Apple offers several privacy-focused perks with its iCloud+ subscription, including an email anonymization tool called “Hide My Email.” While this feature appears to promote online anonymity by hiding subscribers’ real email addresses behind random aliases, one user found out the hard way that Apple will give users’ real identities to law enforcement, especially when a user lobs threats at the girlfriend of FBI Director Kash Patel.
What does ‘Hide My Email’ actually do?
If you pay for more iCloud storage beyond the free 5GB plan, you also have access to “Hide My Email.” As the name implies, this feature lets you create anonymous email addresses — known as aliases — that all forward emails back to your main iCloud account without revealing your real Apple ID or name to the receiver.
This feature especially comes in handy when signing up for new online services. You get to create an account without giving your personal name or email to developers, advertisers, or marketers, ensuring they can’t target you or sell your data to their partners.
The ‘Hide My Email’ loophole
Up until now, it wasn’t clear whether or not Apple had a system in place to link anonymous addresses to their real counterparts. This case proves that such a loophole exists, even if Apple’s dedicated copy within the “Hide My Email” menu suggests otherwise.
The menu states, “Keep your personal email address private by creating unique, random addresses that forward to your personal inbox and can be deleted at any time.” That makes it sound like these aliases are completely private from everyone, not just advertisers.
Zach Laidlaw
Unfortunately, while third-party companies can’t access your real identity, Apple can trace “Hide My Email” addresses back to their original owners and share that information with law enforcement in the event of a crime.
The crime
Around February 28, a 26-year-old man named Alden Ruml allegedly sent an email to Alexis Wilkins — country singer and girlfriend of FBI Director Kash Patel — stating that he would be “happy” to see her face “canoed by an assault rifle.” The address Ruml used to contact Wilkins was one of 134 aliases attached to his iCloud account. Ruml reportedly sent the email after reading that Patel deployed the FBI as a security detail for Wilkins.
Following the threat, the FBI issued a subpoena to Apple, requesting the user’s primary email address, resulting in the identification of Alden Ruml. If convicted, Ruml faces five years in prison, followed by three years of supervised release, and a hefty fine of $250,000.
A lesson for the rest of us
The story raises serious questions around Apple’s purported privacy policies. Apple’s CEO, Tim Cook, has long held the position that “privacy is a fundamental human right,” and Apple has largely championed that stance through its products and services.
Case in point, there are many instances where Apple can’t acquiesce to law enforcement requests due to its stringent end-to-end encryption policies. As part of Apple’s legal process guidelines, the company states, “Apple does not receive or retain encryption keys for customers’ end-to-end encrypted data,” so Apple can neither access this data nor hand it over to third parties, including the government.
However, while iCloud emails themselves are encrypted, plain text email addresses — including primary Apple accounts and email aliases — are not encrypted. In this case, Apple had no choice but to comply with the FBI and turn over Ruml’s basic credentials that led to his arrest.
There are also questions about whether Ruml’s email to Wilkins is a credible threat of violence or simply a crude statement sent in poor taste. Some could see Kash Patel’s use of the FBI to arrest and charge Ruml as an overreach of power, simply because the target of the email was his girlfriend. Others may argue the charges against Ruml don’t go far enough for harassing a rising country artist. All of this, of course, will be hashed out in a court of law.
As for the rest of us, Ruml’s ill-fated email is a stark reminder that privacy is never guaranteed online, even when using products and services that promise to hide your identity.
