iCloud Private Relay may not be quite the same as a VPN, but for most people, the service will greatly improve online privacy.
iCloud Private Relay

iCloud Private Relay is one of the latest services to come from Apple, as part of iCloud+ coming alongside iOS 15. It has often been described as another VPN, but the reality is quite different.

Since iCloud Private Relay only seems to work over Safari (not any other applications), throughout this article we will only compare the service to VPNs in the context of web browsing, not other uses such as torrenting.

Without using any VPN or similar service, your IP address is exposed to websites you access and your ISP can see exactly which domains you are visiting. Traditionally VPNs have been used to solve both of these problems. When connected to a VPN, your ISP can no longer see which domains you visit (but your VPN provider can) and the websites you visit will only see the VPN IP, not your original IP. iCloud Private Relay does work in a similar way, but in some cases, it is even better.

To show in detail how your traffic is routed, we will look at three different scenarios:

No VPN or iCloud Private Relay

This is how your traffic reaches the destination by default, with no protections.

Your Device -> Your ISP -> The website you visit.

Here we can see that the only hop between you and the website you visit is your ISP, meaning they can see exactly what you are doing. This also opens up other security issues. For example, if you are using a public hotspot, it is possible for others to see your traffic, or you may even join a malicious network, which again can expose your traffic and potentially leak sensitive information if any website you access is not secured with HTTPS.

Using a VPN

While using a VPN your traffic reaches the destination a little differently.

Your Device -> Your ISP -> VPN Provider -> The website you visit.

Here we can see that your traffic still reaches the ISP first, but since your device is only connecting to the VPN provider at this point, that is all the ISP will see. Any traffic reaching the web will then be routed through the VPN provider. At this point the VPN provider can see which websites you are trying to reach (although many do claim to have no logs, there is no way to verify this). At the final stage, the website will only see the IP provided by the VPN, which is not your own.

Using iCloud Private Relay

This method is most similar to using a VPN, but in some ways, it is more secure.

Your Device -> Your ISP -> Apple Relay -> 3rd Party Relay -> The website you visit.

Here you can see there are two steps between your ISP and the website. Here are the details:

  • Device -> ISP: This is where the connection to iCloud Private Relay happens, like with a VPN service. Your ISP can only see you are connecting to the Apple Relay server.

  • Apple Relay: At this point, Apple will see your connection IP address, but not the website you are visiting. This is because the website request is encrypted before it reaches Apple’s servers.

  • Apple Relay -> 3rd Party Relay: At this stage, the Apple Relay will have stripped away your original IP address, so the 3rd Party Relay cannot see it, and you will be assigned a random IP address close to your current location (you can change this in settings to Maintain General Location or Use Country and Time Zone). This 3rd Party Relay is not owned by Apple and from our experience has usually been Cloudflare or Fastly. They will not know your original IP but will know the website you are trying to visit.

  • The website: They will see the randomly assigned IP provided by the 3rd Party Relay.

The security enhancements over a traditional VPN are clear to see. Apple cannot know which website you are visiting (a VPN provider will know this), and the 3rd party, who does know which website you are visiting, will not know who you are. This split therefore greatly improves privacy.
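The three routing scenarios above can be modelled to check which intermediary ends up holding both your IP address and the website name. This is an added example, not code from Apple or any VPN provider: the `Sealed` wrapper only stands in for encryption, and the party names, sample IP and sample site are constructed.

```python
from dataclasses import dataclass

CLIENT_IP = "203.0.113.7"   # constructed sample address (documentation range)
SITE = "example.org"        # constructed sample destination

@dataclass(frozen=True)
class Sealed:
    """Stand-in for an encryption layer: only `recipient` may read `inner`."""
    recipient: str
    inner: tuple            # (next hop, remaining payload)

def send(route, client_ip=CLIENT_IP, site=SITE):
    """Carry one request through `route` (the relays after the ISP).

    Returns {party: set of addresses/names that party observed}.
    """
    hops = list(route) + [site]
    payload = "request"
    # Wrap innermost first, so each relay learns only its own next hop.
    for relay, nxt in reversed(list(zip(route, hops[1:]))):
        payload = Sealed(relay, (nxt, payload))
    src, dst = client_ip, hops[0]
    seen = {"isp": {src, dst}}          # the ISP sees only the outer addresses
    while True:
        seen.setdefault(dst, set()).add(src)   # receiver sees the sender
        if not isinstance(payload, Sealed):
            return seen                         # arrived at the website
        assert payload.recipient == dst         # only the addressee opens a layer
        nxt, payload = payload.inner
        seen[dst].add(nxt)
        src, dst = dst, nxt                     # forwarded under the relay's address

def linkers(seen, client_ip=CLIENT_IP, site=SITE):
    """Intermediaries that observed both who you are and where you went."""
    return sorted(p for p, s in seen.items() if {client_ip, site} <= s)

if __name__ == "__main__":
    for name, route in [("direct", []), ("vpn", ["vpn"]),
                        ("private relay", ["apple-relay", "third-party-relay"])]:
        seen = send(route)
        print(f"{name:14} linkers={linkers(seen)} site sees={sorted(seen[SITE])}")
```

In this model the direct route leaves the ISP able to link you to the site, the VPN route moves that ability to the VPN provider, and the two-relay route leaves no single intermediary with both pieces of information.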

Overall it would appear iCloud Private Relay is a great service and will protect many users online without them even knowing. The main downside is that the service is limited only to Safari, but for the vast majority of users that won’t be a problem. The service will be included with iCloud+ at no additional cost.

