Mail Privacy Protection Seemingly Undermined by Apple Watch [Updated]

[MacRumors]

The security provided by Apple's Mail Privacy Protection feature is seemingly undermined by a lack of Apple Watch support, security researchers have found.

Mail Privacy Protection is a new feature introduced with iOS 15, iPadOS 15, and macOS Monterey that hides your IP address so senders are not able to determine your location or link email habits to your other online activity. It also prevents senders from tracking whether you opened an email, how many times you viewed an email, and whether you forwarded the email.

• iOS 15: How to Prevent Emails From Tracking You With Mail Privacy Protection

The feature works by routing all content downloaded by the Mail app through multiple proxy servers to strip your IP address, and then it assigns a random IP address that corresponds to your general region, making email senders see generic information rather than specific information about you.

Apple's legal documentation on Mail Privacy Protection indicates that the feature is available for iPhone, iPad, and Mac only, but security researchers and developers Talal Haj Bakry and Tommy Mysk have discovered that since the Apple Watch does not hide a recipient's IP address, it can compromise the overall security provided by Mail Privacy Protection.

https://twitter.com/i/web/status/1460345878946922498

The Apple Watch downloads remote content, such as images, using the recipient's real IP address, both when receiving a Mail notification and when opening an email, meaning that even for users who have enabled Mail Privacy Protection on their iPhone, their IP address is exposed.

While Mail Privacy Protection is a feature exclusive to iOS 15, iPadOS 15, and macOS Monterey, the fact that simply receiving a Mail notification on the Apple Watch can reveal a user's IP address and bypass Mail Privacy Protection on other devices seems to be an oversight and we have reached out to Apple for comment.

Update: The same security researchers have now highlighted that iCloud Private Relay is also unavailable on the Apple Watch, meaning that a user's IP address can be exposed when opening links in the Messages app.

https://twitter.com/i/web/status/1460688549867622408

iCloud Private Relay is an Apple service that ensures Safari traffic leaving an iPhone, iPad, or Mac is encrypted. It uses two separate internet relays to ensure that companies cannot access personal information like IP address, location, and browsing information to create a detailed profile about you.

Users who have iCloud Private Relay enabled on their other devices should be aware that their IP address is still discoverable from Apple Watch activity.

Article Link: Mail Privacy Protection Seemingly Undermined by Apple Watch [Updated]

 

[TheYayAreaLiving 🎗]

Wow! Hopefully, Apple isn’t rushing it to push out the App. This really needs to be fixed

 

[Apple_Robert]

Thanks for the heads up. I will make sure not to use on the watch until this is fixed. Notifications have been turned off and will only check on the phone.

 

[antiprotest]

Slipping more and more on privacy and security while adding more and more "safety" and "child protection" features that could compromise privacy and security.

 

[Morod]

Since I don't have a watch, all okay here. Thanks, Apple!

 

[mazz0]

Apple have always been bad at this.

I have automatic downloading of images etc disabled so as not to inform spammers that they've hit an active address, which Mail allows you to do.

The problem is Mail doesn't show you the target of links in the email until you mouse-over (or long-touch) them, which also, by default, loads of a preview of the destination, thus giving the game away.

I hope Apple's servers are preloading/caching any of the proxied content, thus giving the game away before you've even opened the email. Anybody know for sure when they first download the content?

Edit: Oops! That should say I hope they aren’t pre-loading/caching!

 

[SW3029]

Would be great if this even worked right in Monterey. See here: https://forums.macrumors.com/thread...event-content-from-loading-privately.2319487/

Mail Privacy Protection is a joke.

 

[LivingMyBeachLife]

Slipping more and more on privacy and security while adding more and more "safety" and "child protection" features that could compromise privacy and security.

You do realize that Apple is not a trailblazer on "child protection" features. Facebook, Google and others already have these features. They just weren't forthright in announcing.

Every time you log on to a site or app, your privacy and security has already been compromised. You've given up your right to privacy. Read the Terms of services and End User License Agreements of the sites and apps you use. You have no privacy. Why do you think you have to "opt out" versus being given the choice to "opt in"

 

[GermanSuplex]

Apple is great, but some of their oversights are mind-boggling. For instance - you still can't mass-delete messages from the watch. Does nobody in Apple wearing an Apple Watch get tired of having to do that? I surely can't be the only one?

And given that virtually everyone with an Apple Watch use an iPhone and other iOS/Mac OS devices, this comes close to making the mail privacy features useless.

 

[BootsWalking]

My Apple Watch notified me that my heart rate increased unexpectedly while I was reading this article.

 

[Cosmosent]

The problem is MUCH BIGGER than what's being reported !

And I know this from growing up & starting my career in Silicon Valley.

When a stock goes up appreciably, like Apple's stock has the past three OR so years, those with vested stock options cash out & retire early !

In other words, Apple very-likely has been losing lots of Engineers & Software Developers over the past few years !

 

[TAKeanice]

Can anybody explain to me how the feature is supposed to keep me safe at all? Scammers put pictures with a unique URL into their mails. They don’t identify their recipients by IP but by that identifier in the URL. Therefore, if I don’t want to be seen by scammers, pictures must not be loaded at all!

There used to be the option to disable loading remote content in mails. Now that’s only possible when turning off the new “protection” feature. Can anyone explain that rationale to me?

 

[kalafalas]

Apple is great, but some of their oversights are mind-boggling. For instance - you still can't mass-delete messages from the watch. Does nobody in Apple wearing an Apple Watch get tired of having to do that? I surely can't be the only one?

And given that virtually everyone with an Apple Watch use an iPhone and other iOS/Mac OS devices, this comes close to making the mail privacy features useless.

Why delete messages? The watch only holds onto a weeks worth of messages anyway, just leave it be

 

[OhMyMy]

And here I am getting really comfy with all the privacy features in iOS 15. Time to start using a VPN again??‍♂️

 

[nwcs]

I found mail on the watch is kinda useless. It doesn't stay in sync very well and often shows me old content. Easy enough to just disable the notification and turn off load remote images for the watch. Problem solved until a better fix comes along.

 

[_Spinn_]

This seems like a major oversight.

 

[randomthoughts]

Slipping more and more on privacy and security while adding more and more "safety" and "child protection" features that could compromise privacy and security.

It’s a misrepresentation to say they are slipping on privacy and security when the new functionality is additive to what already was and remains for most other platforms and apps. It just wasn’t part of watchOS. People aren’t browsing the web on their watch and your activity in Safari on your phone won’t have the same IP address as your watch. It’s not like a security breach. And just a reminder Private Relay is still BETA.

 

[Villarrealadrian]

We need moaaaarr protection!

 

[now i see it]

It’s not like an IP address is very useful to anyone.

Here’s an example of one: 69.89.31.226

Now find me.

 

[svish]

Hopefully Apple brings support for watchOS too

 

[SoundJudgment]

Apple's latest buzz-word strikes again: "OOooops!!"

 

[DogHouseDub]

It's HORRIBLE that something which didn't exist 2 months ago doesn't work properly. What are we supposed to do now? Go back to how we were receiving email in August 2021?

 

[SoundJudgment]

We need moaaaarr protection!

We hear ya, Christopher Walken! "Moaaaarr Powaaaah!!"

 

[ScubaCinci]

Who reads email on their watch - especially messages from potential spammers? Simple work-around, don't open email messages on your watch except from those senders you trust.

 

[msackey]

Wow. Holy! This is good to know.

Apple better have a fix for this soon!