Yes, I know that they are not the same, but in my particular case they fulfill practically the same function. Changing such an ingrained habit and such an important component of the security configuration of my ecosystem of devices is not something I have taken lightly. I’ve been contemplating the idea for months and testing it for weeks, and I’ve finally made up my mind.
The mistakes that make me ask the question
For the better part of those six years using a VPN, my VPN of choice has been NordVPN. Both in terms of security guarantees (super important) and in performance, price, speed and other variables, I consider it one of the best VPNs on the market, and yet… there was not a day that I did not have to reconnect it more than 5 times.
If I had used the VPN intermittently the issue would have been very different, I know, but I used the VPN 24 hours a day. The connection was more stable on the Mac because, while I was using it, the communication with the network was constant. But on the iPhone and the iPad, which years ago incorporated systems to avoid spending so much energy on always being connected to the network, things were very different.
I have to say that a few years ago I had not detected so many failures, but for some time now, especially several weeks ago, the situation was becoming untenable. I noticed it every day, it interfered with simple tasks and made using my devices not as pleasant as it should be.
iCloud Private Relay seems to have the answer
iCloud Private Relay was introduced with iOS 15, and while little changed with iOS 16 (I expected it to cover all connections, not just Safari), it came out of beta and became much more stable. Back in the day I didn’t consider iCloud Private Relay as an alternative to my VPN, but today my habits have changed, so now I do.
I have been thinking about Apple’s browsing protection service for a long time and, although aware of the changes in my habits that I would have to make, I was attracted to the simplicity of Apple’s proposal.
iCloud Private Relay is not a VPN, for better and for worse
To be clear: iCloud Private Relay is not a VPN. In some things it is much better, in others worse. What is it better at? When we choose a VPN service we have to make sure that it does not keep a record of our connections or monitor them. It has to be what we call zero-log and, although there are many external audits involved, it is a matter of trust.
By using iCloud Private Relay we don’t have to trust Apple. The system is designed with a double relay so that Apple knows who we are, but not where we are going, and its partners (Cloudflare, Akamai and Fastly, mainly) know where we are going, but not who we are. The net result is that browsing is truly private: a most interesting zero-trust architecture.
Meanwhile, the options to change the server, to change the country, that the vast majority of commercial VPNs offer are not included in iCloud Private Relay. It’s just not for that. It is not to access streaming services as if we were in a certain country, it is to protect browsing.
Likewise, and the difference is very important, iCloud Private Relay only covers Safari browsing and Mail connectivity. Nothing more. This means that third-party applications continue to see our IP and can identify and geolocate us.
Speed and reliability as the most important argument
When the situation with NordVPN became untenable for me, I started testing iCloud Private Relay. I confess that the only tests I had done before these were shortly after its release. What I discovered on this occasion was that the connection speed was much higher with iCloud Private Relay than through all the commercial VPNs I’ve tried.
I have checked ClearVPN by MacPaw and also ExpressVPN along with the aforementioned NordVPN. In the image above these lines you can see the number of measurements I made over several days where, time and time again, iCloud Private Relay far exceeded the speed of other alternatives.
The holes that lead me to a lower level of commitment
A VPN as a privacy and security protection measure is interesting as long as there are no leaks. Leaks are the times when some of our traffic leaves the VPN tunnel. And that happens. I know that perfectly well.
The way I have it configured, when NordVPN gets confused, all connections should be cut, but sometimes, when the reconnection time is long, something slips through. At that point it’s done: the service you are accessing already has your IP and therefore your location.
Also, several Apple services, due to their importance and need for reliability, escape the tunnel of any VPN and connect directly to the servers. We will talk about this later, because it does not seem, in my opinion, too serious, but it is something to take into account.
Another aspect is that the connections made from the Apple Watch (if it is connected to Wi-Fi and not exclusively to the iPhone) do not go through any VPN. Neither do connections from the Apple TV, where it is not possible to install a VPN. Yes, I have tried routers with built-in VPN, but the speed is 30 times lower than what I normally have. And we are talking about routers with a price of almost 1000 euros.
Encryption of services leaves little information visible
My concern for privacy dates from long before I used a VPN. I have always taken care, for example, to use trusted DNS servers, never those of the operator. Personally, I opted for OpenNIC years ago, but there are many others. As a result, I am familiar with the type of exposure you can have if you do not use a VPN.
One exposure comes from the fact that the operator, and various nodes on the network, see the connection itself. The other comes from intercepting the DNS request (something that can be prevented by using encryption) or from responding to it. The system’s services use Apple’s DNS to reach the company’s servers and, what’s more, almost everything ends up on the same server.
In other words, the operator does not know which Apple service we are requesting: regardless of whether we use the Photos, Maps or iMessage app, everything goes to .icloud.com, .iCloud-content.com, mzstatic.com or directly to .apple.com, to name a few examples. So the connection itself reveals little information.
This is the reason why, personally, I have never found it alarming that some Apple services were going out onto the open network. That now, by moving to iCloud Private Relay, all of them do so was not something that would make me back out of making the change.
Safari is the holy grail of our data
What is true is that, by seeing that we use one application or another, someone can build a profile of our tastes or preferences. Some apps are more revealing than others, yes. Dating apps, for example, really expose something very personal about ourselves, but let’s remember that I almost only use Apple apps.
And since I was getting ready to make the jump to iCloud Private Relay, I’ve cut back on third-party apps even more. Five on the iPhone and six on the iPad, specifically. These are applications that either do not connect to the network at all (verified with the App Privacy Report) or whose connection I cut with my firewall.
Thus, with the most important thing protected, with browsing completely safe from outside eyes, I ran out of arguments to continue using my VPN. Many services, be it Twitter, the bank or others, have web applications, so I can access almost everything from Safari. Another day I’ll tell you about my RSS client hosted on my own servers, for example.
Hiding the IP really is that important
I was almost convinced that I wanted to move to iCloud Private Relay when I had to coldly analyze the issue of IP and location. My main concern was those applications and services that knew who I was (not my random identifier). These were the ones I found it hardest to accept could access my location by geolocating the IP.
Meanwhile, the fact that someone like CNN saw a visit from Barcelona worried me rather little. Clearly it will see many more. Minimizing the list, the only app that was going to know who I was and where I was was going to be Slack. I could live with it. Even more so considering that my real IP had slipped through more than once due to failures in the VPN.
All that can be seen I can say and have said
So I wasn’t too worried about individual applications having access to my IP. Even less so considering that a restart of the iPhone or the router changed it. But Telefónica, my operator, did see too much. Here I had to reach a compromise.
That Telefónica knows that I have Slack open all day and that it sees my open connections with Apple’s servers is not something I have to hide. The odd other very specific app is no secret either, and usage patterns blur with background refresh, among other things. I have already told you that my privacy is very important to me and which apps have passed my filter and are the ones I use. It is public information, so to speak.
Yes. The operator is the weakest point in my entire line of argument, but I had to move on. The stability and speed benefits of iCloud Private Relay were too great to consider otherwise.
Getting used to a new system
I confess: I look at the Wi-Fi connection on the iPad, I don’t see the VPN indicator and it seems strange to me. Before, that was the sign that something was wrong with the connection. Of course, I have not had to reconnect anything at all. Syncing has improved and the overall experience with my devices is much more satisfying.
I realize that at some point I might want to backtrack on the decision to switch from a VPN to iCloud Private Relay, but for now I’m really delighted. Compromises? Yes. I have already mentioned them. But ultimately it is a change that, for me, with my pattern of use and my needs, has been for the better. Much better.