UK Network Operators Target iCloud Private Relay in Complaint to Regulator

macrumors.com

60 points by metahost 4 years ago · 40 comments

spzb 4 years ago

Everything in their complaint is precisely the reason why their customers want to use Private Relay! We don't want our browsing data observed and analysed by network operators, we want a dumb pipe that gets out of our way.

  • mojzu 4 years ago

    The arguments they're making are a mix between nonsensical and absurd to me. The only vaguely legitimate point they make is that some users have experienced worse browsing experiences (because it's beta software/because some websites don't play nicely with VPNs), but then say that this is intended to push users away from using Safari?

    And are they seriously arguing they could build a viable competitor to mobile browsers if only they have access to all our browsing data? Personally I was leaving it off until it was out of beta, but this just convinced me to turn it on

    • lelandfe 4 years ago

      > The only vaguely legitimate point they make is that some users have experienced worse browsing

      While this complaint is definitely them throwing every single dart at the board, the note that Private Relay reduces the government’s ability to monitor internet use is at least legitimate.

      • mojzu 4 years ago

        That's fair, although there are so many other products available that do the same thing, run by organisations much less cooperative with governments. Perhaps the scale of a company like Apple providing it changes the equation, but it still strikes me as scare-mongering, however I am of the opinion that the government shouldn't have the ability to passively monitor individual internet use so that probably makes me biased

  • Angostura 4 years ago

    The article left me wondering who the right person at the regulator is to contact to counter this (I'm a UK consumer)

azalemeth 4 years ago

I'm not surprised by this move – the UK's conservative government is very fond of trying to control the internet, and since the "Snooper's Charter" went live in 2016, but apparently half the young population of the UK know about VPNs and 25% tor specifically for getting around blocks on pornography [1] – so clearly, these commercial complaints are doomed to fail.

I personally have never used Apple's private relay, but I have encrypted all my traffic since Snooper's Charter. The fact that the industry bodies are complaining about it -- effectively complaining that they can't spy and snoop on their users, often for commercial gain -- makes me think it is effective.

[1] https://onlinelibrary.wiley.com/doi/full/10.1002/poi3.250

  • mhh__ 4 years ago

    I'd be amazed if 25% of teenagers actually used Tor.

    My generation is the tail end of people who actually grew up using computers versus the "mobile"-ized internet for everything, and I was basically the "umm can you darkweb for me pretty please" guy for all my friends. Easy profit. Arbitrage their laziness for my ability to use a computer.

    • howinteresting 4 years ago

      Tor is super easy to use on phones these days. On Android you can just install the Tor Browser app.

      • mhh__ 4 years ago

        You also have to be able to work out how to use certain types of encryption or so I've heard.

        • crtasm 4 years ago

          No, you can just start using it - it's based on the Firefox app.

    • giantrobot 4 years ago

      You are aware VPNs are not just Tor right? Commercial VPNs have been in the spotlight for at least a decade as a way to spoof streaming and gaming services' regional lockouts. I have no trouble believing 25% of teenagers at least know about VPNs.

      • mhh__ 4 years ago

        The comment says "and 25% tor specifically"

        • giantrobot 4 years ago

          Which implies that 25% know about Tor and traditional VPNs. So even when a teen isn't necessarily going to use Tor they know that other VPNs exist to get around blocks.

gcthomas 4 years ago

So the mobile companies are miffed that they can no longer mine the data they carry for their own benefit?

It does favour Apple in the market, though, because Apple can still see all the traffic, which is what the CMA is interested in. What is needed is for the mobile companies to offer the same protections that Apple offers, so all will benefit.

tkw01536 4 years ago

I’m wondering what prevents network operators from just disabling the use of Private Relay on their networks.

This could be achieved both via legal means (in e.g. their terms of service to prohibit use of any VPNs or similar software) as well as on a technical level. As per [1]:

> The fastest and most reliable way to do this is to return a negative answer from the network’s DNS resolver, preventing DNS resolution for the mask.icloud.com and mask-h2.icloud.com hostnames necessary for Private Relay traffic.

These ISPs surely operate some DNS resolvers - just make them return NXDOMAIN results. This doesn’t require consent or collaboration from Apple.

[1] https://www.apple.com/privacy/docs/iCloud_Private_Relay_Over...

  • Gigachad 4 years ago

    Because then you have about half your customer base ringing support asking why the internet doesn’t work. Many will complain on social media claiming this ISP just doesn’t work, many will switch to other providers.

    Apple is bigger and more important than the ISP and likely much more trusted by the consumer.

Terry_Roll 4 years ago

So as someone who set up a freeswitch PBX with some devices to move the land line onto a computer network and then ran a voip phone on my mobile connected to the freeswitch PBX without and inside a VPN, the telcos do mess around with voip calls.

