Reality of exposure
Identity compartmentation: operating as multiple versions of yourself
The 4-operational-identity model. Infrastructure, maintenance, links to avoid. Legitimate use cases — and what this is not.
This version was translated with AI assistance and reviewed by a human.
An M&A lawyer shows me their phone: one device, one inbox, one calendar, for everything. Two days later, the client asks them why their daughter follows the Instagram account of an executive at the target company. The leak is never where you expect it.
The common trap
Most people think about identity protection as a single-layer problem: secure your accounts, use strong passwords, enable two-factor authentication, and you’re protected. This model fails because it assumes your threat is an external attacker trying to break through your defenses.
The actual threat model is different. The exposure usually happens through aggregation — not because any single piece of information is compromised, but because multiple pieces of information from different contexts get connected. Your LinkedIn tells someone your employer. Your Instagram tells them your neighborhood and your daily routine. A Companies House filing tells them your former home address. A data broker has assembled all three plus your phone number. No individual piece was particularly sensitive. The combination is.
Compartmentation addresses the aggregation threat. The goal is to ensure that information shared in one context cannot easily be linked to information shared in another.
Why one identity isn’t enough
Every identifier you use is a potential connection point. Your primary email address appears in breach databases, data broker profiles, service registrations, and public filings. The more contexts it appears in, the more it functions as a universal key linking all those contexts together.
A single Google account with your real name, connected to Gmail (your primary email), Google Calendar (your schedule), Google Photos (your location history via photo metadata), Google Maps (your home address and frequented locations), and Google Ads (your interest profile) is a unified surveillance dossier about you. Not because Google is malicious, but because that’s what a single-identity model inevitably creates.
The same principle applies to phone numbers, physical addresses, professional profiles, and social media accounts. Every identifier you reuse across contexts is a thread that someone can pull.
The 4-identity operational model
Practical compartmentation doesn’t require a new identity for every purpose. Four operational identities cover most legitimate use cases.
| Identity | Purpose | Email | Phone | Public |
|---|---|---|---|---|
| Civil | Government, banking, insurance, healthcare, legal | Primary personal email | Personal mobile | No |
| Public Professional | LinkedIn, visible work activities, conferences, professional associations | Work email or dedicated professional email | Work phone or VOIP | Yes |
| Sensitive Professional | Confidential projects, M&A work, investigations, legal matters in progress | Dedicated compartmented email | Separate SIM or VOIP | No |
| Operational | Research, sensitive personal matters, disposable service registrations | Aliases or burner addresses | Not linked to above | No |
Each identity has its own email address (or alias system), its own associated phone number where relevant, and ideally its own browser profile. The strict rule: identifiers don’t cross identities.
Civil identity
This is your legal, documented identity. Government correspondence, banking, insurance, healthcare, court proceedings. It’s necessarily linked to your real name and often to your home address.
You have limited control over the exposure of this identity — banks report to credit bureaus, electoral registration is a public record, courts publish filings. Accept this and minimize what you actively add to it. Don’t use your civil email address to register for newsletters or services. Don’t use your home address as a registered business address if you can avoid it.
Public professional identity
Your professional public face. LinkedIn, your employer’s website, conference appearances, articles published under your name. This identity is intentionally visible — that’s its function.
The risk is scope creep: this identity gradually accumulates information that doesn’t belong in the public professional context. Your commute visible in your LinkedIn activity feed. Your home neighborhood deducible from tagged conference check-ins. Your political views visible in your likes and follows. Keep this identity to what you’d be comfortable with any prospective employer, client, journalist, or adversary seeing.
Sensitive professional identity
This is the identity most people are missing, and the one that matters most for avoiding M&A leaks, investigation exposure, and professional dispute contamination.
Ongoing M&A work, confidential litigation, sensitive client relationships, regulatory investigations, anything where the fact of your involvement is itself sensitive information. This identity should not be discoverable by searching your name or connecting it to your public professional identity.
Dedicated email address (not on the same domain as your public professional email). Separate phone number — a VOIP line or a dedicated SIM. Ideally, a separate browser profile that doesn’t share history, cookies, or extensions with your other profiles.
The M&A lawyer from the opening story had a professional identity problem, not just a device problem. Even on separate devices, if all activity traces back to the same email address, the same calendar, the same set of identifiers — the devices don’t matter.
Operational identity
Disposable. Used for services you need but don’t want connected to any of the above. Research you’re conducting. Sensitive personal matters you’d rather not have in your main inbox. Anything where a data breach in the service would be an embarrassment or a risk if linked to your real identity.
Email aliases (SimpleLogin, addy.io) are ideal here — they forward to a real inbox but expose a throwaway address. VOIP numbers for services that require phone verification. A browser profile with no saved credentials, no synced history.
What can link identities — and what to avoid
Common linkages to avoid:
Shared devices. Using the same browser profile for sensitive professional research and personal browsing. Browser fingerprinting, cookies, and session data can link activity across accounts even without explicit login connections.
Shared infrastructure. Registering a sensitive project email account from the same IP address as your regular accounts. Even if the email address is new, the connection to your home IP is a metadata link.
Social graph leakage. The M&A lawyer’s daughter following the target company’s executive. Shared contacts on LinkedIn. A colleague who knows about both contexts mentioning one in the other. Your family’s social media activity sometimes exposes more about your work context than your own profiles do.
Temporal patterns. If your operational identity is consistently active at the same hours as your public professional identity, on the same days, with the same posting or response patterns — the behavioral fingerprint is a link.
Payment information. Using the same credit card or PayPal account to pay for services associated with different identities. Payment processors create linkage that’s invisible to you but accessible to investigators.
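An added example, not part of the original article: a self-audit that checks an account inventory against the rule that identifiers don't cross identities. It flags any email, phone, payment method or browser profile used under more than one identity, and any email domain shared by the public and sensitive professional identities. The inventory, field names and identity labels are constructed for illustration, and plus-addressed variants are assumed to reach the same mailbox.

```python
from collections import defaultdict

# Constructed inventory (all values invented): one row per account you hold.
INVENTORY = [
    {"service": "bank", "identity": "civil", "email": "a.martin@example.org",
     "phone": "+44 7700 900001", "payment": "card-A", "browser_profile": "civil"},
    {"service": "linkedin", "identity": "public_professional", "email": "amartin@firm.example",
     "phone": "+44 7700 900002", "payment": None, "browser_profile": "work"},
    {"service": "dataroom", "identity": "sensitive_professional", "email": "project.k@firm.example",
     "phone": "+44 7700 900003", "payment": "card-A", "browser_profile": "work"},
    {"service": "newsletter", "identity": "operational", "email": "A.Martin+news@example.org",
     "phone": None, "payment": None, "browser_profile": "ops"},
]
LINK_FIELDS = ("email", "phone", "payment", "browser_profile")  # hypothetical field names

def normalise(field, value):
    """Reduce an identifier to the form a third party would match on."""
    value = value.strip().lower()
    if field == "phone":
        return "".join(ch for ch in value if ch.isdigit())
    if field == "email":
        local, _, domain = value.partition("@")
        # Assumption: a +tag is delivered to the base mailbox, so it is no separation.
        return local.split("+", 1)[0] + "@" + domain
    return value

def cross_identity_links(inventory):
    """Return {(field, value): {identity: [services]}} for identifiers used by 2+ identities."""
    seen = defaultdict(lambda: defaultdict(set))
    for row in inventory:
        for field in LINK_FIELDS:
            if row.get(field):
                seen[(field, normalise(field, row[field]))][row["identity"]].add(row["service"])
    return {key: {ident: sorted(svcs) for ident, svcs in ids.items()}
            for key, ids in seen.items() if len(ids) > 1}

def shared_email_domains(inventory, a="public_professional", b="sensitive_professional"):
    """Email domains used by both identities; the sensitive one needs its own domain."""
    domains = defaultdict(set)
    for row in inventory:
        if row.get("email"):
            domains[row["identity"]].add(row["email"].rsplit("@", 1)[1].lower())
    return sorted(domains[a] & domains[b])

if __name__ == "__main__":
    for (field, value), identities in cross_identity_links(INVENTORY).items():
        print(f"LINK  {field}={value}  shared by {identities}")
    for domain in shared_email_domains(INVENTORY):
        print(f"LINK  email domain {domain} shared by public and sensitive professional")
```

On the sample rows it reports three crossings (the plus-tagged civil mailbox reused for an operational signup, one card paying under two identities, one browser profile serving both professional identities) plus the shared `firm.example` domain.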
Maintenance and decay
Compartmentation requires ongoing maintenance. Identities decay — email providers close old accounts, VOIP numbers lapse, aliases get disabled. Set a quarterly review to check that your compartmentation infrastructure still works.
Also: rotation. The sensitive professional email address you created for a project three years ago might now be connected to enough information that it’s no longer effectively compartmented. Rotation means creating a new address for the next sensitive context rather than reusing the old one.
What this is not
This section matters because compartmented identities get mischaracterized.
This is not fraud. You’re not creating false identities to deceive banks, governments, or courts. Your legal identity remains your legal identity. Compartmentation separates contextual information, not legal accountability.
This is not absolute anonymity. A determined, resourced adversary — law enforcement with a court order, a nation-state intelligence service — can link identities. Compartmentation raises the cost and difficulty of that linkage. It does not make linkage impossible.
This is not asset concealment. Using separate email addresses doesn’t hide assets from tax authorities, creditors, or divorce proceedings. Those disclosures are legal obligations separate from operational security.
This is not a conspiracy. Privacy is a legitimate interest. Professionals in sensitive industries — lawyers, journalists, executives, consultants, security researchers — routinely maintain operational separation between contexts as a basic professional hygiene measure. There’s nothing exotic about it.
- N1 Identify which operational identity category each of your current email addresses belongs to — and find any that span multiple categories
- N2 Separate your civil and public professional identities if they currently share the same email address
- N2 Create a dedicated email address for sensitive professional activities — keep it off your public professional domain
- N2 Set up an email alias system (SimpleLogin or addy.io) for operational/disposable registrations
- N2 Audit your LinkedIn and public professional profile for information that belongs in a different identity context
- N3 Create separate browser profiles for each identity and enforce their use
- N3 Set a quarterly compartmentation review: check infrastructure, rotate aged addresses, identify new linkages