Apple iCloud Private Relay
IP addresses have been the main tool for preventing persistent vandalism and abuse on the wikis — but the availability and reliability of IP addresses is changing for many reasons. The latest change is Apple’s iCloud Private Relay. It affects Safari users with a paid iCloud account.
This new feature may obscure the IP addresses of 3–5% of our editors by the end of 2021. Tens of thousands of people will be affected. It may cause issues for communities’ ability to prevent vandalism and abuse. It's likely that other browsers will follow Apple's lead, as they've done before. This problem is likely to grow.
Communities typically block edits from IP addresses that obscure individual users. If this practice is continued with iCloud Private Relay editors, 3–5% of all our editors could experience a block in the coming months. This includes logged-in, active editors who may not understand why they've encountered a block.
As these changes happen, the communities, users with advanced MediaWiki permissions, the Wikimedia Foundation (WMF), and others need to work together. We need to learn how the security of the wikis can be maintained while the pathways to editing remain open for all good-faith participants.
We would like to learn more, to help us make a plan.
Wikimedia and IP addresses
IP addresses have been the main tool for preventing persistent vandalism and abuse on the wikis.
- IP addresses are unique identifiers for a source of internet activity. They can belong to things like a phone, a wifi connection, or a corporate network. For most of the history of the internet, they could be used to roughly identify an internet user. They could also give information about that user’s location at the city level.
- Our communities rely on IP addresses as their core identity and security model.
- Users have always been able to edit without logging in. Their IP address has been their sole form of identity—the way that they receive messages, are tracked, and are blocked.
- For users who are logged in, IP addresses are the main tool for identifying persistent abusers. They can be blocked based on their IP logs.
- In some cases, whole ranges of IP addresses are blocked for being persistent sources of abuse.
Changes in technology
The broad change
The availability and reliability of IP addresses is changing for many reasons. Apple’s iCloud Private Relay is the latest change. Other tech providers will probably make similar changes.
- The nature and availability of IP addresses is changing. With the advent of IPv6, IP addresses are more dynamic than before. This problem will only get worse in the future as more users come online.
- Additionally, IP addresses and user agent information have become personal data. Hiding them has become a service more and more internet users want.
- These changes are driven by external market and government actions. They are not under the control of the Wikimedia movement or WMF.
- The Anti-Harassment Tools team at WMF has been looking into the issues surrounding IP addresses. It is building tools that may reduce the effect of these changes. But the work will not prevent IP addresses from becoming less useful over time.
- Changes like these can quickly spread. Once Apple makes this change, other browser providers like Google and Mozilla may remove browser information sent with requests as well. While this is not known for sure, it is a prediction based on market analysis. For example, after Google announced that Chrome will no longer send user agent info, Mozilla also announced that similar changes were in the works for Firefox browsers.
More details on iCloud Private Relay
- Apple is starting to provide a service called “iCloud Private Relay”. It masks the IP address of a Safari user so that they appear to be coming from a central pool of Apple IP addresses. It will apply to Safari browsing behavior on both desktop and mobile devices.
- iCloud Private Relay is available only for iCloud+ subscribers and any family member in their Family Sharing group (i.e., one subscription can serve a maximum of 6 users across all their devices) and only affects browsing in Safari. Not all Apple users are iCloud+ subscribers. As of August 2023, it is a paid service with a low barrier of entry, with pricing starting at $0.99/month or local equivalent.
- As of the release of iOS 15 and macOS Monterey in 2021, iCloud Private Relay has been enabled by default for iCloud+ subscribers. Users can turn off the service (opt-out) entirely but don't have the option to allowlist websites.
- As of the release of iOS 16 and macOS Ventura in 2022, users can reload a page and temporarily show their IP address. This only affects that specific browsing session in the tab in which this option is used. In practice, the option is automatically disabled once the user browses to a different domain or subdomain and after a certain amount of time has elapsed. This means that if a website does a redirect, as during an SSO login session, or a page is loaded in a new tab, as some scripts do, iCloud Private Relay is re-enabled. Wikimedia properties don't always detect the regular IP, despite the forced reload when the user uses this option, possibly due to caching issues. This issue is especially prevalent on the mobile version of wikis.
- It may eventually be included in the operating system for free, similar to how Mail is now free.
- Community members have known about the advent of iCloud Private Relay for some months. The English Wikipedia administrators noticed this service coming and had a related discussion in June 2021.
- Users of the Opera web browser have faced a similar situation for several years. Opera offers a free VPN service. This is a non-default (opt-in) service. Note that Opera has a significantly lower share of the usage.[2]
Effect on Wikimedia
Many communities block edits from IP addresses that obscure individual users. If they do so with iCloud Private Relay editors, 3–5% of editors will likely encounter a block in the near term. This number would likely grow as other browser providers follow Apple’s practice.
We want to learn the extent to which communities are okay with the effect this will have on editors. Also, we are curious if there is openness for reconsidering the rules on large IP blocks.
- We want administrators to feel safe and supported. The quality and reputation of Wikimedia projects needs to be protected. Marginalized editors who need protection should also be supported. Casual good faith participants should be able to edit on the browser and device of their choice. The loss of IP-as-identity challenges all these goals.
- When users of iCloud Private Relay attempt to edit from Safari, they will appear with one of the dedicated Relay IP addresses.
- Decisions around whom to block and why are made at a local community or global governance level. There are rare “office actions” to ban users. But in principle, blocking is an area with a long history of community self-governance. Large communities and global sysops have decided that “open proxies”, virtual private networks (VPNs), shared IP services, iCloud Relay, and similar services will be blocked on all wikis.[3] The reason is that identity fraud is too easy to commit using them, since IPs are our identity model.
- Certain IP addresses are blocked from editing even by logged-in users. As a result, iCloud Private Relay will affect logged-in users as well.
- Because iCloud Relay only affects Safari browsers, editors in the Wikipedia iOS app will not be affected. Also, iCloud Private Relay subscribers will not be affected when they change their browser.
- Apple has published the IP ranges that will be used for iCloud Relay, and blocks are currently in place on those ranges.
- The way to request an IP block exemption (IPBE) is not designed with large numbers or global groups in mind. Even a cautious estimate is that a few thousand logged-in editors will encounter a block. This is far more than existing IPBE processes are set up for. If we don't change the way IPBE works, for those users it will be difficult to ask for and gain exemptions or explanations in their language. What's more, on small and medium wikis there may be no related policies. Also, communities of those wikis may not know how to help the affected users.
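How a published range list translates into blocks that also catch logged-in editors can be shown with a short check. This is an added example, not code from Wikimedia or Apple: the CSV layout (prefix, country, region, city), the documentation-only prefixes, and the edit attempts are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample in an assumed "prefix,country,region,city" layout.
# Prefixes are RFC 5737 / RFC 3849 documentation ranges, not real relay ranges.
RELAY_RANGES_CSV = """\
192.0.2.0/27,US,US-CA,Los Angeles
198.51.100.128/25,SE,SE-AB,Stockholm
2001:db8:a000::/36,JP,JP-13,Tokyo
"""

# Constructed edit attempts: (source IP, logged_in)
EDIT_ATTEMPTS = [
    ("192.0.2.17", True),
    ("192.0.2.200", True),       # same /24, but outside the listed /27
    ("198.51.100.130", False),
    ("2001:db8:a123::1", True),
    ("2001:db8:b000::1", False),
    ("203.0.113.9", False),
]

def load_ranges(text):
    """Parse the CSV into per-family lists of ip_network objects."""
    nets = {4: [], 6: []}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        net = ipaddress.ip_network(row[0].strip(), strict=True)
        nets[net.version].append(net)
    return nets

def in_relay(ip_text, nets):
    """True if the address falls inside any listed relay prefix."""
    ip = ipaddress.ip_address(ip_text)
    # An IPv4 client seen through a dual-stack socket arrives as ::ffff:a.b.c.d
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in nets[ip.version])

def block_impact(attempts, nets):
    """Return {logged_in: (attempts hitting a range block, total attempts)}."""
    counts = {True: [0, 0], False: [0, 0]}
    for ip_text, logged_in in attempts:
        counts[logged_in][1] += 1
        counts[logged_in][0] += in_relay(ip_text, nets)
    return {k: tuple(v) for k, v in counts.items()}

if __name__ == "__main__":
    print(block_impact(EDIT_ATTEMPTS, load_ranges(RELAY_RANGES_CSV)))
```

The logged-in count from `block_impact` is the population that would need an IP block exemption if the range blocks apply to accounts as well as to logged-out edits.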
Effect statistics
- To estimate the potential effect, we looked at the edits coming through Safari browsers. Next, we combined them with estimates around the uptake of iCloud Private Relay.
- In the last 90 days, 11.6% of logged-in editors edited with Safari and 17.7% of logged-out editors edited with Safari.
- We used these numbers and estimated when iCloud Relay will become widespread. We believe 1.6% of logged-in editors and 2.5% of logged-out editors will encounter a block in the month after iCloud Private Relay comes out for macOS. Update: iCloud Private Relay is now integrated, though still opt-in, in macOS 12 (Monterey), released in November 2021.
- When iCloud Relay becomes opt-out, we estimate 4.6% of logged-in editors and 7.2% of logged-out editors will encounter a block each month.
- The usage of Safari for editing varies by wiki. Please see the accompanying table for numbers on the most and least affected wikis.
- We also attempted to estimate how many edits are being prevented because of the range blocks currently in place for iCloud Relay IP ranges.
- As of the November 2021 release of macOS 12 Monterey, iCloud Relay is available to all Apple devices running current public releases, including iOS 15. This addition of desktop users is not reflected in the analysis here.
- We made this estimate by comparing the number of edits being made from iOS 15 to the number of pageviews coming from iOS 15. Next, we split it by whether they are coming through Relay ranges or not. See more details on why we did it this way, along with some assumptions this method makes.
- For iOS 15 users not using Relay, there are about 241 edits per million page views. For iOS 15 users using Relay, there are about 9 edits per million page views. Applying some arithmetic, this seems to come out to about 120 blocked edits per day right now (as of October 2021).
- We expect this number to increase as iOS 15 and Relay usage increases, and as Relay becomes available for desktop users.
This table shows the usage of Safari browser for editing in select wikis in recent weeks. There are some with the most usage (Japanese, Swedish, and Norwegian Bokmål Wikipedias) and the least usage (Bengali and Hindi Wikipedias). Note that only a part of Safari users will use iCloud Private Relay.
Wiki | Logged-in editors[4] | Logged-out editors[5] | Logged-in edits[6] | Logged-out edits[7] |
---|---|---|---|---|
Overall | 11.6% | 17.7% | 7.9% | 14.7% |
English Wikipedia | 14.4% | 22.0% | 11.1% | 18.8% |
Japanese Wikipedia | 21.7% | 27.3% | 16.5% | 19.7% |
Swedish Wikipedia | 18.4% | 29.3% | 12.8% | 26.8% |
Norwegian Bokmål Wikipedia | 17.1% | 31.3% | 7.3% | 31.5% |
Bengali Wikipedia | 0.8% | 1.4% | 0.3% | 0.7% |
Hindi Wikipedia | 1.4% | 1.1% | 2.7% | 2.1% |
Wikimedia Commons | 8.0% | 17.3% | 4.5% | 10.5% |
Wikidata | 6.6% | 11.9% | 4.1% | 18.6% |
References
- [1] There is no direct evidence that this will certainly happen. This hypothesis is based on market analysis.
- [2] See also: Usage share of web browsers.
- [3] See also: No open proxies.
- [4] Percentage of editing accounts in last 90 days making one or more edits in Safari
- [5] Percentage of editing IP addresses during August 2021 making one or more edits in Safari
- [6] Percentage of edits from accounts in last 90 days that were made from Safari
- [7] Percentage of edits from IPs during August 2021 that were made from Safari