You will need to be careful about reading email messages on your Apple Watch, if anyone expects to take full advantage of the new Mail Privacy Protection feature in iOS 15.
One of the many new privacy features in iOS 15, Mail Privacy Protection, helps mask your identity by hiding your actual IP address from email trackers. The feature is built into the Mail application on your iPhone and iPad, but obviously this is not the case when it comes to the MailOS Watch application on the Apple Watch.
Two security researchers in Canada and Germany recently discovered that email messages appearing on the Apple Watch are not able to protect Mail Privacy, even if this feature works on a paired iPhone.
To make matters worse, the duo note that this can happen even if you do not read the actual email messages on your Apple Watch. That is because notification previews also reveal your IP address to trackers, even if Mail Privacy Protection works on your iPhone.
How Mail Privacy Protection Works
Mail Privacy is not a novel concept – Gmail has been running since 2013 – but it is new to Apple Mail application on iPhone, iPad, and Mac. It is designed to block attempts by email marketers, which use unsolicited images to track who actually opened their emails and so on.
Lots of marketing emails with lots of pictures, but almost none of these are in the email. Instead, email is as basic as a web page with links to download images from a web server. By adding a unique image to each recipient, marketers can see who opened a message and where it came from.
While there is little you can do to prevent a vendor from knowing that you have unlocked their message, since the unique tracking code is associated with your email address, Mail Privacy protects your IP address so that they do not able to integrate that with your location or any other web browsing activity.
For example, without Mail Privacy Protection, advertisers may associate your IP address with your actual identity, because of course, they already have your email address. This allows them to track your other browsing activity.
Mail Privacy Protection avoids this by opening any image links in the email through a series of intermediate proxy servers. Instead of retrieving your real IP address, trackers look for a generic address that belongs to a mammoth cloud service provider, such as Cloudflare – an IP address that thousands of others will reuse.