← Back to context

Comment by hamdingers

15 days ago

[flagged]

> If you insist on giving me a fake email, your business is probably a liability I don't want anyway

It's not a fake e-mail, it's a legitimate e-mail that you can send e-mail to and the user will receive, which has to be created by a paying iCloud user and not an anonymous rando off the internet.

I'd be interested to know what downsides, if any, you see for a website to accept a private e-mail address like this. Do you have a legitimate complaint about these sorts of e-mails? Again, given that private relay isn't an 'anonymous e-mail service' (it's still tied to your iCloud account so spam, etc. shouldn't be any more of an issue) but merely an 'anonymous to the person you're giving the e-mail to' service.

If your actual complaint is 'if you insist on giving me an e-mail that you can revoke unilaterally making me unable to contact you against your wishes, and which cannot be associated with other user data from other sources to build a profile of you, then you're not worth having as a customer' then that's a separate complaint - and one that means I want nothing to do with your website.

  • I'm curious what you think the difference is between "a paying iCloud user" and "an anonymous rando off the internet." How many Apple gift cards do you reckon get sent to fraudsters every day? Decades worth of iCloud+ surely.

    I'm running a business where I need to know who you are, because my platform can be used defraud other people. If you're trying to hide who you are from our very first interaction, that's a massive red flag.

    If you can trivially create hundreds of these emails, and fill in the rest of the required info with bought/stolen/generated PII, now I have a vector for mass fraud. Requiring you to use a recognized non-anonymized provider doesn't stop you, but it sure does slow you down. (It's not this simple of course, but all security works in layers)

    If these terms are not acceptable to you, then great! Don't use the website, there's no need to be salty because that's what you said you wanted. Isn't it?

    I don't mind either, because the number of legitimate users who are bothered by this restriction is infinitesimal compared to the number of fraudsters who would take advantage if it wasn't in place. It can be difficult to comprehend the scale of platform fraud unless you've worked in this area, many days fraudulent signups outnumber legitimate ones.

    • > If you're trying to hide who you are from our very first interaction, that's a massive red flag.

      You conflate email with identity, just like the media companies conflated IP addresses.

      It's not hiding who you are, it's hiding my real email address behind a mask that you can't choose to sell off to marketers, or spam yourself, or otherwise profit off, regardless of the nature of our relationship - I've got plenty of spam emails from companies that I closed accounts with, thus severing our relationship.

      > If you can trivially create hundreds of these emails, and fill in the rest of the required info with bought/stolen/generated PII, now I have a vector for mass fraud. Requiring you to use a recognized non-anonymized provider doesn't stop you, but it sure does slow you down. (It's not this simple of course, but all security works in layers)

      It's not that simple, but I guarantee it doesn't remotely slow anyone down, not at the scales we're talking. Maybe if you're talking one entity and tens or hundreds of thousands of accounts, but it's laughably naive to believe that such a person who is set up to conduct "mass fraud" can't create 100 Gmail/Outlook/iCloud email addresses a day, if not an hour, with near zero effort (it's not like they're committing "mass fraud" by hand, after all).

      1 reply →

    • > If you're trying to hide who you are from our very first interaction, that's a massive red flag.

      If you're trying to collect personal information that's none of your business from the very first interaction, that's a massive red flag. Like how many data leaks and customer data exposures is it going to take to understand that the data I'm giving you is a liability for me? How much spam am I expected to put up with because you give my data to a "data broker" for one reason or another? Why should I trust anything you say regarding how you will handle my data after all the embarrassing fuck-ups over the years? What is your liability if you mishandle my data, is it approximately $0? Do you have an arbitration clause in your TOS so I can't even sue you when you screw up?

      There's zero responsibility from the tech industry for their continued failures in this regard and then you have the temerity to lecture me about my "red flag"? Seriously?

      1 reply →

    • I feel as though it would be a lot easier and cheaper to open up a new gmail account than to create a new Apple account, add a gift card, sign up for iCloud+, and then create private relay e-mails to use for signing up.

      Is there something about gmail that makes it less suitable for the fraudulent use cases than iCloud+ private relay e-mails? I presume you're thinking of the 'create many anonymous e-mails' feature in that regard, which makes some degree of sense. I wonder if iCloud+ throttles e-mail creation.

    • It sounds like you are trying to shoehorn email into some kind of “real person verification” role, when you ought to be doing actual KYC through some provider like ID.me. (If honest to god no-shit fraud is on the table.)

      8 replies →

As others have alluded to, I'm not doing this to be anonymous, I'm doing this because companies can't be trusted not to leak my email address. Every real business that knows my real identity (banks, payroll, government, retailers, etc.) gets its own alias.

When an organization invariably leaks my email and I start receiving spam to it, I generate a new one, update my email on record, deactivate the old one, and the spam stops.

> fake email

Its a real address that I can use to monitor your behavior, since businesses send so much damn spam.

Been using them for 25 years, not gonna stop any time soon.

Seems like we have a meeting of the minds here. You don't want me as a customer and I don't want you as a vendor (or payment processor). Enjoy your spamming :)