Reality of exposure

Identity compartmentation: operating with multiple yous

Building watertight identities by use. The four-identity model, tools per compartment, the non-contamination rule, and rotation as maintenance.


This version was translated with AI assistance and reviewed by a human.


A consultant calls me after a wave of spear-phishing. We audit his addresses together. His public professional email — the one on his business cards, on LinkedIn, in the conference proceedings — turns up in four dumps. The address he reserves for M&A files and litigation: zero, in no database at all. He thought he’d been lucky. He’d simply compartmented, without knowing he was doing OPSEC.


The common trap

The dominant advice fits in one sentence: “keep work and personal separate.” One email for the office, one for home, and you’re done. That’s the level of sophistication you find in ninety percent of “good digital hygiene” guides, in corporate IT charters, in mainstream articles. The advice isn’t wrong. It’s insufficient to the point of being misleading, because it makes you believe two compartments are enough when your real exposure demands four.

The underlying problem: “work versus personal” is a social distinction, not a threat distinction. It reflects how you organize your life, not how an attacker, a broker, or a correlation engine organizes its collection. And leaks don’t happen along the boundaries you chose. They happen where two identities touch: a reused password, a shared recovery address, a single phone number, a browser cookie, a common technical fingerprint. The work/personal split says nothing about those bridges.

Worse: the work/personal binary pushes you to mix usages that have nothing to do with each other in terms of risk. Your tax return and your cooking-newsletter subscription end up on the same “personal” address. Your public LinkedIn signature and your confidential exchange about an acquisition share the same “work” address. You treat data you publish on purpose exactly like data whose leak would cost you a file. Real compartmentation means slicing by risk and exposure, not by social context.

The four base identities

An honest inventory of your digital life reveals four distinct compartments, defined by their exposure and the severity of a compromise. These aren’t four inboxes to create tomorrow — it’s a reading grid for classifying what you already have and deciding what needs to be separated.

Civil identity. Your legal name, attached to your civil status. Bank, tax authority, doctor, building manager, insurer, telecom carrier. This identity is stable by nature — you don’t change your legal name on a whim — and it’s not meant to be public, but it’s weakly under your control: the institutions that hold it leak regularly. The strategy here isn’t to hide it (impossible), it’s to never mix it with the other three. Your bank doesn’t need to know the address you use for your streaming subscriptions.

Public professional identity. LinkedIn, conferences, media, business cards, visible email signature, op-eds. This identity is exposed by construction: its whole point is to be findable. It’s the one that ends up in dumps, because it circulates everywhere — that’s its job. The strategy isn’t to reduce its exposure (that would be counterproductive), but to accept it’s compromised by default and never make it carry a secret.

Sensitive professional identity. Live M&A files, litigation, confidential negotiations, relationships with counterparties whose mere existence is information. This identity must be strictly compartmented, ideally on infrastructure distinct from the standard corporate directory. It’s the compartment where a leak doesn’t cost you one more spam message, but a file, a negotiating position, sometimes a notification obligation.

Operational identity. Third-party services, subscriptions, free trials, one-off sign-ups, anything that asks for an email “just to see.” It’s the most expendable: its compromise has no consequences if it’s correctly isolated, because it grants access to nothing critical. It’s also the one that generates the most surface — an active internet user accumulates hundreds of accounts in this compartment over a decade.

The figure that changes everything: according to statistics published by Have I Been Pwned (a free public service by Troy Hunt that indexes emails found in public breaches), an email address used actively between 2010 and 2020 has an overwhelming probability of appearing in at least one breach. But that probability applies per address. An address that has only ever served three chosen correspondents, never entered into a web form, never published, has almost no chance of being in a dump — not by luck, by construction. That’s the whole point: compartmentation turns a leak probability into an architecture choice.

A detail many people miss: these four compartments are not equal in volume. The civil one fits in about ten accounts — bank, tax, social security, health insurance, telecom, utilities. The public professional one runs to a few dozen, mostly visible and assumed. The sensitive one often fits on the fingers of one hand, sometimes a single correspondent per file. The operational one explodes: that’s where the hundreds of accounts accumulated over years of sign-ups, forgotten free trials, and one-off purchases live. This asymmetry is good news. It means the compartmentation effort concentrates where it’s easiest to tool — the operational compartment, which you handle with generative aliases — and that the high-stakes compartments, sensitive and civil, are small enough to manage by hand, by eye, without automation.

A word on what compartmentation is not: it’s neither fraud, nor concealment, nor anonymity. Your civil identity remains your tax and legal identity, fully and entirely. You’re not creating a false identity — you’re separating usages of one real person. Confusing the two is the misunderstanding that scares executives off (“I’m not going to hide like a criminal”) or, conversely, that pushes the naive to believe they’re untraceable. Compartmentation is a hygiene measure, in the same sense as not writing your password on a sticky note. It organizes a reality — you have several roles — so that a compromised role doesn’t bring down the others.

Tools per compartment

Once the grid is in place, the tooling is almost mechanical. Each compartment calls for different infrastructure, chosen for its exposure level.

For the operational compartment, the right tool is SimpleLogin (an email alias service that hides your real address, acquired by Proton in 2022) or its native Apple equivalent, Hide My Email. The principle: one unique alias per service. When you sign up on a site, you generate service-name.xyz@yourdomain.simplelogin.io, which relays to your real inbox without revealing it. If that service leaks, you immediately know where the spam comes from (the alias is dedicated), you cut the alias in one click, and no other sign-up is affected. You turn a global leak into a local incident. In practice, this is the single change that delivers eighty percent of the benefit of compartmentation for twenty percent of the effort.

For the sensitive compartment, the infrastructure must be severed from everything else: a mailbox at Proton Mail (Proton is a Swiss privacy-focused suite: Mail, VPN, Drive, Pass, Calendar, with an open-source model) or Tutanota, with E2EE (end-to-end encryption: only sender and recipient can read the content), created with no link to the public identity — no recovery via the civil email, no phone number shared with the other accounts, ideally created from a clean browser session. The goal isn’t absolute anonymity (your correspondent knows who you are), it’s the absence of an exploitable technical bridge between this mailbox and the rest of your surface. This address must never, under any pretext, be entered into a public form, a third-party service, or a visible signature.

For the public professional identity, the point of attention is the phone number. Putting your personal mobile number on a business card directly links the public identity to the civil identity — the number is a pivot identifier that brokers love, because it’s stable and cross-references everything. A separate number, ideally VoIP (Twilio, JMP.chat, or a second line from your carrier), absorbs the public exposure without contaminating your real line. Avoid tying that number to your primary IMEI (the unique 15-digit hardware identifier of a mobile terminal) if you can help it.

Then there’s technical isolation, which cuts across all compartments: Firefox containers (Multi-Account Containers), or dedicated browsers per identity. Opening LinkedIn and your sensitive Proton inbox in the same browser profile hands any fingerprinting script (fingerprinting: identifying a device by its unique browser and system characteristics) the very correlation you’re trying to avoid. Same IP, same browser fingerprint, same third-party cookies: the two identities become linkable without a single password having leaked.

Payment deserves the same attention as email and phone, because it’s a pivot identifier in exactly the same way. A named bank card entered on an operational service links that usage to your civil identity through the banking network — and transaction aggregators, in certain jurisdictions, resell those signals. Single-use virtual cards (Revolut, or ephemeral cards depending on your bank) absorb that exposure for the operational compartment. You don’t need this for your civil compartment — which is your real bank anyway — but for expendable subscriptions and trials, a dedicated virtual card prevents a payment-data leak at a third-party merchant from touching your real card or linking that merchant to the rest of your accounts.

A word on the hardware trade-off. The most complete form of isolation is a dedicated device for the sensitive compartment — a separate phone, a separate machine, or at minimum a distinct system user profile. It’s heavy, and most individuals don’t need it. But for an executive handling M&A files, or a lawyer on sensitive litigation, the invisible synchronization of contacts across accounts on a single device is exactly the kind of bridge that reveals a confidential relationship — the social app that “suggests” a contact because you crossed paths in a shared address book. The dedicated device cuts that class of leak at the root. It’s the most expensive investment in the whole process, and the only one reserved for genuinely exposed profiles.

The non-contamination rule

Building four compartments is pointless if you link them. Compartmentation isn’t a state you reach, it’s a discipline you maintain — and it boils down to three prohibitions.

Never reuse a password across compartments. It’s the obvious thing we’ve repeated for twenty years, but it takes on a particular meaning here: a password shared between your operational alias and your sensitive inbox links the two the moment either one leaks. A password manager (an application that stores and generates unique passwords for each service) with unique secrets per account isn’t an option, it’s the prerequisite. Be careful, though: a password manager synchronized across all your devices, in a single vault, recreates a junction point — if that vault is compromised, all compartments fall together.

Never mention the sensitive address in a public context. Once is enough. The sensitive address slipped into an email cc’d on a file that ends up in court, indexed in a shared document, or entered out of habit into a form — and the compartment is punctured forever. OSINT tools (OSINT: intelligence from open, public sources such as social media, registries, archives) and correlation engines don’t forgive: what was once public stays correlated.

Never link identities through cross-recovery. This is the most frequent and most invisible mistake. You create a nice sensitive inbox, then you set its recovery address to your civil email “so I don’t lose access.” You’ve just linked the two: whoever controls the civil email controls the sensitive inbox. Same for shared recovery phone numbers. The recovery chain is the hidden skeleton that links all your accounts — audit it before anything else.

To these three technical prohibitions add a subtler contamination, almost always underestimated: behavioral contamination. Two identities can stay perfectly watertight technically — different addresses, unique passwords, isolated browsers — and remain linkable through the way you use them. A recognizable writing style (stylometric analysis is now within reach of consumer tools), the same activity time zone, the same niche topics, the same connection rhythm. For most readers, this threat level is theoretical and justifies no effort. But you need to know about it for two reasons: first because it defines the limit of what compartmentation can do — it prevents automatic correlation, not the targeted analysis of a determined adversary; second because it’s a reminder that the weak link, in the end, isn’t the tool but the habit. The hardest metadata to erase is you.

The practical test to verify your compartments hold needs no sophisticated tooling. The browser test: from a private window, logged out, search each of your addresses and pseudonyms, and note what appears linked. The recovery test: for each critical account, trigger the “forgot password” flow and watch which address or number it sends you to — that’s the real map of your bridges, often very different from the one you thought you had. The cross test: enter your sensitive address into Have I Been Pwned; if it shows up, the compartment was already punctured and you didn’t know it. These three tests take half an hour and usually reveal at least one forgotten link.
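The three prohibitions and the recovery test above, as an added example (not part of the original article): a Python script that takes a hand-written account inventory, reports every identifier shared across compartments, and lists the accounts that fall by password reset alone once one account is compromised. The inventory format, the field names and every address, number and secret label are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed inventory: every name, address and number below is made up.
# "owns" = addresses the account hosts; "reset_via" = where its password reset lands;
# "secret" = an opaque label for the vault entry, never the password itself.
ACCOUNTS = [
    {"name": "civil-mailbox", "compartment": "civil",
     "owns": ["legal.name@example.org"], "reset_via": ["+33-555-0100"], "secret": "s1"},
    {"name": "bank", "compartment": "civil",
     "owns": [], "reset_via": ["legal.name@example.org"], "secret": "s2"},
    {"name": "public-mailbox", "compartment": "public_pro",
     "owns": ["j.doe@firm.example"], "reset_via": ["legal.name@example.org"], "secret": "s3"},
    {"name": "linkedin", "compartment": "public_pro",
     "owns": [], "reset_via": ["j.doe@firm.example"], "secret": "s4"},
    {"name": "sensitive-mailbox", "compartment": "sensitive",
     "owns": ["deal-room@secure.example"], "reset_via": ["j.doe@firm.example"], "secret": "s5"},
    {"name": "streaming", "compartment": "operational",
     "owns": [], "reset_via": ["streaming.x1@alias.example"], "secret": "s4"},
]


def shared_identifiers(accounts):
    """Identifiers (address, number, secret label) that touch more than one compartment."""
    seen = defaultdict(set)
    for acc in accounts:
        idents = acc["owns"] + acc["reset_via"] + ["secret:" + acc["secret"]]
        for ident in idents:
            seen[ident].add(acc["compartment"])
    return {i: sorted(c) for i, c in seen.items() if len(c) > 1}


def takeover_closure(accounts, start):
    """Accounts that fall, through password resets alone, once `start` is compromised."""
    by_name = {a["name"]: a for a in accounts}
    resettable_from = defaultdict(list)  # identifier -> accounts whose reset lands there
    for acc in accounts:
        for ident in acc["reset_via"]:
            resettable_from[ident].append(acc["name"])
    fallen, queue = {start}, deque([start])
    while queue:
        current = by_name[queue.popleft()]
        for ident in current["owns"]:  # whoever holds the mailbox receives the reset link
            for victim in resettable_from[ident]:
                if victim not in fallen:
                    fallen.add(victim)
                    queue.append(victim)
    return sorted(fallen)


if __name__ == "__main__":
    for ident, compartments in shared_identifiers(ACCOUNTS).items():
        print(f"bridge: {ident} links {' + '.join(compartments)}")
    for acc in ACCOUNTS:
        print(f"{acc['name']} compromised -> {takeover_closure(ACCOUNTS, acc['name'])}")
```

In this constructed inventory the sensitive mailbox never shares a password with anything, yet it falls as soon as the public mailbox does, because its reset link lands there.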

What this means in practice

For you, as an individual

No need to rebuild everything this weekend. Three actions, under €200, capture most of the benefit.

  1. Set up an operational alias — Open a SimpleLogin account (~€30/year) or enable Hide My Email if you have iCloud+. From now on, every new sign-up on a third-party service goes through a dedicated alias. You don’t migrate everything at once: you just stop making it worse, and you migrate existing accounts over time, starting with the least sensitive.
  2. Audit your recovery addresses — List your critical accounts (primary email, bank, password manager) and check which address handles their recovery. None should route through your future operational email or through an address present in a dump. It’s free, and it closes the most dangerous bridges.
  3. Test your exposure from a fresh browser — Open a private window, logged out, and search your name, your addresses, your number. Note which identities appear linked to each other. What you see in five minutes, an attacker sees too.

For you, CISO / IT director / executive

1. Executives’ sensitive email is individual protection, not compliance. An address outside the standard corporate directory, for M&A files and litigation, doesn’t fall under general IT policy — it falls under the executive’s individual threat model. Direct consequence: bring this topic to the executive committee as a measure to protect the person, not as a line in the security policy, otherwise it will be treated as an annoying exception and never applied.

2. The recovery chain is your organizational blind spot. Executive accounts are often linked to each other through common backup addresses or a shared assistant’s number. Direct consequence: a single compromised account (often the most exposed, the public identity) opens access to the sensitive accounts through a domino effect. Audit the recovery chains of privileged accounts before investing in any encryption tool whatsoever.

3. Compartmentation isn’t decreed, it’s tooled. Asking an executive to “be careful” never works. Direct consequence: provide the infrastructure (managed aliases, a provisioned sensitive inbox, a second number, a preconfigured isolated browser) and friction drops to zero. Without the tooling provided, the executive falls back on their single address from 2009.

Rotation as maintenance

A compartment isn’t eternal. An identity accumulates exposure over time — every sign-up, every exchange, every leak from a third-party service adds a line to your aggregated profile. Rotation, that is, the periodic replacement of an identity with a new one, is the maintenance that keeps this accumulation from becoming a risk.

The operational identity rotates annually, or immediately after a detected leak. It’s trivial with aliases: cutting an alias and generating a new one takes ten seconds, and since each service has its own alias, rotation can be targeted — you only change what leaked. That’s the whole structural advantage of per-service aliases over a single address.

The public professional identity rotates every three to four years, with a transition period. You don’t change a public signature overnight — you need a window of several months during which both addresses work, the time for correspondents, directories, and profiles to update. It’s a heavy operation, one you plan, not an emergency reaction.

The sensitive identity, on the other hand, doesn’t rotate: it’s stable by necessity (changing addresses in the middle of a litigation is unmanageable), but it’s audited every six months. The audit checks one thing only: that the bridges haven’t reformed. A recovery address added by mistake, an alias pointing to the wrong place, a reused number — the linking metadata (data about data: who wrote what, when, where, to whom) always reintroduces itself through the small doors, and only a regular audit flushes it out.

Mistakes we see all the time

  • “I created a new address” — without migrating the critical services. The old address remains the real entry point; the new one only adds surface. As long as the bank, the password manager, and the primary email point to the old one, nothing has changed.
  • The password manager synchronized everywhere in a single vault. Excellent against reuse, but it recreates a single junction point: compromise the vault, and you compromise all compartments at once. For the sensitive compartment, a separate vault is justified.
  • Cross-recovery between identities. The civil email as backup address for the public professional email, the single phone number everywhere: these invisible links silently undo all the compartmentation. It’s the most costly mistake because it’s the most discreet.
  • Mixing identities in the same browser. Same profile, same IP, same fingerprint: fingerprinting links what passwords separate. Opening the sensitive identity and the public identity side by side cancels the isolation.
  • Confusing compartmentation with anonymity. Compartmentation (separating identities by usage: civil, public pro, sensitive pro, operational) doesn’t make you anonymous — your correspondents know who you are. It prevents the correlation between your usages. Believing you’re untraceable because you have a Proton inbox is a dangerous illusion that pushes you toward risky behavior.

Actionable checklist

  • N1 List your current addresses and classify them by compartment: civil / public pro / sensitive / operational
  • N1 Create an operational alias (SimpleLogin or Hide My Email) and route every new third-party sign-up through it
  • N2 Audit the recovery chains: no critical account should be recoverable via the operational email or an address present in a dump
  • N2 Provision an E2EE sensitive inbox (Proton/Tutanota) with no recovery link to the civil or public identity
  • N2 Test your profile from a fresh browser (no cookies, no login) and note the visible links between identities
  • N3 Isolate browsers or enable Firefox Multi-Account Containers, one identity per container
  • N3 Plan the rotation of the operational identity at 12 months and an audit of the sensitive identity at 6 months

Going further

For the technical detail of alias relaying and per-domain management, the SimpleLogin documentation is the operational reference, complemented by Apple’s support page on Hide My Email for the iCloud ecosystem. If you want to understand why an email address is a pivot identifier so hard to compartment, RFC 5321 (SMTP) sheds light on the routing mechanics that make any address intrinsically traceable. And before building your compartments, read the inventory of what has already leaked: you don’t compartment data that’s already public, you compartment the data that isn’t yet.
