Oct 12, 2019
1,233
823
Yes, so you have a virtual network with internet access on the third party's middlebox. It carries arbitrary L3 traffic. That's a VPN. From the client's perspective, it doesn't look any different from other VPN services except probably the protocol (and there are many VPN protocols already).

When an article is mentioning a new product, it'd be helpful for readers to understand what it is by using the word most of us already know instead of only Apple's marketing term. It's like saying a Mac comes with AirPort without mentioning that means wifi.
There’s a difference between a VPN and a proxy. A VPN operates at the network layer and is transparent to the applications. A proxy operates at the application layer.

Edit: To add on, a VPN implementation necessarily means that every hop must know the source and destination address.
 

hot-gril

macrumors 68000
Jul 11, 2020
1,924
1,966
Northern California, USA
There’s a difference between a VPN and a proxy. A VPN operates at the network layer and is transparent to the applications. A proxy operates at the application layer.

Edit: To add on, a VPN implementation necessarily means that every hop must know the source and destination address.
Not sure what you mean; do iOS apps know they're going through Private Relay? The article says all traffic leaving the device. I think "proxy" usually refers to something that handles one particular kind of application traffic rather than arbitrary L3 (or even L2 in some cases). Like, HTTPS proxies. Those are out of style maybe cause a VPN is strictly better.

Not every hop in a VPN needs to know the final src and dst. With a typical VPN, the Netflix app sends to a Netflix server's IP, the virtual network interface wraps that in a packet destined for the VPN instead, and then the VPN unwraps it and sends to Netflix. This case is the same except it takes one more hop. And on LTE, there's another similar layer around all this, the cell network's EPC.

Edit: Meant to say, not every hop in a VPN needs to know the final src and dst. There are all sorts of middleboxes built into the network itself, especially cellular ones. On LTE, the tower wraps your IP packets in its own encrypted L5 payload inside an IP packet destined for the carrier's EPC, which is routed through the cell core network with many hops not necessarily knowing the final dst. The EPC then unwraps it before sending to the Internet.
 

quarkysg

macrumors 65816
Oct 12, 2019
1,233
823
Not sure what you mean; do iOS apps know they're going through Private Relay? The article says all traffic leaving the device. I think "proxy" usually refers to something that handles one particular kind of application traffic rather than arbitrary L3 (or even L2 in some cases). Like, HTTPS proxies. Those are out of style maybe cause a VPN is strictly better.

Not every hop in a VPN needs to know the final src and dst. With a typical VPN, the Netflix app sends to a Netflix server's IP, the virtual network interface wraps that in a packet destined for the VPN instead, and then the VPN unwraps it and sends to Netflix. This case is the same except it takes one more hop. And on LTE, there's another similar layer around all this, the cell network's EPC.
From my understanding of how L3 routing works, every node within the network (whether it's physical or virtual i.e. VPN) has to know src and dst, or they wouldn't know how to route. Similarly for L2 VPN like L2TP/IPSec or OpenVPN bridge mode, they need to know src and dst MAC addresses. The difference between VPN and physical network is that VPN will bypass many physical nodes, but the VPN server/provider will know who you are and where you are going to.

From what I understand of what has been announced, my guess will be something like how a proxy works, but in this case, a two stage proxy, instead of how we understand it to be a traditional one stage forward proxy (which knows who you are and where you're going to). Such an implementation works for a stateless protocol like HTTP. Not too sure it'll work with stateful protocols tho. Apple will likely use a transparent proxy implementation, either via APIs (likely) or packet scanning and re-package HTTP traffic to their first stage iCloud proxy.
 

hot-gril

macrumors 68000
Jul 11, 2020
1,924
1,966
Northern California, USA
From my understanding of how L3 routing works, every node within the network (whether it's physical or virtual i.e. VPN) has to know src and dst, or they wouldn't know how to route. Similarly for L2 VPN like L2TP/IPSec or OpenVPN bridge mode, they need to know src and dst MAC addresses. The difference between VPN and physical network is that VPN will bypass many physical nodes, but the VPN server/provider will know who you are and where you are going to.

From what I understand of what has been announced, my guess will be something like how a proxy works, but in this case, a two stage proxy, instead of how we understand it to be a traditional one stage forward proxy (which knows who you are and where you're going to). Such an implementation works for a stateless protocol like HTTP. Not too sure it'll work with stateful protocols tho. Apple will likely use a transparent proxy implementation, either via APIs (likely) or packet scanning and re-package HTTP traffic to their first stage iCloud proxy.
Yes, every node within the L3 network needs to know the src and dst, but a VPN is implementing an L2 or L3 network wrapped in the application layer. The system doesn't care about its implementation, just that it can use the VPN as an L2 or L3 network interface. Private Relay seems to match this description, a virtual L3 network for your applications. I think NordVPN works similarly; it has more than one hop.

I realized my above comment made no sense and edited it to talk about LTE networks, but I was late. Basically, even what your device sees as L2 or L1 is often implemented at the application layer with a series of hops through middleboxes via their own physical network, and some of those boxes don't know your original L3 packet's src and dst.
 

quarkysg

macrumors 65816
Oct 12, 2019
1,233
823
Yes, every node within the L3 network needs to know the src and dst, but a VPN is implementing an L2 or L3 network wrapped in the application layer. The system doesn't care about its implementation, just that it can use the VPN as an L2 or L3 network interface. Private Relay seems to match this description, a virtual L3 network for your applications. I think NordVPN works similarly; it has more than one hop.

I realized my above comment made no sense and edited it to talk about LTE networks, but I was late. Basically, even what your device sees as L2 or L1 is often implemented at the application layer with a series of hops through middleboxes via their own physical network, and some of those boxes don't know your original L3 packet's src and dst.
Not sure I follow you tho. I was referring to the OSI 7 layers. When you said 'a VPN is implementing an L2 or L3 network wrapped in the application layer' are you referring to the iOS apps? From how I understand it, an Application Layer protocol means that the applications need to understand the protocol (e.g. HTTP for browsers, Telnet/SSH for terminal app) that the lower layers of the OSI stack will not bother with. So a L3/network layer will only understand the network part (e.g. IP protocol). All these can be implemented with an OS application (e.g. OpenVPN) with API calls into the OS.

Apologies if you already know all this. Not meaning to sound like a teacher here.

For a L2/L3/L4 network layer to function, the next hop needs to know src and dst right? The claim here is that Apple doesn't know where your device is sending traffic to, and the third party doesn't know who you are but knows where your request is going to. This doesn't fit the working of a routeable network as how I understand it tho.
 

Apple_Robert

Contributor
Sep 21, 2012
34,610
50,315
In the middle of several books.
This is a VPN, but Apple is bound by local laws in every country they sell iCloud, so don’t expect it to be private in the sense that law enforcement can’t trace back traffic.

It’s so your data is private from your device *to Apple*.

The third party company is probably CloudFlare or someone in that space.
Those that try to do illegal things with the service may be in for a rude awakening.
 

hot-gril

macrumors 68000
Jul 11, 2020
1,924
1,966
Northern California, USA
Not sure I follow you tho. I was referring to the OSI 7 layers. When you said 'a VPN is implementing an L2 or L3 network wrapped in the application layer' are you referring to the iOS apps? From how I understand it, an Application Layer protocol means that the applications need to understand the protocol (e.g. HTTP for browsers, Telnet/SSH for terminal app) that the lower layers of the OSI stack will not bother with. So a L3/network layer will only understand the network part (e.g. IP protocol). All these can be implemented with an OS application (e.g. OpenVPN) with API calls into the OS.

Apologies if you already know all this. Not meaning to sound like a teacher here.

For a L2/L3/L4 network layer to function, the next hop needs to know src and dst right? The claim here is that Apple doesn't know where your device is sending traffic to, and the third party doesn't know who you are but knows where your request is going to. This doesn't fit the working of a routeable network as how I understand it tho.
I think we're saying the same thing mostly when it comes to that OSI stuff, and normally a diagram would be used to describe this. I may also be guilty of talking past you.

I would describe this as, the third party is the meat of the VPN and Apple is a proxy to them. But the whole package is a VPN from the consumer's (or device's) perspective, and that's what matters.
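
An added illustration of the two-stage relay arrangement debated in the posts above; it is not part of any post and not Apple's protocol. A toy symmetric cipher stands in for the public-key encryption mentioned in the thread, and all hostnames, addresses and function names are constructed. It records which source and destination each hop can actually observe.

```python
import hashlib, hmac, json, os

# Constructed names and addresses, for illustration only.
DEVICE, INGRESS, EGRESS, TARGET = "203.0.113.7", "ingress.example", "egress.example", "video.example"

def _subkey(key, label):
    return hashlib.sha256(label + key).digest()

def _xor_stream(key, nonce, data):
    # Toy SHA-256 counter-mode keystream; a stand-in, not a vetted cipher.
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered payload")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def device_send(egress_key, target, request):
    # Inner layer names the real destination and is readable only by the second hop.
    inner = seal(egress_key, json.dumps({"dst": target, "req": request}).encode())
    return {"src": DEVICE, "dst": INGRESS, "payload": inner}

def ingress_forward(pkt, ingress_key, view):
    # First hop routes on the outer header only; it holds no key for the payload.
    try:
        unseal(ingress_key, pkt["payload"])
        readable = True
    except ValueError:
        readable = False
    view["ingress"] = {"src": pkt["src"], "dst": pkt["dst"], "payload_readable": readable}
    return {"src": INGRESS, "dst": EGRESS, "payload": pkt["payload"]}

def egress_forward(pkt, egress_key, view):
    # Second hop learns the destination, but the source it sees is the first hop.
    inner = json.loads(unseal(egress_key, pkt["payload"]))
    view["egress"] = {"src": pkt["src"], "dst": inner["dst"]}
    return {"src": EGRESS, "dst": inner["dst"], "payload": inner["req"]}

def relay_once(request="GET /title/42"):
    egress_key, ingress_key = os.urandom(32), os.urandom(32)
    view = {}
    hop1 = ingress_forward(device_send(egress_key, TARGET, request), ingress_key, view)
    delivered = egress_forward(hop1, egress_key, view)
    return view, delivered

if __name__ == "__main__":
    view, delivered = relay_once()
    print(json.dumps(view, indent=2))
    print(delivered)
```

Each hop forwards on the outer header it receives, so the device address and the target name never appear together at a single relay in this model.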
 

amartinez1660

macrumors 68000
Sep 22, 2014
1,601
1,636
Sooo….how long until a National Security Letter winds up at the third party company and the NSA gets its hands in the process.

That’s for anyone thinking the US isn’t just as authoritarian in tracking citizens. At least the Chinese people understand what their government is doing. The US is every bit a surveillance state as China, just laundered through various mechanisms and companies.

I do like every time Apple throws them a curveball though.

Side note: A millennial living in China has a far greater likelihood of being able to afford their own house than in the US…but “freedom” or whatever that means to you folks ?‍♂️
Just commenting on the concept of “owning your house” or car or anything for that matter… this is not country or politics specific just some perspective: try not paying the taxes, fees, licenses, etc of many little things attached to the “owned” stuff.
We basically have to pay for the right to use our own things. Some countries take this quite further than others.
 

xander49x

macrumors regular
Apr 23, 2015
177
313
world
but nobody forces Apple to lecture morals from the high ground on others - or to sell in those countries for that matter
When did they lecture anyone? They informed people of their company stance on privacy; how are they on the high ground?
 

xander49x

macrumors regular
Apr 23, 2015
177
313
world
That's certainly true, but it's Apple itself that acknowledges privacy as a "fundamental human right". It's the first line in their privacy statement. It's their choice to acknowledge privacy like that and a legitimate one, but it has consequences.

Apple decided to compromise on privacy to be able to do business in China. This is too a perfectly legitimate position, but it ultimately means that they are in fact compromising what they acknowledge to be a fundamental human right for the sake of doing business.

If they believe doing business is more important than privacy, which is a perfectly legitimate position, they should not acknowledge privacy as a "fundamental human right", because if they compromise it for the sake of doing business as a matter of fact they are not treating it as one.
very good response, you gave me something to think about.
 

I7guy

macrumors Nehalem
Nov 30, 2013
34,345
24,091
Gotta be in it to win it
[…].

If they believe doing business is more important than privacy, which is a perfectly legitimate position, they should not acknowledge privacy as a "fundamental human right", because if they compromise it for the sake of doing business as a matter of fact they are not treating it as one.
The privacy aspect was never meant to override the rights of government. So yeah, it’s a fundamental human right, and Apple can still do business and declare privacy a fundamental right and not be hypocritical.
 

Shirasaki

macrumors P6
May 16, 2015
15,776
11,142
haha.. i guess..

China hates anything with the word "encrypting"
I'm surprised they don’t just outright ban encryption inside China mainland (no https, no TLS, no SSL. Encrypting your personal data is a criminal offence).
 

Airforcekid

macrumors 68000
Sep 29, 2008
1,707
680
United States of America
I'm surprised they don’t just outright ban encryption inside China mainland (no https, no TLS, no SSL. Encrypting your personal data is a criminal offence).
Easy, every intelligence agency outside China would have a field day. It's kind of like do you take the door off your teenager's room to see if they are doing drugs/making out etc. but at the same time you don't want the guy renting the basement apartment that walks by their room seeing them changing clothes etc.
 

Shirasaki

macrumors P6
May 16, 2015
15,776
11,142
Easy, every intelligence agency outside China would have a field day. It's kind of like do you take the door off your teenager's room to see if they are doing drugs/making out etc. but at the same time you don't want the guy renting the basement apartment that walks by their room seeing them changing clothes etc.
Heh…
Makes sense for regular people but on CCP it doesn’t make any sense. But whatever, they do what they do.
 

hot-gril

macrumors 68000
Jul 11, 2020
1,924
1,966
Northern California, USA
I'm surprised they don’t just outright ban encryption inside China mainland (no https, no TLS, no SSL. Encrypting your personal data is a criminal offence).
They try to limit people to encryption schemes that are already broken, like outdated versions of TLS. I guess that way people get a false sense of security from the government while having some security against amateur hackers.
 

bsolar

macrumors 68000
Jun 20, 2011
1,536
1,754
The privacy aspect was never meant to override the rights of government. So yeah, it’s a fundamental human right, and apple can still do business and declare privacy a fundamental right and not be hypocritical.

If Apple believes privacy to be a fundamental human right, it means it believes the right is entitled to any human being for the mere fact of being human, regardless of what any government says on the matter. That's by definition what a fundamental human right is.

So no, Apple cannot at the same time acknowledge privacy as a fundamental human right and compromise it for the sake of business without being hypocritical.
 

I7guy

macrumors Nehalem
Nov 30, 2013
34,345
24,091
Gotta be in it to win it
If Apple believes privacy to be a fundamental human right, it means it believes the right is entitled to any human being for the mere fact of being human, regardless of what any government says on the matter. That's by definition what a fundamental human right is.

So no, Apple cannot at the same time acknowledge privacy as a fundamental human right and compromise it for the sake of business without being hypocritical.
Privacy is a fundamental human right that is granted by a government. Apple's stance is your neighbor, search engine, web advertiser shouldn't be able to paint a picture of you. Apple was never trying to abridge the laws of government in the countries it does business in.

So yes, Apple can acknowledge that privacy is a fundamental human right and not be hypocritical about saying so.
 