
Apple Sign In - ikarandeep
https://techcrunch.com/2019/06/03/apple-sign-in-privacy/
======
mjlee
Disposable, anonymous email forwarding is a massive step forward for privacy.
I know we've all been doing it for a while, but this on a consumer level is
fantastic.

~~~
albertgoeswoof
If you don’t use apple, I just built this as a stand-alone product:
[https://idbloc.co](https://idbloc.co)

~~~
golem14
From the web page, I cannot tell what pricing is going to be - looks like you
go out of your way to not scare off potential users. I can't find pricing
information at all via Google searches, either.

That's something I really dislike. Perhaps it's a necessary evil.

~~~
albertgoeswoof
It’s at the bottom of the landing page:
[https://idbloc.co/#pricing](https://idbloc.co/#pricing)

The goal is to explain the concept ahead of the pricing as I think it’s quite
novel to most users.

~~~
prepend
I pay $30/year for a cpanel host that includes unlimited mail forwarding for
any address on any domain. This is a byproduct of what I really do which is
host a bunch of sites. $48/year for email scrubbing seems like a high price.

I think it’s great, and use it a lot. Just wonder how you got to that price vs
like $10/year.

~~~
albertgoeswoof
Pro users subsidise the free ones, unfortunately. Assuming a 1% conversion
rate to pay server costs and 1-2 devs full time at 4 usd/pro user/month you
need 2500 pro users, which is 250,000 users.

That and people pay 4 bucks for a coke these days so it’s not really much.
Also cPanel is most definitely an expert tool.

I might make it paid only soon and reduce the price but at present there’s not
much option to get real feedback and user traction.

~~~
criddell
Once it's up and running, does it really take 2 full-time people to keep it
running?

------
polutropos
According to the App Store review guidelines update posted today, Sign In with
Apple will be _required_ for any iOS app that implements a single-sign in
button.

"Sign In with Apple will be available for beta testing this summer. It will be
required as an option for users in apps that support third-party sign-in when
it is commercially available later this year."

[https://developer.apple.com/news/?id=06032019j](https://developer.apple.com/news/?id=06032019j)

~~~
mindgam3
This is Apple sensing weakness and dropping a bomb right on facebook’s
doorstep. And they sidestep the anticompetitive angle by arguing that instant
anonymous sign on is simply a better UX, which it is.

Someone at Apple deserves a raise.

~~~
canes123456
Lol, I doubt it. Apple is years late and sucks at doing the leg work of
getting third parties to adopt its suck. Look at Apple Pay which was launched
at the perfect time.

~~~
macintux
Apple Pay, the market leader?

[https://www.similartech.com/compare/apple-pay-vs-google-pay](https://www.similartech.com/compare/apple-pay-vs-google-pay)

~~~
canes123456
Great 1% of online stores supports it. I am sure only a fraction of that
traffic actually uses apple pay. You are comparing it to google pay that had a
terrible UX and like four conflicting versions. They had to catch up to apple
pay once it launched. Apple had the perfect product at the perfect time. They
completely wasted the US chip switchover. They could have dominated retail
purchases.

------
dyarosla
Can’t services just disallow/block this address?

Fun thing is, Apple themselves block name+addon@gmail.com addresses when using
their dev console. You can bet that some companies will disallow Apple’s
signature private passwords similarly if they can, in the name of ‘security’
or what have you.

Or am I being too cynical? Feel free to CMV.

EDIT: best response addressing this seems to be ‘The addresses are only
generated from the "Sign In With Apple" workflow that a developer has to
enable in the first place’

~~~
untog
Presumably such services won't implement Sign In With Apple in the first
place. People will accept it because they want the sheer quantity of users
Apple provides.

The useful thing about Apple is that they can force people to do things they
don't particularly want to do, like accept anonymous e-mail addresses or stop
using Flash. (unfortunately this is also the bad thing about Apple)

~~~
dfabulich
"[Sign In with Apple] will be required as an option for users in apps that
support third-party sign-in when it is commercially available later this
year."
[https://developer.apple.com/news/?id=06032019j](https://developer.apple.com/news/?id=06032019j)

~~~
cwills
Sign in, but not sign up? I guess some apps will not allow accounts to be
created through the iOS app. Much like Netflix stopped allowing sign up on iOS
[[https://gadgets.ndtv.com/entertainment/news/netflix-ios-app-...](https://gadgets.ndtv.com/entertainment/news/netflix-ios-app-itunes-billing-missing-sign-up-1902205)]

Thereby, when Apple passes a XXXXXXX@privaterelay.appleid.com address back,
it won't match the existing account's email address = Sorry, matching account
not found ?

------
mindgam3
This is a huge move. Apple striking at the core of Facebook's play to own your
identity, which they had with Facebook Connect but have completely fudged out
with countless breaches of user privacy and trust. I used to be the biggest
fanboy of facebook connect, but now I have to say: Go Apple.

~~~
basch
Apple ID as SSO, iMessage Profile, Memoji, and Apple Pay. Apple is near FB
Messenger parity, now that it functions as an account for external services.
It's an extremely strong move on Apple's part, especially considering how
close to it they have been for a while. They sure like taking their time
sometimes.

~~~
noelsusman
They're close to parity with a giant exception that it's not available to the
overwhelming majority of Facebook users.

~~~
pluffycat
Fb and G screwed themselves by: forcing users to submit real cell phone
numbers (no forwarding numbers allowed) and real names. I’m laughing all the
way to the apple oauth signup. So tired of G and Fb abusing users

~~~
throaway5533
Apple now requires 2FA for new accounts created on an iPhone and for 2FA they
require a phone number.

~~~
basch
but you can just go to icloud.com, sign up, and then type that into your
phone. a pretty easy workaround.

------
gigatexal
This single feature shown off today at WWDC has solidified my forever lock-in
on all things Apple and especially iOS: no longer will my email be sold
needlessly or be spammed and my logging in to different web properties sold
to marketers and ad networks and data aggregators. I trust Apple a whole lot
more because they charge an arm-and-a-leg for high end hardware and soon
services because the products and services are the products not their users.

~~~
basch
As soon as Keychain can abstract away passwords completely (rando generation,
never need to show the user the password), so an end user can't tell if a site
supports Apple SSO or if Apple is just emulating SSO, Apple deserves to be
crowned the Identity Winner.

~~~
pat2man
There is a session on WebAuthN on Thursday.

~~~
lucasverra
If you are attending, could you share your learnings and how we, outside
the conference, can have access to the information displayed?

~~~
Redoubts
[https://developer.apple.com/wwdc19/live/#!/room/](https://developer.apple.com/wwdc19/live/#!/room/)

This may host it live, but all presentations are recorded and will be here
soon.

------
jbeckham
Maybe I'm cynical, but this looks more like a data hoarding scheme than a
protect my privacy enhancement. If I use Google to sign in, Google and the app
have that data and can monetize it.

Now if I sign in using Apple, they are going to have the data to monetize.
They may keep the app from getting my information, but that means that their
data is better than someone else's data, so it is more valuable. Also, they
are getting app usage statistics that I may have opted out of at the OS level,
but they now have due to having the sign in history.

~~~
prdonahue
Who do you trust more _not_ to do sketchy stuff with your data, Apple or
Google? For me it's unequivocally Apple.

~~~
throwayEngineer
For me, Apple.

Google isn't outwardly evil.

Apple being anti consumer and anti developer really shows you who Apple works
for.

~~~
rootusrootus
Google, the company who makes Chrome? The Chrome that will soon prevent me
from using an ad blocker?

~~~
Karunamon
Can we stop being hyperbolic please? If not blocking ads in a very specific
way is what it takes to be counted as "evil", that word has officially lost
all meaning.

------
buildbuildbuild
It seems you must first have an *OS app in order to use Apple Sign In on the
web, a $100/year barrier to entry for web developers versus Google/Facebook
auth.

"To configure web authentication, you must create a Services ID and associate
your website to an existing primary iOS, macOS, tvOS, or watchOS App ID
enabled for Sign In with Apple."

Source: [https://help.apple.com/developer-account/#/dev1c0e25352](https://help.apple.com/developer-account/#/dev1c0e25352)

~~~
rezz
Sounds like a great SAAS opportunity.

------
dpq
Sounds like a good time to remind people about Telegram having a similar
function for quite some time now. And just yesterday they announced a feature
to simplify logging into web sites using TG bots:
[https://telegram.org/blog/privacy-discussions-web-bots](https://telegram.org/blog/privacy-discussions-web-bots)

It might be a personal choice, but for stuff when privacy is really important
I'd definitely pick Telegram over Apple, no matter how much the latter claims
to keep me safe from three-letter agencies as well as marketers.

~~~
w3rhn2j34oh5o
Telegram is unencrypted by default. All standard messages are stored on the
server. Telegram's secret chat mode (end-to-end encryption) uses home made
cryptography, and has been panned by experts in the past. All group chat is in the
clear and stored on the server. This is not the case with iMessage. Comparing
Telegram to iMessage, Telegram is not in the same league as Apple. I don't
trust either from TLA's or well funded adversaries.

~~~
Tepix
It's not homemade crypto. It's just not the latest and greatest modern crypto
but it has no glaring weakness.

~~~
_tulpa
[citation needed]..

But it’s absolutely homemade by math PhDs (not crypto specialists). And if you
search for ‘telegram security’ you’ll find any number of articles pointing out
a bunch of weaknesses. It’s also only half open source.

~~~
aasasd
> _half open source_

Not just that. The official clients repos (specifically Android) lag several
weeks, if not months, _behind the apps,_ or at least they did at one point.

Though that doesn't matter much with not-quite-verifiable releases...

------
ricardobeat
Whoa. Apple is picking up where Mozilla’s ball dropped, but with a massively
better chance of success.

Cheers to whoever is running this show.

~~~
move-on-by
Mozilla dropped the ball on this? They never had an opportunity to do this.
Apple will only succeed by bullying developers that want to stay in the
AppStore. Mozilla doesn’t have the market share or financial leverage to do
anything like this.

~~~
ricardobeat
[https://en.wikipedia.org/wiki/Mozilla_Persona](https://en.wikipedia.org/wiki/Mozilla_Persona)

> Mozilla doesn’t have the market share or financial leverage to do anything
> like this

Precisely. There was very little incentive for websites to adopt it at the
time; Apple has a lot more power.

~~~
move-on-by
They tried, they didn’t have a way to force it on companies. Not sure how
that’s considered dropping the ball?

------
maxheadroom
This is a great idea but it kind of falls short.

Elaboration with example: LinkedIn is notorious for swiping up any data points
that it can find. Your carrier, your GPS location, etc.

As long as there are two or more data points to successfully tie you to that
id, it's already game over. It'll just be added to your "targeted advertising
profile" and, given the wrong company getting ahold of it (looking at you,
Equifax), sold/traded on the advertising market to third-party advertisers to
build better profiles because... ...advertising dollars?

Anyways, the premise is cool but I think - without addressing the dragnet that
is targeted advertising - it'll just be a minor inconvenience, which will be
conquered over time with the collection of enough data points to tie it back
to the "you" that they already know.

...unless you start-off with a brand new phone (new IMEI) and don't associate
_any_ old accounts with it, that is.

~~~
minhazm
Apple doesn't allow you to access the IMEI or even MAC address. And they
announced at WWDC today that they're locking down people scanning for wifi
access points + bluetooth beacons to determine location also.

The purpose of this isn't to make you anonymous. It's just to make sign on a
little simpler and for apps that you think might not be super trustworthy or
apps that don't actually need your email address you can choose to give them
this proxied one. Obviously social accounts and other applications that will
ask for your real name will know who you are.

------
busymom0
I develop apps myself and I am 100% onboard with using this instead of
offering the signup with google or facebook buttons (can offer those as
secondary options). I might even push users slightly to use this instead of
others as it gives my apps a bit of extra trustworthiness imo.

Only question I have is if it's possible to integrate this on websites and for
non-apple products too? Because I would like my app which is available on
Android too to be able to use this.

EDIT: Apple's site says it will be available on websites too. Let's hope it's
available on non-apple devices too:

> Apple is introducing a new, more private way to simply and quickly sign into
> apps and websites.

[https://www.apple.com/ca/newsroom/2019/06/apple-previews-ios...](https://www.apple.com/ca/newsroom/2019/06/apple-previews-ios-13/)

~~~
atticmanatee
On the presentation they said it would be available on web and android.

~~~
busymom0
Thanks, I was reading the docs and apparently it will be available for
websites too and comes with a JS library which will let me use it on Android
too. I am quite excited for this as a developer.

------
pletnes
This is a natural step that I’ve been waiting for for years. This can almost
remove the need for password typing, as you don’t even need one to unlock the
device anymore. Let’s hope Microsoft does the same, and integrates with
apple’s solution. A lot of people are on iOS+Win10 for laptops.

------
gnicholas
Does this require that every device you'd wish to use to sign into the service
be an Apple device?

That is, if you're signing up for Netflix with this, would you be able to
access your account from a Roku box?

~~~
gkoberger
I imagine you'd have to get the private email from your iPhone, similar to how
1Password works.

~~~
gnicholas
And it appears from the image that the private email would be a bear to type
into another device.

~~~
tzs
Hopefully, more devices will move away from requiring you to type anything
into the device to sign in.

Quite a few devices or apps on devices have already done so. Instead of having
you enter the account ID and password directly, they give you a URL to visit
that is something like [https://<device-maker>.com/add-device](https://<device-maker>.com/add-device),
and show you a random code.

You go to the given URL in your normal browser on whatever device you normally
use for web browsing, where you can login to your account at <device-maker>
and enter the code the device gave you.

A few seconds later the device notices you've completed this, and you are then
automatically signed in on that device.
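
The sign-in flow described in the comment above, modelled in memory as an added example (not part of the original comment and not any vendor's code). The class name, code alphabet, ten-minute lifetime and attempt limit are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

# Assumed parameters for this illustration only.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # no vowels or digits: fewer typos, no accidental words
USER_CODE_LEN = 8
CODE_TTL_SECONDS = 600       # a code shown on the device is only valid for ten minutes
MAX_FAILED_ATTEMPTS = 5      # per logged-in account, to stop guessing of short codes


class DeviceSignInService:
    """In-memory model of the <device-maker> server in the flow."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # device_code -> {"user_code", "expires", "account"}
        self._failed = {}    # account -> number of wrong codes entered

    def start(self):
        """Device asks to sign in. Returns (device_code, user_code).

        device_code is a long secret that never leaves the device; user_code is
        the short code shown on screen for the user to type in a browser.
        """
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(
            secrets.choice(USER_CODE_ALPHABET) for _ in range(USER_CODE_LEN)
        )
        self._pending[device_code] = {
            "user_code": user_code,
            "expires": self._clock() + CODE_TTL_SECONDS,
            "account": None,
        }
        return device_code, user_code

    def approve(self, logged_in_account, typed_code):
        """Browser side: the user is already logged in and types the code."""
        if self._failed.get(logged_in_account, 0) >= MAX_FAILED_ATTEMPTS:
            return False
        typed = typed_code.replace("-", "").strip().upper().encode()
        now = self._clock()
        for record in self._pending.values():
            live = record["expires"] > now and record["account"] is None
            if live and hmac.compare_digest(record["user_code"].encode(), typed):
                record["account"] = logged_in_account
                return True
        self._failed[logged_in_account] = self._failed.get(logged_in_account, 0) + 1
        return False

    def poll(self, device_code):
        """Device side: returns (status, account), status in pending/approved/expired."""
        record = self._pending.get(device_code)
        if record is None or record["expires"] <= self._clock():
            self._pending.pop(device_code, None)
            return "expired", None
        if record["account"] is None:
            return "pending", None
        del self._pending[device_code]  # single use: a replayed poll gets nothing
        return "approved", record["account"]


def demo():
    """Walk through one sign-in and return the statuses the device observed."""
    service = DeviceSignInService()
    device_code, user_code = service.start()
    seen = [service.poll(device_code)[0]]          # before the user does anything
    service.approve("alice@example.com", user_code)
    seen.append(service.poll(device_code)[0])      # device notices the approval
    seen.append(service.poll(device_code)[0])      # same device_code cannot be reused
    return seen


if __name__ == "__main__":
    print(demo())
```

The device never sees the account password, and the short on-screen code is useless without an authenticated browser session, which is why it can be short enough to type.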

------
Scrantonicity
Doesn't this also lock in users to Apple? Will I still be able to use these
apps on other devices?

~~~
inapis
If Apple discloses the generated email id. But the given examples seem very
tedious to type.

------
hk__2
I can already see devs implementing things such as `if email domain ends in
privaterelay.appleid.com reject the email address and ask for a "real" one`,
like what already exists for yopmail and others.

~~~
moduspol
Such a dev would likely just not implement "Sign in with Apple".

This is for the devs that specifically want the minimal-friction sign-in.

~~~
dcbadacd
Some screenshots display that it also works on the web, I'd love to find out
how exactly but I ain't buying an Apple device and a developer license for
that.

------
mrb
I love that TC chose a picture of "fc452bd5ea@privaterelay.appleid.com" to
illustrate the article. When was the last time you saw a service that could be
described by a single "word"?

~~~
ignoramous
If I showed it to my mom, she still wouldn't know what was up. The genius
would be in making the UX frictionless and disposable addresses the default.
Let's see how Apple executes this. They do absolutely pull UX stuff off from
time to time. So, that's there.

------
NightlyDev
"without turning over any of their personal data to a third-party company"

Uhm.. If a user signs up on my site with apple sign in then they definitely will
share personal data with a third-party: Apple.

If user A wants to use product B and signs in using solution from C then C is
the third-party.

~~~
paintstripper
Yeah, but lots of people including me trust Apple with their data. I sure as
hell don't trust your site.

------
fenbielding
If anyone needs this right now, we've been offering this for a while with
[https://www.faircustodian.com](https://www.faircustodian.com)

Lots more planned for the future of personal privacy protection too.

------
thrill
I updated my AppleID since I haven't used it in years (have other devices) in
anticipation of implementing this as soon as it's available on a site I'm
working on. It appeared they offered two-factor authentication to get away
from those 1990's type of security questions. Ah, not so fast - 2FA is only
enabled with Apple devices. Poor play there, Apple. This service looks like
something sorely needed - bring the rest of the flock into the fold and let
everyone plug in their Yubi key.

~~~
Tepix
FIDO U2F or TOTP. On the other hand it's perfectly understandable that they
use this to sell their hardware.

~~~
thrill
Google doesn't limit who can login by their device manufacturer, but the
supposed privacy focused company does?

~~~
freewilly1040
Yep, the privacy focused company makes money selling hardware rather than ads.

~~~
thrill
So, the privacy draw is just another gimmick to them, and not a supposed part
of their DNA?

~~~
asaddhamani
If you're not paying them, they need to pay for you to use their services. And
to do that, they will want to make their money back on that.

It is a good thing that they're not giving their services away for free;
they're putting their money where their mouth is. If you look at all the
companies that give their stuff away for free, they do it to collect data for
advertising, and they make money from advertising, in most cases (unless
they're using investor money to fund you).

Apple is not an advertising company, and I do not see any problem in them
using this to draw in customers. It is a major selling point for Apple that
they respect your privacy. They do a lot of their ML stuff on-device to
preserve your privacy, they encrypt your data on their servers or anonymise it
whenever possible, they do a lot to prevent apps from tracking you like
limiting location access and other data, etc.

------
minimaxir
Per a screenshot in the Keynote, Sign in with Apple will also work on the Web,
which will be interesting.

~~~
oh_hello
They already offer Apple Pay on the web. I imagine the experience will be
similar here.

~~~
minimaxir
True, although that would imply Sign in with Apple would be Safari-only, which
might be a hard sell.

~~~
saagarjha
Might be a JavaScript API like MusicKitJS, since I don’t see this requiring
hardware support.

------
bound008
Free disposable forwarding email addresses that you can turn off. Built on the
startup bus years ago: [http://boun.cr](http://boun.cr)

MailGun ( a YC company ) was providing their API for free, until another
company came along and offered to take over the project. All of the code and
design was built on a bus from CA to ATX.

(and one of the team members met their co-founder on that (StartupBus) trip
and went through YC. I believe they are a unicorn now)

------
empath75
Finally an excuse to delete my Facebook account completely. SSO was the only
reason I was still using it.

I do wonder how many sites will actually implement it.

~~~
driverdan
Why do you need SSO? Password managers make it easy to manage accounts.

~~~
ben509
PMs don't make it easy, they make it reliable and central. The default
password generation usually doesn't work, and a web form doesn't capture
everything, but I'm never clicking and guessing even when I haven't used an
account in years.

But SSO wins on mobile, because the PM is clunky even with a custom keyboard.
Even then, I keep a dummy entry in my PM just so I'm tracking it.

~~~
basch
Mobile Dashlane and Lastpass work much better on Android, where the OS allows
you to set default apps. If Apple deserves any antitrust spankings it's for not
allowing user control of protocol handlers and default programs.

~~~
dcbadacd
Bitwarden seems to work quite nicely as well but in addition to that Bitwarden
is open-source.

~~~
basch
I was going to mention it but I hadn't used it yet.

------
buboard
So what if in the future apple decides they don't want to allow your website to
use it anymore (because e.g. it violates their UX guidelines)?

------
lghh
What is forcing the sites that I'd want to use a fake email address with to
use this? It wouldn't be in their interest to. They will just stick with their
current SSO setup of Google/Facebook/whatever and never touch this, if they
have SSO at all. I LOVE LOVE LOVE the idea, I just don't know if it will be
useful and successful.

~~~
jdminhbg
Nothing is forcing them to, and lots probably won't. The carrot is the much
lower friction for sign up for users. It's similar to Apple Pay, where you
don't get credit card info, but you do get a much easier user flow that will
get you more signups.

~~~
DuskStar
But will it be lower friction than login with Google or Facebook? It feels
like it's more common for someone to have an account from one of those two
than from Apple, and so "sign on with Apple" will never be able to be the
_only_ SSO option, while Google or Facebook could be.

If the better (for the site) SSO options also have near-universal market
penetration, what's the incentive to add Apple?

~~~
awinder
I would venture a guess that apple/icloud accounts are the highest % account
type amongst iPhone holders. All sorts of people have reasons for not having
gmail / facebook / etc., but apple account setup is pretty prominent in device
setup.

~~~
DuskStar
Sure, it might be the highest % among iPhone holders - but for a website, what
portion of your users are going to be iPhone holders, and what portion of the
Windows/Android crowd have Apple accounts?

~~~
jdminhbg
You don't have to implement it to the exclusion of other methods. There are
plenty of merchants on the web with Apple Pay and also Paypal, straight up
credit card numbers, etc.

~~~
DuskStar
Of course you don't have to implement it to the exclusion of all others! But
let's suppose that, say, 65% of users have a Google account, 75% have a
Facebook account, and 40% have an Apple account - and the circles overlap such
that adding Apple adds 10% to the total coverage. Now, if everyone who has an
Apple account prefers it, and users with an Apple login yield 30% less
revenue... _gaining that extra 10% of users costs you revenue, because for
every user you gained at 70%, three existing users cut their revenue by 30%_.

------
masnick
For a while now I’ve been using “someservice.com@account.mydomain.me” when
signing up for accounts.

I use FastMail for my email hosting, and they allow you to turn on wildcards
for any custom domain. I don’t get any spam because it’s at a subdomain —
never enable *@mydomain.me because you will get a mountain of spam to admin@,
webmaster@, etc.

------
ruffrey
We've been thinking about this for Mailsac.com. It is already possible but
clunky. Considered making browser plugins to make it easier to create and
route disposable addresses, and "black hole" disposable email addresses once
it's clear they've been resold to advertisers.

------
schaum
If they implement it in OIDC they basically randomize the mail address for
every application? What about the other scopes?

[https://auth0.com/docs/scopes/current/oidc-scopes](https://auth0.com/docs/scopes/current/oidc-scopes)

------
xtat
2019 big tech innovation is basically finding ways to ensure only _they_ have
access to your data

------
cavisne
This is very cool in terms of security principles (no email that can be used
to track you by default, mandatory 2FA, mandatory SPF for emails).

The mandatory inclusion if you use third party SSO already (smart I think as
otherwise FB and Google would probably start paying developers _not_ to
include it) aside, this will probably get a lot of uptake for apps that don't
use SSO.

Apps that people mainly use on mobile devices and TVs would benefit a lot
from this (as these devices aren't good for typing in complex passwords).
Additionally larger companies would be concerned about letting Google or FB
sell their user list to competitors for targeting. Apple already has all this
information, so nothing is lost by enabling SSO.

------
nwsm
What's the incentive for apps to offer it? Now they don't get user data.

~~~
the_watcher
There are plenty of applications that don't actually care about the additional
data they could arguably get from a Google/Facebook login, and only offer it
because one click sign-up/login drives more signups.

~~~
nwsm
In cases of a trustworthy third party, what is the concern of linking to
Google/Facebook account compared to an Apple account that doesn't offer any
data? I don't think I've seen any instances of Facebook integration
credentials being hacked/stolen.

~~~
the_watcher
In reality, pretty much nothing (particularly since now, third parties
basically only get name + email). The value is that some (small or large)
number of potential users might not know or believe that and trust Apple more.

~~~
rootusrootus
Ha, I can't imagine why I might trust Apple more than Facebook or Google. /s

------
parliament32
I'm not an Apple user, and don't own any of their products, but this is a
great step forward for privacy. I'm happy to see companies prioritizing
privacy for users.

That being said, any company that actually cares about collecting users'
identities (you know, the ones you'd actually want to use this for) will
definitely block @privaterelay.appleid.com from being used. Apple would've
been better off using a well-known domain and having both private and non-
private addresses on it, like @me.com .

------
jeroenhd
Will this service be available on the web? I get the feeling that this will
only be available on iOS, meaning that you lose access to all your accounts if
you decide to switch to Android.

~~~
malloreon
ios, macos, web, all announced.

------
countbackula
"Apple says it can authenticate a user using Face ID on their iPhone without
turning over any of their personal data to a 3-p company."

So is this feature exclusive to Face ID and iPhone? Would users, Face ID
enabled or not, be able to use it with only their iCloud email/ID? And would
older iPhone models incapable of FaceID still be eligible?

These may be just questions of a skeptical mind, but I really hope Apple isn't
using a pro-user, pro-privacy feature to phase users out of older models.

------
stirner
I used to do something similar when I ran my own mail server. Whenever I
created an account for a new service, I would add an entry to /etc/aliases
e.g.

    news.ycombinator.com: stirner

and sign up for the service as news.ycombinator.com@mydomain.com. If I ever
left a service, I would just remove the corresponding alias and restart
Postfix.

I eventually got tired of the work required to avoid spam filters and switched
to iCloud Mail, so I’m glad to see this feature built in.

------
simonhamp
This is the ultimate way to manage your incoming email - I’ll be filtering
everything based on the `to:` address when this rolls out and my life will be
wonderful again

------
yalogin
Emails from companies already have an unsubscribe button. So if I unsubscribe
they shouldn't send me emails. That is not changing with the new Apple Sign In
feature. Emails will still have the unsubscribe feature. The only reason for
devs to push for a real email is to sell it to advertisers. They are not
deleting the email once I unsubscribe. So giving them an anonymized email is
good. I hope this succeeds.

~~~
tartuffe78
Many spam emails I get these days from companies say things like "Unsubscribe
from this list" so for example I have to unsubscribe from their "Daily
Digest", "Weekly Digest", "Recommendations", etc. all one at a time.

~~~
SOLAR_FIELDS
And there's no guarantee how many of those "lists" you are on with some
softwares. You might have a one-click unsubscribe, but you just one-click
unsubscribed from the first of 100 lists you were placed on for that company.

------
pishpash
Some sites now seem to check whether an address is valid from some database or
heuristic, because a random email with a valid domain is still rejected.

~~~
kyboren
There is definitely a phenomenon of checking for prohibited email domains.
However, absent extra-functional motivations like user data collection, smart
developers don't bother with heuristics for email addresses much beyond the
presence of an '@' character.

If you want to know if a purported email address is deliverable, try to
deliver email to it.

------
kevin_b_er
Companies already massively dislike fake/temporary emails. Go find a throwaway
email service and you'll find many many websites blacklist them. I'll actually
be angry if Apple succeeds, because it'll just mean I can only have private
email address as an apple customer and not anywhere else. Many companies might
make an exception for Apple, but not anyone else.

~~~
thrill
This is neither a fake nor a temporary email. It is unique, made specific by
the combination of the user's appleid and the target app/website, and
permanent in that it will remain the same. The ability of the user to
automatically discard/block content sent to the email address doesn't change
this, as it's no different other than (probably) more convenient than setting
up a bunch of spam filter rules for those "services" that refuse to remove
your address.

~~~
Xelynega
It says in the article that it's a 'unique, random address', so I don't know
where you're getting the 'combination of the user's appleid and the target
app/website' from. The purpose of the service is the same as other temporary
email services, to anonymize signing up for services by providing a fake
email.

------
nly
Using 'Sign in with X' with service Y means you're giving X, or anyone forcing
X to abuse their position, full access to your account on Y.

Additionally, anything sent to you@privaterelay.appleid.com flows through an
Apple server.

You can trust Apple with this now, but it's not so easy to revoke that trust
later. Still, it's useful for throwaway signups and garbage I suppose.

------
awfully
How is this going to work with all the websites that make you login with your
email address? Gonna be super hard remembering them?

------
dontbenebby
Interestingly Mozilla tried something like this a while back:

[https://en.wikipedia.org/wiki/Mozilla_Persona](https://en.wikipedia.org/wiki/Mozilla_Persona)

Sadly they cancelled it.

(I was actually hired as an intern to work on it, but they stopped paid
development between me accepting my offer and my arrival in SF)

------
olliej
How long until sites start blocking the cloaked addresses? (although of course
Apple can just churn those address patterns)

~~~
JustSomeNobody
How long until those sites cease to exist?

------
plonkus
I like that you can use the feature on the web too, but it appears you need a
paid developer account to generate the client id/secret

[https://developer.apple.com/documentation/signinwithappleres...](https://developer.apple.com/documentation/signinwithapplerestapi)

------
gameguy43
This is neat. But I'd have thought the lower-hanging fruit anti-spam wise for
Apple would've been to add a "mark as spam" button next to push notifications
so users can start reporting all the apps that abuse push notifications to
send them advertisements.

------
groovybits
This is similar to Abine's Blur service, which provides a throwaway phone
number, and (seemingly) infinite throwaway email addresses that can forward
to your own personal email address.

[https://www.abine.com](https://www.abine.com)

------
dcbadacd
Unfortunately there's no way to implement this as an OAuth2 flow and without
having an Apple device. Seems unreasonable to require an Apple dev account
just for providing sign up - it can be tested without installing apps or just
borrowing an iPhone.

------
jiveturkey
How will this be different than anon.penet.fi? (Besides the data being held in
the US, where it is very much in reach of the authorities; Apple isn't going
to shut down the service to uphold some privacy principle vs a government
authority.)

------
bxio
Google's + and . trick on a dummy-proof, invisible, consumer level. Nice!

------
skc
I'm no big fan of Apple, but I must say I get a perverse pleasure out of moves
like this because you'd probably find that 90% of Facebook employees swear by
and love Apple products.

------
tschwimmer
This is really good for consumers, but I'm afraid that many websites simply
won't bother to implement this. Apple just doesn't have the unique marketshare
that Google and FB have. The set of users that would use such a thing is the
union of privacy focused users and users with an Apple ID and not a Facebook
or Google account. This set is heavily overrepresented on HN but is relatively
small overall.

If I run foo dot com, is that set of users attractive enough to me that I'll
spend the engineering time to implement this? I can't think of many instances
where it would be.

~~~
dantheman0207
Might be true. Certainly it’s true that Apple represents a smaller user base
than, say, Google or Facebook.

But Apple users represent a disproportionately large subset of the users that
spend money.

------
ngcc_hk
Great. I guess also you need to use Apple machines to remember the email
address and any password for you. Sometimes they ask for it.

------
max76
On the downside if I use Apple Sign In on apps I probably won't be able to
sign in to that application on my Android devices.

~~~
twiceaday
Or a non-Mac computer? I doubt it. This is likely just an Apple id sign-in
that is progressively enhanced on ios / osx.

------
baxtr
Sounds promising, because this is where Apple is really good at: taking
something “at the fringes” and taking it to the mainstream.

------
zenbane
I'd like to have something similar for actual physical mailing addresses,
perhaps UPS or Fedex could offer this.

~~~
ChicagoBoy11
My local UPS office in NY can accept packages on my behalf for a very small
sum of money. Do you mean something more extensive than that?

------
jedikv
Great feature, shame it's tied to Apple hardware - making it inaccessible to
those who cannot afford it.

------
jason46
Will this affect apps that I use on an iPad and an Android phone that share a
login?

------
pndy
Isn't there a flaw? What stops a service provider/application vendor from
banning this relay domain and forcing users to provide a _real_ email address for
data-mining purposes aka "ensuring that service/app will work"? Unless of
course Apple would deal with those who would go for this

------
dooglius
Does this effectively kill the ability for services to have sign-up promo
codes?

------
timothyduong
I've been predicting this since iOS 11! So good to see it come to fruition.

Apple SSO :)

------
ramon
I loved the concepts! Cannot wait to see the site with the SDKs and all.

------
ashtonian
Wish all the cc companies would do this with their numbers. Some do.

------
buboard
So this is only for mac/iphone users? That's not a large enough segment to
warrant adding a sign in option for most sites. Would be nice if Mozilla had
done something similar with Persona.

~~~
ilikehurdles
Something like 58% of site visits are from mobile browsers, and mobile Safari
makes up over half of all mobile browsers. Of course, your mileage may vary,
but that's a pretty large segment.

~~~
buboard
So it's like 25% of Americans and much less everyone else. Plus you will be at
the mercy of Apple if they decide to remove your app, plus if you need an
actual usable email, you have to ask for a second email. Sounds a bit
confusing, they shouldn't have tied this to email address.

------
xalava
In order to read this article you must redeem your privacy to more than a
dozen companies or go through five screens with a confusing UX to change
parameters. Oh Irony

------
cfarm
Google and FB will likely copy this asap.

------
sdan
Is this Safari only or for all browsers?

------
beenBoutIT
When Apple users use this to commit fraud/trolling/stalking/etc. and get
tracked down it's going to make Apple look bad.

~~~
busymom0
Not really. It's still linked transparently behind the scenes to your Apple
ID. The connection won't be visible to the developers but the fraud etc will
already be taken care of when signing up for your Apple ID.

~~~
beenBoutIT
The reality is that it won't do much to protect users' privacy or prevent
tracking, although it will make it easier for users to avoid spam filling up
their inboxes.

------
shaneos
Seems like a direct copy of MaskMail.net

Nice to have the product validated, but never fun when a giant just duplicates
your business

------
ycombonator
This is awesome news for developers! They should have done this years ago.

------
ChrisMarshallNY
I'll use it.

------
piokoch
Am I correct that TechCrunch page violates GDPR? I don't see any option to
opt-out from being tracked. There is OK button and manage option link, but I
can't manage anything, I can only agree for tracking...

------
grenoire
"This domain is not allowed."

~~~
chrisshroba
While websites do blacklist temporary email providers like Mailinator, I think
Apple has more power here; blocking the domain can be pegged as more of an
anti-privacy move than blocking Mailinator, which is more anti-spam.

------
NN88
Apple is ahead of the game officially.

~~~
throaway5533
Outlook.com has allowed email aliases for a really long time.

------
xtat
right, another one to ban

------
AJRF
Someone who is not Apple should do this and charge for it. I'd pay $10 for
something like that

~~~
danShumway
Don't Fastmail aliases already work the same way?

That's $5 a month for 600 private email addresses, which (for me at least) is
more than enough to cover all of the services I use.

Unless they're easier to re-associate with your main account for some
technical reason I'm not aware of?

------
ashtonian
Or you could buy a domain, and use a catch all email rule and then use a
unique email address per site. Like mybank@mydomain, yourepamsite@mydomain
etc. I've never had any security problems.

~~~
danShumway
How would that help with tracking? The domain you buy will be a unique
identifier that's owned only by you.

What tracking will this defeat that couldn't also be thwarted by putting dots
and plus modifiers in a Gmail address?

------
Justsignedup
While I like this for privacy purposes, this is pretty nefarious.

There is no mechanism by which you can use this sign-on without Apple. That
means you are stuck with these specialized accounts you would need to re-setup
once you leave Apple. Just another lock-in.

This is definitely not the first time Apple does anything like this. If Apple
really cared they would make a tool for any device or operating system to
enable this. But they will not.

~~~
Aaronn
... if you looked at the screenshot of the app they showed it also had sign up
without using Apple Sign in and just using an email address.

~~~
danShumway
You might be misunderstanding what the poster was talking about -- it's not
that you'll need an Apple ID to sign up for a site, it's that once you sign up
with an Apple ID, you might not have a way to link your account to a different
email address. That effectively means that you'd need to recreate your account
when you move away from Apple.

Of course, the other side of that is that sites are probably going to have
ways to link accounts, and it likely won't be a huge deal. They certainly have
no motivation to help Apple with lock in. It's not going to be any different
from the process that exists today for moving associating an email with an
account you created through Google/Github signin.

Still, it would be nice to have a way to use this without an iPhone, or it
will be a (small) extra piece of friction you just have to deal before moving
ecosystems, rather than piecemeal after getting a new phone.

Also note that the same exact concerns exist with Google/Facebook sign in,
it's just that they aren't tied to a physical device so you only need to worry
about losing them if you're making a conscious decision to delete your
account.

