InfoQ Architecture·May 13, 2026

Airbnb's Context-Aware Identity Model for Privacy-First Social Features

Airbnb implemented a new context-aware identity and connection model to support social features within its Experiences platform while enforcing strict privacy. This system replaces a single global user profile with multiple context-specific profiles, isolating user identities to specific activities. Airbnb's authorization framework, Himeji, enforces access control based on shared context, ensuring privacy at the data access layer rather than just the UI.

The Challenge: Balancing Social Features with Privacy

As platforms like Airbnb expand into social interactions, particularly in scenarios where users are strangers (e.g., group tours or events), a critical system design challenge emerges: how to enable meaningful social connections without compromising user privacy. The traditional model of a single, globally accessible user profile often clashes with the need for controlled identity exposure. Airbnb addressed this by moving away from a monolithic identity system to a more granular, context-aware approach.

Context-Specific Identity Profiles

The core of Airbnb's solution is the concept of context-specific profiles. Instead of one universal profile, users now have multiple scoped identities, each tied to a particular Experience (e.g., a specific cooking class or hiking trip). This architectural decision prevents the linkage of identities across different activities, effectively creating isolated social graphs for each context. This design choice is fundamental for ensuring that a user's presence and data in one Experience do not inadvertently leak into another, thereby upholding privacy by design.

Key Privacy Principle

By isolating identities per context, the system inherently prevents cross-context identity linkage, a crucial aspect of privacy-first design. This means a user's participation in 'Experience A' cannot be easily traced back to their participation in 'Experience B' by other users.

Enforcement via Relationship-Based Access Control

Privacy guarantees are enforced through Airbnb's internal authorization framework, Himeji, which implements relationship-based access control (ReBAC) policies. These policies are evaluated at runtime to determine whether users share a common context before granting access to profile information. This approach shifts the enforcement of privacy from the application's user interface layer to the underlying data access layer. This is a robust architectural pattern because it ensures consistent privacy regardless of how data is accessed, preventing potential bypasses or inconsistencies that might arise from UI-only restrictions.
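
The shared-context check described above, sketched in Python as an added example; it is not Airbnb's code and does not reflect Himeji's actual API. The names ProfileStore, ContextProfile, join and read_profile, and the sample user and Experience ids, are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass

class AccessDenied(Exception):
    """Raised for both 'no shared context' and 'no such profile'."""

@dataclass(frozen=True)
class ContextProfile:
    profile_id: str      # random per (user, Experience); never the global user id
    experience_id: str
    display_name: str

class ProfileStore:
    """Hypothetical data-access layer: every profile read passes the check."""

    def __init__(self):
        self._members = set()   # relationship tuples: (user_id, experience_id)
        self._profiles = {}     # profile_id -> ContextProfile

    def join(self, user_id, experience_id, display_name):
        """Record membership and create a profile scoped to this Experience."""
        profile = ContextProfile(secrets.token_hex(8), experience_id, display_name)
        self._members.add((user_id, experience_id))
        self._profiles[profile.profile_id] = profile
        return profile.profile_id

    def read_profile(self, viewer_id, profile_id):
        """Return the profile only if the viewer shares its Experience."""
        profile = self._profiles.get(profile_id)
        # Same error for unknown ids and unshared contexts, so a caller
        # cannot probe which profile ids exist.
        if profile is None or (viewer_id, profile.experience_id) not in self._members:
            raise AccessDenied("no shared context")
        return profile

def demo():
    """Constructed sample data: two users, two Experiences."""
    store = ProfileStore()
    alice_cooking = store.join("u-alice", "exp-cooking", "Alice")
    alice_hiking = store.join("u-alice", "exp-hiking", "Al")
    store.join("u-bob", "exp-cooking", "Bob")
    results = {"shared": store.read_profile("u-bob", alice_cooking).display_name}
    try:
        store.read_profile("u-bob", alice_hiking)
        results["unshared"] = "allowed"
    except AccessDenied:
        results["unshared"] = "denied"
    results["linkable"] = alice_cooking == alice_hiking
    return results
```

Because the check lives in read_profile rather than in a view, any caller that reaches the store is subject to it, and the returned object carries no global user id that could link the two Experiences.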

Large-Scale Codebase Migration

Implementing such a fundamental change required a significant migration across Airbnb's entire codebase. The engineering team utilized automated auditing tools to identify patterns of user data access and pinpoint areas needing updates. They also leveraged AI-assisted refactoring tools to suggest code changes, with engineers performing manual reviews in a human-in-the-loop process. This highlights the operational complexity and tooling required for large-scale architectural refactorings in a mature codebase, emphasizing the importance of automated assistance combined with human oversight for accuracy and business logic preservation.
