[hamdingers]

I'm curious what you think the difference is between "a paying iCloud user" and "an anonymous rando off the internet." How many Apple gift cards do you reckon get sent to fraudsters every day? Decades worth of iCloud+ surely.

I'm running a business where I need to know who you are, because my platform can be used defraud other people. If you're trying to hide who you are from our very first interaction, that's a massive red flag.

If you can trivially create hundreds of these emails, and fill in the rest of the required info with bought/stolen/generated PII, now I have a vector for mass fraud. Requiring you to use a recognized non-anonymized provider doesn't stop you, but it sure does slow you down. (It's not this simple of course, but all security works in layers)

If these terms are not acceptable to you, then great! Don't use the website, there's no need to be salty because that's what you said you wanted. Isn't it?

I don't mind either, because the number of legitimate users who are bothered by this restriction is infinitesimal compared to the number of fraudsters who would take advantage if it wasn't in place. It can be difficult to comprehend the scale of platform fraud unless you've worked in this area, many days fraudulent signups outnumber legitimate ones.

[danudey]

I feel as though it would be a lot easier and cheaper to open up a new gmail account than to create a new Apple account, add a gift card, sign up for iCloud+, and then create private relay e-mails to use for signing up.

Is there something about gmail that makes it less suitable for the fraudulent use cases than iCloud+ private relay e-mails? I presume you're thinking of the 'create many anonymous e-mails' feature in that regard, which makes some degree of sense. I wonder if iCloud+ throttles e-mail creation.

[FireBeyond]

> If you're trying to hide who you are from our very first interaction, that's a massive red flag.

You conflate email with identity, just like the media companies conflated IP addresses.

It's not hiding who you are, it's hiding my real email address behind a mask that you can't choose to sell off to marketers, or spam yourself, or otherwise profit off, regardless of the nature of our relationship - I've got plenty of spam emails from companies that I closed accounts with, thus severing our relationship.

> If you can trivially create hundreds of these emails, and fill in the rest of the required info with bought/stolen/generated PII, now I have a vector for mass fraud. Requiring you to use a recognized non-anonymized provider doesn't stop you, but it sure does slow you down. (It's not this simple of course, but all security works in layers)

It's not that simple, but I guarantee it doesn't remotely slow anyone down, not at the scales we're talking. Maybe if you're talking one entity and tens or hundreds of thousands of accounts, but it's laughably naive to believe that such a person who is set up to conduct "mass fraud" can't create 100 Gmail/Outlook/iCloud email addresses a day, if not an hour, with near zero effort (it's not like they're committing "mass fraud" by hand, after all).

[hamdingers]

> I guarantee it doesn't remotely slow anyone down

I have watched the rate go down and stay down on real live dashboards.

> Maybe if you're talking one entity and tens or hundreds of thousands of accounts

We are.

I'm not so rude as to call you "laughably naive" but I am speaking from experience and you appear to be considering a hypothetical.

[iamnothere]

It sounds like you are trying to shoehorn email into some kind of “real person verification” role, when you ought to be doing actual KYC through some provider like ID.me. (If honest to god no-shit fraud is on the table.)

[hamdingers]

If I can filter/throttle fraudsters at the create account step for free, I save on the fees my KYC/IDV providers charge each time they attempt to defeat it.

[iamnothere]

At the cost of blocking legitimate users who don’t want to be spammed, don’t want to be correlated after a data breach, etc.

I have been willing to do KYC for services (usually financial) without giving out my main email. Services that put up too many barriers to this don’t get my business. I concede that there aren’t that many users like me, compared to the general public, but I’m a legitimate user.

[tom_]

There must be at least two of us!

[AlexandrB]

> If you're trying to hide who you are from our very first interaction, that's a massive red flag.

If you're trying to collect personal information that's none of your business from the very first interaction, that's a massive red flag. Like how many data leaks and customer data exposures is it going to take to understand that the data I'm giving you is a liability for me? How much spam am I expected to put up with because you give my data to a "data broker" for one reason or another? Why should I trust anything you say regarding how you will handle my data after all the embarrassing fuck-ups over the years? What is your liability if you mishandle my data, is it approximately $0? Do you have an arbitration clause in your TOS so I can't even sue you when you screw up?

There's zero responsibility from the tech industry for their continued failures in this regard and then you have the temerity to lecture me about my "red flag"? Seriously?

[cloudfudge]

You not bending over and opening your wallet is, frankly, a red flag. /s