
It broke it in the sense that it removed a signal that would allow the service to distinguish legit users from possibly malicious ones. In the case of a legit user that has in the past always authenticated from an IP address or address block geolocated to say, Seattle, the service can look at any authentication attempt from elsewhere as anomalous and raise additional challenges.

However, with Relay, that signal is lost. Legit users and malicious parties become indistinguishable. The service can't tell if traffic from the relay is from a customer or an attacker.

What to do? Trust everything? Not good. Treat everything as potentially malicious? Safe, but makes the user experience worse.

To use your analogy, if you look through your peephole and can't tell if the person is your best friend or your worst enemy, how do you react? If you assume it's your best friend, you could be in trouble. If you treat the visitor like your worst enemy, you've pissed off your best friend.



IIRC, in one of the WWDC talks, Apple's advice is to stop relying on IP address as a signal of the user's location. Either make use of the location APIs on the platform or work out something different.


Trusting location APIs is also silly, as those can be spoofed easily. What Apple is really doing here is subverting the entire concept of geo-blocking services, which is great.


Many APIs can be spoofed. If a system is trusting a third party service for security purposes, that needs to be subject to some close scrutiny. Using location as one signal of many is reasonable, and in some legal regimes, at least for now, required. Using location as the sole signal is foolish, and never was sufficiently reliable for anything but the most casual security check. See for example https://splinternews.com/how-an-internet-mapping-glitch-turn...


This does not prevent geo-blocking, because the relay's IP is still in the same region as the user.


Except when it isn’t, like in the OP’s article. Also, when datacentres inevitably go down, traffic will be rerouted, potentially to other countries.


Thank you, this really well summarises my article.


In my previous work we used the term "progressive authentication" for something similar. If the authentication attempt matched previous patterns, assume it's OK. If one or more of the signals is different but not obviously suspicious, present an additional challenge. This would be the case if the user lived in, for example, Seattle, and the login came from a place like the Bay Area, which they have previously visited. If it's clearly anomalous, provide all challenges and possibly even block the attempt. This would be the case if, for example, an obvious bot script was running from an address that resolved to an AWS instance in Hong Kong.
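The tiered scheme described in this comment, together with the "lost signal" problem raised earlier in the thread (a relay egress hides the client's location), as an added illustration that is not code from any commenter or from Apple. The signal names, weights and thresholds are assumptions chosen for the example; the point is that a missing location signal is scored as uncertainty, not as an anomaly, and that a device-binding signal can stand in for it.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Tiers from the "progressive authentication" scheme: history matches -> allow,
# partly different -> extra challenge, clearly anomalous -> everything, or block.
ALLOW, STEP_UP, FULL_CHALLENGE = "allow", "step_up", "full_challenge_or_block"

@dataclass
class LoginAttempt:
    geo: Optional[str]        # region the source IP geolocates to; None if unknown
    via_relay: bool           # source IP is a known privacy-relay egress (assumed lookup)
    hosting_asn: bool         # source IP belongs to a cloud/hosting provider (assumed lookup)
    known_device: bool        # device token previously bound to this account
    automation_markers: bool  # e.g. headless client or impossible timing (constructed signal)

@dataclass
class UserHistory:
    home_regions: set         # where the account habitually authenticates from
    visited_regions: set      # regions seen before for this account, but not habitual

def assess(attempt: LoginAttempt, history: UserHistory) -> Tuple[str, int, List[str]]:
    """Score one login attempt; the weights are illustrative, not a standard."""
    score, reasons = 0, []
    if attempt.automation_markers:
        score += 3; reasons.append("automation markers")
    if attempt.hosting_asn:
        score += 2; reasons.append("hosting/cloud ASN")
    if attempt.via_relay or attempt.geo is None:
        # The relay hides the client's location. The signal is *missing*, which is
        # not the same as *anomalous*: charge a little uncertainty and let the
        # remaining signals (notably device binding) decide the tier.
        score += 1; reasons.append("location signal unavailable")
    elif attempt.geo in history.home_regions:
        reasons.append("home region")
    elif attempt.geo in history.visited_regions:
        score += 1; reasons.append("previously visited region")
    else:
        score += 2; reasons.append("never-seen region")
    if attempt.known_device:
        score -= 1; reasons.append("known device")
    if score >= 3:
        return FULL_CHALLENGE, score, reasons
    if score >= 1:
        return STEP_UP, score, reasons
    return ALLOW, score, reasons
```

A relay user on an unknown device lands in the same step-up tier as the Bay Area traveller, while the same relay user on a previously bound device is allowed; only the bot from a hosting ASN in a never-seen region reaches the block tier.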


Why would my visitor be surprised that I'm suspicious though? They're choosing to be suspicious.

Another analogy I could make is someone that is blocking their caller ID. Should they be surprised that fewer people will take their call? They're lumping themselves in with spammers.

I think Apple -- and anonymizing proxy/VPN services in general -- should be communicating that to their customers.


Whoah there, Nelly! That’s a huge leap from ‘using built-in privacy protection features of my phone’ to ‘choosing to be suspicious’.

Why should everyone between me and my data have access to an IP address that is tied to my personal data? And when did choosing to not allow that become a shady thing to do?

— edited autocorrect of ruins to features


It comes back to reputation. In the real world, we build up a reputation and people can choose to trust us based on it. That also means that they get to know us. I personally like being able to interact with people that I've built up a positive relationship with. Why doesn't that carry over to the virtual world though?

I think everyone's view is tinted by the over-collection of data that some companies are doing. A real-life analogy would be having someone record everything that you do. We've come to accept that to an extent when going into stores, but probably wouldn't hang out with a friend that did that. I don't think the best solution to that is to put a bag over yourself and change your voice so that you're anonymous but still hang out with that friend -- I think it's to tell your friend that you don't want to be recorded. If some service is recording you too invasively, don't do business with them. If you don't know who is recording you, get your government to pass a law like GDPR.

If you want to live in a world without reputation, there will be drawbacks. Attackers will be indistinguishable from regular users, so you have to treat regular users as if they could be attackers; you can't have a tiered approach. The person banned for posting threats (or worse) or otherwise misbehaving on a message platform will be indistinguishable from a new account. The brute force attack will be indistinguishable from the legitimate user. Etc.

To throw out the whole concept of reputation so that you can be perfectly anonymous seems like the wrong solution to the problem.


Here’s the problem - my IP address should not signal reputation. They are fungible, and can change on your carrier’s whim. GEO-IP data is spotty at best. And that doesn’t even touch on how IaaS platforms handle IPs.

The only thing that should signal my reputation is my identity, and despite the best efforts of the adtech world, you can’t reliably correlate that to an IP address.


I understand what you're saying, but my mom sure will think it's frustrating that a company she does business with is going to challenge her beyond the normal experience because Apple lets her protect her privacy. After all, she's telling the company who she is by logging in.


The company challenging her beyond the normal experience is forced to because until she logs in, she is indistinguishable from an attacker. That's the price she's paying for perfect privacy.

They're not doing it because they want to annoy anonymous users; they're doing it because they're not getting any signal that they can trust this connection. That's the price you pay for removing reputation, and no number of Apple Relay users can change that. Website operators can't simply start trusting completely anonymous connections simply because there are a lot of them.

That's why I say Apple should be communicating this to users: there's a price to pay for anonymity. You may see more captchas, you may get challenged with 2FA more often, etc. Not to mention, you might be making it easier for actual criminals to hide amongst the other traffic.

When she logs in, the privacy issue becomes moot of course, yes. At that point her credential can be trusted the same way as before.


This is what Private Relay changes. They're not choosing to be suspicious. Right now, if you're eligible, you're opted in by default. So you end up either deciding that Mac/iOS users are suspicious by default, or you need to redefine suspicious.


The difference between Apple and other anonymizing proxy/VPN services will be the size of the user base.

Websites will have to choose if they're willing to provide a worse UX to Apple customers.


> Why would my visitor be surprised that I'm suspicious though? They're choosing to be suspicious.

I didn't say that. In the example I gave, you looked through your peephole and couldn't identify the visitor. Perhaps there's a problem with the peephole.


In the Apple Relay case, the person is deliberately making it impossible for me to determine who they are. It isn't a problem with my peephole.

If there is a problem with my peephole, I'm still not trusting the person at the door until I can check it out and fix it.


The person at the door is changing one aspect of many, and it's not even one that the person may have any understanding of. They are very clearly saying their name to you.


If not getting a source IP makes it impossible for you to determine who someone is, you really need to reevaluate your identity systems. IP addresses are not reliable indicators of anything, let alone identity.


> someone that is blocking their caller ID.

They do give you valid login and password, why is that not enough?


You've never had your credentials stolen, or lifted in any of the many widely-reported password store breaches? https://haveibeenpwned.com/Passwords


I get your point. No, I have had nothing stolen, and I def will not enter my password on HIBP ever :). I think these IP-based security checks should be on by default, yes, but with an opt-out option. I'm using a VPN all the time and getting sick of “new device” emails.

Btw, none of Apple's services has complained yet about my VPN usage.



