iCloud+ Private Relay Explained | macworld

If you downloaded iOS 15, you might have noticed something different about your iCloud account. Apple has upgraded every paid iCloud plan to something it calls iCloud+. It includes several cool new features in addition to existing iCloud storage, syncing, and cloud features, but the most interesting might be something Apple calls iCloud Private Relay. At first, it looks like a VPN: your web browsing traffic is encrypted and sent through a relay to hide your exact location, your IP address, or the content of your browsing traffic.
It’s not a VPN, though. Not quite. There are important differences, which we will describe here. But iCloud Private Relay may be enough for most people, bringing the most obvious benefits of a VPN to millions of users who would never consider one. Here’s what this private relay feature is, how it works, and how it’s different from a traditional VPN.
Update 01/12/21: Some users report that certain carrier features block access to iCloud Private Relay. Apple added new wording to the iOS 15.3 beta to clarify the situation.
How do I enable iCloud Private Relay?
iCloud Private Relay is a free upgrade in iOS 15 for anyone who pays for iCloud storage separately or as part of an Apple One bundle. To turn it on, go to the Settings app, then tap your Apple ID name at the top. Then tap iCloud and Private Relay (Beta) and flip the green toggle to turn it on. You can also choose between two IP address location settings: a general location, “so websites can serve local content in Safari,” or a broader country and time zone for more anonymity.
What is iCloud Private Relay?
When Private Relay is enabled, all of your browsing activity in Safari will be routed through two Internet “hops” or relays. Your data is encrypted and then sent to Apple, so your ISP can’t see any of your web browsing requests. Once at Apple’s proxy server, the DNS query (the thing that points a domain name like “macworld.com” to a specific server IP address) and your iPhone, iPad, or Mac’s IP address are separated. Your IP address is stored by Apple, while your DNS request is passed on, encrypted, to a “trusted partner” that has the decryption key, along with a fake intermediate IP address based on your approximate location. Apple didn’t name its partners, but some web sleuths figured they were big internet backbone companies like Akamai, Cloudflare and Fastly.

This means that Apple knows your IP address but not the names of the sites you visit, and the trusted partner knows the site you visit but not your IP address (and therefore not who or where you are). Neither party can piece together the full picture of both who you are and where you go.
The website you visit usually gets your exact IP address and DNS request, so it can easily build a fairly detailed profile of exactly who you are, where you are, and where you’re going online. Combine that with a few cookies, even ones that seem harmless, and it’s pretty simple to have all of your online activity profiled, tracked, traced, and sold to advertisers (and others).

What iCloud Private Relay does is make the websites you visit completely unaware of this information, so the sites can’t create profiles of your activity.
The IP addresses Apple uses in place of yours still approximate your general area; that is not enough to identify you personally, but it lets sites that use your IP address to provide local news, weather, sports or other information continue to function properly. There is an option to use an even broader IP address location, but that might prevent some of these sites from working properly.
Note that Apple does not allow you to choose an IP address or even a region, and will never give the impression that you are from an entirely different place. In other words, if you want to use it to access geo-locked content on Netflix or other online services, you’re out of luck.
How is iCloud Private Relay different from a VPN?
As cool as this private relay feature is, it’s definitely not a VPN. It will do a great job of preventing your web activity from being profiled based on your basic connection data. But it has a lot of flaws compared to a real VPN. Some of them include:
- It only works with Safari, not with any other apps or web browsers you use. Technically, some other DNS information and a small subset of app-related web traffic will use it, but it’s best thought of as a Safari-only thing.
- It is easily identifiable as a “proxy server”, which many large networks, like those at schools or businesses, will not work with. Most good VPNs disguise themselves to look like regular, non-proxy traffic.
- As mentioned, it cannot hide the region you are connecting from, only your specific IP address and location, so you can’t access content that is locked out of your region or browse websites as if you were connecting from another country.
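Because relay traffic is identifiable, as the second point above says, a site or network operator can recognise it and read its coarse location instead of mistaking it for an anonymous proxy. The following is an added example, not from the article or from Apple: it matches client IPs in an access log against a list of relay egress ranges, which Apple publishes for operators. The CSV layout (prefix, country, region, city), the sample ranges and the log lines are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample in a geofeed-style layout: prefix,country,region,city,postal.
# The prefixes are documentation ranges, not real relay addresses.
SAMPLE_EGRESS_CSV = """\
192.0.2.0/26,US,US-CA,Los Angeles,
192.0.2.64/26,US,US-NY,New York,
198.51.100.0/24,GB,GB-ENG,London,
2001:db8:a::/48,DE,DE-BE,Berlin,
"""

# Constructed access-log lines; the client IP is the first field.
SAMPLE_LOG = [
    '192.0.2.70 - - [12/Jan/2022:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Jan/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:a::1 - - [12/Jan/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 512',
]

def load_ranges(text):
    """Parse the CSV into (network, country, region, city), most specific first."""
    ranges = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue  # skip blank lines and comments
        net = ipaddress.ip_network(row[0].strip(), strict=False)
        country, region, city = (row[1:4] + ["", "", ""])[:3]
        ranges.append((net, country, region, city))
    ranges.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return ranges

def classify(ip_text, ranges):
    """Return the coarse location of a relay egress address, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # malformed client field: treat as unknown, not as relay
    for net, country, region, city in ranges:
        if ip.version == net.version and ip in net:
            return {"country": country, "region": region, "city": city}
    return None

def tag_log(lines, ranges):
    """Label each log line's client as relay:<country> or direct."""
    tagged = []
    for line in lines:
        ip = line.split(" ", 1)[0]
        hit = classify(ip, ranges)
        tagged.append((ip, "relay:" + hit["country"] if hit else "direct"))
    return tagged
```

A match says only that the request left through a relay and roughly which area the user is in; the user's own address is not recoverable from it.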
If all you really want to do is stop websites from building a profile of you and selling it to advertisers and data brokers, then using iCloud Private Relay on your iPhone, iPad, or Mac is a great option. It’s quick, easy, and if you already pay for any amount of iCloud storage, you’ll get it for free.
You should know that as of iOS 15.1 and watchOS 8.1, iCloud Private Relay and Mail Privacy Protection do not work on Apple Watch. If you use the Mail app on your Apple Watch or open a web link (for example, sent via Messages), the watch will use your real IP address.
If you want true privacy and security for everything you do on the internet, or want to access content available in countries other than your own, you will always need a VPN. Fortunately, we have some VPN recommendations for you.
Can your carrier block iCloud Private Relay?
Yes, your mobile provider can disable the feature. In iOS 15.3, Apple changed the wording in Settings to let users know what’s going on:
Private Relay is disabled for your cellular plan. Private relay is not supported by your cellular plan or has been disabled in cellular settings. When Private Relay is disabled, this network can monitor your internet activity and your IP address is not hidden from known trackers or websites.
A few carriers in Europe have disabled the feature for some users, and T-Mobile here in the US has disabled the feature for some of its customers. It’s not always about malicious intent or just collecting and selling user data (although that could be, in some cases!). Some carriers offer content filtering features such as parental controls, and iCloud Private Relay blocks them from working. To ensure compatibility with these features, iCloud Private Relay must be disabled.
The more elegant solution, of course, would be to allow users to enable iCloud Private Relay and simply warn them that those features may not work on that device, rather than taking the choice away from them entirely.
I’ve written professionally about technology for my entire professional adult life – over 20 years. I enjoy understanding how complicated technology works and explaining it in a way that anyone can understand.