Hacker News

It comes back to reputation. In the real world, we build up a reputation and people can choose to trust us based on it. That also means that they get to know us. I personally like being able to interact with people that I've built up a positive relationship with. Why doesn't that carry over to the virtual world though?

I think everyone's view is tinted by the over-collection of data that some companies are doing. A real-life analogy would be having someone record everything that you do. We've come to accept that to an extent when going into stores, but probably wouldn't hang out with a friend that did that. I don't think the best solution to that is to put a bag over yourself and change your voice so that you're anonymous but still hang out with that friend -- I think it's to tell your friend that you don't want to be recorded. If some service is recording you too invasively, don't do business with them. If you don't know who is recording you, get your government to pass a law like GDPR.

If you want to live in a world without reputation, there will be drawbacks. Attackers will be indistinguishable from regular users, so you have to treat regular users as if they could be attackers; you can't have a tiered approach. The person banned for posting threats (or worse) or otherwise misbehaving on a message platform will be indistinguishable from a new account. The brute force attack will be indistinguishable from the legitimate user. Etc.

To throw out the whole concept of reputation so that you can be perfectly anonymous seems like the wrong solution to the problem.




Here’s the problem - my IP address should not signal reputation. They are fungible, and can change on your carrier’s whim. GEO-IP data is spotty at best. And that doesn’t even touch on how IaaS platforms handle IPs.

The only thing that should signal my reputation is my identity, and despite the best efforts of the adtech world, you can’t reliably correlate that to an IP address.


I understand what you're saying, but my mom sure will think it's frustrating that a company she does business with is going to challenge her beyond the normal experience because Apple lets her protect her privacy. After all, she's telling the company who she is by logging in.


The company challenging her beyond the normal experience is forced to because until she logs in, she is indistinguishable from an attacker. That's the price she's paying for perfect privacy.

They're not doing it because they want to annoy anonymous users; they're doing it because they're not getting any signal that they can trust this connection. That's the price you pay for removing reputation, and no number of Apple Relay users can change that. Website operators can't simply start trusting completely anonymous connections simply because there are a lot of them.

That's why I say Apple should be communicating this to users: there's a price to pay for anonymity. You may see more captchas, you may get challenged with 2FA more often, etc. Not to mention, you might be making it easier for actual criminals to hide amongst the other traffic.

When she logs in, the privacy issue becomes moot, of course, yes. At that point her credential can be trusted the same way as before.