The national security element is probably valid, but preemptive action is taken against people here in the UK (prejudiced by science or just a form of scientific reinforcement) to mess around with people from an early age.

Govts, Religions and industry leading entities don't want their positions in society messed around with.

hughrr 4 years ago

This is the best recommendation for a product you could ask for.

mrlonglong 4 years ago

Oh, fuck those people, why not moan about tor, P2P and other encrypted protocols as well? They're just annoyed they can't monitor communications for the pleasure of the UK government who have historically proven to be a bunch of snoops? As a UK resident, I wish they'd shut up and whine about more important issues instead. Bunch of nosey morons that think there's a potential terrorist hiding under every broadband router!

airpoint 4 years ago

I’ve been thinking of switching to a different operator for a while and this is the last drop.

But so now, what’s left on offer if I exclude those associated within the Mobile UK group?

petesergeant 4 years ago

> Mobile UK says that due to Private Relay, "providers will be unable to use the traffic data to develop their own competing mobile browsers in the future”

Thanks but I like my carriers to be dumb pipes

throwoutway 4 years ago

Maybe the regulators should interview the customers. I would side with Apple

aaomidi 4 years ago

So do they also hate https? How about ECH?

dcow 4 years ago

While I don't have tons of sympathy for the complaint, it exemplifies a trend we’ve been seeing for a long time: privacy at all costs, trust nobody. I think this stance is dangerous when deployed wholesale and without nuance to our technologies and protocols.

Here’s what I mean: rather than technology sewing a ski mask onto my head so that nobody can see me online, I’d rather have technology inform me about the nature of the site or network I’m using so I can make the choice of what my posture should be. I want to trust the services I use because they’re respectable and have earned my trust. If everyone is wearing a mask then how can I trust anyone? I’m not super excited about an internet where we trust nobody.

A concrete example: TLS 1.3. What if I want to trust a 3rd party to help me keep an eye on my traffic at a network level? Can’t now because sites can always know if there’s a MITM and of course they assume that’s always bad and unintended. (Perhaps they’re actually more interested in retaining proprietary access to their traffic.) Instead why can’t TLS allow me to configure a cipher-suite that allows me to e.g. run my own proxy for <insert reason>?

Same for browsers. Shouldn’t the browser be asking me which pieces of information and which APIs I want to allow a site to access (with sensible defaults, of course) rather than locking all the useful stuff behind “secure contexts”? It’s really hard to not see some of this privacy paranoia as conveniently enabling a lot of subversive platform control…

  • gruez 4 years ago

    >Here’s what I mean: rather than technology sewing a ski mask onto my head so that nobody can see me online, I’d rather have technology inform me about the nature of the site or network I’m using so I can make the choice of what my posture should be. I want to trust the services I use because they’re respectable and have earned my trust. If everyone is wearing a mask then how can I trust anyone? I’m not super excited about an internet where we trust nobody.

    This approach might work for the average HN user, but what about your aunt? Is it reasonable for her to know the "nature of the site or network" she's using, or what her "posture should be"?

    >A concrete example: TLS 1.3. What if I want to trust a 3rd party to help me keep an eye on my traffic at a network level?

    1. Are you talking about SNI? AFAIK encrypted SNI requires cooperation from DNS, so if you really wanted to you could disable it at the DNS level.

    2. for every user who has some sort of network security appliance that works like you described, there's probably 100 that don't.

    >Same for browsers. Shouldn’t the browser be asking me which pieces of information and which APIs I want to allow a site to access (with sensible defaults, of course) rather than locking all the useful stuff behind “secure contexts”?

    my impression from the barcode detection api[1] is that policies like this are "fuck http" rather than "improve security".

    [1] https://news.ycombinator.com/item?id=30620802

    • dcow 4 years ago

      Yeah it is certainly a tension between designing for your aunt and for power users. I do think simply making your posture configurable with sensible defaults for the masses would go a long way toward quelling my unease. It’s the “because there are 100 aunties and one of you, sorry, you must be like your aunt” that’s frustrating.

      Re TLS: I’m referring to the encrypted server cert. It breaks inspection middle-boxes since they can no longer dynamically generate a response certificate on the fly. I’d just like the ability to say “hey I actually run and trust my middleware, TLS please run in proxy mode” even though I also agree with the new TLS behavior as a good default in general.

  • dcow 4 years ago

    Oh yeah I forgot to add to the list:

    * Apple breaking mac addresses for privacy

    * IPv6 privacy extensions (we can’t give everyone a stable address because tracking). We have stable physical addresses… why is the answer to privacy problems “whelp I guess we can't have a nice global internet after-all”? I will concede privacy extensions at least don’t clobber your ability to have a stable address since you still do. I’d just like to see user level control over which address to use for what instead of a blanket all browsing happens with your anonymous address.

