Solving Connectivity Problems Caused by Interlocking Apple Privacy Settings

Complaints about website loading have been trickling in of late, and while the details vary, the commonality has been that the problems started with macOS 12.4 Monterey. Sometimes the problem was just with Safari; other times, it affected Chrome and other browsers too. In some cases, the entire page would refuse to load; in others, only portions of the page would fail.

The solution to the problems I’ve seen so far is simple: in System Preferences > Network, turn off Limit IP Address Tracking for each network adapter you use (Ethernet and Wi-Fi below—they look surprisingly different).

For some people, the problems have extended to iOS 15 and iPadOS 15. Apple provides the same Limit IP Address Tracking option in Settings > Wi-Fi > YourNetwork and Settings > Cellular > Cellular Data Options.

If you read the fine print underneath the iPhone screenshots above, you’ll notice that it says, “When this is turned off, iCloud Private Relay will also be turned off for this network.” That message appears on my iPhone because I do have iCloud Private Relay enabled for the iPhone, whereas I turned it off on my Mac.

I wish I better understood what’s happening here, but it’s devilishly difficult to test a feature that prevents tracking by malicious actors, given that I’m neither malicious nor an actor. Clouding the situation even further is the fact that features that say they’ll limit IP address tracking or hide your IP address exist in three completely separate places:

• iCloud Private Relay: This overarching privacy feature routes all your traffic through two separate Internet relays to hide your IP address from the site to which you’re connecting. You can turn it on and off in System Preferences > Apple ID on the Mac and Settings > YourName in iOS and iPadOS.
• Limit IP Address Tracking: This option is either enabled or disabled for each network you use, whether Wi-Fi, Ethernet, or cellular. As noted above, its description changes depending on whether iCloud Privacy Relay is on or off.
• Hide IP Address: Safari and Mail both offer this option in their preferences but say little about how it relates to iCloud Private Relay.

Here’s what I think is going on and where I’m unsure. I hope you can use this information to walk the fine line between increased privacy and more frequent connection problems.

iCloud Private Relay

The first thing to check if you experience sporadic networking failures is iCloud Private Relay. This feature, available only to iCloud+ subscribers who pay Apple for additional storage space, routes all your traffic through two Internet relays, one run by Apple and another run by a major content-delivery network like Akamai, Cloudflare, or Fastly. Apple has a white paper that explains it in detail, but here are the basics.

The privacy win is that only your ISP and Apple know your IP address because your ISP and the first relay (called the “ingress proxy”) have to associate the connection with you to send the response back to you. The address of the website you want to load is encrypted, however, so neither your ISP nor Apple knows where you’re going.

The second relay (known as the “egress proxy”) assigns a new, temporary IP address to the request, decrypts the address of the destination website, and completes the connection to the remote site. In other words, the egress proxy doesn’t know your IP address—it gets only enough information to locate you in roughly the right region of the world so geolocation isn’t a problem.

Apple acknowledges that iCloud Private Relay can cause problems, in part due to the new transport protocols it uses. iCloud Private Relay also takes over from your DNS servers, which may account for some of the problems; at least one user had a Pi-hole ad blocker installed. macOS tells you this when you specify DNS servers in System Preferences > Network > YourNetwork > Advanced > DNS.

As a user, however, if you have problems, there are only two things you need to try, as described above:

• Disable iCloud Private Relay entirely. It’s easily turned on and off, so there’s no harm in flipping that switch as needed.
• Disable Limit IP Address Tracking for a particular network. That would let you, for instance, disable it on your iPhone for your home Wi-Fi network while leaving it on for your cellular data connection.

You wouldn’t necessarily guess that Limit IP Address tracking would disable iCloud Private Relay for a particular network, and Apple mentions it only once in its documentation of iCloud Private Relay, saying:

Private Relay can be turned on or off just for a specific network using the Limit IP Address Tracking preference.*

The asterisk points to a footnote that says:

* In earlier versions of iOS, iPadOS, and macOS, this preference is called iCloud Private Relay.

So why did Apple rename that option? Here’s where things get murky. I think it has to do with Limit IP Address Tracking doing more than just disabling iCloud Private Relay.

Limit IP Address Tracking

Apple has said that disabling Limit IP Address Tracking turns iCloud Private Relay off for a particular network. And I think it’s safe to say that if you disable both iCloud Private Relay and Limit IP Address Tracking, traffic will flow normally to and from your ISP and destination sites.

But what about the remaining possibility, where iCloud Private Relay is turned off, but Limit IP Address Tracking is turned on? Here’s where that fine print comes into play. When iCloud Private Relay is turned on, the fine print reads:

Limit IP address tracking by hiding your IP address from known trackers in Mail and Safari. When this is turned off, iCloud Private Relay will also be turned off for this network.

