Exclusive: Apple’s Craig Federighi on WWDC’s new privacy features
Apple’s annual Worldwide Developers Conference kicked off today. As with last year, the company opted to hold the event remotely due to the ongoing COVID-19 pandemic. But that didn’t stop Apple from showing off a host of new products, including iOS 15, iPadOS 15, MacOS Monterey, WatchOS 8, and the all-new iCloud Plus subscription service. Another similarity to last year’s WWDC: Many of those new products are not only packed with cool new features but also underlying privacy enhancements.
Indeed, new privacy protections have become one of the most important reasons to look forward to Apple’s annual operating-system upgrades. When it comes to our digital privacy in the third decade of the 21st century, it feels like we’re in a constant cat-and-mouse game. Whenever a technology comes along that gives us more privacy, it seems that those who want their hands on our data come up with new, creative ways to get it.
But does Apple also feel like it’s in a cat-and-mouse game? That’s the question that I put to Craig Federighi, the company’s senior vice president of software engineering, when I spoke to him about Apple’s newest privacy features in advance of today’s keynote. We also talked about the company’s new iCloud Private Relay (a “VPN killer” as some tech pundits are sure to call it), Apple’s role versus the governments in playing privacy regulator, and user uptake of the iPhone’s new App Tracking Transparency feature, which is so unpopular with a very blue social network.
“I think the analogy with security is apt,” Federighi says of the feline-and-rodent comparison. “The incentives for ‘innovation’ in the exploitation world are high, and so there is a lot of advancement in the art of tracking; a lot of advancement in the arts of security exploits. And so, in both areas, we think there’s going to continue to be a cat and mouse game. We think we bring a lot of tools to that fight, and we can largely stay ahead of it and protect our customers. But it’s something we recognize as a battle we will be fighting for years to come.”
At WWDC, Apple unveiled some massive new weapons in that war.
iCloud Private Relay makes VPNs look nosy
One of the most surprising announcements Apple made today is its new iCloud Plus service. The service is an evolution of the company’s existing paid iCloud service, which offers increased online storage plans across multiple tiers. What iCloud Plus adds to existing iCloud subscriptions is three new privacy features: Hide My Email, which lets users share a unique random email address at will instead of giving their real one away; an expansion of HomeKit Secure Video, which allows an unlimited number of connected security cameras to store their footage on the user’s iCloud account without counting toward storage limits; and iCloud Private Relay.
This last feature is Apple’s best privacy innovation in years—and nothing short of game-changing when it comes to shielding our movements around the web. The obvious comparison people will make is that iCloud Private Relay is Apple’s version of a VPN (something I have called for in the past for the company to offer). But from an engineering perspective, Private Relay’s privacy protections make VPNs look weak.
With a traditional VPN, users’ internet traffic is encrypted and then sent to the VPN’s server, which masks the IP and routes the data on to the websites users want to access. This keeps your ISP from knowing what site you are visiting and the destination website from knowing your actual IP address. But it still leaves one gaping privacy hole: the VPN provider itself knows your real IP and the websites you’re visiting.
And the problem is, you can never be sure what a VPN is doing with your browsing data. Of course, some VPN providers are reputable and hold no logs of your internet activity. But the world is filled with free and low-cost VPN providers that you simply have to trust are not misusing your data.
This is where iCloud Private Relay comes in—and puts VPNs to shame. iCloud Private Relay uses a dual-hop architecture. When you navigate to a website through Safari, iCloud Private Relay takes your IP address, which it needs to connect you to the website you want to go to, and the URL of that site. But it encrypts the URL so not even Apple can see what website you are visiting. Your IP and encrypted destination URL then travel to an intermediary relay station run by a trusted third-party partner. Apple would not name these trusted partners, but says the company is working with some of the largest content providers out there. Before getting to this relay station, however, your IP address is anonymized and randomized, so the relay partner can’t identify you or your device. Then at the relay station, the destination URL is decrypted, so the third-party provider can send you on to the website you want to go to.
Because of this dual-hop architecture, neither Apple nor the relay station knows both who you are and where you are going. Apple knows who you are (because you are using iCloud Private Relay), but it doesn’t know where you’re browsing. Its third-party partner knows where you are browsing–but not who you are.
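The split-knowledge property described above can be made concrete with a small model. The following Python is an added illustration, not Apple’s code and not a description of the real Private Relay protocol: the hash-based cipher, the two relay classes, the sample IP address and the sample URL are all constructed for this example. It shows that the first hop’s log ends up holding only client IPs, the second hop’s log only destinations, while a single-hop VPN (shown for contrast) necessarily holds both.

```python
"""Toy model of a dual-hop relay: which party learns which identifier.

Constructed for illustration. The cipher and the two relay classes are
stand-ins and do not reproduce Apple's actual Private Relay protocol.
"""
import hashlib
import os
from dataclasses import dataclass, field


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-based keystream (toy cipher for the demo, not a production AEAD)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> tuple:
    """Encrypt plaintext so that only the holder of `key` can read it."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce, ct


def unseal(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


@dataclass
class IngressRelay:
    """First hop (the role the article assigns to Apple): it knows which
    subscriber is connecting, so it sees the client IP, but it only ever
    handles ciphertext for the destination."""
    log: list = field(default_factory=list)

    def forward(self, client_ip: str, nonce: bytes, ct: bytes):
        self.log.append({"client_ip": client_ip, "destination": None})
        # Replace the client IP with a fresh per-connection identifier before
        # handing off, so the second hop cannot tie the request to a device.
        conn_id = os.urandom(8).hex()
        return conn_id, nonce, ct


@dataclass
class EgressRelay:
    """Second hop (the third-party partner): holds the decryption key, so it
    learns the destination, but only ever sees the ingress-issued identifier."""
    key: bytes
    log: list = field(default_factory=list)

    def connect(self, conn_id: str, nonce: bytes, ct: bytes) -> str:
        destination = unseal(self.key, nonce, ct).decode()
        self.log.append({"client_ip": None, "conn_id": conn_id, "destination": destination})
        return destination


def browse_via_relay(client_ip: str, url: str, ingress: IngressRelay, egress: EgressRelay) -> str:
    """Client side: encrypt the destination to the egress key, send via ingress."""
    nonce, ct = seal(egress.key, url.encode())
    conn_id, nonce, ct = ingress.forward(client_ip, nonce, ct)
    return egress.connect(conn_id, nonce, ct)


def single_hop_vpn(client_ip: str, url: str) -> dict:
    """For contrast: a conventional VPN terminates the tunnel itself and so
    necessarily sees both identifiers in one place."""
    return {"client_ip": client_ip, "destination": url}


def run_demo():
    ingress = IngressRelay()
    egress = EgressRelay(key=os.urandom(32))
    client_ip = "203.0.113.7"          # constructed sample (TEST-NET-3 range)
    url = "https://example.com/page"   # constructed sample destination
    reached = browse_via_relay(client_ip, url, ingress, egress)
    return reached, ingress.log, egress.log, single_hop_vpn(client_ip, url)


if __name__ == "__main__":
    reached, ingress_log, egress_log, vpn_view = run_demo()
    print("egress connected to:", reached)
    print("ingress log:", ingress_log)
    print("egress log: ", egress_log)
    print("vpn log:    ", vpn_view)
```

The design point is that the client, not either relay, chooses the key the destination is encrypted under, and the first hop strips the client IP before forwarding; either hop alone, or its logs if subpoenaed or breached, yields only half of the pairing the article says neither party should hold.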
Why did Apple develop this technology rather than build a more conventional VPN into its operating systems? “Core to the nature of the internet is that the IP address is traditionally exposed between the requester and the host – and that has some privacy knock on effects that aren’t always understandable to users and certainly aren’t always desirable to users. And so that’s a problem we wanted to solve,” says Federighi. He notes an unprotected IP has led to vectors for abuse by bad actors. “VPNs are a technology that has sought to provide some of those protections, but they do involve putting a lot of trust in a single centralized entity: the VPN provider. And that’s a lot of responsibility for that intermediary, and involves the user making a really difficult trust decision about exposing all of that information to a single entity.”
Federighi notes most internet users aren’t in a position to gauge the trustworthiness of any particular VPN. “We wanted to take that [trust evaluation] completely out of the equation by having a dual-hop architecture,” he says. “We hope users believe in Apple as a trustworthy intermediary, but we didn’t even want you to have to trust us [because] we don’t have this ability to simultaneously source your IP and the destination where you’re going to–and that’s unlike VPNs. And so we wanted to provide many of the benefits that people are seeking when in the past they’ve decided to use a VPN, but not force that difficult and conceivably perilous privacy trade-off in terms of trusting a single intermediary.”
If all goes according to Apple’s plans, iCloud Private Relay will also have the “it just works” benefit of the company’s best technologies. When users are logged into their iCloud Plus account on a Mac, iPhone, or iPad, the feature will be automatically enabled. It should be noted, however, that, unlike a VPN, iCloud Private Relay will only work in Safari. That’s a bummer for anyone who uses another browser such as Chrome or Firefox (and a possible argument for switching to Safari).
Using iCloud Private Relay, a website will get users’ regional area but not their precise location. This way, users can still enjoy localized content on the sites they visit while hiding their specific whereabouts. Unlike traditional VPNs, Private Relay won’t allow users to route their traffic through a server in a particular country, a common technique for sidestepping the geolocation locks that Netflix and other streaming services use to restrict access to content by region.
Users of corporate VPNs should encounter no problems running both their company’s VPN and iCloud Private Relay at the same time. That’s because the corporate traffic will route through the corporate VPN, while all other traffic will route through iCloud Private Relay. And users can still use third-party VPNs even when iCloud Private Relay is enabled. In this case, all traffic will route through the third-party VPN, which means users who use those VPNs to get around streaming services’ geo-restrictions will not have to disable Private Relay to do so.
From email to Siri
iCloud Private Relay was far from the only privacy enhancement Apple unveiled today. And while Private Relay is part of Apple’s new for-pay iCloud Plus subscription service, other new privacy features are baked into iOS 15, iPadOS 15, WatchOS 8, and MacOS Monterey at no extra cost.
These privacy enhancements include Mail Privacy Protection, a devastating blow to the tracking pixel industry. Tracking pixels are shady, invisible pixels that marketers (or anyone who wants to) slip into an email sent to you. When you open that email, the tracking pixel connects to the sender’s server, alerting the sender to things like your IP address, your location, and the fact that you’ve opened the email at all.
But with iOS 15, iPadOS 15, and MacOS Monterey, if you use Apple’s Mail app, any email you open will now route through a relay that loads any tracking pixels there before sending the email on to you. Since tracking pixels are remotely loaded on Apple’s relay, they aren’t associated with your IP address, thus preventing the sender from using them as a tool to spy on you. The advantage here is that the email you receive can still load all the rich remote imagery—which itself can be used as tracking pixels—without giving away your privacy. You’ll get this protection no matter which email service you use via the Mail app, such as iCloud, Gmail, Yahoo Mail, or a work account.
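Mail Privacy Protection neutralizes tracking pixels by fetching them from somewhere other than your device; a complementary defensive check is to recognize them in the first place. The following Python is an added example, not code from Apple or from the article: it parses an HTML email with the standard library and flags remote images that look like trackers (tiny dimensions, hidden by CSS, or carrying a long opaque per-recipient token). The sample email, its hostnames and its token are constructed for this example.

```python
"""Flag likely tracking pixels in an HTML email body (constructed example)."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class RemoteImageCollector(HTMLParser):
    """Collect the attribute dictionaries of every <img> tag in the body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def _is_tiny(value):
    """True for width/height values of 0 or 1 ("1", "1px", "0")."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits.isdigit() and int(digits) <= 1


def find_tracking_pixels(html: str) -> list:
    """Return one finding per remote image that has a tracker-like trait.

    Only http(s) sources count: an inline data: URI contacts no server and
    therefore cannot report the open or the reader's IP address.
    """
    collector = RemoteImageCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src") or ""
        parsed = urlparse(src)
        if parsed.scheme not in ("http", "https"):
            continue
        reasons = []
        if _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height")):
            reasons.append("1x1 or smaller")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        # A long opaque query value is typical of a per-recipient identifier.
        query = parse_qs(parsed.query)
        if any(len(values[0]) >= 16 for values in query.values() if values):
            reasons.append("long opaque token in query string")
        if reasons:
            findings.append({"host": parsed.hostname, "src": src, "reasons": reasons})
    return findings


# Constructed sample: one legitimate banner, one hidden 1x1 pixel with a token.
SAMPLE_EMAIL = """<html><body>
<p>Thanks for subscribing!</p>
<img src="https://cdn.example.com/banner.png" width="600" height="200" alt="banner">
<img src="https://track.example.net/o.gif?u=8f3a9c1d2e4b5a6f7c8d9e0f1a2b3c4d"
     width="1" height="1" style="display:none">
</body></html>"""


if __name__ == "__main__":
    for finding in find_tracking_pixels(SAMPLE_EMAIL):
        print(finding["host"], "->", ", ".join(finding["reasons"]))
```

The three heuristics are deliberately independent: a tracker can be visible, full-size imagery carrying a token, or a bare 1x1 with no token, so a client or gateway that wants to warn the user should report any one trait rather than requiring all of them.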
Apple is also beefing up Safari’s Intelligent Tracking Prevention for Macs and iOS devices. Now ITP will block a user’s IP address from being revealed for known trackers. It already blocked fingerprinting characteristics such as screen resolution, apps and extensions installed, and other details that websites can use to determine your identity.
Apple’s non-Mac devices will get even more privacy transparency features this year, too. iOS, iPadOS, and WatchOS will gain App Privacy Report, which lets users easily see how often an app accesses the services the user has granted it permission to use, such as the device’s microphone and camera, its photos or contacts, or other information such as Health data. The report, which can be found in the Privacy section in the Settings app, will also allow users to see what third-party domains an app is contacting. These third-party domains hint at where an app could be sending your data. If you don’t like what you see, you can take action by changing the offending app’s permissions in Settings.
Siri, too, is becoming much more private. In recent years, virtually every voice assistant (Amazon’s Alexa, the Google Assistant, Microsoft’s Cortana, and yes, Siri) has made headlines for sending some users’ voice recordings to be verified by a human. To make sure this can’t happen again, Siri will now process audio requests on the device itself. That means there are no more recordings to be sent off to a human anywhere. As a matter of fact, in iOS 15 and iPadOS 15, many Siri operations—including launching apps, setting alarms and timers, and controlling music—can be performed with no internet connection at all.
Choice, not disruption
Some of this year’s privacy and transparency enhancements are sure to ruffle feathers. After all, ISPs won’t be happy to learn that iCloud Private Relay will make it easy for Apple device users to keep their very monetizable browsing activity private–users who might not have turned to expensive or confusing VPN services in the past.
And some other tech giants might not like that Apple’s new App Privacy Report lets users see where, for instance, a big social media app is sending their data. Some companies could push back as hard against these privacy enhancements as they did against Apple’s App Tracking Transparency feature earlier this year. That feature lets Apple’s users choose to allow an app to share their data with third parties. By some accounts, it’s led to almost 95% of iPhone users opting out of app tracking.
Given how high this opt out rate is reported to be, I asked Federighi if he can confirm these figures. Federighi declined to do so, saying Apple doesn’t have official numbers. However, he says that when Apple designed ATT, it wasn’t necessarily hoping that most users would opt out of tracking. Nor was it hoping to kneecap those in the advertising business.
“The key for us is that users have a choice,” he explains. “You know, whether it was 50/50 or 95/5 or 5/95– that’s all fine if it represents what the user actually wanted; that they had the opportunity to evaluate that decision and make whatever decision was right for them. So we certainly view success not through the lens of what the opt in or opt out rate is, but the fact that users have choice.”
Speaking of consumer choice, many companies–or even entire industries–are reluctant to offer it because doing so hurts their bottom line. That’s why government regulations are often necessary to get powerful businesses to change their ways. But in the privacy area, most national governments have found themselves unwilling to regulate. A recent Guardian op-ed by Open University professor John Naughton lamented this fact, noting that Apple seems to be the only organization capable of defending our privacy.
I asked Federighi if he feels that Apple must pick up the ball because governments haven’t enacted laws that would guarantee privacy. “I’d certainly like to believe that we’re doing good and play a constructive role here, for sure,” he says. “[But] I do think Apple has a set of different tools, naturally, than governments have. We have certain technology skills and a certain access to an end-to-end technology platform where we can innovate.”
Federighi explains that governments are often reactive when it comes to technology–and there’s no way for them to get around that. At least on the consumer front, companies do most of the innovating. They’re also the ones who find new ways to exploit data. So governments can put rules around technologies or processes only after they’ve become a problem. Those rules often lag far behind the speed of such innovations. That’s why even if governments were more proactive, it would still fall on companies such as Apple to develop new privacy-enhancing technologies.
That being said, Federighi believes that “there’s absolutely a role where government can look at what companies like Apple are doing and say, ‘You know, that thing is such a universal good–such an important recognition of customer rights–and Apple has proven it’s possible. So maybe it should be something that becomes more of a requirement.’ But that may tend to lag [Apple’s privacy] innovation and creation of some new thing that they can evaluate and decide to make essentially the law.”
To date, Apple’s privacy advancements haven’t had that trickle-down effect on government regulation. But they’re already affecting the broader tech industry. For example, Google is introducing a somewhat watered-down version of Apple’s Privacy Labels in Android’s Google Play store, though not until 2022. Android 12, due later this year, will also feature equivalents of iOS privacy enhancements such as approximate location permissions and camera and mic indicator lights. Better late than never? Sure. But they might not be in the works at all if Apple hadn’t introduced such privacy enhancements first.
I asked Federighi if he’s optimistic Apple’s continued privacy advancements will keep the broader tech industry moving in the right direction as far as user privacy is concerned.
“I think history has shown that we can move the industry in really meaningful ways. And certainly sometimes others come along slowly or reluctantly. But ultimately, when customers become aware of what they should expect, what they can expect, what is possible once they are made aware that the deal they thought they had to make–that actually, that’s not a deal they have to make— then the whole industry has to react to offer customers what they now realize they want and demand,” he says. “As we continue to–hopefully, in many areas–show the way, I think we will change customer expectations and the market as a whole will react. And that’s a really important role we play.”
iCloud Private Relay and the other privacy features of iCloud Plus will be available to current and new iCloud storage plan subscribers for the same cost as the older plans when iCloud Plus debuts this fall. All other iOS 15, iPadOS 15, WatchOS 8, and MacOS Monterey privacy features will arrive when those operating systems get their updates, also in the fall.