    * Strong PKI/identity: can't give everyone client certs because they have a stable ID somebody might use to track you. IDK how about you give me an option when I connect to a site “do you want to connect as <handle> or connect anonymously”?

    These privacy violations really feel like a social problem that we’ve failed to wrangle so we reach for a technology solution at all costs.

    • vlovich123 4 years ago

      I’m not really sure what your point is. In the example, your ISP could monitor what sites you visit. With private relay no one gets to see the site you visit except you and the site. You established a relationship with your ISP to provide you with internet connectivity. Your ISP is trying to exploit that relationship to sell information about that internet connectivity to get additional revenue beyond that (not just for network optimization purposes which they don’t need the sites you visit). Conversely I establish a relationship with a random website to do whatever that is. Usually I haven’t consented to having them follow me around everywhere digitally or physically to unrelated sites. You can’t base it on trust because trust doesn’t scale to the size of the internet.

      * Configurable TLS - I’m pretty sure all non-mobile browsers and Android let you configure the trust chain if you want to MiTM yourself (if I recall correctly with Apple you have to jailbreak). That’s a bit more complicated since most will engage in certificate pinning but that was developed due to a specific type of security attack so I don’t know what the answer there is.

      MACs are randomized as part of the new wifi standard because people could literally follow you around physically from a distance (or even fully remotely). This isn’t an Apple thing.

      These aren’t hypothetical. These are defenses that are developed in response to active misbehavior on the part of parties unrelated between the two parties that are trying to establish a trusted relationship. Sometimes it’s fine without but the times when it’s not tends to be a bigger problem that’s exploited at scale.

      • dcow 4 years ago

        Re configurable TLS: TLS 1.3 allows services to perfectly pin certs and reject your custom root CA. It breaks the flow you are talking about that has worked up to 1.2. The answer is to not build a myopic protocol/technology that only cares about 1 dimension of usage.

        Re mac addresses: I’m not saying there aren’t valid reasons for people to want these changes. I’m asking the user be allowed to configure their privacy posture at the protocol level rather than assuming all users want infinite anonymity. Maybe you care about someone following your phone around in public but maybe at home you want to enable secure neighbor discovery and give your stationary devices strong link-level identity…

        My point is it’s complicated and “privacy at all costs” is not a one-size-fits-all silver bullet solution.

        I never argued these problems aren't real and only hypothetical. I’m asking to be given the ability at the protocol level to make informed decisions as to where I fall on the privacy vs security axis rather than be wholly subject to protocols that assume I always want maximum privacy.

        • vlovich123 4 years ago

          Yeah cert pinning is annoying but there's competing interests over that. The application vendors don't want you to be able to inspect the data & generally that's true as well. The niche debugging/analysis use-case can still typically be managed by disabling cert pinning once you have root (unless the application has its own TLS implementation which gets trickier).

          re mac address == strong link level identity, it was never that and using it in that sense isn't accomplishing much. MAC addresses are trivial to spoof. If you want identity, then use proper cryptographic mechanisms to establish that (e.g. mTLS).

          What we've seen as a profession is that that level of flexibility makes things harder to configure correctly leading to various security vulnerabilities. Or the optionality being user facing makes it not user friendly and makes it easy to socially engineer attacks. It sucks but in practice we've not found a way to optimize along several axes simultaneously. Don't forget that all your optional features is stuff someone has to build, implement, test & maintain. The only way out I think is to demonstrate a way forward that manages to attain the goals you seek without sacrificing the technical privacy measure. The technical privacy measures have been put in place as a result of real-world lessons learned, not hypothetical things.

        • Lukasa 4 years ago

          > Re configurable TLS: TLS 1.3 allows services to perfectly pin certs and reject your custom root CA. It breaks the flow you are talking about that has worked up to 1.2. The answer is to not build a myopic protocol/technology that only cares about 1 dimension of usage.

          No it doesn't. I have no idea what technology you think this is (maybe HPKP?), but installing a local root CA absolutely continues to work in all browsers with TLS 1.3.

          • dcow 4 years ago

            TLS proxies need to be able to inspect the server certificate response in order to dynamically generate an appropriate certificate. This flow doesn't work in TLS 1.3 since the certificate is encrypted to prevent MITM.

            • aisio 4 years ago

              MITM for TLSv1.3 is possible. Plenty of solutions available for enterprises to do this. The MITM still happens for TLSv1.3 on key exchange, allowing for the subsequent certificate to also be MITM and be replaced and encrypted. The only real effect TLSv1.3 has for MITM is that company policies for decryption can't match on the cert to determine if decrypt should occur, but they can still use the SNI which is plaintext

              • dcow 4 years ago

                I thought combined with encrypted SNI this was no longer possible since the middleware doesn't have access to that information.
