A New Approach to Identity on a Social Platform
When Airbnb began expanding its Experiences offering, the company faced a familiar challenge. How do you let strangers interact around shared activities without exposing personal information that should remain private? The answer, as it turns out, involves a complete rethinking of how user identity works on the platform. The new system, built around what the company calls a context aware identity model, represents a significant departure from the standard social media approach where one profile follows you everywhere.

Most platforms treat identity as a single, portable asset. Your username, photo, bio, and activity history travel with you across groups, events, and conversations. Airbnb recognised that this model creates privacy risks when people gather for temporary, activity-based interactions. A cooking class in Bangkok should not reveal your review history from a surfing lesson in Portugal. The redesign solves this by making identity local to each interaction.
Why a Single Global Profile Falls Short for Shared Experiences
The old model worked well enough when Airbnb primarily connected hosts and guests for accommodation bookings. Those relationships are relatively simple. A host needs to know who will stay in their home. A guest wants to feel confident about the host. But Experiences are different. A group of eight strangers might book a photography walk through a local guide. They do not need to see each other’s past trip histories or know where else they have travelled.
Before the redesign, participants in an Experience could potentially access profile information that had nothing to do with the activity at hand. This created discomfort for privacy-conscious users who wanted to engage socially without broadcasting their broader travel patterns. Airbnb needed a way to allow social interaction within a bounded context while preventing that context from leaking into unrelated parts of the platform.
The Privacy Problem with Portable Identities
Portable identities are convenient for platforms that want to maximise engagement. When your profile follows you everywhere, the platform can surface connections, recommend friends, and build a richer picture of your behaviour. But that same portability becomes a liability when you want to participate in a one-off activity with people you may never see again. Your identity becomes a permanent record attached to temporary interactions.
Airbnb’s solution treats each Experience as its own micro-community with its own set of identity rules. The context aware identity model ensures that the profile you present in one Experience is invisible in another, even if the same people are involved. This is not just about hiding information. It is about fundamentally separating identity across contexts so that no technical mechanism exists to link profiles together.
The Seven Privacy Features Powering the New Identity Model
Airbnb’s implementation rests on seven distinct privacy features, each addressing a specific aspect of identity exposure. Together, they form a comprehensive system that enables social interaction while protecting user privacy at the architectural level.
1. Context-Specific Profiles Tied to Individual Experiences
The core of the new model is the concept of a scoped profile. Instead of maintaining a single global identity, each Experience generates its own profile for every participant. This profile may include a name, a photo, and perhaps a short introduction relevant to the activity. But it contains no reference to the user’s broader account history, other Experiences, or past trips.
Think of it like attending a conference where you wear a name badge that only shows your name and the session you are attending. Nobody at that session can look at your badge and learn which other conferences you have attended or what sessions you visited yesterday. Each Experience is a self-contained identity bubble.
This design makes it technically impossible for one participant to look up another user’s profile outside the shared Experience. The identity simply does not exist in any other context. For users who value privacy, this eliminates the anxiety of wondering what strangers might discover about them after a brief interaction.
2. Isolated Social Graphs That Prevent Cross-Context Linking
Social graphs are the webs of connections that platforms build between users. In most systems, if you interact with someone in one context, that connection becomes part of your permanent network. Airbnb’s model prevents this by keeping each Experience’s social graph completely isolated from every other.
If you join a hiking Experience in Switzerland and later join a pottery workshop in Japan, the connections you make in each context remain entirely separate. Nobody from the hiking group can see that you also participated in the pottery workshop, and vice versa. This isolation prevents the kind of cross-context profiling that can occur when platforms aggregate relationship data across different activities.
The context aware identity architecture ensures that relationship data is tied to the specific Experience rather than to the user’s global account. This represents a fundamental shift from the typical approach where connections accumulate across the entire platform.
3. Relationship-Based Access Control Through the Himeji Framework
Enforcing these privacy boundaries at scale requires a sophisticated authorization system. Airbnb built this using an internal framework called Himeji, which applies relationship-based access control policies at runtime. Instead of checking whether a user has a specific role or permission level, Himeji evaluates whether two users share a meaningful context before granting access to profile information.
For example, when a participant in a cooking class clicks on another participant’s name, Himeji checks whether they are both enrolled in the same Experience. If they are, the system reveals the context-specific profile. If they are not, access is denied. This evaluation happens in real time, ensuring that privacy rules are applied consistently regardless of how users navigate the platform.
Relationship-based access control is more granular than traditional role-based systems because it considers the specific relationship between two users at the moment of access. This allows Airbnb to support social features like messaging and participant lists while maintaining strict boundaries around identity exposure.
4. Data Access Layer Enforcement for Consistent Privacy Guarantees
Many platforms implement privacy controls at the user interface level. Buttons are hidden, fields are masked, and links are removed from the frontend. The problem with this approach is that it relies on every interface component correctly enforcing the same rules. A single bug in the UI can expose information that should remain private.
Airbnb shifted enforcement to the data access layer. Instead of relying on the frontend to decide what information to show, the backend refuses to return data unless the access control policies are satisfied. This means that even if a developer accidentally builds a UI element that requests protected information, the request will fail at the data layer. Privacy is guaranteed at the infrastructure level rather than at the presentation level.
This architectural choice provides consistent privacy guarantees across all services that access user data. Whether the request comes from a mobile app, a web browser, or an internal API, the same access control rules apply. The context aware identity model is enforced not by policy documents or code reviews, but by the fundamental architecture of the data layer itself.
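The enrollment check and data-layer enforcement described in sections 3 and 4, as an added sketch that is not Airbnb's or Himeji's code. The class, method names and sample enrollments are hypothetical, and the only rule modelled is that viewer and subject must be enrolled in the same Experience.

```python
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised by the data layer itself, so no caller can skip the check."""


@dataclass(frozen=True)
class ScopedProfile:
    experience_id: str
    display_name: str
    intro: str


class ProfileStore:
    """Hypothetical data access layer: the only read path runs the relationship check."""

    def __init__(self):
        self._members = {}   # experience_id -> set of enrolled user ids
        self._profiles = {}  # (experience_id, user_id) -> ScopedProfile

    def enroll(self, experience_id, user_id, display_name, intro=""):
        self._members.setdefault(experience_id, set()).add(user_id)
        self._profiles[(experience_id, user_id)] = ScopedProfile(
            experience_id, display_name, intro)

    def get_profile(self, viewer_id, subject_id, experience_id):
        members = self._members.get(experience_id, set())
        # Relationship check: both users must be enrolled in this Experience.
        # One uniform error, so a denial does not reveal which side is missing.
        if viewer_id not in members or subject_id not in members:
            raise AccessDenied("no shared Experience")
        return self._profiles[(experience_id, subject_id)]


def build_sample_store():
    """Constructed sample data: u1 joins two Experiences with separate profiles."""
    store = ProfileStore()
    store.enroll("exp-cooking", "u1", "Ana", "First time making curry")
    store.enroll("exp-cooking", "u2", "Ben")
    store.enroll("exp-surfing", "u1", "A.", "Beginner surfer")
    store.enroll("exp-surfing", "u3", "Cara")
    return store
```

Because the profile is keyed by the pair of Experience and user, a frontend that forgets to hide a link still gets AccessDenied from the store rather than another context's profile.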
5. Automated Codebase Auditing to Identify Data Access Patterns
Migrating from a global identity model to a context-aware one required Airbnb to scan its entire codebase for locations where user data was being accessed. The engineering team built automated auditing tools that searched for patterns of data access across thousands of files and services. These tools identified candidate locations where the identity model needed to be updated.
The audit produced a list of every place in the codebase where user identity information was read, written, or passed between services. Each candidate location was then mapped to the owning team based on repository structure. This allowed Airbnb to organise the migration work efficiently, with each team responsible for updating their own code.
The automated audit was critical because Airbnb’s codebase had grown over more than a decade. No single engineer, or even a team of engineers, could manually trace every data access path. Automation made the migration feasible at scale.
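A minimal version of the audit step, added here as an illustration and not Airbnb's tooling: it walks Python syntax trees for reads and writes of identity fields and groups the hits by owning team. The field names, the sample sources and the rule that the top-level directory names the owner are assumptions.

```python
import ast
from collections import defaultdict

# Assumed names of global-identity fields; a real audit would take them from the schema.
IDENTITY_FIELDS = {"full_name", "profile_photo", "trip_history", "reviews"}

# Constructed sample sources keyed by repository path (not real Airbnb code).
SAMPLE_REPO = {
    "experiences/roster/views.py":
        "def roster(users):\n"
        "    return [u.full_name for u in users]\n",
    "messaging/threads/render.py":
        "def header(user):\n"
        "    title = user.profile_photo\n"
        "    user.reviews = []\n"
        "    return title\n",
    "payments/ledger/calc.py":
        "def total(items):\n"
        "    return sum(i.amount for i in items)\n",
}


def audit(repo):
    """Return {owning_team: [(path, line, field, 'read' or 'write'), ...]}."""
    findings = defaultdict(list)
    for path, source in sorted(repo.items()):
        # Assumption: the top-level directory identifies the owning team.
        team = path.split("/", 1)[0]
        for node in ast.walk(ast.parse(source, filename=path)):
            if isinstance(node, ast.Attribute) and node.attr in IDENTITY_FIELDS:
                # Store/Del context means the field is modified, Load means it is read.
                is_write = isinstance(node.ctx, (ast.Store, ast.Del))
                findings[team].append(
                    (path, node.lineno, node.attr, "write" if is_write else "read"))
    return {team: sorted(hits) for team, hits in findings.items()}
```

The output is a candidate list only; deciding whether each hit is internal or externally exposed is the manual review the page describes.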
6. AI-Assisted Refactoring with Human-in-the-Loop Validation
Once the audit identified the locations requiring changes, Airbnb used AI-assisted refactoring tools to suggest specific code updates. These tools analysed the existing code and proposed modifications that would replace global identity references with context-specific ones. The suggestions were based on patterns learned from the audit results.
However, the AI did not make changes autonomously. Each suggestion was reviewed and validated by an engineer before being deployed. This human-in-the-loop process ensured that the AI suggestions preserved business logic and did not introduce unintended side effects. Engineers could accept, reject, or modify each suggestion based on their understanding of the code’s purpose.
This combination of automation and human oversight allowed Airbnb to scale the migration across a large codebase while maintaining accuracy. The AI handled the repetitive, pattern-based work, while engineers applied domain expertise to edge cases and complex logic paths.
7. Cross-Functional Governance Across Engineering, Product, Privacy, and Legal Teams
Privacy features are not purely technical. They require alignment across multiple disciplines. Airbnb’s migration brought together engineers, product managers, privacy specialists, and legal advisors to define identity semantics and rollout priorities. Each group brought a different perspective on what privacy meant in the context of Experiences.
Engineers focused on implementation feasibility and system performance. Product managers considered how the new identity model would affect user experience and social interaction. Privacy specialists evaluated whether the controls met regulatory requirements and user expectations. Legal advisors ensured compliance with data protection laws across different jurisdictions.
This cross-functional governance structure meant that decisions about identity exposure were not made in isolation. When a question arose about what information should be visible in a given context, the answer reflected input from all relevant perspectives. The result was a system that balanced social functionality with privacy protection in a way that satisfied technical, product, and legal requirements simultaneously.
How the Migration Worked in Practice
Implementing the context aware identity model required more than architectural changes. It demanded a coordinated effort across hundreds of engineers, thousands of files, and millions of lines of code. Airbnb’s approach offers lessons for any platform considering a similar transition.
The engineering team divided the work into phases. The first phase focused on the auditing and identification of data access patterns. The second phase involved manual review of each candidate location to determine whether the data access was internal or externally exposed. The third phase applied the AI-assisted refactoring tools to generate code changes. The final phase validated and deployed the updates across production systems.
Throughout the process, Airbnb maintained a commitment to preserving existing functionality. The goal was not to change how Experiences worked, but to change how identity was represented and accessed behind the scenes. Users should not notice any difference in their ability to interact with others during an Experience. They should simply feel more confident that their information is protected.
What This Means for Privacy-Conscious Users
For someone who values their privacy, the new identity model addresses several common anxieties. When you book an Experience, you no longer need to worry about other participants digging through your profile history. The information they see is limited to what is relevant to the activity at hand. Your travel patterns, review history, and past interactions remain invisible to people you meet through Experiences.
This is particularly valuable for users who participate in multiple Experiences across different locations. Each trip becomes a fresh start from an identity perspective. The connections you make in one city have no bearing on your interactions in another. Your privacy is protected not by vague promises or complicated settings, but by the fundamental architecture of the platform.
As Joy Jing noted in a LinkedIn post discussing the system, the design supports social interactions without compromising user privacy. This is the central trade-off that the context aware identity model successfully navigates. Users can enjoy the social benefits of shared Experiences without sacrificing control over their personal information.
Lessons for Other Platforms Adding Social Features
Airbnb’s approach offers a blueprint for any platform that wants to introduce social features without inheriting the privacy problems of traditional social networks. The key insight is that identity does not need to be global to be functional. Context-specific profiles can support rich social interaction while keeping user data contained within bounded environments.
Platforms considering similar features should start by auditing their own data access patterns. Understanding where and how user identity is accessed across the codebase is a prerequisite for any architectural change. Automated tools can help with this, but human review is essential for interpreting context and preserving business logic.
The investment in cross-functional governance is also worth replicating. Privacy is not solely an engineering concern. Product decisions, legal requirements, and user expectations all shape how identity should be exposed. Bringing these perspectives together early in the design process prevents costly rework later.
Finally, the shift from interface-level to data-layer enforcement is a pattern that deserves wider adoption. When privacy guarantees are embedded in the architecture rather than in the UI, they become more reliable and harder to bypass. This is especially important as platforms grow and the number of services accessing user data increases.
Airbnb’s context aware identity model represents a thoughtful response to the tension between social connectivity and privacy. By making identity local to each interaction, the company has created a system that enables meaningful social engagement while respecting the boundaries that users deserve. It is a model worth studying for anyone building social features in a privacy-conscious world.






