Apple's Hide My Email service lets users generate anonymous, randomized email addresses to help avoid spam, but it isn't going to protect you from subpoenas — especially if you threaten the FBI directly.
End-to-end encryption ensures that your data remains yours on-device and in transit. This applies to things like iMessage and Apple Health, especially when Advanced Data Protection is turned on.
However, that doesn't mean Apple won't comply with a subpoena when it is presented with one that fits the scope of the request. Hide My Email might help protect users from spam, but if you're emailing threats to the FBI director's girlfriend, there's nothing to protect you.
According to a report from 404 Media, a person named Alden Ruml used an anonymized email address to send a colorful threat that involved an assault rifle mutilating Alexis Wilkins' head. Wilkins is the girlfriend of the FBI director Kash Patel.
Of course, it was trivial for the FBI to send a subpoena to Apple to get the information, which Apple provided. The company also noted that Ruml had 134 anonymized email addresses.
If you're reading AppleInsider, you're not surprised that Apple provided the Hide My Email account details. It isn't encrypted data and isn't meant as a tool that totally anonymizes the user from Apple and authorities with a lawful subpoena.
The only way Apple couldn't have sent this information to the FBI is if it was outside of its reach via encryption. However, since Apple needs to know the address to forward mail to the user's iCloud email, that was never going to be the case.
What data Apple shares when subpoenaed
We've had a lot of highly public events help reveal exactly what kind of data Apple can and can't hand over to various governments when asked through legal processes. The long and short of it is simple — Apple isn't above the law of countries it operates in.
Apple holds itself to a high standard when it comes to handling user data
Apple can, however, within reason, push back on subpoenas that go too far. If a subpoena asks for all of a user's email history, for example, Apple would push back and ask for a specific date range for a specific address.
In extreme circumstances, like when providing data about mass shooters and the like, Apple will hand over a more broad scope of information, if not everything it has. However, there are limits.
Anything that is end-to-end encrypted can't be accessed by Apple. Period. End of story.
Here is what is encrypted by default:
- Health data
- iCloud Passwords
- Wi-Fi and Cellular credentials
- Home data
- Payment information
- Siri information
- iMessage and FaceTime
There is one exception that goes back years — iMessage. Apple stores the iMessage encryption keys in iCloud backup, so if you or someone you chat with uses Messages in iCloud and backs up their iPhone, Apple can get the key from the iCloud backup.
That's where Advanced Data Protection comes in.
Here's what is encrypted with ADP turned on:
- Device backups
- Messages backups
- iCloud Drive
- Notes
- Photos
- Reminders
- Safari Bookmarks
- Voice Memos
- Wallet passes
Because device backups are included in this list, it means Apple no longer has access to encryption keys of any kind. The only remaining services without end-to-end encryption are the ones necessary for their operation, like Calendar, Contacts, and iCloud Mail.
However, keep in mind that Hide My Email is still visible to Apple regardless of ADP. The purpose of Hide My Email is to give users the ability to generate a randomized email for creating new accounts so if spam originates from that new account, it can simply be shut off.
Apple goes a long way to protect user privacy and security. It fought against government demands for backdoors to encryption and has only enhanced consumer-grade protections since — see also Lockdown Mode.
However, realize that Apple isn't at war with law enforcement. Information like your name, email address, payment data, order history, and other non-encrypted data are free game for subpoenas.
