[HN Gopher] T-Mobile begins blocking iPhone users from enabling ...
___________________________________________________________________

T-Mobile begins blocking iPhone users from enabling iCloud Private Relay in US

Author : monocularvision
Score : 406 points
Date : 2022-01-10 19:13 UTC (3 hours ago)

(HTM) web link (9to5mac.com)
(TXT) w3m dump (9to5mac.com)

| baby-yoda wrote:
| how long til ATT/Verizon do the same? is there any refuge, like Twilio?
|
| alternatively, what would it take to roll your own/DIY private relay?
|
| 2 DO droplets, droplet0 runs OpenVPN or something, then private networked to droplet1 which requests are proxied through, and droplet1 recycles IP/region on some scheduled interval?

| boringg wrote:
| I think what is also interesting about this article is that EU, long the privacy stalwart, were the original ISPs to block private relay. Seems counter intuitive to me.

| gostsamo wrote:
| I saw some news titles that EU carriers want to block it, but I haven't seen them doing it nowhere. Do you have a link?

| dathinab wrote:
| > doing it nowhere
|
| Reading the article and its predecessor it seems they are mainly doing it on cheap contracts in the UK??
|
| Which would not be in the EU.
|
| I'm not sure if it's even legal to do so in the EU, tbh. it might be against the net neutrality rules in the EU (though they have loopholes, so not sure).

| boringg wrote:
| In the article: "Now, in addition to some carriers in Europe, it appears that T-Mobile/Sprint in the United States is also blocking iCloud Private Relay access when connected to cellular data."

| dathinab wrote:
| Though as far as I understood the European carriers voiced complaints but did not act, though UK carriers did (which isn't EU anymore).
|
| Tbh. the article is just not very well written, I also first thought the article implied that T-Mobile US is an EU carrier operating in the US (it isn't, it's a US carrier owned to around 43% by an EU carrier, with which it shares a bunch of things, like trademarks).

| astrange wrote:
| EU regulations aren't necessarily designed for privacy, they're designed to troll US tech companies. Covering the screen in cookie dialog boxes didn't accomplish much.
|
| One of the upcoming ones seems to just ban Kickstarter.

| dathinab wrote:
| not really,
|
| especially the mentioned banners affect US and EU companies alike (or at least did until the US decided to claim rights on EU citizens' data through the Cloud act...).
|
| Wrt. to the cookie banner if you mean the one coming from GDPR then the problem is missing enforcement. It must be as easy to opt in as to opt out this means:
|
| - two clicks to opt out one for opt in => illegal
|
| - dark patterns which makes it easier to accidentally opt in => illegal
|
| - spamming people which don't agree to being spied on with "dialog boxes" => illegal (GDPR allows some forms purely functional data storage without consent, for example a non-3rd party cookie to remember that the user is opted out _which is not used for tracking_ is legal without asking for consent, hence there is a technical easy and legal way to not spam people with dialog boxes, hence making it harder for people to opt out by repeatedly forcing them to redo the action is illegal). Naturally doesn't apply if you clear cookies.

| stephbu wrote:
| > "vital network data and metadata and could impact "operator's ability to efficiently manage telecommunication networks."
|
| Complete bunk - Their (TMobile et al.) "value add services" are nowt more than network content provider toll-gates that the proxies bypass. Meanwhile they are also selling every bit of user context data (position, DNS/sites, cookies where unencryptable, phone-id's etc) that they can scrape individually and in aggregate to any and every advertiser. Context is worth serious money to advertisers.

| jeroenhd wrote:
| If carriers could be trusted (and they clearly can't), I'd actually agree with some of their technical requirements. Netflix's edge boxes work well to keep them from wasting peering capacity on video streams, and dedicated Youtube and Twitch uplinks would save the general-purpose peering links from a lot of unnecessary load. Unmasked routing would help ISPs route their traffic more efficiently and cheaper. Latencies would be lower, and rush hour throughput speeds could be higher. It might even be a small win for the environment to send all of your traffic back and forth between data centers.
|
| Sadly, many (American) ISPs are abusing their position to gather and sell personal information from their subscribers. They wasted their "ability to efficiently manage telecommunication networks" the moment they started selling data. They've become adversaries rather than partners because they thought they could have their cake and eat it too. It's sad, really, because with cooperation, everyone would actually be better off with proper network management!

| JohnTHaller wrote:
| I'd wager this is to prevent folks from streaming over 480p on the standard 'unlimited' plan, prevent unauthorized hotspot use, prevent hiding DNS for data harvesting, and a few other things. What would make more sense is simply to charge this at hotspot rates, since they can't determine if you're using more phone and low-res streaming bandwidth than your plan permits.

| withinboredom wrote:
| This is probably a good thing. When Private relay breaks (such as on my network at my house and some public wifi networks at a popular grocery chain), there's literally no indication that private relay is broken. Instead, friends tell me my wifi is broken or suddenly I can't use my grocery store's app to scan my products.
|
| When your product causes your customers to call someone else and complain, don't be surprised if that "someone else" disabled access to your product.

| jeffybefffy519 wrote:
| Your iPhone immediately throws up a notification saying "private relay unavailable".

| astrange wrote:
| Private relay doesn't apply to apps, only Safari. (though the app could use a web sheet)

| ssully wrote:
| I've had Private Relay stop working for me once and I was served a push notification indicating that it wasn't working.

| kylehotchkiss wrote:
| I wish there were better visual indications within Safari regarding whether it's on or off. Especially when connecting to a new wifi network with a portal, which almost always breaks it. Private relay only works within Safari though, why would it affect your grocery store app?

| dathinab wrote:
| Do I see it correctly that this is basically a direct consequence of not getting proper net neutrality rules?

| throwaway123x2 wrote:
| This is not very uncarrier, is it?
|
| Or did they do away with that branding?

| kup0 wrote:
| I expect it to be all downhill since the Sprint merger

| luke2m wrote:
| I no longer have an iPhone, but can anyone confirm that T mobile blocks cydia repos on Cellular?

| ROTMetro wrote:

| vmception wrote:
| Does this run counter to current net neutrality regulations? Or is this unrelated.
|
| Are there other legal remedies for either the subscriber or from Apple to the ISPs?

| daenney wrote:
| I would suspect it's fine. Disabling this feature is a built-in ability of iOS. It doesn't depend on ISPs treating the traffic differently.

| thehappypm wrote:
| Net neutrality doesn't even apply to mobile networks.

| vmception wrote:
| okay, should it? because we can make that happen if enough of us agree

| mcherm wrote:
| Nope - this doesn't violate net neutrality regulations in the US... because there aren't any!
|
| This article:
|
| https://www.eff.org/deeplinks/2021/12/where-net-neutrality-t...
|
| talks about how many are hoping that in the near future we will establish some net neutrality regulations, but for now there really isn't anything (at the federal level. Some states have tried).

| vmception wrote:
| So this would not be legal to block in California?

| ChuckMcM wrote:
| Slowly pushing the data wars into the public field of view. Kudos to Apple for pushing so hard on this front. Now to put some pressure on the FCC to have some rule making done about disallowing telecom interference in the data packets.

| tomjakubowski wrote:
| Weird. I'm a T-Mobile customer, and I just switched to cellular data and was able to enable Private Relay without any issue. whatismyip.com says my ISP is Akamai. Possible T-Mobile are still rolling the block out?

| gjsman-1000 wrote:
| I would think Apple has some leverage to force it if they really wanted.
|
| If Apple really wanted to force the issue, they could tell T-Mobile no more iPhone contracts unless you do it. Apple can survive and thrive on fewer networks - the iPhone was AT&T exclusive for a long time at the beginning.
|
| If that happened, there would be no way for T-Mobile to get a supply of iPhones. People would need to buy iPhones from Apple and then replace the SIM cards themselves. It would make T-Mobile bend pretty quickly unless they managed to get Verizon and AT&T to join them on the issue.
|
| But then Apple has a second card to play, and that's the court of public opinion. If Apple wanted to make a public ad lambasting the carriers for undermining people's privacy, the damage would also force them to bend.
|
| Finally, of course, there's the fact that carriers need Apple just as much as Apple needs carriers. However, between the carriers and Apple, who has $200 billion in the bank to do things themselves if they wanted?
|
| Edit: Heck, T-Mobile has a market value of $130 billion. AT&T has a market cap of $188B, and Verizon $223 billion. If Verizon and AT&T joined T-Mobile in protest, Apple could theoretically attempt (or at least threaten) a hostile takeover of any of them. That would cause a lot of discussion among the carriers and send a strong message very quickly.

| nimbius wrote:
| if i had to hypothesize why T-Mobile are doing this, it's streaming media.
|
| TMobile has numerous pay-for-play access contracts in place for companies like netflix and hulu. in return they get a QoS tier and guaranteed minimums for their subscribers.
|
| conversely, as others have mentioned and the article itself, private relay is absolutely haram. it damages tmobile's ability to deliver edge content from their contractually obligated players like netflix (without a region netflix quality might suffer) and it completely sidesteps all of TMobile's lucrative user plans that include access to streaming media as a feature relative to the user's data cap.
|
| increasingly private "anything" on a cellphone is becoming a hostile proposition for carriers as their revenue is largely based on predatory surveillance capitalism. without metrics and metadata, they're no different than the water company.

| tssva wrote:
| So you want them to act as monopolists which is something HN usually is very much against. Also the threat of trying to buy a carrier out is a completely empty one and the carriers would all know it. There is no way it would pass regulatory or court review for the market leader in cell phone sales to own a major carrier.

| jkaplowitz wrote:
| I agree with you that they probably wouldn't be allowed to buy a major US carrier. But they aren't a monopolist or the global market leader in cell phone sales. Even in the US where they are indeed the market leader, their percentage of sales hovers around half, well below monopoly levels.

| ralph84 wrote:
| I wouldn't be so certain of that. Antitrust review of mergers is mainly concerned with whether the merger will reduce competition in a market. Since Apple doesn't currently operate a mobile network and none of the carriers currently manufacture phones, it would be hard to argue a merger would lessen competition.
|
| Now whether Apple shareholders want Apple operating a mobile network is a completely different question.

| reaperducer wrote:
| _If Apple really wanted to force the issue, they could tell T-Mobile no more iPhone contracts unless you do it. Apple can survive and thrive on fewer networks - the iPhone was AT&T exclusive for a long time at the beginning._
|
| Or the other cellular networks could start running ads touting that they let iPhone users use _all_ of the iPhone features.
|
| "Does your cell phone company hold you back? With Cincinnati Bell, you can do things with your iPhone that T-Mobile won't let you."
|
| Apple could even help pay for the ads. It's not like companies with aligned interests don't do ad cost-sharing all the time anyway.

| numbsafari wrote:
| > Apple could theoretically attempt (or at least threaten) a hostile takeover of any of them.
|
| If I were any of the carriers, I wouldn't worry about this in the slightest.
|
| Apple attempting to gain ownership of a mobile carrier in order to impose its will on the market would be met with incredibly harsh regulatory scrutiny.
|
| Beyond that, there's a strategic reason Apple hasn't launched their own mobile offering. The minute Apple owns a particular mobile carrier, they would be pretty well cut off from the other mobile carriers, or they would have to negotiate deals that would probably be argued to be collusive trade practices.
|
| The real solution is that the United States needs real data security and privacy laws that prevent network operators from reselling your usage history, location tracking, and other personal details. It's a national security issue at this point.

| CerealFounder wrote:
| There is no chance Apple would be allowed to buy or run a mobile network. The monopoly dogs would be at the door before the email went out.

| lp0_on_fire wrote:
| The vertical integration of Amazon in the past 10 years or so makes me think those monopoly dogs can't hunt.

| pdimitar wrote:
| While I agree with your comment almost fully, I think it's a bit too early to judge Apple. They probably found out just a few days earlier than we did and are still weighing their options.

| hyperbovine wrote:
| > Heck, T-Mobile has a market value of $130 billion. AT&T has a market cap of $188B, and Verizon $223 billion. If Verizon and AT&T joined T-Mobile in protest, Apple could theoretically attempt (or at least threaten) a hostile takeover of any of them.
|
| OTOH, one way to become the most valuable company in history is to not go pulling stunts like that. Nothing the street loves more than predictability.

| gjsman-1000 wrote:
| Of course, the odds of this are extremely small. It's just more to show that Apple has more leverage than the carriers in this situation.
|
| Edit: Another, "smarter" tactic that Apple might use is by sending messages to the Board of Directors. If Apple can get the Board of Directors on their side (or at least convince them that management is fighting a war they can't win)... another way to freak out execs at the carriers.

| [deleted]

| smoldesu wrote:
| The odds that any American company could start scooping up cell carriers without reproach is not just "small", but more along the lines of "complete impossibility". The SEC already gives Apple the stink-eye for gobbling up C-lister startup companies; if they tried acquiring anyone in the S&P 500, every trade commission in the world would be on them within seconds.
|
| I also think it's silly to equate a company's power to the amount of money they have (at least in the first world) but your hypothetical does raise an interesting question: who's deeper in bed with the State, Big Telecom or FAANG? All of them answer to the government, even T-Mobile; but who's got the most favor? Understanding the heinous stuff the American government got away with when they had telecom under their thumb doesn't set a very optimistic baseline of expectations. It might even lead certain people to believe (surprise surprise) that Apple's dedication to privacy doesn't really mean much when there's money on the line. Arguing about how "Apple is better because they have more capital resources" has about as much pragmatic value as a child's crayon drawing.
|
| Unless Apple has one-upped Room 641A, I think you're describing a power fantasy.

| andrewxdiamond wrote:
| > If Apple wanted to make a public ad lambasting the carriers for undermining people's privacy, the damage would also force them to bend.
|
| That ad would be candy to the Apple PR team trying to push the "Apple is secure and respects your privacy" campaign. I bet we'll see Apple use the court of public opinion here, and win with it.

| SloopJon wrote:
| I'm trying to think of a case in which Apple has used public opinion in this way. The closest I can come up with is Adobe Flash, but Apple was the one blocking a product on its platform then.

| smoldesu wrote:
| If Apple escalates this into a dirt-flinging war, I don't think any domestic carriers would take offense at reminding the public that Apple is the only one among them that still does business with China. But neither one will escalate things, because both Apple and every US cell carrier have so many skeletons in their closet that trying to call one another out wouldn't just be hypocritical, it would be mutually assured destruction.

| gjsman-1000 wrote:
| Nah - that wouldn't work. Apple would just point out that they use networking gear made in China. Brilliant.

| smoldesu wrote:
| My point is that carriers and manufacturers have so much dirt on each other that trying to escalate things would just hurt them both. The reason why Apple (and mobile carriers, for that matter) don't take swings at each other is because they both need the other to look as pristine as possible to sell units. They have a mutual interest in looking good together, and neither Apple nor the carriers have any vested interest in breaking that relationship.

| thebradbain wrote:
| I don't think the American public would particularly care - and some would probably even support - that Apple does business with China. If that's the best the carriers can throw at Apple, versus Apple cutting them off from the single device doing the heaviest lifting to keep them relevant, then yikes.

| smoldesu wrote:
| Oh, that's certainly not _the worst_ they'd grab for, but more of an example where they can call their bluff. Cell carriers and hardware manufacturers alike get bent over backwards for compliance in the United States, trying to assert that you're "the private one" is just going to get you called on every other front. It's not even a question that these companies do shady things, the real question is more about the lengths they'd go to diminish their competition.
|
| Again though, rupturing this conversation is mutually assured destruction. The reason why Apple won't call T-Mobile's bluff is because it's better for them to look like a symbiotic company than an adversarial one, and T-Mobile can get away with this because data protection in the US is a moot-point anyways. It's about as unremarkable as news gets.
|
| Hell, Apple was even nice enough to give T-Mobile a special error message when you try to use Private Relay:
|
| > "Your cellular plan doesn't support iCloud Private Relay. With Private Relay turned off, this network can monitor your internet activity, and your IP address is not hidden from known trackers or websites."
|
| I wouldn't call it security theater if I couldn't see the curtains on the left and right.

| sebzim4500 wrote:
| I don't think that would be effective, everyone already knows that Apple builds their phones in China, it says on the back. The fact that your cell carrier wants so badly to spy on you that they are willing to go to bat with Apple will, however, surprise some people.

| 015a wrote:
| Right, but I think there's some incorrect conclusions being drawn.
|
| The article asserts that an error in the settings menu appears: "Your cellular plan doesn't support iCloud Private Relay. With Private Relay turned off, this network can monitor your internet activity, and your IP address is not hidden from known trackers or websites."
|
| This doesn't appear to just be a situation where T-Mobile started blocking it at the network level; it appears to be one where Apple submitted.
|
| While there's a lot of theories in this comment about how Apple will respond; I don't see that happening (in a public way, of course). Apple's leadership in 2022 doesn't have the same convictions their leadership has had in the past. They're capable of being a positive force for change, in fair weather; but when the weather gets rough, or when forces assert power over their expression of values, they fold.

| r-w wrote:
| What, so now displaying an error message means you're responsible for the error? See some of the other threads about why Apple might not like playing dirty to go behind T-Mobile's back--each one needs the other for its good reputation.

| 015a wrote:
| It's reasonable to assert that they wrote the error, and they phrased the error message intentionally, in a way which clearly says that they expected carriers to block the service. The settings app is owned by Apple; not T-Mobile; T-Mobile would certainly NEVER admit so plainly that they monitor network activity (even though they do).
|
| Alternate phrasing which betrays different expectations: "We could not connect to the iCloud Private Relay servers. This may indicate an issue with your network provider, blah blah blah."
|
| No VPNs is mostly standard-operating-procedure in, say, China. That being said: I'd assume that feature, let alone the settings page to configure it, is hidden in versions of the software distributed in countries like that. This error message is likely for countries where the service is available; just not on your carrier.
|
| But putting that aside and even considering their stance of submission to the CCP; they betray every spoken value their American executives verbalize. _That_ is standard operating procedure for 2022 Apple, and most other gigacorporations. That is the lens that every statement Tim makes, every word spoken at their keynotes, needs to be viewed through; that they're willing to invest their infinite money in whatever projects they believe aligns with their values, but they're wholly unwilling to stand up for those values when those projects are battle-tested in even such an absolutely inconsequential way as this.
|
| Of course, they can prove me wrong by standing up to T-Mobile and using them as an example. I mean my god, you couldn't ask for a better example to make, T-Mobile/Sprint is a fourth-rate bargain bin cellular carrier, we're not talking about a nation state; this is a toddler mad at his parents because they won't let him eat candy for dinner. If they can't even resolve that, what hope do any of their values have?

| smoldesu wrote:
| Apple was the one who wrote that text out and put it in your iPhone. You can choose to interpret that any way you choose, but it's pretty clear that Apple either _really_ loves and trusts T-Mobile or (more likely) their "Privacy is a Human Right" bit rides shotgun to their moneymaking shtick.

| hffftz wrote:
| > People would need to buy iPhones from Apple and then replace the SIM cards themselves.
|
| Changing sims is VERY easy, but a sim that doesn't match an approved phone is also easy to block?

| kongolongo wrote:
| >the iPhone was AT&T exclusive for a long time at the beginning.
|
| I think that was a very different time though. Smartphones were just becoming popular. A lot of other upcoming smartphones also had carrier exclusives at that time (Verizon with the Droid line). I don't know if that would be acceptable in today's world.
|
| A joint move like that by the carriers would be subject to a lot of antitrust scrutiny, whereas Apple can move on its own with a lot less scrutiny.

| bogomipz wrote:
| >"There's likely not much that Apple can do here, but it underscores another limitation of Private Relay as a feature as well as the power that carriers hold."
|
| Doesn't Apple have a lot that it can do there? Wouldn't there be TOS set by Apple that would cover interfering with functionality? I would hope Apple would flex some muscle here as this would otherwise set a new dismal precedent where features were only available on a carrier by carrier basis. At one time T-Mobile seemed to try to cultivate a pro-customer perception. I guess those days are long over?

| nerdjon wrote:
| I really hope this doesn't catch on, but I am concerned that settings has a message for this instead of it just mysteriously being not working. Makes me wonder if there is an official way carriers can block this?
|
| I know at home since I have pihole setup I got an alert that private relay can't work on my home network.

| Shank wrote:
| If you block the domains that private relay uses, it won't work. Those are `mask.icloud.com` and `mask-h2.icloud.com`. Then it'll display a message informing you that it doesn't work. I imagine the carrier restriction just shows up in the carrier panel because there isn't a way to access the Internet on cellular via private relay if it's disabled.
|
| [0]: https://developer.apple.com/support/prepare-your-network-for...

| nerdjon wrote:
| I guess thinking about it more, it would be fairly simple to say something like "if consistently can't setup private relay" and "on cellular" display this message.
|
| For a moment I was thinking it would only trigger with something specific from the carrier, but I see little reason Apple would actually work with them on this. They are not really in the business of making the carriers happy.
|
| Edit: someone else pointed out it is actually a feature that the carriers can do. that... is disappointing.

| woodruffw wrote:
| From Apple's developer docs for Private Relay: they're probably displaying that message if either of the well-known endpoints returns NXDOMAIN[1].
|
| They explicitly identify school and enterprise networks as legitimate cases where Private Relay needs to be blocked, so that's probably how carriers are doing it as well.
|
| [1]: https://developer.apple.com/support/prepare-your-network-for...
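
The DNS behaviour described in the two comments above (the relay hostnames `mask.icloud.com` and `mask-h2.icloud.com` answering NXDOMAIN) can be checked from the network side. The following is an added example, not part of any comment and not Apple's or any carrier's code; the sample responses are constructed with a documentation address (192.0.2.10), and treating an empty NOERROR answer the same as NXDOMAIN is this example's assumption.

```python
"""Classify how a DNS resolver answers for the iCloud Private Relay hostnames."""
import secrets
import socket
import struct

RELAY_HOSTS = ("mask.icloud.com", "mask-h2.icloud.com")  # hostnames named in the thread
NOERROR, NXDOMAIN = 0, 3  # DNS RCODE values (RFC 1035)


def build_query(hostname, txid=None):
    """Build a wire-format DNS query for the A record of hostname."""
    if txid is None:
        txid = secrets.randbits(16)  # unpredictable transaction ID
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in hostname.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(query, response):
    """Return 'nxdomain', 'empty', 'answered', 'error' or 'invalid'."""
    if len(response) < len(query):
        return "invalid"
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", response[:8])
    # Must be a response (QR bit) carrying our transaction ID ...
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "invalid"
    # ... and must echo the question we asked (case-insensitively).
    if qdcount != 1 or response[12:len(query)].lower() != query[12:].lower():
        return "invalid"
    rcode = flags & 0x000F
    if rcode == NXDOMAIN:
        return "nxdomain"
    if rcode != NOERROR:
        return "error"
    # Simplification: any answer record counts, including a bare CNAME.
    return "answered" if ancount > 0 else "empty"


def query_resolver(server, hostname, timeout=3.0):
    """Ask a real resolver over UDP port 53 and classify its reply."""
    query = build_query(hostname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(query, data)


def assess(verdicts):
    """Summarise per-host verdicts for both relay hostnames."""
    values = [verdicts.get(host, "missing") for host in RELAY_HOSTS]
    if all(v in ("nxdomain", "empty") for v in values):
        return "relay hostnames blocked at the resolver"
    if all(v == "answered" for v in values):
        return "relay hostnames resolve"
    return "inconclusive"


def make_response(query, rcode, addresses=()):
    """Constructed sample reply for offline use (not captured traffic)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, len(addresses), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
        for addr in addresses
    )
    return header + query[12:] + answers


def demo():
    """Run the classifier against two constructed resolvers."""
    results = {}
    samples = (("blocking resolver", NXDOMAIN, ()),
               ("open resolver", NOERROR, ("192.0.2.10",)))
    for label, rcode, addrs in samples:
        verdicts = {}
        for host in RELAY_HOSTS:
            query = build_query(host)
            verdicts[host] = classify_response(query, make_response(query, rcode, addrs))
        results[label] = assess(verdicts)
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

To test a live network, call `query_resolver()` with the address of the resolver that network hands out and pass the per-host results to `assess()`.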

| josephcsible wrote:
| > They explicitly identify school and enterprise networks as legitimate cases where Private Relay needs to be blocked
|
| Why are these legitimate? Censorship is wrong even when schools do it.

| woodruffw wrote:
| "Legitimate" in the sense of "pre-existing policies," not "I personally believe this is morally acceptable."

| [deleted]

| rcarmo wrote:
| Like I pointed out in the sister thread about EU telcos:
|
| https://news.ycombinator.com/item?id=29875805
|
| Phone carriers do not want to be a dumb pipe - and having Private Relay go through their networks breaks:
|
| - HTTP header enrichment (which they use for self-care/customer sites/services),
|
| - zero rating (which they set up deals for with social networks, music streaming services, etc., often applying specific QoS tags) and
|
| - all sorts of value added services (many using deep packet inspection and DNS analytics) that they offer instead of raw, unfettered connectivity.
|
| I don't think many people are aware of exactly how much data telcos are sitting on, anonymized or not.
|
| And, of course, it also plays havoc with legal interception because there is no easy way to do MITM.
|
| (edit: readability)

| jeroenhd wrote:
| Is this really about EU telcos, though? In the European article I mostly see messages about this from UK telcos, which are European but not EU anymore. I've heard that UK net neutrality law is kind of a joke, and now that they're outside of EU control the UK can do whatever the hell it wants, and I fear for UK citizens that the mostly consumer-focused EU ideals aren't shared by the current UK leadership.
|
| Plenty of telcos want to force competitors out of the market with zero rating and triple play subscriptions, but I don't think any of them have made any moves against net neutrality this bad. A few years ago I've seen carriers doing HTTP introspection to force images through their compression proxies (usually budget ISPs who want to stop people from actually using up their data plan so they can make a profit) but that seems to have stopped completely now.
|
| As for legal interception, this doesn't make any difference. When law enforcement finds that the suspects are communicating over Apple's network, they'll just knock on Apple's door with a warrant and demand a wire tap from their network. That's how legal interception of "privacy protection" VPN providers works, and Apple isn't even trying to ship traffic outside national borders, just to the closest data center.

| lstamour wrote:
| I doubt long term that it causes much havoc with three letter agencies. If anything, it simplifies it a small bit because now they can look at the records of only two intermediaries, Apple and the CDNs they use. That said, why go to the trouble? Depending on how it's configured, Apple would already likely be tracking your browser history in iCloud, backups, etc. Plus websites that track user activity (e.g. have logins) can be asked directly for data.

| jyrkesh wrote:
| Shouldn't those all be true of ISPs too, though? Why are telcos different? Is it just because they need stricter QoS because of airwaves vs. cables? Do you think that argument still holds water in a post-5G-saturated world?

| nathanyz wrote:
| Exactly, carriers really don't want anything that helps push net neutrality in any real way. They don't want to be commoditized to where it's just pipe for Internet data to transmit through as you mentioned.

| Spooky23 wrote:
| MITM is pretty moot right now with TLS everywhere. Apple is taking this stand because it's in line with their business.
|
| Zero-rating is really bad for Apple. And by making themselves the virtual network layer, they have the ability to roll out their own last mile networks later.

| r-w wrote:
| To be fair, you could make the same argument that TLS is moot because everything at the other layers (routing, application, and even hardware) is extremely vulnerable to attack. MITM is still a very real thing.
|
| If anything makes it moot, it's not other technology; it's social engineering attacks.

| paxys wrote:
| The point of TLS is that every bit of network infrastructure could be compromised but your connection would still be secure as long as your own device and the end server (and the cert authority) remained clean.

| oflannabhra wrote:
| One big difference in the US is that most telcos also have ad businesses, and this will negatively impact them.

| kevin_thibedeau wrote:
| This is more about selling data to aggregators.

| 88840-8855 wrote:
| I have been working through some consulting activities with 8 telcos over the past years on the topic BiG DaTa. While it is true that telcos have data, ALL of the telcos I have worked with lack the capability to do ANYTHING with that data.
|
| First, they don't get the right people, because good people don't go to telco. Second, they have super fragmented stacks, especially in markets that have consolidated over the years. Third, they simply haven't figured out ANY business model for that data (except some We SeLl LoCaTiOn DaTa To GoVeRnMenTs that is illegal in most Western countries anyway by now).
|
| So... all this "TELCO SOOO BAD BECAUSE ALL MY DATA THEY EAT" talking is laughable to me after seeing the truth. I am surprised what people here in HN think of the capabilities of telcos.
|
| Edit: as I saw some comments below on "three letter agencies". Fun fact, ALL the 8 telcos that I have experienced had guys from the local "three letter agencies" working there to detect crime stuff.

| nickysielicki wrote:
| FWIW, it's working for me on a TMobile MVNO.
| AlexCoventry wrote: | Has T-Mobile given any indication that they're planning to block | VPNs more generally? | jonathanmayer wrote: | I previously served as CTO of the FCC Enforcement Bureau. A | couple thoughts on the regulatory dimensions of this report. | | * This could be a Federal Trade Commission problem. T-Mobile, | like all major ISPs, has made public representations about | upholding net neutrality principles [1]. These voluntary | commitments were part of the Trump-era FCC's rationale for | repealing net neutrality rules. Breaching the commitments could | constitute a deceptive business practice under Section 5 of the | Federal Trade Commission Act. | | * This could also be a Federal Communications Commission problem. | When repealing the Obama-era net neutrality rules, the Trump-era | FCC left in place a set of transparency requirements [2]. Making | an inaccurate statement about network management practices can be | actionable under that remaining component of the FCC's net | neutrality rules. | | I haven't seen a comment from T-Mobile, so to be clear, that's | just based on the report. | | [1] https://www.t-mobile.com/responsibility/consumer- | info/polici... | | [2] | https://www.ecfr.gov/current/title-47/chapter-I/subchapter-A... | inetknght wrote: | > _Making an inaccurate statement about network management | practices can be actionable under that remaining component of | the FCC's net neutrality rules._ | | Who would be responsible for bringing about that action and, if | they don't bring about action, what can regular people do about | it? | bkmrkr wrote: | Looks like I am leaving Tmobile | NaturalPhallacy wrote: | Anybody know if this applies to companies that use tmobile's | network, like Ting? | jzig wrote: | Right, and Mint Mobile | selimthegrim wrote: | Ting may be transitioning to another network soon if rumors | about Dish are to be believed. | rgrmrts wrote: | AFAIK Google Fi uses T-Mobile, and I'm still able to use | private relay.
| gigel82 wrote: | Private Relay was always a sketchy proposition; if privacy is | your concern, you're almost always better off using a VPN. | | Yes, granted, Apple could always extract (and to some extent | probably is) your history directly via OS hooks, but the | "Private" relay gives them a completely opaque off-device way to | centrally track what everyone is visiting, which is just another | data point feeding into their rapidly-growing advertisement | business. | | Paranoid? Maybe, but after the whole on-device scanning fiasco I | view Apple in the same category as Google, Facebook and Microsoft | when it comes to privacy guarantees. | mindslight wrote: | Give credit where credit is due. I haven't owned an Apple | device since my trusty IIgs and am not a fan of Disneyland | computing in general, but I may seriously ponder buying a Mac | mini simply to gain access to their popular VPN that will be | impractical for websites to block or CAPTCHA-hell. | jedberg wrote: | The thing is, I already have to trust Apple because they can do | anything they want on my device. Why would I want to add a | third party to that, especially one that runs a VPN service? | kylehotchkiss wrote: | The purpose of private relay is more to prevent ISPs/Cell | carriers from vacuuming up your data and selling it in probably | totally identifiable ways to the lowest sketchy bidder. | | All the big carriers have already been sued by FCC for selling | location data without permission[1], and even last month | Verizon is trying to justify collecting more data on everything | you use your phone for[2]. Apple's business model is less gross | than ISPs and their partnership with Cloudflare to prevent even | themselves from being able to access traffic logs is an extra | plus | | [1] https://www.nytimes.com/2020/02/27/technology/fcc- | location-d... [2] | https://www.theverge.com/2021/12/17/22841372/verizon-custom-... 
| moolcool wrote: | > if privacy is your concern, you're almost always better off | using a VPN | | I am really skeptical of this. Not that ISPs are extremely | trustworthy, but they're at least bound by some state mandated | privacy protections which <Foreign VPN Provider> is not. | gigel82 wrote: | Valid concerns, you need to pick your VPN carefully if using | a public provider. In my case, I relay everything to a VM I | trust that is running a firewall and AdGuard for DNS ad- | blocking. | | The system may not work for everyone (for example, streaming | services optimize based on your location, which will break | down if the VM lives in some cloud), but I use my phone for | music, browsing and email (not video consumption) so it works | for me. | djrogers wrote: | > Yes, granted, Apple could always extract (and to some extent | probably is) your history directly via OS hooks, but the | "Private" relay gives them a completely opaque off-device way | to centrally track what everyone is visiting | | Err, no it doesn't - that's the whole point of the way it's | engineered. All Apple sees is your IP address with none of the | request details, and your IP is obscured before being sent to | the second relay (Cloudflare, fastly, etc) , who only see the | request detail with no origin/requestor information. | | [1] | https://www.apple.com/privacy/docs/iCloud_Private_Relay_Over... | atty wrote: | The entire point of private relay is that neither Apple nor the | third party CDN can match the destination website to an | individual. | | If your argument is "they probably aren't doing what they say | they're doing" and so you shouldn't use their tools, then you | better start writing your own operating system from scratch and | designing and fabbing your own silicon, because there's no | guarantee any of these companies or open source projects aren't | compromised. | josho wrote: | Apple is also capturing DNS queries, so they minimally have | that as a data point. 
| | Regardless, the more general concern that parent seems to | make is what is to stop Apple in the future from monetizing | this data? I think the only thing protecting us as consumers | is their policy. And as we all know policies can change very | simply with a change to the terms of service. | dwaite wrote: | I believe Apple now supports ODoH (oblivious DNS over | HTTPS) although I do not know if it is used for private | relay. | No1 wrote: | They are using ODoH in the private relay. | | https://www.apple.com/privacy/docs/iCloud_Private_Relay_O | ver... | tylerchr wrote: | To quote the relevant section: | | "ODoH sends DNS queries through the first internet relay, | so the DNS server cannot identify the user issuing a | query. Each query itself is padded and encrypted using | Hybrid Public Key Encryption (HPKE) to help ensure that | the first internet relay cannot tell the domain name a | user is looking up." | | Apple is the "first internet relay" and they seem to | explicitly state that they don't see the DNS queries | themselves. | gigel82 wrote: | I will eat my hat if Apple doesn't enter the ad market big- | time in a couple of years. All the signs point to them | building a massive privacy-invading trove of data on their | customers to exploit. | | Of course, their PR will spin it up as "privacy focused, | totally anonymous, personalized advertisement" and some | will just gobble that up as gospel. | | I don't trust any of these fuckers any more... :) | josho wrote: | I think 2 things are stopping apple from entering that | market in earnest. | | 1. Privacy is a differentiator for Apple's business. | Google et al can't compete and win on privacy. Apple can | use this to win at recruiting and win at selling their | ecosystem. | | 2. Apple's hitting revenue/ growth targets. Other r&d | investments better align with their ecosystem so there is | no business driver today to enter this market. 
| | Having said that I won't be surprised if Apple misses a | few qrtly earning targets and decides to enter the ad | market. | fshbbdssbbgdd wrote: | It already happened: https://amp.ft.com/content/074b881f- | a931-4986-888e-2ac53e286... | pram wrote: | It uses ODoH for DNS. | | https://blog.cloudflare.com/oblivious-dns/ | asimpletune wrote: | Apple should just start their own carrier | ballenf wrote: | I would guess Xfinity and other ISPs will be watching this | closely. They have the same incentives and Xfinity among others | strongly lobbied Congress when there were browsing privacy bills | (that failed) in Congress. | Volker_W wrote: | Everytime I think carriers cannot get even more scummier, they | manage to do it. | blcknight wrote: | I had turned private relay off during the beta since it seemed | flaky when connections were poor. I have a VPN for torrents that | I just installed on my phone because of this. Screw T-Mobile. | hnburnsy wrote: | I wonder if this would this apply to MVNOs who use the | TMobile\Sprint network? | busterarm wrote: | That would mean Google Fi VPN wouldn't work. | | I was using my own always-on VPN w/ GrapheneOS on T-Mobile's | network and was having tons of problems with calls and texts | not getting through. | doctorsher wrote: | This does not seem to be the case. Elsewhere in the comments, | neurobashing said their private relay works fine for an MVNO on | T-Mobile. | hedgehog wrote: | These kinds of shenanigans are exactly the reason you shouldn't | trust carriers with plain text data. People bash Apple for not | adopting RCS over iMessage but it would just lead to more crap | like this but for your text messages. | tomComb wrote: | RCS supports E2E encryption, and Google's apps implement it. | | (And I think the complaints about iMessage are its exclusivity | - the best solution is an iMessage for Android.) | hedgehog wrote: | Thanks, I missed they'd added E2E last summer. 
It looks like | it's only for 1:1 chats and only on some phones depending on | handset vendor and carrier, is that accurate? If so it still | seems like adding RCS would have pretty limited usefulness vs | interop with say WhatsApp. | | I don't fault any one company on the messiness of the | situation, it's kind of a tragedy of the commons situation. | Apple isn't willing to compromise the UX complexity of adding | more messaging types with different behavior, Google isn't | willing to force carriers and handset manufacturers to make | RCS really good, and carriers just don't care about anything | other than ARPU and being "value added". | | Oh, and WhatsApp interop will never happen even though that | would probably actually be good because Facebook. | [deleted] | jeroenhd wrote: | RCS is a shitty system set up by a shitty telco industry. The | protocol is behind what most countries in the world use | already. I see it as just an attempt from the telco industry to | start charging subscriptions for Whatsapp again, but about five | to ten years too late. | | iMessage would be fine if it wasn't for the shitty vendor lock- | out. Everyone I know uses some kind of cross platform chat app, | usually either Whatsapp or Telegram. It's sad to see the green | bubble shaming that Apple's exclusionary tactics has created be | of such influence in US social circles. | Rebelgecko wrote: | TMobile's RCS supports e2e encryption | ballenf wrote: | Carriers generally don't care about payloads, they can monetize | you from the metadata. What kind of websites you frequent and | when. They don't need to know which color of maternity clothes | you're shopping for to know you're pregnant. | jrochkind1 wrote: | Can anyone explain the case from T-Mobile's end? | | (Not asking for sarcastic not-in-good-faith explanations of BS | reasons that you are imagining. 
| | Asking for anyone who understands more about a cell carrier's | needs than I do, to explain what <<the feature cuts off networks | and servers from accessing vital network data and metadata and | could impact "operator's ability to efficiently manage | telecommunication networks.>> actually means, to someone who is | not a telecom engineer but does understand engineering. | | And/or other motives, but based on understanding more of their | business than I do, not just wild guesses!) | jasongill wrote: | The reason is right in the "what's new" section of the T-Mobile | privacy policy: https://www.t-mobile.com/privacy-center/our- | practices/privac... | | > "However, starting April 26, 2021, T-Mobile will begin using | some data we have about you, including information we learn | from your web and device usage data (like the apps installed on | your device) and interactions with our products and services, | for our own and 3rd party advertising, unless you tell us not | to." | | T-Mobile sells browser history data to advertisers, and Private | Relay blocks that revenue stream. They are on the offensive to | protect their new-found profit center, and most likely are | doing this now to show Apple that this is not a feature that | they want to see be turned on by default. | | It's the beginning of the same saber rattling that Facebook did | when Apple announced it would simply ask customers if they | wanted to allow apps to track them | wronglebowski wrote: | I believe this functions like a VPN in some ways and blocks | video throttling. They use traffic inspection to throttle video | streams down to 480p unless you have the most premium of plans. | aeonflux wrote: | I've never heard that ISP (not the content provider) is | throttling down Video Quality by altering the traffic. Do you | have some links to back up that claim?
This doesn't make much | sense, as they would have to download the high quality video | anyway, then invest massive CPU power to downscale this. Most | content providers will scale down the quality if they detect | bad network conditions. If ISP would want lower quality, they | could just artificially slow the connection. | [deleted] | aaron42net wrote: | On cell networks, video content is by far the largest consumer | of bandwidth. And the default for video generally is to auto- | adjust the resolution to the highest quality that the network | supports. This kind of sucks, since bandwidth is a shared | resource for all users of a given antenna on a cell tower. | | Though Speedtest on your cell might show your connection speed | as 100 megabits/sec down, cell networks special-case video by | identifying it as video and rate-limiting it to something like | 1 megabit/sec. This is considered "efficient network | management". For T-Mobile, this is based on the plan | (https://www.t-mobile.com/cell-phone-plans), they sell either | "SD streaming" or "4k UHD streaming". "SD streaming" is a fancy | way to express that they rate-limit identified video streams to | 1 megabit/sec. | | They identify video streams by watching the IP your phone is | connecting to and/or the hostname mentioned in the TLS SNI | header and checking if it is Youtube, Netflix, etc. Sending | video content over a VPN removes their ability to understand | what the content is. | room500 wrote: | Non-cynically, it probably does introduce some issues in these | legacy telecom systems. | | For example, if you run out of data for a month, many carriers | will continue giving you access to the internet APN, but then | block access to "external" websites. This is so you can easily | open your browser and "top up" on data to continue using your | device. | | Or the usage of HTTP (not HTTPS) was relatively common back | when I was in the space (7-10 years ago).
There wasn't a need | to use HTTP because the carrier was in full control of the pipe | between the device and the server. Adding in a VPN that somehow | tries to intercept that traffic (that was supposed to exist | entirely within the telecom) is not going to work. | josephcsible wrote: | But if that were the only reason why, then couldn't they just | turn off Private Relay in that specific case, instead of all | the time? | mdasen wrote: | These aren't wild guesses, but I also don't have inside | information. | | 1. Browsing history. We know that Verizon is tracking it for | their gain: https://www.wired.com/story/verizon-user-privacy- | settings/. It seems reasonable that T-Mobile and others don't | want that door to close on them. | | 2. Video streaming management. Carriers typically restrict | video streaming on some/all of their plans to certain | resolutions. For example, I think most American carriers limit | video streaming to around 480/720p at 1.5Mbps or less unless | you have bought a premium plan. VPNs often get around this and | I know that my carrier can't detect Netflix access through | iCloud Private Relay. Right now, iCloud Private Relay doesn't | proxy app traffic, but it could in the future. | | 3. It looks like mobile carriers are looking to get into "edge | cloud" stuff. Verizon has been pushing this and they recently | emphasized this in their 5G Ultra presentation. If traffic is | going through iCloud Private Relay, buying expensive "edge | cloud" services from Verizon is a waste of money since the | traffic would be leaving the network to go through Private | Relay. | | 3a. Netflix ships "Open Connect Appliances" that ISPs can hook | into their network to serve Netflix content. If your traffic is | going through a proxy, you start accessing the content on a | server farther away. This mostly doesn't apply given that | Private Relay only does Safari traffic, but one could see | Private Relay expanding to apps in the future. | | 4. 
I think there is a certain knowledge of what is using data | that can be helpful to carriers. For example, I worked for a | university and they wanted to set different QoS for things like | peer-to-peer file sharing vs. web browsing. The university | didn't want to punish P2P tech or anything like that. They just | wanted to make sure that P2P usage didn't overwhelm other users | and uses of the network. Likewise, it could help the university | spot patterns like viruses/bots that might be using a lot of | network traffic. | | 4a. I think this can also play into how companies position | their offerings. For example, T-Mobile has introduced features | like "Music Freedom" and "Binge On" that allowed unlimited | audio streaming and video streaming before unlimited plans were | a thing. They surely did analysis of network usage of those | features before introducing them. You can look at how much | video streaming users are doing and then model how much data | would be used if you limited it to 480p (including accounting | for an uptick in usage due to it being unlimited). However, if | you don't know how data is being used, you lose the ability to | spot patterns that might be opportunities. | | 4b. It makes sense to want to offer different QoS for different | services. If someone is using FaceTime, you want that to be a | good experience. You don't want to prioritize a speed test over | someone's FaceTime call. You don't want to prioritize | downloading from YouTube over a FaceTime call. That YouTube | video can be buffered and if you know that you've transferred | 15 megabits worth of 1.5Mbps video, you kinda know that the | user doesn't need the next 1.5 megabits of video for 10 | seconds. | | 4c. I know that a lot of people want their connection to be an | unbiased dumb-pipe, but I think that people only want that | because they tend to see crappy stuff from companies looking | for money. 
Seeing it from a university that only wanted to give | people the best possible network experience feels a bit | different. QoS can be a positive thing and a dumb-pipe isn't | always great. | | I'm a bit surprised that T-Mobile would go this route at this | time. iCloud Private Relay doesn't proxy app traffic at this | time and I haven't seen that they have a similar browsing- | history program like Verizon's. Still, there are reasons to | want to be able to understand your traffic both for business | reasons and for a better customer experience. Again, I'm | surprised because it seems like the reasons today are slimmer. | I think the Netflix OCA use case is a good one since it reduces | network usage in a way that simply helps the parties involved, | but wouldn't really be possible if the traffic first went via | another external server. | | I'd emphasize that nothing here is to say that T-Mobile is | doing the right thing. It's just to bring up areas where a | company might want to know more about its network access | patterns. Some of that can be used for good like the Netflix | OCA system or giving higher QoS guarantees to FaceTime. Some of | it can be used for bad like knowing using browsing history for | advertising. | mleonhard wrote: | T-Mobile, Verizon, AT&T, and other ISPs joined together and | successfully lobbied Republicans in the US government for | permission to record what their customers do online and sell | that information [0, 1]. Apple's proxy service takes away that | revenue source. | | [0] https://www.techrepublic.com/article/the-real-reason- | behind-... | | [1] https://mashable.com/article/how-to-stop-tmobile-att- | verizon... | nickhalfasleep wrote: | Revenue from tracking customers for advertisements. | aeonflux wrote: | There is a solid, technical problem with VPN usage on such a | massive scale. Carriers, like T-Mobile, can arrange traffic | exchange with big content providers. 
Majority of traffic | generated goes to a handful of providers, like YouTube, | Netflix, Facebook. It's not even about direct, financial | incentives. It's a win-win for both ISP and content providers | to peer directly and limit the amount of traffic routed through | paid uplinks. It's a win for users too, since they can get | their content with less hops, through bigger pipes. Even Tier-1 | network operators | (https://en.wikipedia.org/wiki/Tier_1_network) can optimize | traffic by making the direct inter-connections for traffic- | heavy content. | | When everything is encrypted and goes over the ISP just to the | VPN endpoints, they can't do anything. In the end, they will | have to arrange peering not with content providers but with VPN | providers, who works for Apple. | | PS. There is a lot of tension in current setup, even without | Apple stepping up. In the old fashion market, the last mile is | the king. Big grocery chains have direct access to users, so | they are the strong side in the relation with producers. They | can position brand X over Y, if they have better margin. They | also create their own brand Z rip-off and sell that directly. | Just look what Amazon does in that space. When it comes to ISP, | they have direct users and have very little to say. They are | basically dump pipes, just like the power line. | | T-Mobile was very vocal in the past in that space. They often | wanted the MANGAs (heh) of the world to pay them a share from | their ads. I remember T-Mobile threatening, that they might | replace some ads with their own ads. Since they provide the | users with phones, they can install their own certs on devices. | Chrome has SSL pinning not only, to save users from hackers, | but to save their own business model being attacked by ISPs. | kstrauser wrote: | "User begins blocking T-Mobile from future consideration." | | I'm not using an ISP that prevents me from accessing perfectly | legal Internet services. 
No matter how they want to brand | themselves, today's telcos are ISPs, no more, no less. | | When shopping for cell phone providers, our considerations are 1) | complete Internet access, 2) coverage, and 3) cost. T-mobile | could charge $5 a month for unlimited usage, but if they can't | satisfy requirements #1 and #2, then #3 is moot. | SkyMarshal wrote: | _> our considerations are 1) complete Internet access, 2) | coverage, and 3) cost._ | | Anyone know how Google Fi compares on this criteria? I've been | considering switching over for Fi's better security [1], but | curious what Fi users think of the service. Since it piggybacks | on other networks, does it inherit any of their service | restrictions or other problems too? | | [0]:https://fi.google.com/ | | [1]:https://blog.kraken.com/post/219/security-advisory-mobile- | ph... | hentrep wrote: | If you're in the US, have you found a wireless provider that | meets your criteria? | aaomidi wrote: | Small Business AT&T | MBCook wrote: | As far as I know Verizon doesn't block things. They have | great coverage. | | They're not cheap. | | Woo oligopoly! | kstrauser wrote: | They block private relay on my phone. | zachberger wrote: | Strange, I'm on Verizon too and its not blocked | kstrauser wrote: | No kidding? If I go into Settings > iCloud > iCloud > | Private Relay (Beta), I see: | | > Private Relay is turned off for your cellular plan. | | > Your cellular plan doesn't support iCloud Private | Relay. | kevdev wrote: | I'm on Verizon, and it works fine for me. | skykooler wrote: | Verizon just blocked personal hotspot from my phone with | the message that I would need to switch to a non-unlimited | plan to reenable it. | darkarmani wrote: | How can they change your existing contract? | jaywalk wrote: | That doesn't sound right at all. All of Verizon's | unlimited plans aside from the lowest one come with | hotspot data. | PascLeRasc wrote: | Ting's been great for me and it meets those three | requirements. 
I'm a little hesitant now that they're owned by | Dish though. | kstrauser wrote: | I'd been happy with Verizon until recently when they blocked | Private Relay. I'm starting the search again now. | jaywalk wrote: | I don't use Private Relay, but I do have Verizon. I just | tried enabling it (with WiFi disabled, obviously) and had | no issues. Do you have a source to back up your claim that | Verizon blocks it? | kstrauser wrote: | Here's a screenshot of my Private Relay settings: https:/ | /www.icloud.com/iclouddrive/0eaTQXkx0FGrIINRWsrF3wagg... | | I'd like to be proven wrong, but that looks clear. | jaywalk wrote: | That's really strange. Are you on an old grandfathered | plan of some sort? It has to be either that or a bug, | because it's pretty clear that Verizon is not blocking | Private Relay in any large scale manner. | kstrauser wrote: | I don't _think_ so. We're switched to the Verizon Plan | Unlimited a couple years ago. | lotsofpulp wrote: | As another data point, I do not see private relay being | blocked using ATT. | ortusdux wrote: | Verizon is the only network that is reliable in my area. | I've had great luck with visible, which is a spin-off on | their network. Cheap as hell too - $25/mo for unlimited | everything. | [deleted] | kstrauser wrote: | Whoa. I'll check into that. | fotta wrote: | Note that Visible is an MVNO subject to deprioritization. | I'm on the lowest Verizon Unlimited plan which is subject | to the same and my service is nigh unusable when my | broadband internet goes out or I'm in a really large | crowd (e.g. music festival) | nathanyz wrote: | Yes, adding in a second data point as well. Verizon | directly is great in this one area nearby, but using | Visible in that same area was painful for anything data | related. Would show full signal bars with Visible, but | actual data rates were throttled and/or strongly | deprioritized.
| | You genuinely get what you pay for when you spend the | extra dollars for the direct carrier relationship with | AT&T and Verizon. All of the MVNO's as well as their own | prepaid plans will not compare if the towers are busy. | ifaxmycodetok8s wrote: | I have Verizon and I'm able to use private relay. Maybe | it's because I bought an unlocked phone directly from | Apple? Idk. | jaywalk wrote: | All Verizon phones are unlocked, but the lock status does | not change whether or not they can manage the carrier | settings that Apple exposes to them. | spullara wrote: | AT&T hits all of those for me. | LeoPanthera wrote: | You will not find any, because there are none. | [deleted] | diebeforei485 wrote: | Is this because it prevents T-Mobile from monetizing and selling | user browsing data? | ascagnel_ wrote: | T-Mobile partners with various video providers to provide | lower-bandwidth streams that don't count against bandwidth | caps. Less-cynically, this may be to enforce that. | | I consider those agreements to be violations of Net Neutrality, | since they're inherently not treating all data the same. | MontyCarloHall wrote: | It is a blatant violation of net neutrality, but somewhat | paradoxically, actually benefits the consumer in my | experience. Several friends of mine on T-Mobile have raved | about how Netflix/Spotify/et al. don't count towards their | monthly data limit. | | That said, iCloud private relay only applies to Safari, so | T-Mobile blocking it probably doesn't have much to do with | their variable data caps. | rhn_mk1 wrote: | It's not paradoxical at all, net neutrality also protects | from bad effects kicking in long-term. Zero-rating is | effectively the same as providing dumping prices compared | to the competition. It may benefit the customer now, but | leads to lock-in. | | See Facebook's internet.org. 
| aeternum wrote: | T-Mobile is pretty up-front about the various video quality | options with their plans, and also has ways to temporarily | boost your video quality for a few dollars. | | For many people, a cheaper plan with slightly lower quality | video is a great tradeoff. | cglong wrote: | I believe T-Mobile's newer plans (Magenta tiers) don't do | this. | acdha wrote: | > I consider those agreements to be violations of Net | Neutrality, since they're inherently not treating all data | the same. | | I would agree if they do not make that available to all | services. At least at the time they did that for music there | was a pretty long list of partners so I'd be most interested | in knowing whether they charge money or reject applicants. | lkxijlewlf wrote: | No, it is because... | | > The carriers wrote that the feature cuts off networks and | servers from accessing "vital network data and metadata and | could impact "operator's ability to efficiently manage | telecommunication networks." | | But seriously, it _is_ because it prevents T-Mobile from | monetizing you and slowing you down. | wlesieutre wrote: | iCloud Private Relay isn't like full blown VPN that hides | everything you do on the internet, only your web browsing in | Safari goes through it. So their existing systems to throttle | the connection of your video streaming apps will continue to | work just fine. | | It's completely about monetizing your browsing history. | lathiat wrote: | I believe it also takes non-https traffic from apps but | since they made https mandatory quite some time ago now I | suspect that is not much. Also content loaded inside email | in Mail. | andiareso wrote: | IIRC it redirects DNS queries system-wide as well which | definitely would hinder general interest tracking. 
| nunez wrote: | Thank goodness the carriers can't do anything about | solutions that use VPN to override default nameservers | jrockway wrote: | It also cuts down on the number of companies they can extort | for transit. Right now they can go to Netflix and say "would | be a shame if T-Mobile customers couldn't view movies during | peak hours" and Netflix has to pay them for that not to | happen. With all the traffic going through Apple, Apple is | the only company they can extort this way. (Meanwhile, Apple | or their "third-party provider" could of course play this | game, but historically tech companies have been super | uninterested in doing this.) | | Basically, what everyone wants is for companies like T-Mobile | to be a dumb pipe. They invested in spectrum and a network, | and they should just lease that network for cost + profit | margin. Instead, they want to milk it. They want you to pay | more for particular packets. They want the rest of the | Internet to pay more for particular packets. They want to | inject their own ads into unaffiliated websites. They want to | build a marketing profile based on what sites you visit, and | send you "offers" based on this. Right now, that is all | technically possible, so they'd be defrauding their | shareholders if they didn't try. But, we can of course say | "no" and route around the damage. Apple is letting their | customers say "no", and that means T-Mobile is doomed to | irrelevance, and that's a great thing. Infrastructure should | be infrastructure. | | (Can you imagine what it would be like if other utilities did | this kind of shit? Your water would cost less if you were | using it to run a Coke-branded soft drink dispenser, but not | a Pepsi one. Or, Dell computers could get electricity at a | 10% discount, but not Asus ones. It would be unthinkable! But | with these big ISPs, it's mandatory.) | jrockway wrote: | I hate to reply to myself, but I wanted to say one other | thing. 
When governments sell RF spectrum to companies, the | expectation is that they become good stewards of the shared | resource. The taxpayers are saying "you know, we think | private industry can give us more value from our RF | spectrum than the government", and this is their chance to | prove that. What we didn't want was to enable a monopolist | to nickel-and-dime the Internet to death. | | I'm guessing the exact legal agreements didn't spell it out | like this, but that's how I think of it. Only one company | can use this finite resource at once, but just because they | bought it doesn't mean there is no limit to what they can | do with it. | balls187 wrote: | > Meanwhile, Apple or their "third-party provider" could of | course play this game, but historically tech companies have | been super uninterested in doing this. | | Apple notoriously "extorts" developers to be in the app | store. | | > Basically, what everyone wants is for companies like | T-Mobile to be a dumb pipe. They invested in spectrum and a | network, and they should just lease that network for cost + | profit margin. | | I don't think you've considered the alternatives if | T-Mobile can no longer monetize traffic: | | * Go back to subscribers pay per kb usage | | * Eat the costs themselves | | * Raise cost of mobile data plans | | > Can you imagine what it would be like if other utilities | did this kind of shit? | | They side step this problem by charging per-use. During | peak demand, prices go up. Each customer pays their share. | Downside see Texas snowstorm. | Spivak wrote: | I really don't see the horror that would be carriers | charging for usage. I would rather that than pay for | stupid things like "lines" or "devices." | acdha wrote: | > Go back to subscribers pay per kb usage | | They charge $70/month for "unlimited" data which is only | 50GB before throttling. I'm pretty sure they can | profitably afford to run a network for that much without | reselling user data. 
| darkarmani wrote:
| They already charge per kb. Look at the small print -- once you hit a certain amount of usage, you are drastically rate-limited. The only difference is that some months, when you don't hit your limit, you pay more per byte.
| acdha wrote:
| > Right now, that is all technically possible, so they'd be defrauding their shareholders if they didn't try.
|
| This sounds like a clumsy restatement of the urban legend that companies have an obligation to maximize shareholder value. There is in fact no such rule, for the obvious reason that nobody can accurately predict the future and calculate the optimal value.
|
| https://corpgov.law.harvard.edu/2012/06/26/the-shareholder-v...
|
| In this case, a company like Apple could say that they are choosing to forgo short-term profits from selling out their users' privacy because they feel that the long-term loyalty will be greater, and anyone arguing otherwise would still have to admit that this approach has been phenomenally profitable.
| markbnj wrote:
| > Right now, that is all technically possible, so they'd be defrauding their shareholders if they didn't try.
|
| Can you expand on this? Are you saying that if a business opportunity exists and a company elects not to pursue it that constitutes defrauding shareholders? I would have thought it constituted nothing more than a disagreement over strategy.
| sodality2 wrote:
| It sounds like a sarcastic statement of the "profits not gained is profit lost" mindset and that shareholders would be upset, not literally a crime.
| toast0 wrote:
| Does T-Mobile actually extort companies for transit? When they announced their video streaming throttling + zero-rating, I looked through their publicly available documents.
| From what I recall, there wasn't any sort of payment process, and mostly there were two parts: identifying the traffic so T-Mobile knew to zero rate it, and either adaptive bandwidth usage (which seems pretty common for video streaming anyway) or identifying the traffic so the provider could serve lower bandwidth streams.
|
| It's not in line with the net neutrality, but it's useful for the direct parties:
|
| a) a video streaming customer wins because they can do video streaming without touching their data allotment.
|
| b) the video streaming server wins because their customers are able to do more streaming
|
| c) t-mobile wins because they've reduced bandwidth requirements
|
| Competitive streaming services that are not included in the program don't win, but t-mobile made it fairly easy to join. Users who want to stream at 4k or whatever don't win, but they can turn off the bandwidth restrictions and use their data allotment if that's what they want to do.
|
| At my last job, I was involved with a lot of zero-rating deals as the application provider; we never paid for it, and I don't recall ever being asked for payment. Some of the carriers even set up plans without our knowledge or consent or assistance; this didn't usually work great long term, because of misidentified traffic, but it indicates the demand was there without us pushing it.
| nojito wrote:
| Tmobile deprioritizes devices depending on high usage. Private Relay would allow individuals who are deprioritized to bring down entire cell towers.
| deadbunny wrote:
| Currently:
|
| P ---- CT ---- S
|
| With VPN/whatever:
|
| P ---- CT ---- VE ---- S
|
| P = Phone
|
| CT = Cell Tower
|
| S = Server
|
| VE = VPN endpoint
|
| So given this the cell tower can still determine who is using lots of traffic, they just can snoop on that traffic.
| dpratt wrote: | You're a little off, currently: P --- CT --- NAT | Proxy/Traffic Shaper --- Possible MITM host --- S | MikeBVaughn wrote: | Can you give a detailed model of how this would bring down | a tower? I'm very skeptical. | kstrauser wrote: | No, it wouldn't. They'd still have the ability to throttle | individual phones generating lots of traffic. | Spooky23 wrote: | Carriers nat/proxy everything and in addition to | bandwidth throttling, they will rate limit or otherwise | whack misbehaving applications. | | VPNing everything at scale will impact that | monitoring/management. And that will absolutely impact | towers, or cause the carriers to throttle users vs apps. | cobookman wrote: | ...they throttle at the phone-number/SIM. Even with a VPN | your phone is still auth'ing itself to the cell towers, | and those towers know what device is sending which | traffic. | | What this prevents is allowing say Youtube to pay TMobile | to never throttle their traffic. | Spooky23 wrote: | I know from firsthand experience that Verizon at least | can and did do more circa 2016. | acdha wrote: | VPNs work at a higher level. They have to see the radio | traffic to be able to deliver packets to your phone, | which is where billing and access control happens (this | is why you can't spoof someone else's IP to avoid paying | your bill), and at the IP level your VPN traffic is | carried from your carrier-issued IP address to your VPN | provider's addresses. | | The one legitimate argument here is that this prevents | traffic shaping based on the destination, which T-Mobile | uses to do things like offer unlimited streaming separate | from your general data quota. | woodruffw wrote: | T-Mobile probably isn't extracting too much of value from HTTPS | traffic. It's probably more about traffic shaping. 
| kstrauser wrote:
| You can extract a whole lot of value by mapping which sites someone is visiting even if you don't know what they're doing there, and you can get that information just from IPs.
| mox1 wrote:
| The hostname of most (all?) TLS connections is sent plaintext at the start of a new connection. This is called SNI (Server Name Indication).
|
| That provides some (or a lot) of value I am guessing.
| kstrauser wrote:
| Even without that, it's a pretty easy traffic analysis for:
|
| - Time T0: User requests the DNS record for example.com
|
| - Time T0+10ms: DNS returns "example.com. 193 IN A 10.1.2.3"
|
| - Time T0+20ms: User opens a connection to 10.1.2.3 port 443
|
| Chances are pretty good they're looking at example.com, even if you can't examine a single packet.
| symlinkk wrote:
| Still hides HTTP level metadata like the path, POST body, cookies, etc, no? All you'd have is the hostname
| kstrauser wrote:
| TLS hides all that already.
| gruez wrote:
| DoH mitigates this by hiding all DNS queries.
| astrange wrote:
| This is solved by ECH/ODoH but for full effect you have to trust the DNS server.
| cmelbye wrote:
| One reason could be that T-Mobile limits video streaming resolution based on the subscriber's plan. Only the most expensive plan can stream 4K video, otherwise it will "typically" be limited to 480p. https://www.t-mobile.com/cell-phone-plans?lines=2
| kylehotchkiss wrote:
| Or because they can't throttle video streaming sites down and internet speed test sites up?
| wlesieutre wrote:
| Private Relay only touches traffic from Safari, and while people _could_ watch Netflix in the browser instead of the Netflix app, I doubt that many do
| rolobio wrote:
| I've always wondered if you could start an internet speed testing website, get in the trusted list of companies like T-Mobile. Then release a VPN on the exact same servers, forcing the companies to provide the best speed to the VPN.
| | Only problem is that you would have to be large enough that | the ISPs would care if their scores looked bad. | jedberg wrote: | This is basically what Netflix did. They launched fast.com, | which comes off the same servers as Netflix video. The | whole goal was to get people to call their ISP and complain | they aren't getting the speeds they paid for and getting | them to unthrottle Netflix. | rolobio wrote: | Didn't know that! Wonderful!! | jaywalk wrote: | This is almost certainly the main driver. | daenney wrote: | Yes. | newshorts wrote: | I smell an opportunity for t-mobile to add a "private relay | enabled" tier to their pricing structure. | | Pay extra for privacy | asadlionpk wrote: | I wonder when will Apple launch their own network. Would be fun! | tuetuopay wrote: | This is the worst thing. Not for Apple or Apple users, but for | the general internet. If that goes through, and countries | effectively end up making Private Relay illegal, that is a very | VERY strong precedent to block regular VPNs. And that's terrible. | | I wonder if the same could happen to TOR, if VPN end up the same | way... | bonyt wrote: | The message says that the user's "cellular plan doesn't support | iCloud Private Relay," so is this the same thing they've done | with other VPN providers? That is, do they just count the traffic | against the tethering/hotspot limit, since they can't shape | traffic on it to, _e.g._ , limit video quality to 480p when a | user has a plan with that limitation? I don't know if they | actually do this, but I've heard it before. | | https://www.reddit.com/r/tmobile/comments/9ja8y1/i_can_confi... | jaywalk wrote: | No, they do not allow users to enable Private Relay at all | because Apple allows carriers to determine whether it's | available or not. Even FaceTime over cellular is still | something that carriers get to decide whether to allow or not, | although I'm not aware of any carriers that don't. 
| amaccuish wrote: | iPhones sold in the UAE have FaceTime removed. | chinathrow wrote: | Why is Apple even giving them an option in this? | jaywalk wrote: | Because Apple wants to keep their carrier partners happy, | so they give them control over things that will have an | impact on cellular data. | | Like I noted with FaceTime over cellular, it's nothing new. | joe5150 wrote: | I can't imagine what kind of leverage they think they | have. is any provider going to just drop iPhone support | from their network? | thehappypm wrote: | These deals are old. FaceTime when it came out was in the | era of 3G. FaceTime over 3G could be a bandwidth hog.. | and iPhones were not nearly as popular, so the | negotiations were more give-and-take. | kstrauser wrote: | There are legitimate reasons why a specific business | network might not allow it. For example, if you're on the | employee network of a bank or hospital, it's very likely | that your web connections are going through a proxy to make | sure you're not sharing confidential data, and to block | malware and such. Private Relay would go around those | proxies. Allowing networks to opt out of Private Relay, | then, is a better business decision than having enterprise | networks just block all iPhones. | easton wrote: | Corporate networks makes sense, but giving carriers the | ability to disable it on the phone (i.e. not via blocking | mask.icloud.com) doesn't make sense. It's not like | personal hotspot where it allows you to bypass network | policies, except for maybe the streaming shaping (but how | long did they think that would work anyway?). | haswell wrote: | If I had to speculate, in order to continue operating in | regions where governments more tightly control carriers. | flerchin wrote: | From my limited testing, carriers are whitelisting traffic | for high-bandwidth. When I establish a vpn tunnel on my | Tmobile sim card, bandwidth drops dramatically. Presumably | because they can't inspect it. 
| neurobashing wrote: | FWIW I am using Deadpool Telephony LLC, which uses the | T-Mobile network (as MVNO), and Private Relay works fine. | gennarro wrote: | Can someone explain how it's possible to block this? Just stop | the whole IP range from the network? | kstrauser wrote: | iPhones find the entry servers to Private Relay via DNS. If you | drop those hostnames, then it's effectively blocked. | vmception wrote: | should let users run them | | like Tor exit nodes, or obfs4 bridges | | turn it into a war of attrition! | gennarro wrote: | So with a custom dns server you are fine? | | Edit: woodruffs above provided docs | giobox wrote: | While its trivial to edit DNS settings for wifi, its | actually quite difficult to change your DNS server on the | cellular profile on iOS as comment from Easton here rightly | points out. I was kinda surprised the first time I found | out you can't edit the cellular DNS server settings via the | phone's Settings app. | | One option that works for me to get custom DNS on iOS | cellular connections (I like PiHole ad blocking on my | phone) was to setup my own VPN connection to a VPS instance | running PiHole for DNS and WireGuard for the VPN. Lets me | get custom DNS, pihole adblocking over cellular so long as | VPN isn't blocked by your cellular provider etc. Was two | trivial Docker containers to get running, costs very little | in AWS. | | Same trick also lets me access region blocked TV services | from my iOS devices over US cellular simply by turning a | VPN on - I just stand up the containers on a VPS host based | in source country and connect to that. | easton wrote: | Yes, but you can't set custom DNS for cellular networks | without a configuration profile or an app, so it's unlikely | that most people have that set. | kstrauser wrote: | Depends on the ISP. If they block or re-write DNS packets, | then setting your own servers wouldn't fix it. 
| That's a real thing people see in the wild: https://superuser.com/questions/897543/how-can-i-check-if-my...
| woodruffw wrote:
| I'm not familiar with Private Relay's details, but based on the available public information: every connection is initiated through a proxy server controlled by Apple, so all Verizon (probably) has to do is detect that initiation pattern and/or figure out which IPs/subdomains are specifically responsible.
|
| Apple can probably improve the situation by making Private Relay more like a VPN (instead of a fancy web proxy + DNS masker), including reusing the same IPs and domains that iCloud traffic is already going through.
|
| Edit: Apple's docs show two well-known subdomains for Private Relay[1]. Blocking both of those is probably what Verizon's doing.
|
| [1]: https://developer.apple.com/support/prepare-your-network-for...
| sa1 wrote:
| Apple allows networks to block Private Relay:
|
| "Network settings
|
| Some organizations might be required to audit all network traffic by policy. To comply with such a requirement, these networks can block access to Private Relay. Users will be alerted that they need to either disable Private Relay for the network or choose another network. The fastest and most reliable way to do this is to return a negative answer from the network's DNS resolver, preventing DNS resolution for the mask.icloud.com and mask-h2.icloud.com hostnames necessary for Private Relay traffic."
|
| https://www.apple.com/privacy/docs/iCloud_Private_Relay_Over...
| stefan_ wrote:
| No, Apple built in a feature for carriers to disable it.
| Neil44 wrote:
| There seems to be a lot of tacit assumption here that phone companies want to do bad things with your browsing metadata and Apple doesn't, but I don't see any firm reason to make that assumption.
| janandonly wrote:
| Does this mean Verizon and t-mobile are also blocking all VPN traffic?
| | Also, how can the "land of the free" not have net-neutrality | laws? | skunkworker wrote: | No, Verizon is not at least. I will commonly connect to my home | network over self-hosted vpn while on Verizon LTE. | joe-collins wrote: | We did, briefly, under Obama. More recently, the previous | administration unwound those rules. | | More technically: NN was implemented via the existing authority | of the FCC, rather than any new law. Then the FCC, under new | leadership, decided that internet service was outside of that | authority, actually, and dropped that enforcement. Under Biden, | there has been no change back in the other direction. (And at | no point has there been a separate, federal law.) | kevin_b_er wrote: | The previous administration even attempted to prevent states | from having net neutrality by claiming that disclaiming FCC | authority was a prohibition on it. Yes, by attempting to | claim FCC had no authority to regulate they also | simultaneously claimed this prohibited states from regulating | it. | | The paradoxical was a direct reflection of the corruption | within the FCC at the hands of the previous administration. | jondwillis wrote: | If anyone is aware of any grassroots efforts to reinstate NN, | please comment. I had basically forgotten about the rollback | under Ajit Pai, which, is in my cynical view, exactly what | _they_ want. | thebigjewbowski wrote: | You could say our ISPs are free to make deals with whomever wrt | bandwidth. | | Is free, unlimited HD Netflix steaming worth more than private | relay? I'm guessing most people would say yes. | | I'd consider switching. Oddly enough though I was able to turn | on private relay on T-Mobile USA. | divbzero wrote: | For me, this new policy will be reason enough to switch away from | T-Mobile at the nearest opportunity. | finite_jest wrote: | I think you should avoid T-Mobile if you can. Not just as a | matter of principle, but also pragmatism. 
| They have an extremely crude SMS censorship/anti-spam system [1] which even blocks links to lichess.org, the popular online chess website.
|
| They have poor security practices like storing passwords in plaintext [2], and they had a large data breach (probably about 100M customers affected) last year. [3]
|
| And now, it seems they are throwing in some protocol blocking too.
|
| PS: This isn't protocol blocking at the packet/port level, so I may have used "protocol blocking" a bit inappropriately. Apparently Apple allows the carriers to prevent people from enabling iCloud Private Relay, and T-Mobile is doing that. Apple is probably doing so due to the pressure by the carriers. In August, four carriers (Vodafone, Telefonica, Orange and T-Mobile) signed a letter urging the European Commission to stop Apple from providing Private Relay. (According to a report by The Telegraph: https://archive.fo/BRUS4#selection-915.74-925.194) This, of course, is still quite preposterous.
|
| [1]: https://news.ycombinator.com/item?id=29744347
|
| [2]: https://news.ycombinator.com/item?id=16776347
|
| [3]: https://news.ycombinator.com/item?id=28192423 (The first comment by @jonathanmayer has a list of other recent T-Mobile security incidents)
| jc_811 wrote:
| I would love to leave T-Mobile, but they are the only carrier in the US who offers such a core piece of functionality for me: International service included out-of-the-box.
|
| I love to travel, and nothing beats being able to land in (pretty much) any country in the world, turn on your phone and have working service just like that. No SIM cards, no different numbers, no local pre-paid cards, and no crazy international fees.
|
| As someone who enjoys work/travel for weeks to months at a time, every other major carrier is not feasible for this (think 10$/day, which becomes unreasonable when you're out of the country for 3+ weeks).
| | Unless somebody else could recommend another option it seems | I'm stuck with T-Mobile for now. | lancesells wrote: | I have AT&T and it's a toggle to turn it on but you're right | about the $10/day. I've felt the sting many times. | mtoner23 wrote: | Google fi? service probably isnt as good as t mobile though | ac29 wrote: | Google Fi is T-mobile service in the US (and Sprint, which | T-mobile acquired). | r-w wrote: | Google Fi uses T-Mobile in the background. Depending on | what you mean by "service probably isnt [sic] as good", you | may either be wrong or be making a niche point. | vageli wrote: | Google Fi does everything you ask for (and works with more | phones that just those that Google manufactures). | [deleted] | bogwog wrote: | Google Fi is an MVNO of T-mobile/Sprint (last I checked | anyways). so if T-mobile blocks the private relay for their | network, it could affect them too. | | Also, Google Fi kinda sucks. They used to be the cheapest, | but nowadays you can get better prices from other services. | For example, Google charges $10/gb/mo, whereas Mint Mobile | (another T-mobile MVNO) charges 4gb for $15/mo, or $30 for | unlimited. | | Google Fi is only cheaper if you use less than 1.5gb of | data per month, and the service quality is probably the | same. | | ...and that's not even mentioning all the privacy concerns | attached to Google. | pkulak wrote: | The difference is that Google Fi runs at the top network | priority. You can find loads of dirt-cheap MVNOs, but | your data is at the back of the line if there's any | congestion. | reidjs wrote: | As someone who used Google Fi for a while internationally, | DO NOT get Google Fi! So many problems on an iPhone 7. | Little to no connectivity in many places where they | advertised having connectivity. This was ~2018-2020, so | maybe it has improved, but I had such a bad experience with | them. 
| tristor wrote: | This is the only reason I switched to T-Mobile originally and | the only reason I still have them. Their coverage is so poor | that I get no LTE service sitting in my house in a core part | of the major metro area. I'm only able to maintain them | because they were an early and ardent adopter of WiFi | Calling. On a recent trip in the US I had no service off | major interstate highways. Internationally though, T-Mobile | is amazing. I honestly wish my experience in the US was as | good as my experience while traveling... there's not much | point in having uncapped LTE when you get 1 or 0 bars of | service, at least internationally I get great service even if | it is speed capped at 256kbps. | perfectstorm wrote: | avoid T-Mobile and join AT&T or Verizon? i'm sure they have | their fair share of shady/borderline illegal things they do. | manuelabeledo wrote: | > i'm sure they have their fair share of shady/borderline | illegal things they do. | | That might be true, but at least AT&T doesn't block private | VPNs, nor has plans to do so. | r-w wrote: | Here is what your comment boils down to: | | "A." | | "But B!" | | >> "But still, A." << | k4ch0w wrote: | And go where? I've had bad experiences with service with AT&T | and Verizon in my area, Washington State. It's shockingly | spotty. | reaperducer wrote: | Good timing. My wife is going to get a cellular data plan for her | new iPad this week. | | Now I know to cross T-Mobile off the list. | hendersoon wrote: | It's very easy to block private relay on your network by simply | blocking resolution of two hosts, Apple has this documented. | | https://developer.apple.com/support/prepare-your-network-for... | | There's only one legitimate justification to block it; to better | manage their network by caching data locally and not going over | the internet. Private relay retains your rough physical location | but it obviously connects outside of your ISP's network. 
| | Thing is that's a legit reason to block it, but it isn't a | _strong_ one. | josephcsible wrote: | That's not a legit reason to block it for everyone on the | network. That's a legit reason for individual iPhone owners to | turn it off if they value better performance over privacy. | amaccuish wrote: | Ever more convinced it's been a good idea to route all my phone | traffic through WireGuard. | | Though it interests me why mobile networks feel they are able to | do this whereas landline ISPs don't tend to in such great | numbers. At least, as far as I am aware, Deutsche Telekom aren't | adding headers to bare HTTP requests etc. | | I'm wondering if it's actually worth caving and having my home | traffic tunneled to some provider more reputable. | somebodythere wrote: | I wonder why Apple allows this. Do the carriers really have more | leverage than Apple here? | josho wrote: | Apple has good reasons to allow this. Inside a corporate | network for example you may not want DNS queries going to | Apple's servers. | | So Apple has made it very easy for a network admin to disable | private relay. All an admin needs to do is blocking name | lookups for relay.Apple.com* | | *I don't recall the actual DN used, it's in Apple's docs if you | are curious. | josephcsible wrote: | Apple still shouldn't make it so easy to block this | wholesale, even on corporate networks. Instead, they should | have a way to make only corporate-internal traffic not go | through it. | somebodythere wrote: | The OS should be able to distinguish between a corporate | network and mobile carrier, right? | easton wrote: | It can, but if mask.icloud.com is where the relay | connection needs to go that wouldn't help. 
| [deleted]
| badlucklottery wrote:
| I think if you gave most people the choice to either:
|
| a) disable this feature (that they likely don't fully understand) or
|
| b) change their cellular service provider
|
| they're going to choose the former even though migrating your phone number is pretty damn easy nowadays.
| sprite wrote:
| Is there a list of private relay addresses used by Apple?
| seligman99 wrote:
| If you mean IP addresses, then, yes, they publish a .csv with the IP addresses [1]
|
| It seems to update once a month [2]
|
| [1] https://developer.apple.com/support/prepare-your-network-for...
|
| [2] https://imgur.com/a/35HIV5M (only showing counts for IPv4, they have huge IPv6 blocks)
| woodruffw wrote:
| There are currently two subdomains associated with Private Relay. Apple's documentation implies that all connections are initiated through one or the other.
|
|   mask.icloud.com
|   mask-h2.icloud.com
___________________________________________________________________
(page generated 2022-01-10 23:00 UTC)
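
Several comments above (kstrauser, sa1, hendersoon) say Private Relay is switched off by having the network's resolver return a negative answer for mask.icloud.com and mask-h2.icloud.com. The following is an added example, not code from the thread or from Apple: a small DNS client that classifies how a resolver answers for those two names. The function names, verdict strings and sample replies are constructed for illustration, and counting both NXDOMAIN and an empty NOERROR reply as a "negative answer" is an assumption based on standard DNS usage.

```python
import socket
import struct

# Hostnames named in the thread and in the Apple guidance quoted there.
RELAY_HOSTS = ("mask.icloud.com", "mask-h2.icloud.com")
TYPE_A, CLASS_IN = 1, 1

def encode_name(name):
    """Encode a hostname as length-prefixed DNS labels ending in a zero byte."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_query(name, txid=0x1234):
    """Build a recursive A query (RD=1, one question)."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN))

def skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while off < len(msg):
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length
    raise ValueError("truncated name")

def parse_response(msg):
    """Return (rcode, [IPv4 addresses]) from a DNS response message."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4           # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record header")
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated record data")
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
        off += 10 + rdlen
    return flags & 0x000F, addrs

def classify(msg):
    """Map a response to a verdict; NXDOMAIN and NODATA are the negative answers."""
    rcode, addrs = parse_response(msg)
    if rcode == 3:
        return "blocked: NXDOMAIN"
    if rcode == 0 and not addrs:    # NOERROR but no A record in the answer
        return "blocked: NODATA"
    if rcode == 0:
        return "resolves"
    return "error: rcode %d" % rcode

def relay_blocked(verdicts):
    """True only when every Private Relay hostname got a negative answer."""
    return all(verdicts[h].startswith("blocked") for h in RELAY_HOSTS)

def query_live(resolver_ip, name, timeout=3.0):
    """Ask a real resolver over UDP port 53 (not used by the offline demo)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: dropped or timed out"
    if reply[:2] != query[:2]:
        return "ignored: transaction ID mismatch"
    return classify(reply)

def make_response(name, rcode=0, addrs=()):
    """Constructed sample reply (not captured traffic) so the demo runs offline."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(addrs), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for addr in addrs:  # each answer points back at the question name (0xC00C)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4)
        msg += socket.inet_aton(addr)
    return msg

if __name__ == "__main__":
    # Constructed scenarios; 192.0.2.0/24 is a documentation-only range.
    open_net = {h: classify(make_response(h, addrs=["192.0.2.10"])) for h in RELAY_HOSTS}
    filtered = {h: classify(make_response(h, rcode=3)) for h in RELAY_HOSTS}
    for label, verdicts in (("open network", open_net), ("filtering resolver", filtered)):
        print(label, verdicts, "relay blocked:", relay_blocked(verdicts))
```

To test the network you are actually on, call `query_live()` with the address of the resolver that network hands out; a timeout rather than a negative answer means the queries are being dropped instead of answered.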