8. Compartmentalisation and identity separation

Habits, routines, and human factors.

Limiting damage by design

Keep identities separated.

Compartmentalisation means keeping parts of your digital life apart so that a mistake, leak, or compromise in one area does not automatically spill into others. It is not about creating a perfect, sealed-off existence. It is about limiting blast radius: if one identity is exposed, it should not reveal your whole life or endanger people connected to you.

Identity separation is the practical expression of that idea. It can be as simple as using separate email addresses for banking and social media, or as rigorous as maintaining distinct devices, accounts, and networks for different activities. The right level depends on your context: someone running a community archive, a journalist speaking with sources, and a parent managing a household will all make different trade-offs.

Multiple identities safely

Most people already have multiple identities without naming them. You have a work identity, a personal one, and perhaps a hobby identity, all with different expectations. The risk comes when those identities can be easily linked together by shared details: a recovery phone number, a reused username, or a single device that signs into everything.

Creating separate identities safely starts with clarity. Decide what each identity is for, and what it should not touch. For example, a community organiser might keep a public-facing identity for event promotion, and a private one for coordination with volunteers. The public identity should not share a recovery email that points to their real name, and it should avoid contact lists that could expose relationships.

A common misunderstanding is that using a different username is enough. In practice, linkability comes from small overlaps: a photo with embedded location data, the same writing style, or a payment method that reveals a billing address. These are not mysterious or rare. They are routine data points that services collect by default.

Safe separation therefore uses distinct contact points. Separate email addresses, phone numbers, and payment methods reduce linkability, but they also create management burdens. People lose access to accounts when they forget which identity is tied to a particular phone number. The mitigation is simple and unglamorous: keep a secure, offline record of what belongs to which identity, and review it occasionally.
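One way to review that record for the overlaps described above is sketched here. It is an added example, not part of the original guide, and it assumes the record is kept as a small Python dictionary on an offline machine; the identity names, field names, and every address, number and device label are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of an offline identity record; every value is made up.
IDENTITY_MAP = {
    "personal": {"email": "sam@example.org", "recovery_email": "sam@example.org",
                 "recovery_phone": "+44 7700 900123", "payment": "card ending 4421",
                 "device": "blue phone"},
    "climate-group-public": {"email": "events@example.net",
                 "recovery_email": "events-recovery@example.net",
                 "recovery_phone": "+447700900123",  # same number, other spacing
                 "payment": None, "device": "Blue Phone"},
    "banking": {"email": "bank-only@example.com", "recovery_email": "Sam@Example.org",
                 "recovery_phone": "+44 7700 900456", "payment": "card ending 9907",
                 "device": "grey laptop"},
    "archive": {"email": "archive@example.net", "recovery_email": None,
                 "recovery_phone": None, "payment": None, "device": "old tablet"},
}

# Field name -> kind of value, so an address used as a login in one identity
# and as a recovery address in another still counts as the same contact point.
KIND = {"email": "email", "recovery_email": "email", "recovery_phone": "phone",
        "payment": "payment", "device": "device"}

def normalise(kind, value):
    """Make trivially different spellings of the same contact point compare equal."""
    if kind == "phone":
        # Digits only; assumes numbers are recorded in international format.
        return "".join(ch for ch in value if ch.isdigit())
    return " ".join(value.casefold().split())

def find_links(identity_map):
    """Return {(kind, normalised value): sorted identities that share it}."""
    seen = defaultdict(set)
    for identity, fields in identity_map.items():
        for field, value in fields.items():
            if value:  # skip contact points the identity does not have
                kind = KIND[field]
                seen[(kind, normalise(kind, value))].add(identity)
    return {key: sorted(ids) for key, ids in seen.items() if len(ids) > 1}

def isolated(identity_map):
    """Identities that share no recorded contact point with any other."""
    linked = {i for ids in find_links(identity_map).values() for i in ids}
    return sorted(set(identity_map) - linked)

if __name__ == "__main__":
    for (kind, value), ids in sorted(find_links(IDENTITY_MAP).items()):
        print(f"shared {kind} {value!r}: {', '.join(ids)}")
    print("no recorded overlap:", ", ".join(isolated(IDENTITY_MAP)))
```

The check only covers what has been written down: writing style, photo metadata and similar overlaps mentioned above never appear in the record and still need a manual review.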

Devices, accounts, and networks

There are three broad layers where separation can happen: devices, accounts, and networks. Each layer has its own costs and benefits.

Devices are the strongest boundary. Using a separate laptop or phone for a sensitive identity reduces the risk of cross-contamination from cookies, saved logins, and background apps. It also reduces the impact of malware: if one device is compromised, the other may remain unaffected. The downside is cost and inconvenience, and the risk of human error. People often defeat the purpose by signing into personal email “just this once” to fetch a file.

Accounts are the most common boundary. Separate user profiles on a single device, or separate browser profiles, can keep cookies and login states apart. This is often enough for everyday use, but it is easier to slip up. Notifications from the wrong account, or autofill inserting the wrong details, are typical failure modes.

Networks add a layer of separation around where and how you connect. Using different networks for different identities can reduce correlation based on IP address or network metadata. In practice, this might mean using mobile data for one context and home Wi‑Fi for another. It is not a magic shield: mobile networks still know who you are, and public Wi‑Fi has its own risks. Network separation works best when combined with other layers.

For most people, the most effective approach is a combination: separate accounts for routine separation, and a dedicated device or user profile for the few activities that deserve extra protection. Try to keep each boundary as simple as possible so it is sustainable.

One-way information flow

One-way flow is a habit that prevents accidental linking. The idea is that information should flow from a more sensitive context to a less sensitive one only when you are certain it will not identify you. For instance, you might use a public-facing identity to read community updates, but you would not use that identity to log into personal cloud storage or to contact a relative.

In practice this means making deliberate choices about where files, contacts, and browsing history go. A journalist might read public documents on a work laptop but move any sensitive notes to a separate device that never touches personal accounts. A volunteer coordinator might copy public-facing messages into a private notes system, but never copy private contact lists into the public account.

A frequent mistake is “just quickly moving a file” between contexts, often via email or a messaging app. That creates hidden links: the sending account, timestamps, and server logs all become part of the trail. Safer options include using removable storage for strictly controlled transfers, or re‑creating necessary information manually in the destination context. It is slower, but it breaks the automated linking that services create by default.

Clean versus contaminated contexts

The language of “clean” and “contaminated” contexts can sound dramatic, but it is useful. A clean context is one that has not been connected to your main identity and does not carry identifying data. A contaminated context is one that already has links, whether through logins, contacts, or device identifiers.

Contamination is often invisible. A browser profile used for personal email can leak into other accounts through saved autofill data, cached logins, or even a browser extension that syncs data across profiles. Likewise, a phone that has had a personal SIM inserted will carry identifiers that can be tied to you, even if you later use it for a different purpose.

Mitigation starts with honesty about what is already linked. If a device has been used for personal accounts, treat it as contaminated and decide whether that is acceptable for the identity you want to use on it. If not, use a separate device or a fully reset one, and resist the temptation to sign into familiar accounts.

Clean contexts are fragile. A single accidental login can compromise them, and it is easy to forget which context is which when you are tired or in a hurry. Practical safeguards include physical cues (a different case or sticker on a device), clear naming of browser profiles, and keeping a written map of which device or account is for what. These are low-tech solutions, but they work because they help people avoid mistakes.

Abandoning identities

Sometimes the safest move is to stop using an identity. This might be because it has been compromised, because a service has changed its policies, or simply because the identity is no longer needed. Abandoning an identity is not as simple as “deleting the account”. Data can persist, and the identity can remain linkable through old posts, cached pages, or people who have interacted with it.

The first decision is whether to decommission gradually or quickly. A gradual approach might involve posting a final update and moving contacts to a new channel. A rapid shutdown might be safer if the identity is at risk, but it can also draw attention if done suddenly. Context matters: in some situations, a quiet tapering off is the least conspicuous option.

There are risks either way. Deleting accounts can remove control over your content, but leaving them active can allow others to misuse them if access is lost. A practical mitigation is to change passwords, remove recovery options you no longer control, and store the credentials securely if you want to keep the account dormant. If you need to delete, do it after downloading any records you might need, and accept that deletion is not guaranteed to erase all traces.

In the UK, people often assume that “right to erasure” under data protection rules will remove everything. It can help in some cases, but it is not absolute, and it does not reach third‑party copies or public archives. Treat erasure as a tool, not a guarantee.

Everyday scenarios and trade-offs

Consider a teacher who runs a local climate group. They use a personal phone and a public social media account to post events. A parent from the school finds the account and connects it to the teacher’s personal profile because the same phone number was used for account recovery. The risk here is not a sophisticated attacker; it is routine cross‑linking. The mitigation could be as simple as using a separate recovery email and disabling contact discovery on the public account.

Now consider a small business owner who manages customer messages and personal banking on the same laptop. Malware from a compromised website can read stored browser cookies, granting access to both contexts. Separating accounts into different browser profiles reduces the impact, but a separate device for banking would be safer if the owner can justify the cost. The trade-off is time and money versus reduced exposure.

These choices are never perfect. Compartmentalisation lowers risk but adds friction, and friction creates its own hazards: missed messages, forgotten passwords, and the temptation to merge contexts “just for convenience”. The realistic goal is not absolute separation, but a pattern of use that is clear, repeatable, and good enough for your circumstances.