Apple is making a quiet change to one of its best privacy features, and I’m not convinced anyone has fully thought through the downside yet.
This summer, Apple will start routing both Hide My Email and Sign in with Apple relay addresses through the same domain: private.icloud.com.
On the surface, it’s the kind of backend change most people will never notice. Existing addresses will continue to work, emails will still be delivered, and users won’t need to update anything.
Apple presents it as a simplification, and for most customers that’s probably exactly what it looks like. The problem is what this simplification does behind the scenes.
Today, Apple’s two anonymous email systems live on separate domains. Hide My Email uses iCloud-based relay addresses, while Sign in with Apple relies on privaterelay.appleid.com.
If a company wanted to reject both address types, it had to account for each separately. Under the new setup, everything points to private.icloud.com.
That means a website, app, or email platform that dislikes anonymous registrations suddenly has a much cleaner target. Instead of dealing with multiple domains, it can identify and block Apple’s privacy-focused addresses with a single rule.
That’s what gives me pause. Apple’s privacy tools work because they let people participate online without immediately handing over a permanent email address.
Whether you’re signing up for a free trial, downloading an app, or creating an account you’ll probably never use again, Hide My Email creates a layer of separation between you and the company collecting your data.
It’s one of the smartest privacy features Apple has ever shipped, and arguably one of its most underappreciated.
By consolidating everything under a domain that practically announces its purpose, Apple may have made those addresses easier to identify than ever before.
Apple isn’t weakening the underlying privacy protections with this domain change. The core relay system functions exactly as before to mask your real identity, and any aliases you’ve already created are staying fully active.
My concern is different. The more obvious Apple’s relay addresses become, the easier it is for companies to single them out if they decide they only want customers who provide “real” email addresses.
And while many businesses won’t care, some absolutely will. Marketers, subscription services, lead-generation platforms, and apps that depend heavily on customer data have little incentive to embrace tools designed to limit what they can collect.
Apple has already told developers they’ll need to update their systems to recognize private.icloud.com. That’s a reasonable request. But it also serves as a reminder that these addresses now have a single, clearly identifiable home.
Maybe the benefits of consolidation outweigh the risks. Maybe Apple has technical reasons that make the change worthwhile. If so, the company hasn’t explained them publicly.
What Apple calls simplification, privacy advocates may see as a new point of failure. And for a company that has spent years positioning privacy as a competitive advantage, that’s a debate worth having.