With iCloud Private Relay turned off, the fine print shrinks to:

Limit IP address tracking by hiding your IP address from known trackers in Mail and Safari.

I haven’t been able to find any Apple documentation of what this means, but my guess is that Apple has essentially embedded the iCloud Private Relay approach of routing traffic through two Internet relays into Mail and Safari, such that it affects only requests from those apps. What I don’t understand is what “hiding your IP address from known trackers” means and how it differs from hiding your IP address in general. Let’s investigate.

Hide IP Address

On the Mac, you can go to Safari > Preferences > Privacy to find another Hide IP Address setting. In Mail, look in Mail > Preferences > Privacy, though you must disable Protect Mail Activity to manage the Hide IP Address option separately. (Generally speaking, leave Protect Mail Activity enabled if you can.)

In iOS and iPadOS, you’ll find the equivalent options in Settings > Safari > Hide IP Address and Settings > Mail > Privacy Protection. In Mail, again, you must turn off Protect Mail Activity if you want to control Hide IP Address on its own.

So what do these Hide IP Address features do? With Safari, it’s difficult to know. If you click or tap the Learn More link on either the Mac or iPhone, it takes you to an explanatory page about iCloud Private Relay that offers no insight into the link to Safari.

Mail, however, is more forthcoming. Click or tap its Learn More link, and you’ll get quite a bit of information about how Protect Mail Activity uses a two-hop system that sounds nearly identical to iCloud Private Relay. It even clarifies that if you turn off Protect Mail Activity and leave Hide IP Address enabled, it will continue to “mask your IP address using the same two-separate-internet-relays design.”

In addition, Protect Mail Activity routes all remote content downloaded by Mail through two separate relays operated by different entities. The first knows your IP address, but not the remote Mail content you receive. The second knows the remote Mail content you receive, but not your IP address, instead providing a generalized identity to the destination. This way, no single entity has the information to identify both you and the remote Mail content you receive. Senders can’t use your IP address as a unique identifier to connect your activity across websites or apps to build a profile about you. … If you choose to disable Protect Mail Activity, the Hide IP Address feature will still mask your IP address using the same two-separate-internet-relays design.

I suspect that it’s iCloud Private Relay all the way down.

Putting It All Together

Here’s how I believe we should think about these interlocking settings.

• iCloud Private Relay: At the top level is iCloud Private Relay. Turn it on, and it runs all your traffic through the ingress and egress proxies, providing the highest level of privacy. However, it’s entirely likely that iCloud Private Relay will cause problems, so Apple lets users drop down to a lower level of privacy.
• Limit IP Address Tracking: That’s where the Limit IP Address Tracking option at the network level comes in. You can disable it to turn off iCloud Private Relay selectively or enable it (with iCloud Private Relay disabled) to apply iCloud Private Relay-like traffic routing to traffic from Safari and Mail. But since those apps are quite different—Safari needs to be able to connect to a far more varied set of servers than Mail—Apple separated them as well.
• Hide IP Address: That’s why each app has its own Hide IP Address setting. You might need to turn off iCloud Private Relay, turn off Limit IP Address Tracking, and turn off Safari’s Hide IP Address setting but still want to keep Mail’s Hide IP Address option enabled. It’s conceivable you’d want to disable Mail’s tracking protection and enable Safari’s, but that seems less likely.

Lending support to my theory is that if you disable Hide IP Address for Safari and Limit IP Address Tracking for your network and then turn on iCloud Private Relay, it first prompts you to turn on Safari’s Hide IP Address setting (below left) and then alerts you that it’s disabled for your network (below right).

Again, I don’t know what Apple means when it specifies that Limit IP Address Tracking and Hide IP Address affect only “known trackers.” The Hide IP Address screen in Safari makes the distinction clear—as long as iCloud Private Relay is enabled, you can choose from either Trackers and Websites or just Trackers. Without iCloud Private Relay turned on, you can only choose to hide your IP address from Trackers.

I’ve been unable to find any Apple documentation of how the company identifies known trackers and massages Safari and Mail traffic to protect your IP address from them. What happens when you connect to a remote site that’s not a known tracker? Does Apple send your IP address through in the clear? Perhaps someone who knows how to analyze network traffic could find out, but that’s beyond my skill set.

Realistically, however, what’s important is that if you’re having problems, you can turn off iCloud Private Relay first, and if that doesn’t resolve the issue, turn off Limit IP Address Tracking. If even that’s not enough, turn off Hide IP Address for Safari or Mail.

Otherwise, just leave them all on and enjoy whatever level of additional privacy they provide.