Screenshot of Apple’s iCloud website
Apple’s usually one of the few companies taking a stand to protect users’ privacy. Their “Hide My Email” feature allows users to do what it says on the box. They hide their real email with a randomly generated email mask. This ensures that companies can’t target users based on the email addresses they receive when users sign up for services or make purchases. It does not protect users from law enforcement. While you might be lead to believe that the masked email address will be encrypted in your iCloud account so only you can unmask them, it’s just not the truth. Apple has full access to each mask, and that means they’re beholden to the law.
When the FBI makes a lawful demand of Apple, they have to comply. It’s why policy is never security. You can’t trust that a company won’t decrypt your data if they have the keys to do so. All you can do to protect yourself is ensure your data is encrypted with keys only you have access to.
Apple just reminded us that security by policy isn’t security at all. But with email masking, should you have expected anything else?
In This Article:
Apple Complies with FBI Request
To be clear, Apple did the right thing here. The person in question was making threatening emails to the girlfriend of FBI director Kash Patel. It is never okay to make someone fear for their life because of a disagreement, video game, or their mere existence. It is unfortunately an indicator of the sad state of this world that we must remind people not to jump to violence as a solution for everything. That said, you should understand the limits of current email masking technology, what happened here, and how you can avoid pseudo-anonymous messaging mix-ups.
Hide my Email
Apple introduced the Hide my Email feature into their iCloud+ offerings. While not a part of Apple’s free iCloud product, a paid iCloud subscription will let you create fake email addresses that will forward your emails from the fake address to your real one. A number of services offer something like this, from a few companies. It’s a mail forwarding service that uses a randomly generated email as the “mask” that other companies will see. It’s as simple as that.
Privacy Limitations
Apple creates the masks for you, but they still need to know where the email is supposed to go. That means someone making an email mask that’s random will still have it tied to their actual email address in Apple’s servers. Consider it like the branches of a tree. They’re all mapped to the root. None of those branches are separate from that root, the key of the map. No email mask exists without the email address belonging to the account holder.
In this kind of setup, it’s impossible to anonymize the masked emails. Someone simply looking at a mask may not be able to tell where the email actually ends up. This is how email masking can protect your privacy from companies that would like to link your real email address to your identity across the web.
The company that generates the masks, Apple in this case, has the entire map. They see those masks, the branches of the tree, and the root as well. This is why you have to choose a company that is not involved in marketing or training AI with user data. It’s also why you can never be fully anonymous, because Apple will have that data, and they will be able to hand it over to the authorities.
Where They Went Wrong
Let’s start off with the content of the emails. Yikes. The person who allegedly sent the emails was clearly deeply disturbed, and strong language is used.
“Do you know how happy I’ll be when your cunt ass face is canoed by an assault rifle? Tick tock bitch. Watch your back.”
– Allegedly sent by Alden Ruml via email mask
Canoeing, if you were as innocent as I was before reading this article is an act of corpse mutilation that involves desecrating the head of a dead body with a shot in a particular spot to the forehead allegedly popularized by SEAL Team 6.
However, ignoring that they likely went wrong listening to conspiracy theory podcasts, obsessing over violence, and sending threatening emails to the girlfriend of the director of the FBI, Kash Patel, where did he go wrong from a technological standpoint? In other words, what gave him away? Is it possible to use email masking to hide your email address?
No.
You could create an anonymous email address through a number of sources. Set it up through an anonymous and encrypted VPN, perhaps hide traces of yourself through the Tor network, and create an address that’s truly anonymous. But you’d risk exposure every time you access it and, unless the machine you’re accessing it on and the client you’re accessing it on, it’s not going to be secure enough for your needs if you need full anonymity. Email masking isn’t to help you organize protests or distribute radical zines. It’s to protect you from spam. From marketers being able to identify you by your email address across different purchases, accounts, and websites. It’s not for anonymous communication and no one wants to create any system to be used for disgusting violent threats.
Your best bet is still to use an encrypted communication medium. Not even something like Proton Mail, as mail is only encrypted when in-network, but something like Signal. And you definitely don’t want to use anything actually attached to your identity, even if it is behind a mask. Masks are to protect you from advertisers, not governments.
What Could a Better Email Masking System Look Like?
The problem with email masking is that you need one source of truth. You need the provider of the email masks to be able to forward messages heading to the email mask to your real email. That is a “plain text” operation, or one that at least gives the owner of the masking service the only encryption keys. They might protect your identity from spammers and marketers (what’s the difference?), but they still will have every single mask you use and link it to your real account. If you use a masking service, make sure it’s from a company you trust not to train AI on your emails or read through them for their own marketing purposes.
Get off Gmail. Get an email address with a company that centers privacy, and only use a masking service from a company that prioritizes your privacy, because you’re giving them a lot of control. Unfortunately, email is not an encrypted medium yet. There are a number of services, such as Proton Mail, trying to make encrypted emails more normalized, but they largely, even if encrypted, end up decrypted before they reach a user because the receiver’s client and service cannot decrypt those messages.
Is There a Way to Do This Right?
You could, potentially, use an encrypted email service and start to shun emails coming from non-encrypted services. There are ways to do this, none of them are very smooth yet. A good masking service would also be encrypted with your own keys. Someone would send an email to your masking service, that service would associate your message with an encrypted storage container, and your email client would be the only one with keys to that container so they never need to forward the email directly to you and never need to know your actual email address to provide your mail for you. It basically uses an encrypted box for storing emails you would have to fetch manually from. Nothing like this seems to exist yet.
Protecting Yourself
Email masks do not anonymize you entirely. The way they seem to work currently associates each mask with your real email address. Only the company issuing the mask, whether it’s Apple, Mozilla, or some other email masking service, can associate the mask to your real email address. This can offer you protection from advertisers, but does little to protect you from the law.
If you want to communicate anonymously, use Signal. I don’t know how many times you need to hear it, but normalize using Signal for everything, talk to people exclusively on Signal, and follow these tips to make Signal even more secure. Just stop sharing everything with everyone. We’re entering dangerous times for privacy and security, why make things worse by sharing everything with corporations and governments who wish to exploit you?
Sources:
- Matthew Cole, The Intercept
- Joseph Cox, 404 Media