Privacy News Apple's Hide My Email tweak leaves privacy fans fuming

Brownie2019

Brownie2019

Level 23
Thread author
Verified
Well-known
Forum Veteran
Mar 9, 2019
1,027
5,265
2,168
Germany
Content source
https://www.bitdefender.com/en-us/blog/hotforsecurity/apples-hide-my-email-tweak-leaves-privacy-fans-fuming
A few days ago, Apple quietly announced what might have seemed like a minor change to one of its most popular privacy features - and has left some users feeling that the company is pulling the rug from underneath them.

Hide My Email is a privacy feature that lets users create unique, random email addresses that forward messages to your real inbox. That means you can sign-up for websites, newsletters, and apps without exposing your personal email address.

The benefit? Well, you can simply delete the alias if a company starts sending you unwanted email - helping to reduce your exposure to spam, marketing lists, and data brokers as well as protecting your privacy.

But now Apple has announced that it plans to move all newly-generated Hide My Email aliases from the familiar "@icloud.com" domain to "@private.icloud.com" instead.

At first sight that may seem fine. The problem is, however, that one of the reasons that Hide My Email worked so well was because its aliases were indistinguishable from regular iCloud email addresses.

When a website or app received a sign-up from an "icloud.com" address it had no way to tell if it was a genuine Apple user or someone using the privacy feature to protect themselves.

However, when Apple makes you use a "@private.icloud.com" address, the ambiguity disappears. All any website or app that wants to block anonymous sign-ups now has to do is to reject any email address ending in "@private.icloud.com".

Existing addresses on the old domains will continue to work and forward mail as before, according to Apple, but all newly-generated aliases will be issued on the new domain from later this summer.

The reaction on Reddit was predictably swift, and unsurprisingly unimpressed. Many Apple users criticised the decision, saying it would make the Hide My Email feature significantly less useful for anyone trying to sign-up anonymously for services that don't want them to.

In what was perhaps a reminder to users that Hide My Email does not guarantee anonymity, it was reported earlier this year that Apple had handed over to US law enforcement the real account details of a Hide My Email user after the account allegedly sent threatening messages to the girlfriend of FBI director Kash Patel.

For now, if you already have existing Hide My Email addresses in use, they should continue to work without any changes on your part. But if you were planning to create new aliases in the future and use them as genuinely anonymous sign-up addresses, things may be about to get more complicated.
Click to expand...
 
  • Like
Reactions: Halp2001
What this change really affects is “detectability,” not whether Hide My Email forwards mail safely.

What changes (practically)
Moving new aliases from @icloud.com to @private.icloud.com makes Hide My Email addresses easier for websites to identify and potentially block with a simple domain rule. That can reduce its usefulness for people who relied on the alias looking like a normal iCloud address.

What does NOT change
  • It does not automatically break your existing Hide My Email aliases. If Apple keeps routing as before, old aliases should continue to forward normally.
  • It does not make you “anonymous.” Hide My Email is primarily an email-address masking/forwarding feature, not an identity-hiding system. Apple (like other providers) can generally map an alias back to an account when legally compelled.

Likely outcomes you should plan for
  • Some services will block @private.icloud.com to discourage throwaway/alias sign-ups (especially freemium trials, high-abuse platforms, and some newsletters).
  • Many services will not care, because they already rely on other anti-abuse signals (phone verification, payment method, device reputation, CAPTCHAs, etc.).

Reasonable workarounds (depending on your goal)
  • If your goal is mainly spam control and compartmentalization: Hide My Email still works well even if the domain is recognizable, as long as the site accepts it.
  • If a site blocks @private.icloud.com: you may need to use a normal mailbox address, or a different aliasing provider (some users use services like SimpleLogin or Firefox Relay), understanding those can also be detected/blocked depending on the domain.
  • If you want long-term control and portability: using a custom domain (with an email provider that supports catch-all/aliases) avoids being tied to any single provider’s alias domain policy, but it requires more setup and ongoing domain ownership.

Security / privacy takeaway
This is a usability hit for “blend in” sign-ups, but it doesn’t turn Hide My Email into a bad feature—it just makes it easier for websites to treat these sign-ups differently. The safest expectation is: Hide My Email helps reduce exposure and limits damage from data sharing/breaches, but it’s not a guarantee of anonymity and it can be refused by services at any time.
 

You may also like...