Apple’s iCloud+ subscription includes several privacy-oriented features, like an email anonymization tool called “Hide My Email.” This tool aims to enhance online anonymity by concealing subscribers’ real email addresses with random aliases. However, one user recently learned the hard way that Apple can share users’ real identities with law enforcement, particularly in cases involving serious allegations like blackmail, as happened with FBI Director Kash Patel’s girlfriend.
What does “Hide My Email” do?
If you subscribe to iCloud storage beyond the free 5 GB, you can use the Hide Email feature. This allows you to generate anonymous email addresses, or aliases, which forward emails to your main iCloud account. This means you don’t have to reveal your actual Apple ID or name to recipients.
This feature is particularly handy for signing up for new online services, enabling you to create accounts without sharing your name or email with developers or marketers who might otherwise target you or sell your data.
“Hide My Email” loophole
So far, it wasn’t completely clear if Apple had a way to link these anonymous email addresses back to users’ real identities. This recent incident has proven that such a loophole does exist, even though Apple’s “Hide My Email” description implies a higher level of privacy.
According to their description, users can “keep your personal email address private” by creating a unique address that can be deleted anytime. This gives the impression that aliases are fully private. However, while third parties can’t see your true identity, Apple can trace these anonymous addresses back to the original owners and, in the event of a crime, share that information with law enforcement.
Incident details
On February 28, a 26-year-old man, Alden Ruml, allegedly sent a threatening email to Alexis Wilkins, who is dating FBI Director Kash Patel. The message reportedly included disturbing comments about her with an assault rifle. Ruml used one of 134 aliases linked to his iCloud account to make this threat after reading a statement made by Patel. Following this, the FBI stepped in to ensure Wilkins’ safety.
Responding to the threat, the FBI requested information from Apple regarding users’ main email addresses, which ultimately led to Ruml’s identification. If convicted, he could face a five-year prison sentence, followed by three years of supervised release and fines of up to $250,000.
Implications for users
This situation poses significant questions regarding Apple’s privacy claims. Tim Cook, Apple’s CEO, has long insisted that “privacy is a fundamental human right.” Apple often backs this up through its products, emphasizing strict encryption policies that generally complicate compliance with law enforcement requests.
However, it turns out that while iCloud Mail itself is encrypted, the email addresses—including both the primary Apple account and the aliases—are not fully protected in plaintext. Thus, in this case, Apple had to comply with the FBI’s request and provide the information that led to Ruml’s capture.
Moreover, there are still questions about whether Ruml’s email to Wilkins was genuinely a credible threat or just a poorly timed joke. Some may view the FBI’s actions as excessive, especially because the target was the girlfriend of a high-profile official. Others might argue the charges against Ruml might not adequately address the extent of his harassment towards artists. All these factors will likely be explored during the court proceedings.
For ordinary users, Ruml’s case serves as a stark reminder: online privacy is never a certainty, even when using tools that are designed to protect your identity.
