
"The slide also shows that AT&T retains “cloud storage internet/web browsing” data for 1 year. When asked what this detail entails exactly, such as websites visited by customers on the AT&T network, AT&T spokesperson Margaret Boles said in an email that “Like all companies, we are required by law to comply with mandatory legal demands, such as warrants based on probable cause. Our responses comply with the law.” The document also mentions that law enforcement can request records related to wearable devices from AT&T."

Do you know what this “cloud storage internet/web browsing” data looks like?




Did they misread the table? I see two distinct rows:

- Cloud Storage

- Internet/Web Browsing

In the big picture it’s probably fine to conflate them but the technical aspects of each are going to be very different.


Probably DNS/SNI logs? With most sites using HTTPS, that's all they're really going to get.


And with VPNs like Apple Private Relay being broadly pushed, likely less than that.


Never assume: carriers can mandate data collection or sharing.


Is there any way to change dns servers on lte/3G? Odd that iPhones let you change it for wifi, but not cellular. Can I even find out what it’s using?

What about android?


Android natively supports DoH, which both lets you change the DNS server and prevent your cellular provider from redirecting/logging DNS requests:

Network Settings -> Advanced -> Private DNS

Enter one.one.one.one (or substitute your favorite DoH-supporting resolver)


Until eSNI or similar is implemented across all sites, it doesn't matter much.


Cloudflare's 1.1.1.1 app works with both Wifi and cellular by configuring itself as a VPN. I've been happy with it for a few years now.


Do you assume that the FBI does not have a similar document for Cloudflare (or any VPN or DoH provider)? I think it's probably healthy to assume that your accessed host history is semi-public regardless of how well you try to protect it. Note that even with esni your ISP or your VPN's ISP will still know the IP addresses you're getting to, and in most ordinary cases can do a reverse lookup.


CF doesn't retain much if any data from 1.1.1.1 so at a minimum you are protected from retrospective surveillance. I agree it's impossible to be perfect but let that not be the enemy of good.


>Is there any way to change dns servers on lte/3G?

Probably doesn't matter because regular DNS is performed in the clear. There's nothing preventing them from logging/intercepting your requests even if you changed them.

>Odd that iPhones let you change it for wifi, but not cellular.

>What about android?

AFAIK on both changing DNS can be done by using an app that acts like a VPN, and intercepts the DNS requests.


Though legally speaking, there might be a difference between logging dns packets going to ??? and dns packets hitting the provider’s dns server.

The latter could be construed as necessary logging while the former is spying for the sake of spying.


The legal aspect might change what AT&T 'has' to log, although they likely voluntarily include other passively-obtained port 53 traffic in their cooperation.


At the very least, T-Mobile has static-routed public resolvers like Google's to their own in the past.


DNSCloak does that, but it sometimes crashes, and unfortunately there are no recent updates.


AdGuard can do that on both Android and iPhone.


NextDNS works on both cellular and wifi. They have a profile you can download so it’s definitely possible but maybe not through the GUI.


iOS works with OpenDNS (think of it like a cloud Pi-hole). I was using the app, which used to have issues with cellular, but has worked as expected more recently. Use the generated profile…


iOS supports DoH/DoT natively via work profile. Create one yourself here: https://dns.notjakob.com


I wonder what % of https requests are using esni these days..



