alt Hacker NewsI'm curious what you think the difference is between "a paying iCloud user" and "an anonymous rando off the internet." How many Apple gift cards do you reckon get sent to fraudsters every day? Decades worth of iCloud+ surely.
I'm running a business where I need to know who you are, because my platform can be used defraud other people. If you're trying to hide who you are from our very first interaction, that's a massive red flag.
If you can trivially create hundreds of these emails, and fill in the rest of the required info with bought/stolen/generated PII, now I have a vector for mass fraud. Requiring you to use a recognized non-anonymized provider doesn't stop you, but it sure does slow you down. (It's not this simple of course, but all security works in layers)
If these terms are not acceptable to you, then great! Don't use the website, there's no need to be salty because that's what you said you wanted. Isn't it?
I don't mind either, because the number of legitimate users who are bothered by this restriction is infinitesimal compared to the number of fraudsters who would take advantage if it wasn't in place. It can be difficult to comprehend the scale of platform fraud unless you've worked in this area, many days fraudulent signups outnumber legitimate ones.
Replies
It sounds like you are trying to shoehorn email into some kind of “real person verification” role, when you ought to be doing actual KYC through some provider like ID.me. (If honest to god no-shit fraud is on the table.)
> If you're trying to hide who you are from our very first interaction, that's a massive red flag.
If you're trying to collect personal information that's none of your business from the very first interaction, that's a massive red flag. Like how many data leaks and customer data exposures is it going to take to understand that the data I'm giving you is a liability for me? How much spam am I expected to put up with because you give my data to a "data broker" for one reason or another? Why should I trust anything you say regarding how you will handle my data after all the embarrassing fuck-ups over the years? What is your liability if you mishandle my data, is it approximately $0? Do you have an arbitration clause in your TOS so I can't even sue you when you screw up?
There's zero responsibility from the tech industry for their continued failures in this regard and then you have the temerity to lecture me about my "red flag"? Seriously?
> If you're trying to hide who you are from our very first interaction, that's a massive red flag.
You conflate email with identity, just like the media companies conflated IP addresses.
It's not hiding who you are, it's hiding my real email address behind a mask that you can't choose to sell off to marketers, or spam yourself, or otherwise profit off, regardless of the nature of our relationship - I've got plenty of spam emails from companies that I closed accounts with, thus severing our relationship.
> If you can trivially create hundreds of these emails, and fill in the rest of the required info with bought/stolen/generated PII, now I have a vector for mass fraud. Requiring you to use a recognized non-anonymized provider doesn't stop you, but it sure does slow you down. (It's not this simple of course, but all security works in layers)
It's not that simple, but I guarantee it doesn't remotely slow anyone down, not at the scales we're talking. Maybe if you're talking one entity and tens or hundreds of thousands of accounts, but it's laughably naive to believe that such a person who is set up to conduct "mass fraud" can't create 100 Gmail/Outlook/iCloud email addresses a day, if not an hour, with near zero effort (it's not like they're committing "mass fraud" by hand, after all).