Inside iCloud+ Private Relay: can it be trusted?

There are lots of good reasons for not wanting to expose your IP address when you connect to a website. For most of us, at least those fortunate enough to live under regimes which aren’t overtly oppressive, the prime reason is to prevent sites capturing data about us: it’s mostly about privacy.

Unfortunately, VPN isn’t a single clear-cut protocol, and requires a great deal of trust between you and your VPN service. It isn’t hard to envisage a VPN provider using your information to their advantage, as they could be quietly logging every last detail of all the connections you make through their service. Recently, concern has been expressed that some quite popular VPN services are owned by companies which operate from jurisdictions which don’t protect privacy well, or which could be directed to release information from their logs. As if to deepen the distrust, several of these articles are clearly unannounced promotions for competing VPN providers. So who can you trust to provide your VPN service?

Apple announced an alternative at WWDC last June, in its iCloud+ Private Relay service, and just before Christmas published a more detailed overview of that service, which is still officially in beta-release in Monterey 12.1 and its equivalents in iOS and iPadOS. In addition to describing in detail the service as it currently operates, it spells out those services and situations which don’t benefit from its Private Relay.

How it works

The way this works is through two sets of relay servers. The first relay, operated by Apple, knows your IP address but not the destination address you’re connecting to. The second relay, operated by a major content delivery network like Cloudflare or Akamai, doesn’t know your real IP address, but does know the destination.

As IP addresses bear some location information, which is often important for your connections, the Relay IP used by the second relay is chosen according to one of two options as to how local that should be. You can opt for that to preserve your country and time zone, or to be vaguer and merely place you within a larger region. For example, when I opt for the more specific, my Relay IP usually locates me in London, around 70 miles away. If I change to use the regional option, the Relay IP could come from any part of the UK, including Scotland, more than 500 miles distant.

Regional information is important for many website connections, for example to verify that you are entitled to access geographically limited media and services. Many sites use it to redirect your connection to localised sites which default to your preferred language and currency. Of course if you give explicit permission, sites can obtain more precise locational information, but you control that locally: for example, location information is only provided by Safari to sites listed for the Location item in the Websites tab in its Preferences.

The first step in establishing a Private Relay connection is for the first relay to verify that your Mac is in good standing with Apple’s iCloud+ service, which checks both the device and account. Apple touts this as giving remote services good levels of protection from fraud and abuse.

Next, the first relay provides your Mac with a Geohash, which is used by the second relay, in conjunction with your location option, to allocate the Relay IP. DNS name resolution uses encryption with a network proxy in Oblivious DNS over HTTPS (ODoH) to protect the privacy of DNS name resolution performed in the Private Relay service.

Apple assures us that the logs maintained by its Private Relay service are minimal, and don’t contain any personal identifiers. The closest they come is the network and regional information derived from IP addresses.


When turned on, Private Relay doesn’t attempt to protect certain connections. These include:

  • Any traffic to the local network. Relaying is only available to public internet servers.
  • Cellular services including MMS, telephony (XCAP), Entitlement Server access, tethering traffic, and Visual Voicemail. I think those are also excluded from VPNs.
  • Traffic routed through a VPN, which always takes precedence, as does a proxy configuration such as Global Proxy.
  • Certain geographical areas, where Private Relay isn’t available.
  • Currently, third-party browsers etc. don’t appear able to use any Private Relay features, which are confined to Safari and other Apple products. VPNs normally work with all software regardless of its vendor.

Custom DNS settings can also affect part or all of Private Relay. If your Mac has custom encrypted DNS configured in a profile or app, that DNS service will be used instead of its own ODoH. Safari connections and unencrypted HTTP connections will resolve names with the DNS server specified before being routed through Private Relay. However, a local unencrypted DNS server, or one set manually in the Network pane, won’t be used for Private Relay traffic.

If you want to block the use of Private Relay, for example on a network which requires all traffic to be audited, the simplest way to do that is to prevent DNS resolution for and hostnames.

VPN or Private Relay?

Despite its careful design, Private Relay still does have problems with certain sites and services. Where possible, Apple is preferring to advise the user when a connection can’t be made, rather than expecting the user to build and maintain an exception list. Otherwise the service now appears quite robust and performs well.

The decision whether to use VPN or Private Relay comes down to:

  • Does Private Relay provide the protection you want, or do you require a proper VPN?
  • Does Private Relay work with all your key websites?
  • Does Private Relay protect the apps you use, or do you use a third-party browser?
  • Can you put full trust in your VPN service, its operator, and the jurisdiction from which it operates?

From what I see, iCloud+ Private Relay almost invariably wins when it comes down to trust. And the fact that I currently pay less than $/€/£ 1 per month for my iCloud+ service.