A comparison of Apple’s Private Relay and a VPN

You may have seen coverage of Apple’s new iCloud Private Relay, a feature intended to improve privacy. Private Relay lets users browse the web without disclosing their public IP address to the sites they visit, which makes it harder for websites to track their browsing across sessions. Contrary to popular belief, Private Relay is not a VPN and does not provide the same coverage as one.

Private Relay is included in Apple’s iCloud+ service, the paid tier of iCloud, so you can start using it for as little as $0.99 per month with the 50GB storage plan.

What makes a VPN superior to a Private Relay?

The difference comes from how much traffic each one covers. A VPN encrypts and tunnels all traffic leaving your device through the provider’s servers; Private Relay covers far less, with the following significant restrictions:

Only covers Safari (plus DNS and insecure HTTP)

Private Relay relays Safari browsing, DNS queries, and unencrypted HTTP connections from apps; HTTPS traffic from other browsers and apps is not relayed. Safari accounts for about 18% of browser use, so the remaining 82% of users would either need to switch to Safari or browse without Private Relay’s IP masking (their HTTPS traffic is still encrypted, just not relayed).

Outside Safari, only plain HTTP is covered

For apps other than Safari, Private Relay only intercepts insecure HTTP connections. An app’s HTTPS traffic is already encrypted, but it goes directly to the server and reveals your real IP address, because Private Relay does not touch it.

Unable to choose a region

This means that geo-restricted content cannot be accessed through it, and this is unlikely to change, as Apple said during a developer session: ‘Private Relay ensures that users cannot exploit the system to appear to be from another area, allowing you to continue enforcing region-based access restrictions.’

No protection for users in certain regions

Private Relay is not available in Belarus, China, Colombia, Egypt, Kazakhstan, Saudi Arabia, South Africa, Turkmenistan, Uganda, or the Philippines. These are countries that restrict VPNs and have a history of censorship.

No extra functions that are usually included with VPN clients

Private Relay has none of the extra features found in VPN clients, such as a kill switch, selectable regions, or configurable protocol and encryption settings.

What advantages can Private Relay offer?

Private Relay is simple to use, without the app hassles associated with traditional VPNs. Sign in with an iCloud+ subscription on your Apple device, turn on Private Relay in your iCloud settings, and it begins protecting your Safari activity.

When you open a connection, your traffic passes through two separate proxies. Your device first establishes a fast, secure QUIC (HTTP/3) connection to the Ingress Proxy, operated by Apple, with a fallback to HTTP/2 where QUIC is blocked. Access is authenticated with RSA blind signatures: your device obtains a signed access token from Apple without the proxies ever seeing your Apple ID, password, or other account details, and the token cannot be linked back to the account that requested it. As with a VPN, the Ingress Proxy does not learn which websites you visit, because the destination is encrypted on your device so that only the Egress Proxy can read it.
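The blind-signature step above is easy to misread, so here is a toy issuance flow in Python. This is an added example, not Apple’s code: it assumes a fixed toy RSA key built from two Mersenne primes, SHA-256 reduced mod n as the message hash, and no padding, none of which a real deployment would use. What it shows is the property that matters: the issuer signs a value it cannot read, the unblinded signature verifies under the issuer’s public key, and nothing in the issuer’s log matches the token the proxy later sees.

```python
"""Toy RSA blind-signature token issuance (added example, not Apple's code).

Assumptions not taken from the page: toy key from Mersenne primes, SHA-256
reduced mod N as a stand-in for a full-domain hash, no padding.  Insecure;
for illustration of the blinding/unblinding arithmetic only.
"""
import hashlib
import secrets
from math import gcd

# Toy RSA key: p = 2^127-1, q = 2^107-1 (both Mersenne primes).  A real
# issuer uses a properly generated 2048-bit+ key.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, known only to the issuer


def hash_to_int(token: bytes) -> int:
    """Map the client's random token to an integer mod N (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


class Issuer:
    """Apple's account side in the story: signs blinded values it cannot read."""

    def __init__(self):
        self.seen = []            # everything the issuer ever observed

    def sign_blinded(self, blinded: int) -> int:
        self.seen.append(blinded)
        return pow(blinded, D, N)


class Client:
    """The device: blinds a fresh token, gets it signed, unblinds the result."""

    def __init__(self, issuer: Issuer):
        self.issuer = issuer

    def get_token(self):
        token = secrets.token_bytes(32)
        m = hash_to_int(token)
        while True:                         # blinding factor r, invertible mod N
            r = secrets.randbelow(N)
            if r > 1 and gcd(r, N) == 1:
                break
        blinded = (m * pow(r, E, N)) % N    # m * r^e: hides m from the issuer
        blind_sig = self.issuer.sign_blinded(blinded)   # (m * r^e)^d = m^d * r
        sig = (blind_sig * pow(r, -1, N)) % N           # strip r: m^d
        return token, sig


def verify(token: bytes, sig: int) -> bool:
    """Proxy-side check: is sig a valid signature on token under the public key?"""
    return pow(sig, E, N) == hash_to_int(token)


def unlinkable(issuer: Issuer, token: bytes, sig: int) -> bool:
    """The issuer's log contains neither the token hash nor the final signature."""
    return hash_to_int(token) not in issuer.seen and sig not in issuer.seen


if __name__ == "__main__":
    issuer = Issuer()
    token, sig = Client(issuer).get_token()
    print("valid:", verify(token, sig), "unlinkable:", unlinkable(issuer, token, sig))
```

The issuer only ever sees `m * r^e mod N`, which is uniformly random from its point of view, so even a malicious issuer cannot match a redeemed token back to the account that requested it. Real Private Relay adds key transparency and per-account rate limits on top of this; those are outside the scope of the example.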

Because your IP address could still identify you, the Ingress Proxy does not pass it on. Instead it derives an approximate location from it and forwards only that: if your IP address is in Los Angeles, the Egress Proxy sees something like ‘California’. You can also set Private Relay to ‘Use country and time zone’ instead of ‘Maintain general location’, which gives it a much larger pool of IP addresses to choose from and reveals even less about where you are.

The Ingress Proxy forwards your still-encrypted request to the Egress Proxy over its own secure connection. This second hop is not operated by Apple but by a partnered content delivery network. The Egress Proxy removes the relay encryption layer, learns the hostname you asked for, and opens a connection to that site on your behalf. For an HTTPS site, the TLS session still runs end to end between Safari and the website, so the Egress Proxy sees where you are connecting but not the contents of the pages.

This is the knowledge separation that protects your privacy: the Ingress Proxy knows a bit about who you are (your IP address), but not what you’re doing; the Egress Proxy knows everything about what you’re doing, but not who you are.

The Egress Proxy never sees your real IP address, but it must present some address to the website so that the site can serve localized content. To do this it takes the approximate location it received (California) and assigns your connection an IP address from its pool for that region.

This gives websites enough location information to serve relevant content, but not enough to identify you. They may see a different IP address on each visit, your true IP address is never disclosed, and all they know is that the connection arrived via the Egress Proxy. The site’s response goes back to that egress address, then to the Ingress Proxy, and finally to your device; for HTTPS sites the content stays encrypted end to end, so neither proxy can read it.
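The flow in the preceding paragraphs is worth seeing as code, because the security claim is entirely about which hop records what. The following Python simulation is an added example, not Apple’s implementation. Its assumptions are not from the page: a toy HMAC-SHA256 keystream stands in for the QUIC/TLS layer between the device and the Egress Proxy, the coarse geo lookup and the egress IP pool are constructed from documentation address ranges, and the website is a local function. It follows the page’s description in having the ingress hop derive the coarse location.

```python
"""Simulation of Private Relay's two-hop knowledge separation.
Added example, not Apple's code.  Assumptions not taken from the page: a toy
HMAC-SHA256 keystream stands in for the device-to-egress TLS layer, the geo
lookup and egress pool are constructed, and the website is a local function.
"""
import hashlib
import hmac
import json
import secrets

# Key the device shares with the egress hop only (stand-in for its TLS session).
EGRESS_KEY = secrets.token_bytes(32)

# Constructed data (documentation IP ranges, not real Private Relay addresses).
COARSE_GEO = {"198.51.100.7": "California"}
EGRESS_POOLS = {"California": ["203.0.113.10", "203.0.113.11", "203.0.113.12"]}
INGRESS_IP = "192.0.2.1"


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter)
    blocks.  Demo stand-in for real encryption; symmetric, so it also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal_for_egress(host: str, path: str) -> bytes:
    """Device side: encrypt the destination so only the egress hop can read it."""
    nonce = secrets.token_bytes(16)
    plain = json.dumps({"host": host, "path": path}).encode()
    return nonce + keystream_xor(EGRESS_KEY, nonce, plain)


class Egress:
    """Partner-operated hop: learns the destination, never the client IP."""

    def __init__(self, sites):
        self.sites = sites
        self.log = []

    def handle(self, ingress_ip: str, location: str, sealed: bytes):
        nonce, ciphertext = sealed[:16], sealed[16:]
        req = json.loads(keystream_xor(EGRESS_KEY, nonce, ciphertext))
        pool_ip = secrets.choice(EGRESS_POOLS[location])   # address the site sees
        self.log.append({"from": ingress_ip, "host": req["host"], "pool_ip": pool_ip})
        return self.sites[req["host"]](pool_ip, req["path"])


class Ingress:
    """Apple-operated hop: learns the client IP, never the destination."""

    def __init__(self, egress: Egress):
        self.egress = egress
        self.log = []

    def handle(self, client_ip: str, sealed: bytes):
        # Access-token verification would happen here; the blob is opaque to this hop.
        self.log.append({"client_ip": client_ip, "blob": sealed.hex()})
        location = COARSE_GEO.get(client_ip, "Unknown")   # coarse location only
        return self.egress.handle(INGRESS_IP, location, sealed)


def website(source_ip: str, path: str) -> dict:
    """The origin server: records which address the request appeared to come from."""
    return {"seen_ip": source_ip, "body": f"content for {path}"}


def log_mentions(log: list, needle: str) -> bool:
    """Does anything a hop recorded contain the given string?"""
    return needle in json.dumps(log)


def run_demo():
    """One request from a Los Angeles client to example.com through both hops."""
    egress = Egress({"example.com": website})
    ingress = Ingress(egress)
    response = ingress.handle("198.51.100.7", seal_for_egress("example.com", "/"))
    return ingress, egress, response


if __name__ == "__main__":
    ingress, egress, response = run_demo()
    print("ingress log:", ingress.log)
    print("egress log:", egress.log)
    print("site saw:", response["seen_ip"])
```

Inspecting the two logs after `run_demo()` makes the separation concrete: the ingress record holds the client address and an opaque hex blob, the egress record holds the hostname and the ingress address, and the website only ever sees an address from the regional pool. Collapsing the two hops into one operator, as a single-hop VPN does, puts both columns in the same log.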

Private Relay network

Unlike VPN providers, which publish details of their networks such as server counts, locations, and hosting providers, Apple has not disclosed the Private Relay architecture or which partners operate the Egress Proxies. Based on marketing material and the IP ranges observed so far, Cloudflare, Fastly, and Akamai are believed to be the partners, and name resolution through the relay appears to use Oblivious DNS over HTTPS (ODoH). Apple has not confirmed any of this, but between them those CDNs are believed to operate 300,000+ servers, far more than any VPN service.

It is also unclear which jurisdiction Private Relay operates under, presumably the United States, since Apple is based there. Because of the 14 Eyes intelligence-sharing agreements and FISA warrants, that is a non-starter for many VPN users, who may prefer a reliable VPN for Mac instead.
