The rollout of iOS 15 in September was connected to several major stories, such as the impact of new privacy policies on digital marketing and the patching of the vulnerability exploited by Pegasus spyware. One element that flew under the radar was the addition of the new iCloud private relay feature, but this did not go unnoticed by mobile operators. Unhappy with the feature’s ability to defeat their user tracking mechanisms, some of the industry’s biggest names are petitioning European regulators to see it as a threat to national digital sovereignty.
Major mobile operators try to sic Europe’s regulators on iCloud Private Relay
iCloud Private Relay is essentially a virtual private network (VPN) option now available to any Apple device that has updated to iOS 15. Mobile operators are unhappy with it as it prevents them from scrying into metadata and network information, something widely used as a secondary revenue source.
The immediate response by some mobile operators has been to ban it. Though the companies have yet to announce this as an official policy, some European customers of T-Mobile and other major operators have reported that they cannot enable iCloud Private Relay due to network restrictions. (T-Mobile has issued a statement saying that it does not ban the feature but that it may not work as it conflicts with its existing content filtering features.)
The mobile operators are not stopping at this solution. In both the United States and Europe, T-Mobile is campaigning for regulators to step in and investigate iCloud Private Relay. In Europe they have been joined by the major carriers Orange, Telefonica and Vodafone.
The pitch by these mobile operators to world governments is that iCloud Private Relay violates national “digital sovereignty,” or the idea that data passing through each country must be subject to that country’s laws. As with a VPN, iCloud Private Relay routes the user’s traffic through a series of different servers around the world to obfuscate its origin and content. The method is all about keeping the data out of the hands of nation-states it passes through and keeping it from being traced back to an individual person, rather than deferring to all of those aspects of “digital sovereignty” along the way.
The involved mobile operators sent a joint letter to European regulators on this topic in August, shortly before iOS 15 was rolled out. In addition to the digital sovereignty claim, they are also invoking anti-competition concerns by arguing that iCloud Private Relay restricts their access and could interfere with network speeds.
iCloud Private Relay is available to all Apple device users with iOS 15.2, but it is a premium subscription service that comes packed with iCloud+ (a security and storage service that runs users anywhere from $1 to $10 per month depending on the desired amount of additional iCloud storage space).
Does the “digital sovereignty” claim hold up?
iCloud Private Relay goes a bit beyond the standard VPN service, something that mobile operators widely allow and have no problem with. The device user’s internet traffic immediately goes through a server system owned by Apple en route to its actual destination, masking the user’s IP address and DNS records from the mobile operator. It is then handed off to a secondary server system owned by a third party partner, one that helps hide the user’s IP address by assigning it a new one that is in the same general geographic location.
This splits responsibility and visibility between the two networks. Apple’s own servers can see the original user IP address and the carrier they are connected to, but not what sites the user is visiting. Apple’s partner is able to see what sites the user is accessing, but cannot connect them to the original IP address.
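The split of visibility described above can be modelled in a few lines. This is an added example, not Apple's protocol or code: it assumes the split is achieved with two nested encryption layers, uses a toy SHA-256 keystream plus HMAC as a stand-in for real authenticated encryption, and all names, keys and addresses are constructed.

```python
import hashlib, hmac, json, os

def _subkey(key, label):
    return hashlib.sha256(label + key).digest()

def _xor_stream(key, nonce, data):
    # SHA-256 in counter mode as a toy keystream (stand-in for a real AEAD cipher).
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = os.urandom(12)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or tampered layer")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

# Constructed sample addresses from documentation ranges (RFC 5737).
CLIENT_IP, INGRESS_IP, EGRESS_IP = "192.0.2.44", "198.51.100.10", "203.0.113.77"

def relay(destination, k_ingress, k_egress):
    """Return what the carrier, first relay, second relay and site each observe."""
    inner = seal(k_egress, json.dumps({"dest": destination}).encode())
    outer = seal(k_ingress, inner)
    # Carrier: sees the subscriber talking to the first relay, payload is opaque.
    carrier = {"src": CLIENT_IP, "dst": INGRESS_IP, "payload": outer}
    # First relay (Apple, per the article): knows the client IP, holds only the sealed inner layer.
    first = {"src": CLIENT_IP, "payload": unseal(k_ingress, outer)}
    # Second relay (third-party partner): learns the destination, sees only the first relay as source.
    dest = json.loads(unseal(k_egress, first["payload"]))["dest"]
    second = {"src": INGRESS_IP, "dest": dest}
    site = {"src": EGRESS_IP}  # replacement address assigned by the second relay
    return {"carrier": carrier, "first_relay": first, "second_relay": second, "site": site}

if __name__ == "__main__":
    views = relay("news.example.org", os.urandom(32), os.urandom(32))
    for party, seen in views.items():
        shown = {k: v if isinstance(v, str) else f"<{len(v)} opaque bytes>" for k, v in seen.items()}
        print(party, shown)
```

No single party in the returned views holds both the client address and the destination, which is the property the carriers' metadata collection depends on breaking.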
This differs from a VPN service, which generally handles all of this on its own. It does also have some limitations that a typical VPN does not have, chiefly that the user will not be able to get around region blocks on services (since their masked IP will be from the same general area). But mobile operators are concerned about mass adoption of it by Apple users because of its low price and ease of use.
The mobile operators invoking digital sovereignty will likely point to the fact that Apple has already buckled in some parts of the world and disabled iCloud Private Relay where national laws forbid encrypted traffic that the government does not have a backdoor into (China, Saudi Arabia and Belarus among others).
Security and legal experts are only beginning to examine the digital sovereignty question, but early sentiment is that any issues raised by iCloud Private Relay are no different than those raised by a traditional VPN service.
The European Commission has yet to comment on the issue.