A group of UK network operators have formally urged the UK’s Competition and Markets Authority (CMA) to regulate iCloud Private Relay, claiming that Apple’s privacy service is anti-competitive, potentially bad for users, and a threat to national security.
In its response to the CMA’s Interim Report on mobile ecosystems, Mobile UK, a trade association of British mobile network operators, including EE, Virgin Media O2, Three and Vodafone, has raised concerns that iCloud Private Relay can have a negative impact on user experience, internet safety, and competition.
iCloud Private Relay is a new service introduced with iOS 15 that ensures all traffic leaving an iPhone, iPad, or Mac is encrypted using two separate internet relays, so that companies cannot use personal information like IP address, location, and browsing activity to create a detailed profile about users.
Following a formal complaint about Private Relay from Microsoft, Mobile UK claims that the privacy service can have undesired side-effects for users: “Private Relay affects Apple users in many ways, beyond simply what level of privacy a user wants.” For example, “Apple users have suffered a worse browsing experience when using Private Relay.” This is alleged to have the potential to push users to “migrate” away from “the Safari browser to apps downloaded from the App Store where Apple can earn a commission.”
Private Relay prevents network providers from seeing the network traffic from Safari and unencrypted applications. In preventing network operators from seeing this traffic, Mobile UK says that Private Relay prevents service providers from understanding “demand patterns across mobile networks,” inhibiting their ability to effectively diagnose customer issues.
Moreover, Private Relay is alleged to compromise “content filtering, malware, anti-scamming and phishing protection provided by network providers.” Mobile UK also claims that Private Relay is a threat to national security, since it “impairs the insights available under the Government’s investigatory powers, with implication for law enforcement” with regard to “terrorism, serious organized crime, child sexual abuse, and exploitation.”
Private Relay purportedly allows Apple “to leverage its considerable market power into many areas of the market and thus being able to further entrench its position.” Mobile UK says that due to Private Relay, “providers will be unable to use the traffic data to develop their own competing mobile browsers in the future,” as well as other services that directly compete with Apple:
“Network providers would no longer be able to use web traffic data over Safari to develop their own digital products and services that compete directly with Apple. For example, a network provider may no longer have access to information about a user’s content viewing habits to develop their own content that competes with Apple TV. Similarly, a network provider may no longer be able to share consumer insight with third parties that provide digital advertising services in competition with Apple Search Ads…”
Mobile UK asserts that the ability of UK Internet Service Providers (ISPs) “to differentiate and compete in the market on fair terms” is actively undermined by Private Relay since Apple is effectively becoming an ISP itself:
“Apple unilaterally terminates the role of the mobile and fixed connectivity provider in resolving the internet connection, with Apple itself taking over the role of the ISP. The mobile and fixed connectivity provider’s role is reduced to providing conveyance from the handset/home to the Apple iCloud platform.”
Mobile UK is concerned that “Apple could thus leverage its position in the device and operating system to grow its iCloud+ user base to develop its position as an ISP.”
Moreover, the trade association said that Private Relay directs users to more Apple services, “accessing the internet in a manner curated by Apple.” Private Relay enables Apple “to favor its own proprietary applications and service, at the expense of other providers.”
Mobile UK also said that Private Relay “affects competition in mobile browsers,” highlighting that “rival browsers cannot differentiate themselves easily” as a result of Apple’s WebKit browser engine restriction. The organization complains that users cannot “switch to an alternative browser” to skirt Private Relay since “the ability of rival browsers to differentiate themselves from Safari will still be limited by the terms of Apple’s browser engine.”
In conclusion, the trade association says that Private Relay must be regulated beyond its superficial existence as a privacy service:
“Mobile UK is very concerned that consumers are not fully informed about how Private Relay works or that they understand the full implications of invoking the services…
“The impact of Private Relay is therefore multi-dimensional and cannot be assessed solely through a privacy lens.”
Mobile UK urged the CMA to implement “a remedy that limits the use of Private Relay,” or “at the very least” prevent “Apple from making Private Relay a default-on service.” The complaint noted that “Private relay is currently default-off but it is already being used by a significant portion of Apple customers in the UK, despite being in beta mode.”
Private Relay should not be presented as a set-up option or installed as an on-default service. It should be made available as an app where others can compete with similar services such as VPNs. Apple should notify relevant third parties in advance of introducing Private Relay services, so that third parties can inform their customers of how their service may change were Private Relay to be used. For example, advance warning of the introduction of Private Relay would have allowed network providers to inform customers how their security solutions may change and also inform Government how it changes their investigatory powers insight from network traffic data.
For more information, see Mobile UK’s full submission to the CMA. iCloud Private Relay has come under similar skepticism in the European Union, where major mobile operators sought the banning of Private Relay for infringing upon EU “digital sovereignty.”
Earlier this week, Apple aggressively defended its ecosystem in its detailed response to the CMA. It said that the regulator had set the benefits of Apple’s ecosystem aside “without reasoned basis, either ignoring them entirely or dismissing them on the basis of nothing more than speculation.” Apple alleged that the CMA’s Interim Report was based on “unsubstantiated allegations and hypothetical concerns raised primarily by self-serving complaints” from a handful of multi-billion dollar companies, “all seeking to make deep changes to the iPhone for their own commercial gain, without independent verification.”